Bug 1315252 - Fuzzing mode: Check that SSL_ExportKeyingMaterial() is …

…deterministic r=franziskus

Differential Revision: https://nss-review.dev.mozaws.net/D20

gtests/ssl_gtest/ssl_fuzz_unittest.cc

@@ -2,8 +2,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "blapi.h"
 #include "ssl.h"
 #include "sslimpl.h"
+#include "tls_connect.h"
 
 #include "gtest/gtest.h"
 
@@ -13,12 +15,58 @@ namespace nss_test {
 
 class TlsFuzzTest : public ::testing::Test {};
 
+void ResetState() {
+  // Clear the list of RSA blinding params.
+  BL_Cleanup();
+
+  // Reinit the list of RSA blinding params.
+  EXPECT_EQ(SECSuccess, BL_Init());
+
+  // Reset the RNG state.
+  EXPECT_EQ(SECSuccess, RNG_ResetForFuzzing());
+}
+
 // Ensure that ssl_Time() returns a constant value.
 TEST_F(TlsFuzzTest, Fuzz_SSL_Time_Constant) {
   PRInt32 now = ssl_Time();
   PR_Sleep(PR_SecondsToInterval(2));
   EXPECT_EQ(ssl_Time(), now);
 }
 
+// Check that due to the deterministic PRNG we derive
+// the same master secret in two consecutive TLS sessions.
+TEST_P(TlsConnectGeneric, Fuzz_DeterministicExporter) {
+  const char kLabel[] = "label";
+  std::vector<unsigned char> out1(32), out2(32);
+
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+  DisableECDHEServerKeyReuse();
+
+  ResetState();
+  Connect();
+
+  // Export a key derived from the MS and nonces.
+  SECStatus rv = SSL_ExportKeyingMaterial(client_->ssl_fd(),
+                                          kLabel, strlen(kLabel),
+                                          false, NULL, 0,
+                                          out1.data(), out1.size());
+  EXPECT_EQ(SECSuccess, rv);
+
+  Reset();
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+  DisableECDHEServerKeyReuse();
+
+  ResetState();
+  Connect();
+
+  // Export another key derived from the MS and nonces.
+  rv = SSL_ExportKeyingMaterial(client_->ssl_fd(), kLabel, strlen(kLabel),
+                                false, NULL, 0, out2.data(), out2.size());
+  EXPECT_EQ(SECSuccess, rv);
+
+  // The two exported keys should be the same.
+  EXPECT_EQ(out1, out2);
+}
+
 #endif
 }

gtests/ssl_gtest/ssl_gtest.gyp

@@ -60,7 +60,7 @@
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/base/base.gyp:nssb',
-        '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+        '<(DEPTH)/lib/freebl/freebl.gyp:<(freebl_name)',
         '<(DEPTH)/lib/nss/nss.gyp:nss_static',
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
         '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',

gtests/ssl_gtest/tls_agent.cc

@@ -819,6 +819,12 @@ void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
   EXPECT_EQ(SECSuccess, rv);
 }
 
+void TlsAgent::DisableECDHEServerKeyReuse() {
+  ASSERT_EQ(TlsAgent::SERVER, role_);
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
+  EXPECT_EQ(SECSuccess, rv);
+}
+
 static const std::string kTlsRolesAllArr[] = {"CLIENT", "SERVER"};
 ::testing::internal::ParamGenerator<std::string>
     TlsAgentTestBase::kTlsRolesAll = ::testing::ValuesIn(kTlsRolesAllArr);

gtests/ssl_gtest/tls_agent.h

@@ -150,6 +150,7 @@ class TlsAgent : public PollTarget {
   void SetDowngradeCheckVersion(uint16_t version);
   void CheckSecretsDestroyed();
   void ConfigNamedGroups(const std::vector<SSLNamedGroup>& groups);
+  void DisableECDHEServerKeyReuse();
 
   const std::string& name() const { return name_; }
 

gtests/ssl_gtest/tls_connect.cc

@@ -595,6 +595,10 @@ void TlsConnectTestBase::CheckEarlyDataAccepted() {
   server_->CheckEarlyDataAccepted(expect_early_data_accepted_);
 }
 
+void TlsConnectTestBase::DisableECDHEServerKeyReuse() {
+  server_->DisableECDHEServerKeyReuse();
+}
+
 TlsConnectGeneric::TlsConnectGeneric()
     : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
 

gtests/ssl_gtest/tls_connect.h

@@ -107,6 +107,7 @@ class TlsConnectTestBase : public ::testing::Test {
   void Receive(size_t amount);
   void ExpectExtendedMasterSecret(bool expected);
   void ExpectEarlyDataAccepted(bool expected);
+  void DisableECDHEServerKeyReuse();
 
  protected:
   Mode mode_;