Bug 1304924 - Report group and signature scheme, r=ekr
--HG--
extra : rebase_source : 957660352119e616371f22f17ca2e0998b05df70
extra : amend_source : 18b1bb8c0182228956e59d5cccaf43f786387ef1
martinthomson committed Oct 4, 2016
1 parent 04a3fc0 commit 1044f92
Showing 22 changed files with 336 additions and 200 deletions.
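--- a/external_tests/ssl_gtest/libssl_internals.c
+++ b/external_tests/ssl_gtest/libssl_internals.c
@@ -24,29 +24,6 @@ SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd) {
 return SECSuccess;
 }
 
-// This function guesses what key exchange strength libssl will choose.
-PRUint32 SSLInt_DetermineKEABits(PRUint16 serverKeyBits,
-SSLAuthType authAlgorithm,
-PRUint32 symKeyBits) {
-PRUint32 authBits;
-
-if (authAlgorithm == ssl_auth_ecdsa || authAlgorithm == ssl_auth_ecdh_rsa ||
-authAlgorithm == ssl_auth_ecdh_ecdsa) {
-authBits = serverKeyBits;
-} else {
-PORT_Assert(authAlgorithm == ssl_auth_rsa_decrypt ||
-authAlgorithm == ssl_auth_rsa_sign);
-authBits = SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyBits);
-}
-
-// We expect a curve for key exchange to be selected based on the symmetric
-// key strength (times 2) or the server key size, whichever is smaller.
-PRUint32 targetKeaBits = PR_MIN(symKeyBits * 2, authBits);
-
-// P-256 is the preferred curve of minimum size.
-return PR_MAX(256U, targetKeaBits);
-}
-
 /* Use this function to update the ClientRandom of a client's handshake state
 * after replacing its ClientHello message. We for example need to do this
 * when replacing an SSLv3 ClientHello with its SSLv2 equivalent. */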
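--- a/external_tests/ssl_gtest/libssl_internals.h
+++ b/external_tests/ssl_gtest/libssl_internals.h
@@ -15,9 +15,6 @@
 
 SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd);
 
-PRUint32 SSLInt_DetermineKEABits(PRUint16 serverKeyBits,
-SSLAuthType authAlgorithm,
-PRUint32 symKeyBits);
 SECStatus SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd, uint8_t *rnd,
 size_t rnd_len, uint8_t *msg,
 size_t msg_len);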
2 changes: 1 addition & 1 deletion external_tests/ssl_gtest/ssl_0rtt_unittest.cc
Expand Up @@ -96,7 +96,7 @@ TEST_P(TlsConnectTls13, ZeroRttServerOnly) {
Handshake();
CheckConnected();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpn) {
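Review bot: The bare `CheckKeys()` in ZeroRttServerOnly no longer shows what the test asserts: the call it replaces spelled out `ssl_kea_ecdh, ssl_auth_rsa_sign`, while the new one relies on default arguments whose declaration is not part of this section. Because the commit exists to pin the negotiated group and signature scheme, the expectation should stay discoverable at the call site, for example with a comment of the form `// Default expectation: <kea>, <group>, <auth type>, <signature scheme>` filled in from the declaration. The same applies to the bare `CheckKeys()` calls in ssl_auth_unittest.cc, in SharesForBothEcdheAndDhe (ssl_dhe_unittest.cc) and in ConnectEcdhe (ssl_ecdh_unittest.cc). The test body starts above the hunk.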
38 changes: 27 additions & 11 deletions external_tests/ssl_gtest/ssl_auth_unittest.cc
Expand Up @@ -25,14 +25,14 @@ namespace nss_test {
TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
Reset(TlsAgent::kRsa2048);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

TEST_P(TlsConnectGeneric, ClientAuth) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

// In TLS 1.3, the client sends its cert rejection on the
Expand All @@ -48,7 +48,7 @@ TEST_P(TlsConnectStream, DISABLED_ClientAuthRequiredRejected) {
TEST_P(TlsConnectGeneric, ClientAuthRequestedRejected) {
server_->RequestClientAuth(false);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

TEST_P(TlsConnectGeneric, ClientAuthEcdsa) {
Expand All @@ -64,7 +64,7 @@ TEST_P(TlsConnectGeneric, ClientAuthBigRsa) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

// Offset is the position in the captured buffer where the signature sits.
Expand All @@ -90,7 +90,7 @@ TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetPacketFilter(capture_ske);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();

const DataBuffer& buffer = capture_ske->buffer();
EXPECT_LT(3U, buffer.len());
Expand All @@ -111,7 +111,7 @@ TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();

CheckSigScheme(capture_cert_verify, 0, server_, kTlsSigSchemeRsaPkcs1Sha1,
1024);
Expand All @@ -125,7 +125,7 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
CheckSigScheme(capture_cert_verify, 0, server_, kTlsSigSchemeRsaPssSha256,
2048);
}
Expand All @@ -139,6 +139,16 @@ static const SSLSignatureAndHashAlg SignatureRsaSha384[] = {
static const SSLSignatureAndHashAlg SignatureRsaSha256[] = {
{ssl_hash_sha256, ssl_sign_rsa}};

static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
// NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
// 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
// we use P-384. With TLS 1.2 on we pick AES-128 GCM so use P-256.
if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
return ssl_grp_ec_secp384r1;
}
return ssl_grp_ec_secp256r1;
}

// When signature algorithms match up, this should connect successfully; even
// for TLS 1.1 and 1.0, where they should be ignored.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
Expand All @@ -148,7 +158,8 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}

// Here the client picks a single option, which should work in all versions.
Expand All @@ -163,7 +174,8 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
client_->SetSignatureAlgorithms(clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms));
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}

// Here the server picks a single option, which should work in all versions.
Expand All @@ -173,7 +185,8 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}

// In TlS 1.2, a P-256 cert can be used with SHA-384.
Expand All @@ -182,7 +195,10 @@ TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch12) {
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
// The scheme is reported as using secp384r1, but this is just the generic
// ECDSA + SHA-384 codepoint as defined in TLS 1.2.
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}

#ifdef NSS_ENABLE_TLS_1_3
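Review bot: The group returned by `NamedGroupForEcdsa384` is tied to the library's default cipher-suite priority rather than to anything the three SignatureAlgorithm* tests configure, so a change in suite ordering would surface in these tests as a group mismatch unrelated to signature algorithms. The helper's comment explains the reasoning but not the maintenance consequence; I would add a line such as `// Update this if the default suite priority changes; the group follows the selected cipher's key size, not the certificate.` The name also suggests that the result depends on the ECDSA P-384 certificate, which the body never consults, so a name that mentions the default suite would be less misleading.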
9 changes: 4 additions & 5 deletions external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
Expand Up @@ -294,8 +294,7 @@ TEST_P(TlsCipherSuiteTest, WriteLimit) {
TlsConnectTestBase::kTls##versions, k##name##Ciphers, \
groups, sigalgs));

static const SSLNamedGroup kDummyNamedGroupParamsArr[] = {
static_cast<SSLNamedGroup>(0)};
static const SSLNamedGroup kDummyNamedGroupParamsArr[] = {ssl_grp_none};
static const auto kDummyNamedGroupParams =
::testing::ValuesIn(kDummyNamedGroupParamsArr);
static const TlsSignatureScheme kDummySignatureSchemesParamsArr[] = {
Expand Down Expand Up @@ -404,9 +403,9 @@ class SecurityStatusTest
public ::testing::WithParamInterface<SecStatusParams> {
public:
SecurityStatusTest()
: TlsCipherSuiteTestBase(
"TLS", GetParam().version, GetParam().cipher_suite,
static_cast<SSLNamedGroup>(0), kTlsSignatureNone) {}
: TlsCipherSuiteTestBase("TLS", GetParam().version,
GetParam().cipher_suite, ssl_grp_none,
kTlsSignatureNone) {}
};

// SSL_SecurityStatus produces fairly useless output when compared to
12 changes: 8 additions & 4 deletions external_tests/ssl_gtest/ssl_dhe_unittest.cc
Expand Up @@ -23,7 +23,8 @@ namespace nss_test {
TEST_P(TlsConnectGeneric, ConnectDhe) {
EnableOnlyDheCiphers();
Connect();
CheckKeys(ssl_kea_dh, ssl_auth_rsa_sign);
CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

TEST_P(TlsConnectTls13, SharesForBothEcdheAndDhe) {
Expand All @@ -39,7 +40,7 @@ TEST_P(TlsConnectTls13, SharesForBothEcdheAndDhe) {

Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();

bool ec, dh;
auto track_group_type = [&ec, &dh](SSLNamedGroup group) {
Expand Down Expand Up @@ -453,7 +454,10 @@ TEST_P(TlsConnectGenericPre13, PreferredFfdhe) {
PR_ARRAY_SIZE(groups)));

Connect();
CheckKeys(ssl_kea_dh, ssl_auth_rsa_sign, 3072);
client_->CheckKEA(ssl_kea_dh, ssl_grp_ffdhe_3072, 3072);
server_->CheckKEA(ssl_kea_dh, ssl_grp_ffdhe_3072, 3072);
client_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
server_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
}

TEST_P(TlsConnectGenericPre13, MismatchDHE) {
Expand Down Expand Up @@ -490,7 +494,7 @@ TEST_P(TlsConnectTls13, ResumeFfdhe) {
server_->SetPacketFilter(serverCapture);
ExpectResumption(RESUME_TICKET);
Connect();
CheckKeys(ssl_kea_dh, ssl_auth_rsa_sign);
CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign, ssl_sig_none);
ASSERT_LT(0UL, clientCapture->extension().len());
ASSERT_LT(0UL, serverCapture->extension().len());
}
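Review bot: PreferredFfdhe now calls `CheckKEA` and `CheckAuthType` separately on both agents, while every other test in this file goes through `CheckKeys`, and nothing in the hunk says why. If the reason is that the explicit 3072-bit size cannot be passed through the new `CheckKeys` signature (its declaration is outside this section, so that is a guess), a one-line comment such as `// CheckKeys() takes no explicit key size, so check each agent directly.` would stop a later cleanup from folding the four calls back into one and losing the size check. The test body starts above the hunk.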
48 changes: 32 additions & 16 deletions external_tests/ssl_gtest/ssl_ecdh_unittest.cc
Expand Up @@ -31,7 +31,8 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdh) {
EnableSomeEcdhCiphers();

Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_ecdh_ecdsa,
ssl_sig_none);
}

TEST_P(TlsConnectGenericPre13, ConnectEcdhWithoutDisablingSuites) {
Expand All @@ -40,12 +41,13 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdhWithoutDisablingSuites) {
EnableSomeEcdhCiphers();

Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_ecdh_ecdsa,
ssl_sig_none);
}

TEST_P(TlsConnectGeneric, ConnectEcdhe) {
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckKeys();
}

// If we pick a 256-bit cipher suite and use a P-384 certificate, the server
Expand All @@ -55,7 +57,10 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe) {
TEST_P(TlsConnectTls12, ConnectEcdheP384) {
Reset(TlsAgent::kServerEcdsa384);
ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa, 384);
// This uses SHA-256 because TLS 1.2 doesn't care for the
// pairing of curve and hash function like in TLS 1.3.
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp256r1_sha256);
}

TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
Expand All @@ -65,7 +70,8 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
client_->ConfigNamedGroups(groups);
server_->ConfigNamedGroups(groups);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

// This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care.
Expand All @@ -77,7 +83,8 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP384Server) {
const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
server_->ConfigNamedGroups(groups);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
hrr_capture->buffer().len() != 0);
}
Expand Down Expand Up @@ -106,7 +113,8 @@ TEST_P(TlsKeyExchangeTest, P384Priority) {
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);

std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
CheckKEXDetails(groups, shares);
Expand All @@ -122,7 +130,8 @@ TEST_P(TlsKeyExchangeTest, DuplicateGroupConfig) {
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);

std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
std::vector<SSLNamedGroup> expectedGroups = {ssl_grp_ec_secp384r1,
Expand All @@ -139,7 +148,8 @@ TEST_P(TlsKeyExchangeTest, P384PriorityDHEnabled) {
ConfigNamedGroups(groups);
Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);

if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
Expand All @@ -163,7 +173,8 @@ TEST_P(TlsConnectGenericPre13, P384PriorityOnServer) {

Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
Expand All @@ -182,7 +193,8 @@ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {

Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

// If we only have a lame group, we fall back to static RSA.
Expand All @@ -191,7 +203,7 @@ TEST_P(TlsConnectGenericPre13, UseLameGroup) {
client_->ConfigNamedGroups(groups);
server_->ConfigNamedGroups(groups);
Connect();
CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
CheckKeys(ssl_kea_rsa, ssl_grp_none, ssl_auth_rsa_decrypt, ssl_sig_none);
}

// In TLS 1.3, we can't generate the ClientHello.
Expand Down Expand Up @@ -219,14 +231,16 @@ TEST_P(TlsConnectStreamPre13, ConfiguredGroupsRenegotiate) {

Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
CheckConnected();

// The renegotiation has to use the same preferences as the original session.
server_->PrepareForRenegotiate();
client_->StartRenegotiate();
Handshake();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

TEST_P(TlsKeyExchangeTest, Curve25519) {
Expand All @@ -237,7 +251,8 @@ TEST_P(TlsKeyExchangeTest, Curve25519) {
ConfigNamedGroups(groups);
Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa, 255);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp256r1_sha256);
const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
CheckKEXDetails(groups, shares);
}
Expand All @@ -257,7 +272,8 @@ TEST_P(TlsConnectGeneric, P256andCurve25519OnlyServer) {

Connect();

CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 255);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}

TEST_P(TlsConnectGeneric, P256ClientAndCurve25519Server) {
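Review bot: Several tests in this file run on TLS 1.0 and 1.1 (the TlsConnectGeneric, TlsConnectGenericPre13 and TlsConnectStreamPre13 fixtures) and still pass `ssl_sig_rsa_pss_sha256` as the expected scheme, although those versions do not negotiate a signature scheme. Presumably the checker substitutes a version-appropriate value, but that logic is not visible here. If it does, a comment at the first such call, e.g. `// Expected scheme for TLS 1.2+; earlier versions are mapped inside the check.`, would keep readers from taking the literal at face value. ConnectDhe in ssl_dhe_unittest.cc has the same issue. Separately, the argument list `ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256` is repeated nine times in this section and would be easier to maintain behind one small named helper.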
