Bug 1307650 - Various tests to improve coverage. r=mt

Badly formed supported_versions extension

Curve non-overlap

Unknown server key shares

Badly formed supported_versions extension

Set 0-RTT option late on both sides

Reviewers: mt

Differential Revision: https://nss-dev.phacility.com/D54

external_tests/ssl_gtest/ssl_0rtt_unittest.cc

@@ -27,7 +27,7 @@ TEST_P(TlsConnectTls13, ZeroRtt) {
   client_->Set0RttEnabled(true);
   server_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(true);
+  ZeroRttSendReceive(true, true);
   Handshake();
   ExpectEarlyDataAccepted(true);
   CheckConnected();
@@ -38,7 +38,27 @@ TEST_P(TlsConnectTls13, ZeroRttServerRejectByOption) {
   SetupForZeroRtt();
   client_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(false);
+  ZeroRttSendReceive(true, false);
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
+// Test that we don't try to send 0-RTT data when the server sent
+// us a ticket without the 0-RTT flags.
+TEST_P(TlsConnectTls13, ZeroRttOptionsSetLate) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  Connect();
+  SendReceive();  // Need to read so that we absorb the session ticket.
+  CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
+  Reset();
+  server_->StartConnect();
+  client_->StartConnect();
+  // Now turn on 0-RTT but too late for the ticket.
+  client_->Set0RttEnabled(true);
+  server_->Set0RttEnabled(true);
+  ExpectResumption(RESUME_TICKET);
+  ZeroRttSendReceive(false, false);
   Handshake();
   CheckConnected();
   SendReceive();
@@ -51,7 +71,7 @@ TEST_P(TlsConnectTls13, ZeroRttServerForgetTicket) {
   ClearServerCache();
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ExpectResumption(RESUME_NONE);
-  ZeroRttSendReceive(false);
+  ZeroRttSendReceive(true, false);
   Handshake();
   CheckConnected();
   SendReceive();
@@ -87,7 +107,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpn) {
   server_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
   ExpectEarlyDataAccepted(true);
-  ZeroRttSendReceive(true, [this]() {
+  ZeroRttSendReceive(true, true, [this]() {
     client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
     return true;
   });
@@ -109,7 +129,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeServer) {
   client_->Set0RttEnabled(true);
   server_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(false, [this]() {
+  ZeroRttSendReceive(true, false, [this]() {
     client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
     return true;
   });
@@ -130,7 +150,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnServer) {
   server_->Set0RttEnabled(true);
   EnableAlpn();
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(true, [this]() {
+  ZeroRttSendReceive(true, true, [this]() {
     PRUint8 b[] = {'b'};
     client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
     EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, sizeof(b)));
@@ -150,7 +170,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnClient) {
   client_->Set0RttEnabled(true);
   server_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(true, [this]() {
+  ZeroRttSendReceive(true, true, [this]() {
     PRUint8 b[] = {'b'};
     EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, 1));
     client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
@@ -170,7 +190,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeBoth) {
   client_->Set0RttEnabled(true);
   server_->Set0RttEnabled(true);
   ExpectResumption(RESUME_TICKET);
-  ZeroRttSendReceive(false, [this]() {
+  ZeroRttSendReceive(true, false, [this]() {
     client_->CheckAlpn(SSL_NEXT_PROTO_NO_SUPPORT);
     return false;
   });

external_tests/ssl_gtest/ssl_ecdh_unittest.cc

@@ -260,6 +260,24 @@ TEST_P(TlsConnectGeneric, P256andCurve25519OnlyServer) {
   CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 255);
 }
 
+TEST_P(TlsConnectGeneric, P256ClientAndCurve25519Server) {
+  EnsureTlsSetup();
+  client_->DisableAllCiphers();
+  client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
+
+  // the client sends a P256 key share while the server prefers 25519.
+  const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ec_curve25519};
+  const std::vector<SSLNamedGroup> client_groups = {ssl_grp_ec_secp256r1};
+
+  client_->ConfigNamedGroups(client_groups);
+  server_->ConfigNamedGroups(server_groups);
+
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
+
 // Replace the point in the client key exchange message with an empty one
 class ECCClientKEXFilter : public TlsHandshakeFilter {
  public:

external_tests/ssl_gtest/ssl_extension_unittest.cc

@@ -187,6 +187,15 @@ class TlsExtensionTest13 : public TlsExtensionTestBase,
       : TlsExtensionTestBase(TlsConnectTestBase::ToMode(GetParam()),
                              SSL_LIBRARY_VERSION_TLS_1_3) {}
 
+  void ConnectWithBogusVersionList(const uint8_t* buf, size_t len) {
+    DataBuffer versions_buf(buf, len);
+    client_->SetPacketFilter(new TlsExtensionReplacer(
+        ssl_tls13_supported_versions_xtn, versions_buf));
+    ConnectExpectFail();
+    client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+    server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+  }
+
   void ConnectWithReplacementVersionList(uint16_t version) {
     DataBuffer versions_buf;
 
@@ -518,6 +527,40 @@ TEST_F(TlsExtensionTest13Stream, DropServerKeyShare) {
   EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
 }
 
+TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
+  const uint16_t wrong_group = ssl_grp_ec_secp384r1;
+
+  static const uint8_t key_share[] = {
+    wrong_group >> 8, wrong_group & 0xff, // Group we didn't offer.
+    0x00, 0x02, // length = 2
+    0x01, 0x02 };
+  DataBuffer buf(key_share, sizeof(key_share));
+  EnsureTlsSetup();
+  server_->SetPacketFilter(new TlsExtensionReplacer(ssl_tls13_key_share_xtn,
+                                                    buf));
+  ConnectExpectFail();
+  EXPECT_EQ(SSL_ERROR_RX_MALFORMED_KEY_SHARE, client_->error_code());
+  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+}
+
+// TODO(ekr@rtfm.com): This is the wrong error code. See bug 1307269.
+TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
+  const uint16_t wrong_group = 0xffff;
+
+  static const uint8_t key_share[] = {
+    wrong_group >> 8, wrong_group & 0xff, // Group we didn't offer.
+    0x00, 0x02, // length = 2
+    0x01, 0x02 };
+  DataBuffer buf(key_share, sizeof(key_share));
+  EnsureTlsSetup();
+  server_->SetPacketFilter(new TlsExtensionReplacer(ssl_tls13_key_share_xtn,
+                                                    buf));
+  ConnectExpectFail();
+  EXPECT_EQ(SSL_ERROR_MISSING_KEY_SHARE, client_->error_code());
+  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+}
+
+
 TEST_F(TlsExtensionTest13Stream, DropServerSignatureAlgorithms) {
   EnsureTlsSetup();
   server_->SetPacketFilter(
@@ -728,6 +771,16 @@ TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListBothV12) {
 #endif
 }
 
+TEST_P(TlsExtensionTest13, EmptyVersionList) {
+  static const uint8_t ext[] = {0x00, 0x00};
+  ConnectWithBogusVersionList(ext, sizeof(ext));
+}
+
+TEST_P(TlsExtensionTest13, OddVersionList) {
+  static const uint8_t ext[] = {0x00, 0x01, 0x00};
+  ConnectWithBogusVersionList(ext, sizeof(ext));
+}
+
 INSTANTIATE_TEST_CASE_P(ExtensionStream, TlsExtensionTestGeneric,
                         ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
                                            TlsConnectTestBase::kTlsVAll));

external_tests/ssl_gtest/ssl_loopback_unittest.cc

@@ -39,6 +39,20 @@ TEST_P(TlsConnectGeneric, ConnectEcdsa) {
   CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
 }
 
+TEST_P(TlsConnectGenericPre13, CipherSuiteMismatch) {
+  EnsureTlsSetup();
+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+    client_->EnableSingleCipher(TLS_AES_128_GCM_SHA256);
+    server_->EnableSingleCipher(TLS_AES_256_GCM_SHA384);
+  } else {
+    client_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+    server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+  }
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
 TEST_P(TlsConnectGenericPre13, ConnectFalseStart) {
   client_->EnableFalseStart();
   Connect();

external_tests/ssl_gtest/tls_connect.cc

@@ -486,6 +486,7 @@ void TlsConnectTestBase::SetupForResume() {
 }
 
 void TlsConnectTestBase::ZeroRttSendReceive(
+    bool expect_writable,
     bool expect_readable, std::function<bool()> post_clienthello_check) {
   const char* k0RttData = "ABCDEF";
   const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData));
@@ -496,7 +497,11 @@ void TlsConnectTestBase::ZeroRttSendReceive(
   }
   PRInt32 rv =
       PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen);  // 0-RTT write.
-  EXPECT_EQ(k0RttDataLen, rv);
+  if (expect_writable) {
+    EXPECT_EQ(k0RttDataLen, rv);
+  } else {
+    EXPECT_EQ(SECFailure, rv);
+  }
   server_->Handshake();  // Consume ClientHello, EE, Finished.
 
   std::vector<uint8_t> buf(k0RttDataLen);

external_tests/ssl_gtest/tls_connect.h

@@ -99,6 +99,7 @@ class TlsConnectTestBase : public ::testing::Test {
   void SetupForZeroRtt();
   void SetupForResume();
   void ZeroRttSendReceive(
+      bool expect_writable,
       bool expect_readable,
       std::function<bool()> post_clienthello_check = nullptr);
   void Receive(size_t amount);

lib/ssl/ssl3con.c

@@ -8253,8 +8253,9 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     if (versionExtension) {
         rv = tls13_NegotiateVersion(ss, versionExtension);
         if (rv != SECSuccess) {
-            desc = protocol_version;
-            errCode = SSL_ERROR_UNSUPPORTED_VERSION;
+            errCode = PORT_GetError();
+            desc = (errCode == SSL_ERROR_UNSUPPORTED_VERSION) ?
+                    protocol_version : illegal_parameter;
             goto alert_loser;
         }
     } else {