Diffstat (limited to 'security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc')
-rw-r--r--security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc503
1 files changed, 0 insertions, 503 deletions
diff --git a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
deleted file mode 100644
index dad944a1f..000000000
--- a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ /dev/null
@@ -1,503 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ssl.h"
-#include "ssl3prot.h"
-#include "sslerr.h"
-#include "sslproto.h"
-#include "sslexp.h"
-
-#include <memory>
-
-#include "tls_connect.h"
-
-namespace nss_test {
-
-static void IncrementCounterArg(void *arg) {
- if (arg) {
- auto *called = reinterpret_cast<size_t *>(arg);
- ++*called;
- }
-}
-
-PRBool NoopExtensionWriter(PRFileDesc *fd, SSLHandshakeType message,
- PRUint8 *data, unsigned int *len,
- unsigned int maxLen, void *arg) {
- IncrementCounterArg(arg);
- return PR_FALSE;
-}
-
-PRBool EmptyExtensionWriter(PRFileDesc *fd, SSLHandshakeType message,
- PRUint8 *data, unsigned int *len,
- unsigned int maxLen, void *arg) {
- IncrementCounterArg(arg);
- return PR_TRUE;
-}
-
-SECStatus NoopExtensionHandler(PRFileDesc *fd, SSLHandshakeType message,
- const PRUint8 *data, unsigned int len,
- SSLAlertDescription *alert, void *arg) {
- return SECSuccess;
-}
-
-// All of the (current) set of supported extensions, plus a few extra.
-static const uint16_t kManyExtensions[] = {
- ssl_server_name_xtn,
- ssl_cert_status_xtn,
- ssl_supported_groups_xtn,
- ssl_ec_point_formats_xtn,
- ssl_signature_algorithms_xtn,
- ssl_signature_algorithms_cert_xtn,
- ssl_use_srtp_xtn,
- ssl_app_layer_protocol_xtn,
- ssl_signed_cert_timestamp_xtn,
- ssl_padding_xtn,
- ssl_extended_master_secret_xtn,
- ssl_session_ticket_xtn,
- ssl_tls13_key_share_xtn,
- ssl_tls13_pre_shared_key_xtn,
- ssl_tls13_early_data_xtn,
- ssl_tls13_supported_versions_xtn,
- ssl_tls13_cookie_xtn,
- ssl_tls13_psk_key_exchange_modes_xtn,
- ssl_tls13_ticket_early_data_info_xtn,
- ssl_tls13_certificate_authorities_xtn,
- ssl_next_proto_nego_xtn,
- ssl_renegotiation_info_xtn,
- ssl_tls13_short_header_xtn,
- 1,
- 0xffff};
-// The list here includes all extensions we expect to use (SSL_MAX_EXTENSIONS),
-// plus the deprecated values (see sslt.h), and two extra dummy values.
-PR_STATIC_ASSERT((SSL_MAX_EXTENSIONS + 5) == PR_ARRAY_SIZE(kManyExtensions));
-
-void InstallManyWriters(std::shared_ptr<TlsAgent> agent,
- SSLExtensionWriter writer, size_t *installed = nullptr,
- size_t *called = nullptr) {
- for (size_t i = 0; i < PR_ARRAY_SIZE(kManyExtensions); ++i) {
- SSLExtensionSupport support = ssl_ext_none;
- SECStatus rv = SSL_GetExtensionSupport(kManyExtensions[i], &support);
- ASSERT_EQ(SECSuccess, rv) << "SSL_GetExtensionSupport cannot fail";
-
- rv = SSL_InstallExtensionHooks(agent->ssl_fd(), kManyExtensions[i], writer,
- called, NoopExtensionHandler, nullptr);
- if (support == ssl_ext_native_only) {
- EXPECT_EQ(SECFailure, rv);
- EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
- } else {
- if (installed) {
- ++*installed;
- }
- EXPECT_EQ(SECSuccess, rv);
- }
- }
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionAllNoopClient) {
- EnsureTlsSetup();
- size_t installed = 0;
- size_t called = 0;
- InstallManyWriters(client_, NoopExtensionWriter, &installed, &called);
- EXPECT_LT(0U, installed);
- Connect();
- EXPECT_EQ(installed, called);
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionAllNoopServer) {
- EnsureTlsSetup();
- size_t installed = 0;
- size_t called = 0;
- InstallManyWriters(server_, NoopExtensionWriter, &installed, &called);
- EXPECT_LT(0U, installed);
- Connect();
- // Extension writers are all called for each of ServerHello,
- // EncryptedExtensions, and Certificate.
- EXPECT_EQ(installed * 3, called);
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionEmptyWriterClient) {
- EnsureTlsSetup();
- InstallManyWriters(client_, EmptyExtensionWriter);
- InstallManyWriters(server_, EmptyExtensionWriter);
- Connect();
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionEmptyWriterServer) {
- EnsureTlsSetup();
- InstallManyWriters(server_, EmptyExtensionWriter);
- // Sending extensions that the client doesn't expect leads to extensions
- // appearing even if the client didn't send one, or in the wrong messages.
- client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
- server_->ExpectSendAlert(kTlsAlertBadRecordMac);
- ConnectExpectFail();
-}
-
-// Install an writer to disable sending of a natively-supported extension.
-TEST_F(TlsConnectStreamTls13, CustomExtensionWriterDisable) {
- EnsureTlsSetup();
-
- // This option enables sending the extension via the native support.
- SECStatus rv = SSL_OptionSet(client_->ssl_fd(),
- SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE);
- EXPECT_EQ(SECSuccess, rv);
-
- // This installs an override that doesn't do anything. You have to specify
- // something; passing all nullptr values removes an existing handler.
- rv = SSL_InstallExtensionHooks(
- client_->ssl_fd(), ssl_signed_cert_timestamp_xtn, NoopExtensionWriter,
- nullptr, NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
- auto capture =
- std::make_shared<TlsExtensionCapture>(ssl_signed_cert_timestamp_xtn);
- client_->SetPacketFilter(capture);
-
- Connect();
- // So nothing will be sent.
- EXPECT_FALSE(capture->captured());
-}
-
-// An extension that is unlikely to be parsed as valid.
-static uint8_t kNonsenseExtension[] = {91, 82, 73, 64, 55, 46, 37, 28, 19};
-
-static PRBool NonsenseExtensionWriter(PRFileDesc *fd, SSLHandshakeType message,
- PRUint8 *data, unsigned int *len,
- unsigned int maxLen, void *arg) {
- TlsAgent *agent = reinterpret_cast<TlsAgent *>(arg);
- EXPECT_NE(nullptr, agent);
- EXPECT_NE(nullptr, data);
- EXPECT_NE(nullptr, len);
- EXPECT_EQ(0U, *len);
- EXPECT_LT(0U, maxLen);
- EXPECT_EQ(agent->ssl_fd(), fd);
-
- if (message != ssl_hs_client_hello && message != ssl_hs_server_hello &&
- message != ssl_hs_encrypted_extensions) {
- return PR_FALSE;
- }
-
- *len = static_cast<unsigned int>(sizeof(kNonsenseExtension));
- EXPECT_GE(maxLen, *len);
- if (maxLen < *len) {
- return PR_FALSE;
- }
- PORT_Memcpy(data, kNonsenseExtension, *len);
- return PR_TRUE;
-}
-
-// Override the extension handler for an natively-supported and produce
-// nonsense, which results in a handshake failure.
-TEST_F(TlsConnectStreamTls13, CustomExtensionOverride) {
- EnsureTlsSetup();
-
- // This option enables sending the extension via the native support.
- SECStatus rv = SSL_OptionSet(client_->ssl_fd(),
- SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE);
- EXPECT_EQ(SECSuccess, rv);
-
- // This installs an override that sends nonsense.
- rv = SSL_InstallExtensionHooks(
- client_->ssl_fd(), ssl_signed_cert_timestamp_xtn, NonsenseExtensionWriter,
- client_.get(), NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Capture it to see what we got.
- auto capture =
- std::make_shared<TlsExtensionCapture>(ssl_signed_cert_timestamp_xtn);
- client_->SetPacketFilter(capture);
-
- ConnectExpectAlert(server_, kTlsAlertDecodeError);
-
- EXPECT_TRUE(capture->captured());
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- capture->extension());
-}
-
-static SECStatus NonsenseExtensionHandler(PRFileDesc *fd,
- SSLHandshakeType message,
- const PRUint8 *data, unsigned int len,
- SSLAlertDescription *alert,
- void *arg) {
- TlsAgent *agent = reinterpret_cast<TlsAgent *>(arg);
- EXPECT_EQ(agent->ssl_fd(), fd);
- if (agent->role() == TlsAgent::SERVER) {
- EXPECT_EQ(ssl_hs_client_hello, message);
- } else {
- EXPECT_TRUE(message == ssl_hs_server_hello ||
- message == ssl_hs_encrypted_extensions);
- }
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- DataBuffer(data, len));
- EXPECT_NE(nullptr, alert);
- return SECSuccess;
-}
-
-// Send nonsense in an extension from client to server.
-TEST_F(TlsConnectStreamTls13, CustomExtensionClientToServer) {
- EnsureTlsSetup();
-
- // This installs an override that sends nonsense.
- const uint16_t extension_code = 0xffe5;
- SECStatus rv = SSL_InstallExtensionHooks(
- client_->ssl_fd(), extension_code, NonsenseExtensionWriter, client_.get(),
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Capture it to see what we got.
- auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
- client_->SetPacketFilter(capture);
-
- // Handle it so that the handshake completes.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- NoopExtensionWriter, nullptr,
- NonsenseExtensionHandler, server_.get());
- EXPECT_EQ(SECSuccess, rv);
-
- Connect();
-
- EXPECT_TRUE(capture->captured());
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- capture->extension());
-}
-
-static PRBool NonsenseExtensionWriterSH(PRFileDesc *fd,
- SSLHandshakeType message, PRUint8 *data,
- unsigned int *len, unsigned int maxLen,
- void *arg) {
- if (message == ssl_hs_server_hello) {
- return NonsenseExtensionWriter(fd, message, data, len, maxLen, arg);
- }
- return PR_FALSE;
-}
-
-// Send nonsense in an extension from server to client, in ServerHello.
-TEST_F(TlsConnectStreamTls13, CustomExtensionServerToClientSH) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- const uint16_t extension_code = 0xff5e;
- SECStatus rv = SSL_InstallExtensionHooks(
- client_->ssl_fd(), extension_code, EmptyExtensionWriter, nullptr,
- NonsenseExtensionHandler, client_.get());
- EXPECT_EQ(SECSuccess, rv);
-
- // Have the server send nonsense.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- NonsenseExtensionWriterSH, server_.get(),
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Capture the extension from the ServerHello only and check it.
- auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
- capture->SetHandshakeTypes({kTlsHandshakeServerHello});
- server_->SetPacketFilter(capture);
-
- Connect();
-
- EXPECT_TRUE(capture->captured());
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- capture->extension());
-}
-
-static PRBool NonsenseExtensionWriterEE(PRFileDesc *fd,
- SSLHandshakeType message, PRUint8 *data,
- unsigned int *len, unsigned int maxLen,
- void *arg) {
- if (message == ssl_hs_encrypted_extensions) {
- return NonsenseExtensionWriter(fd, message, data, len, maxLen, arg);
- }
- return PR_FALSE;
-}
-
-// Send nonsense in an extension from server to client, in EncryptedExtensions.
-TEST_F(TlsConnectStreamTls13, CustomExtensionServerToClientEE) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- const uint16_t extension_code = 0xff5e;
- SECStatus rv = SSL_InstallExtensionHooks(
- client_->ssl_fd(), extension_code, EmptyExtensionWriter, nullptr,
- NonsenseExtensionHandler, client_.get());
- EXPECT_EQ(SECSuccess, rv);
-
- // Have the server send nonsense.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- NonsenseExtensionWriterEE, server_.get(),
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Capture the extension from the EncryptedExtensions only and check it.
- auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
- capture->SetHandshakeTypes({kTlsHandshakeEncryptedExtensions});
- server_->SetTlsRecordFilter(capture);
-
- Connect();
-
- EXPECT_TRUE(capture->captured());
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- capture->extension());
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionUnsolicitedServer) {
- EnsureTlsSetup();
-
- const uint16_t extension_code = 0xff5e;
- SECStatus rv = SSL_InstallExtensionHooks(
- server_->ssl_fd(), extension_code, NonsenseExtensionWriter, server_.get(),
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Capture it to see what we got.
- auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
- server_->SetPacketFilter(capture);
-
- client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
- server_->ExpectSendAlert(kTlsAlertBadRecordMac);
- ConnectExpectFail();
-
- EXPECT_TRUE(capture->captured());
- EXPECT_EQ(DataBuffer(kNonsenseExtension, sizeof(kNonsenseExtension)),
- capture->extension());
-}
-
-SECStatus RejectExtensionHandler(PRFileDesc *fd, SSLHandshakeType message,
- const PRUint8 *data, unsigned int len,
- SSLAlertDescription *alert, void *arg) {
- return SECFailure;
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionServerReject) {
- EnsureTlsSetup();
-
- // This installs an override that sends nonsense.
- const uint16_t extension_code = 0xffe7;
- SECStatus rv = SSL_InstallExtensionHooks(client_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Reject the extension for no good reason.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- NoopExtensionWriter, nullptr,
- RejectExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
-}
-
-// Send nonsense in an extension from client to server.
-TEST_F(TlsConnectStreamTls13, CustomExtensionClientReject) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- const uint16_t extension_code = 0xff58;
- SECStatus rv = SSL_InstallExtensionHooks(client_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- RejectExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Have the server send nonsense.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
- server_->ExpectSendAlert(kTlsAlertBadRecordMac);
- ConnectExpectFail();
-}
-
-static const uint8_t kCustomAlert = 0xf6;
-
-SECStatus AlertExtensionHandler(PRFileDesc *fd, SSLHandshakeType message,
- const PRUint8 *data, unsigned int len,
- SSLAlertDescription *alert, void *arg) {
- *alert = kCustomAlert;
- return SECFailure;
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionServerRejectAlert) {
- EnsureTlsSetup();
-
- // This installs an override that sends nonsense.
- const uint16_t extension_code = 0xffea;
- SECStatus rv = SSL_InstallExtensionHooks(client_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Reject the extension for no good reason.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- NoopExtensionWriter, nullptr,
- AlertExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- ConnectExpectAlert(server_, kCustomAlert);
-}
-
-// Send nonsense in an extension from client to server.
-TEST_F(TlsConnectStreamTls13, CustomExtensionClientRejectAlert) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- const uint16_t extension_code = 0xff5a;
- SECStatus rv = SSL_InstallExtensionHooks(client_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- AlertExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- // Have the server send nonsense.
- rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
- EmptyExtensionWriter, nullptr,
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
-
- client_->ExpectSendAlert(kCustomAlert);
- server_->ExpectSendAlert(kTlsAlertBadRecordMac);
- ConnectExpectFail();
-}
-
-// Configure a custom extension hook badly.
-TEST_F(TlsConnectStreamTls13, CustomExtensionOnlyWriter) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- SECStatus rv =
- SSL_InstallExtensionHooks(client_->ssl_fd(), 0xff6c, EmptyExtensionWriter,
- nullptr, nullptr, nullptr);
- EXPECT_EQ(SECFailure, rv);
- EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionOnlyHandler) {
- EnsureTlsSetup();
-
- // This installs an override that sends nothing but expects nonsense.
- SECStatus rv =
- SSL_InstallExtensionHooks(client_->ssl_fd(), 0xff6d, nullptr, nullptr,
- NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECFailure, rv);
- EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
-}
-
-TEST_F(TlsConnectStreamTls13, CustomExtensionOverrunBuffer) {
- EnsureTlsSetup();
- // This doesn't actually overrun the buffer, but it says that it does.
- auto overrun_writer = [](PRFileDesc *fd, SSLHandshakeType message,
- PRUint8 *data, unsigned int *len,
- unsigned int maxLen, void *arg) -> PRBool {
- *len = maxLen + 1;
- return PR_TRUE;
- };
- SECStatus rv =
- SSL_InstallExtensionHooks(client_->ssl_fd(), 0xff71, overrun_writer,
- nullptr, NoopExtensionHandler, nullptr);
- EXPECT_EQ(SECSuccess, rv);
- client_->StartConnect();
- client_->Handshake();
- client_->CheckErrorCode(SEC_ERROR_APPLICATION_CALLBACK_ERROR);
-}
-
-} // namespace "nss_test"