Quelle  tls_xyber_unittest.cc   Sprache: C

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"

extern "C" {
// This is not something that should make you happy.
#include "libssl_internals.h"
}

#include "gtest_utils.h"
#include "nss_scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"

namespace nss_test {

TEST_P(TlsKeyExchangeTest13, Xyber768d00Supported) {
  EnsureKeyShareSetup();
  ConfigNamedGroups({ssl_grp_kem_xyber768d00});

  Connect();
  CheckKeys(ssl_kea_ecdh_hybrid, ssl_grp_kem_xyber768d00, ssl_auth_rsa_sign,
            ssl_sig_rsa_pss_rsae_sha256);
}

TEST_P(TlsKeyExchangeTest, Tls12ClientXyber768d00NotSupported) {
  EnsureKeyShareSetup();
  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                           SSL_LIBRARY_VERSION_TLS_1_2);
  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                           SSL_LIBRARY_VERSION_TLS_1_3);
  client_->DisableAllCiphers();
  client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
  client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
  EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(
                            client_->ssl_fd(),
                            kECDHEGroups.size() + kEcdhHybridGroups.size()));

  Connect();
  std::vector<SSLNamedGroup> groups = GetGroupDetails(groups_capture_);
  for (auto group : groups) {
    EXPECT_NE(group, ssl_grp_kem_xyber768d00);
  }
}

TEST_P(TlsKeyExchangeTest13, Tls12ServerXyber768d00NotSupported) {
  if (variant_ == ssl_variant_datagram) {
    /* Bug 1874451 - reenable this test */
    return;
  }

  EnsureKeyShareSetup();

  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                           SSL_LIBRARY_VERSION_TLS_1_3);
  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                           SSL_LIBRARY_VERSION_TLS_1_2);

  client_->DisableAllCiphers();
  client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
  client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
  client_->ConfigNamedGroups({ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519});
  EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));

  server_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
  server_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
  server_->ConfigNamedGroups({ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519});

  Connect();
  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
            ssl_sig_rsa_pss_rsae_sha256);
}

TEST_P(TlsKeyExchangeTest13, Xyber768d00ClientDisabledByPolicy) {
  EnsureKeyShareSetup();
  client_->SetPolicy(SEC_OID_XYBER768D00, 0, NSS_USE_ALG_IN_SSL_KX);
  ConfigNamedGroups({ssl_grp_kem_xyber768d00, ssl_grp_ec_secp256r1});

  Connect();
  CheckKEXDetails({ssl_grp_ec_secp256r1}, {ssl_grp_ec_secp256r1});
}

TEST_P(TlsKeyExchangeTest13, Xyber768d00ServerDisabledByPolicy) {
  EnsureKeyShareSetup();
  server_->SetPolicy(SEC_OID_XYBER768D00, 0, NSS_USE_ALG_IN_SSL_KX);
  ConfigNamedGroups({ssl_grp_kem_xyber768d00, ssl_grp_ec_secp256r1});

  Connect();
  CheckKEXDetails({ssl_grp_kem_xyber768d00, ssl_grp_ec_secp256r1},
                  {ssl_grp_kem_xyber768d00}, ssl_grp_ec_secp256r1);
}

void CheckECDHShareReuse(const std::shared_ptr<TlsExtensionCapture>& capture) {
  EXPECT_TRUE(capture->captured());
  const DataBuffer& ext = capture->extension();
  DataBuffer xyber_share;
  DataBuffer x25519_share;

  size_t offset = 0;
  uint32_t ext_len;
  ext.Read(0, 2, &ext_len);
  EXPECT_EQ(ext.len() - 2, ext_len);
  offset += 2;

  uint32_t named_group;
  uint32_t named_group_len;
  ext.Read(offset, 2, &named_group);
  ext.Read(offset + 2, 2, &named_group_len);
  while (offset < ext.len()) {
    if (named_group == ssl_grp_kem_xyber768d00) {
      xyber_share = DataBuffer(ext.data() + offset + 2 + 2, named_group_len);
    }
    if (named_group == ssl_grp_ec_curve25519) {
      x25519_share = DataBuffer(ext.data() + offset + 2 + 2, named_group_len);
    }
    offset += 2 + 2 + named_group_len;
    ext.Read(offset, 2, &named_group);
    ext.Read(offset + 2, 2, &named_group_len);
  }
  EXPECT_EQ(offset, ext.len());

  ASSERT_TRUE(xyber_share.data());
  ASSERT_TRUE(x25519_share.data());
  ASSERT_GT(xyber_share.len(), x25519_share.len());
  EXPECT_EQ(
      0, memcmp(xyber_share.data(), x25519_share.data(), x25519_share.len()));
}

TEST_P(TlsKeyExchangeTest13, XyberShareReuseFirst) {
  if (variant_ == ssl_variant_datagram) {
    /* Bug 1874451 - reenable this test */
    return;
  }
  EnsureKeyShareSetup();
  ConfigNamedGroups({ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519});
  EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));

  Connect();

  CheckKEXDetails({ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519},
                  {ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519});
  CheckECDHShareReuse(shares_capture_);
}

TEST_P(TlsKeyExchangeTest13, XyberShareReuseSecond) {
  if (variant_ == ssl_variant_datagram) {
    /* Bug 1874451 - reenable this test */
    return;
  }
  EnsureKeyShareSetup();
  ConfigNamedGroups({ssl_grp_ec_curve25519, ssl_grp_kem_xyber768d00});
  EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));

  Connect();

  CheckKEXDetails({ssl_grp_ec_curve25519, ssl_grp_kem_xyber768d00},
                  {ssl_grp_ec_curve25519, ssl_grp_kem_xyber768d00});
  CheckECDHShareReuse(shares_capture_);
}

class XyberShareDamager : public TlsExtensionFilter {
 public:
  typedef enum {
    downgrade,
    extend,
    truncate,
    zero_ecdh,
    modify_ecdh,
    modify_kyber,
  } damage_type;

  XyberShareDamager(const std::shared_ptr<TlsAgent>& a, damage_type damage)
      : TlsExtensionFilter(a), damage_(damage) {}

  virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                               const DataBuffer& input,
                                               DataBuffer* output) {
    if (extension_type != ssl_tls13_key_share_xtn) {
      return KEEP;
    }

    // Find the Xyber768d00 share
    size_t offset = 0;
    if (agent()->role() == TlsAgent::CLIENT) {
      offset += 2;  // skip KeyShareClientHello length
    }

    uint32_t named_group;
    uint32_t named_group_len;
    input.Read(offset, 2, &named_group);
    input.Read(offset + 2, 2, &named_group_len);
    while (named_group != ssl_grp_kem_xyber768d00) {
      offset += 2 + 2 + named_group_len;
      input.Read(offset, 2, &named_group);
      input.Read(offset + 2, 2, &named_group_len);
    }
    EXPECT_EQ(named_group, ssl_grp_kem_xyber768d00);

    DataBuffer xyber_key_share(input.data() + offset, 2 + 2 + named_group_len);

    // Damage the Xyber768d00 share
    unsigned char* ecdh_component = xyber_key_share.data() + 2 + 2;
    unsigned char* kyber_component =
        xyber_key_share.data() + 2 + 2 + X25519_PUBLIC_KEY_BYTES;
    switch (damage_) {
      case XyberShareDamager::downgrade:
        // Downgrade a Xyber768d00 share to X25519
        xyber_key_share.Truncate(2 + 2 + X25519_PUBLIC_KEY_BYTES);
        xyber_key_share.Write(0, ssl_grp_ec_curve25519, 2);
        xyber_key_share.Write(2, X25519_PUBLIC_KEY_BYTES, 2);
        break;
      case XyberShareDamager::truncate:
        // Truncate a Xyber768d00 share after the X25519 component
        xyber_key_share.Truncate(2 + 2 + X25519_PUBLIC_KEY_BYTES);
        xyber_key_share.Write(2, X25519_PUBLIC_KEY_BYTES, 2);
        break;
      case XyberShareDamager::extend:
        // Append 4 bytes to a Xyber768d00 share
        uint32_t current_len;
        xyber_key_share.Read(2, 2, ¤t_len);
        xyber_key_share.Write(xyber_key_share.len(), current_len, 4);
        xyber_key_share.Write(2, current_len + 4, 2);
        break;
      case XyberShareDamager::zero_ecdh:
        // Replace an X25519 component with 0s
        memset(ecdh_component, 0, X25519_PUBLIC_KEY_BYTES);
        break;
      case XyberShareDamager::modify_ecdh:
        // Flip a bit in the X25519 component
        ecdh_component[0] ^= 0x01;
        break;
      case XyberShareDamager::modify_kyber:
        // Flip a bit in the Kyber component
        kyber_component[0] ^= 0x01;
        break;
    }

    *output = input;
    output->Splice(xyber_key_share, offset, 2 + 2 + named_group_len);

    // Fix the KeyShareClientHello length if necessary
    if (agent()->role() == TlsAgent::CLIENT &&
        xyber_key_share.len() != 2 + 2 + named_group_len) {
      output->Write(0, output->len() - 2, 2);
    }

    return CHANGE;
  }

 private:
  damage_type damage_;
};

class TlsXyberDamageTest
    : public TlsConnectTestBase,
      public ::testing::WithParamInterface<XyberShareDamager::damage_type> {
 public:
  TlsXyberDamageTest()
      : TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {}

 protected:
  void Damage(const std::shared_ptr<TlsAgent>& agent) {
    EnsureTlsSetup();
    client_->ConfigNamedGroups(
        {ssl_grp_ec_curve25519, ssl_grp_kem_xyber768d00});
    server_->ConfigNamedGroups(
        {ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519});
    EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
    MakeTlsFilter<XyberShareDamager>(agent, GetParam());
  }
};

TEST_P(TlsXyberDamageTest, DamageClientShare) {
  Damage(client_);

  switch (GetParam()) {
    case XyberShareDamager::extend:
    case XyberShareDamager::truncate:
      ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
      server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);
      break;
    case XyberShareDamager::zero_ecdh:
      ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
      server_->CheckErrorCode(SEC_ERROR_INVALID_KEY);
      break;
    case XyberShareDamager::downgrade:
    case XyberShareDamager::modify_ecdh:
    case XyberShareDamager::modify_kyber:
      client_->ExpectSendAlert(kTlsAlertBadRecordMac);
      server_->ExpectSendAlert(kTlsAlertBadRecordMac);
      ConnectExpectFail();
      client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
      server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
      break;
  }
}

TEST_P(TlsXyberDamageTest, DamageServerShare) {
  Damage(server_);

  switch (GetParam()) {
    case XyberShareDamager::extend:
    case XyberShareDamager::truncate:
      client_->ExpectSendAlert(kTlsAlertIllegalParameter);
      server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
      ConnectExpectFail();
      client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);
      break;
    case XyberShareDamager::zero_ecdh:
      client_->ExpectSendAlert(kTlsAlertIllegalParameter);
      server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
      ConnectExpectFail();
      client_->CheckErrorCode(SEC_ERROR_INVALID_KEY);
      break;
    case XyberShareDamager::downgrade:
    case XyberShareDamager::modify_ecdh:
    case XyberShareDamager::modify_kyber:
      client_->ExpectSendAlert(kTlsAlertBadRecordMac);
      server_->ExpectSendAlert(kTlsAlertBadRecordMac);
      ConnectExpectFail();
      client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
      server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
      break;
  }
}

INSTANTIATE_TEST_SUITE_P(TlsXyberDamageTest, TlsXyberDamageTest,
                         ::testing::Values(XyberShareDamager::downgrade,
                                           XyberShareDamager::extend,
                                           XyberShareDamager::truncate,
                                           XyberShareDamager::zero_ecdh,
                                           XyberShareDamager::modify_ecdh,
                                           XyberShareDamager::modify_kyber));

}  // namespace nss_test