ssl_timers_unittest.cc

firefox-main/security/nss/gtests/ssl_gtest/ssl_timers_unittest.cc

Enable keyboard shortcuts

Source code

File a bug in NSS :: Libraries

Revision control

Copy as Markdown

Other Tools

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */

/* vim: set ts=2 et sw=2 tw=80: */

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this file,

 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "secerr.h"

#include "ssl.h"

#include "sslerr.h"

#include "sslproto.h"

extern "C" {

// This is not something that should make you happy.

#include "libssl_internals.h"

#include "gtest_utils.h"

#include "nss_scoped_ptrs.h"

#include "tls_connect.h"

#include "tls_filter.h"

#include "tls_parser.h"

namespace nss_test {

// Reproducing https://bugzilla.mozilla.org/show_bug.cgi?id=1978603

// The test causes assertion failure: timer->cb == NULL, at

// lib/ssl/dtlscon.c:922

// The general problem in the bug was that each post-handshake message

// was starting a new retransmit timer.

// We've decided to change the timer logic such that a retransmit timer

// will be restarted when a new request for a timer arrives.

// This test ensures that if two different post-handshake messages are queued

// for retransmission, the timer behaves correctly. When the second message is

// queued, we reset the timer. This means a message never waits longer than the

// minimum timer delay. The first message queued will be retransmitted a bit

// more aggressively than it would otherwise, but this is unlikely to be a

// problem.

// We're currently supporting NewSessionTicker and KeyUpdate post-handshake

// messages.

// The filter will be dropping Key Update and New Session Ticket until disabled

// When it's disabled, it will keep track of the New Session Ticket messages

// sent by the server, and when it founds one - it will record the sequence

// number This sequence number will then be provided to the second filter that

// will be checking the list of ACKs seaching for this message

class TLSSessionTicketAndKUDropper : public TlsRecordFilter {

 public:

  TLSSessionTicketAndKUDropper(const std::shared_ptr<TlsAgent>& a)

      : TlsRecordFilter(a), enabled_(true), sequenceNumberNST(0) {}

  void disable() { enabled_ = false; }

  uint64_t getSentSessionTicketSeqNum() { return sequenceNumberNST; }

 protected:

  PacketFilter::Action FilterRecord(const TlsRecordHeader& header,

                                    const DataBuffer& record, size_t* offset,

                                    DataBuffer* output) override {

    if (!header.is_protected()) {

      return KEEP;

    uint16_t protection_epoch;

    uint8_t inner_content_type;

    DataBuffer plaintext;

    TlsRecordHeader out_header;

    if (!Unprotect(header, record, &protection_epoch, &inner_content_type,

                   &plaintext, &out_header)) {

      return KEEP;

    if (plaintext.data()[0] == ssl_hs_new_session_ticket) {

      if (enabled_) {

        return DROP;

      } else {

        sequenceNumberNST = out_header.sequence_number();

    if (plaintext.data()[0] == ssl_hs_key_update && enabled_) {

      return DROP;

    return KEEP;

 private:

  bool enabled_;

  uint64_t sequenceNumberNST;

};

class TLSACKRecorder : public TlsRecordFilter {

 public:

  TLSACKRecorder(const std::shared_ptr<TlsAgent>& a)

      : TlsRecordFilter(a),

        enabled_(false),

        isSeqNumFound(false),

        sequenceNumberToFindACKed(0) {}

  void EnableTLSACKCatcherWithSeqNum(uint64_t seqNum) {

    enabled_ = true;

    sequenceNumberToFindACKed = seqNum;

  bool isNSTACKFound() { return isSeqNumFound; }

 protected:

  PacketFilter::Action FilterRecord(const TlsRecordHeader& header,

                                    const DataBuffer& record, size_t* offset,

                                    DataBuffer* output) override {

    if (!enabled_) {

      return KEEP;

    if (!header.is_protected()) {

      return KEEP;

    uint16_t protection_epoch;

    uint8_t inner_content_type;

    DataBuffer plaintext;

    TlsRecordHeader out_header;

    if (!Unprotect(header, record, &protection_epoch, &inner_content_type,

                   &plaintext, &out_header)) {

      return KEEP;

    if (plaintext.data() == NULL || plaintext.len() == 0) {

      return KEEP;

    if (decrypting() && inner_content_type != ssl_ct_ack) {

      return KEEP;

    uint8_t ack_message_header_len = 2;

    uint8_t ack_message_len_one_ACK = 16;

    size_t acks = plaintext.len() - ack_message_header_len;

    EXPECT_EQ((uint64_t)0, acks % ack_message_len_one_ACK);

    acks = acks / ack_message_len_one_ACK;

    // struct {

    //   uint64 epoch;

    //   uint64 sequence_number;

    // } RecordNumber;

    // sequenceNumberToFindACKed has 16 bits for epoch and 48 for seqNum

    uint64_t epoch = sequenceNumberToFindACKed >> 48;

    uint64_t seqNum = sequenceNumberToFindACKed & 0xFFFFFFFFFFFF;

    uint64_t lastByteEpoch = 0;

    uint64_t leastByteSequence = 0;

    for (size_t i = 0; i < acks; i++) {

      // Here we check that the last byte of the epoch and the last byte of the

      // sequence Because we just sent a couple of messages, so the values will

      // be less than 256.

      lastByteEpoch = plaintext.data()[2 + i * ack_message_len_one_ACK + 7];

      leastByteSequence =

          plaintext.data()[2 + i * ack_message_len_one_ACK + 15];

      if ((epoch % 256 == lastByteEpoch) &&

          (seqNum % 256) == leastByteSequence) {

        isSeqNumFound = true;

        return KEEP;

    return KEEP;

 private:

  bool enabled_;

  bool isSeqNumFound;

  uint64_t sequenceNumberToFindACKed;

};

TEST_F(TlsConnectDatagram13, SendTicketThenKeyUpdate) {

  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);

  Connect();

  SendReceive();  // Need to read so that we absorb the session tickets.

  CheckKeys();

  // Resume the connection.

  Reset();

  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);

  ExpectResumption(RESUME_TICKET);

  auto filter = MakeTlsFilter<TLSSessionTicketAndKUDropper>(server_);

  filter->EnableDecryption();

  auto ackRecorderFilter = MakeTlsFilter<TLSACKRecorder>(client_);

  ackRecorderFilter->EnableDecryption();

  // This should cause sending a NewSessionTicket (thus, starting the timer)

  // Sending the NewSessionTicket will be blocked by the filter

  Connect();

  // Server sends Key Update

  // The first Key Update will also be dropped by the server

  EXPECT_EQ(SECSuccess, SSL_KeyUpdate(server_->ssl_fd(), false));

  client_->ReadBytes();

  // Check that the client indeed has not received the KU.

  SSLInt_SendImmediateACK(client_->ssl_fd());

  server_->ReadBytes();

  CheckEpochs(3, 3);

  // Disabling dropping the message, the effective retransmit will start

  filter->disable();

  // So, we don't have to wait until the next retransmit happens

  ShiftDtlsTimers();

  server_->ReadBytes();

  // We get the Sequence number of the NewSessionTicket that the server has sent

  uint64_t sequenceNumberNST = filter->getSentSessionTicketSeqNum();

  // And we check that the client has received (thus acked) the newly

  // retransmitted NewSessionTicket

  ackRecorderFilter->EnableTLSACKCatcherWithSeqNum(sequenceNumberNST);

  // Client Received NewSessionTicker and KU

  client_->ReadBytes();

  SSLInt_SendImmediateACK(client_->ssl_fd());

  server_->ReadBytes();

  // Client and Server both received and processed KU

  CheckEpochs(3, 4);

  // Client has successfully received and sent an ACK for NST message

  EXPECT_EQ(true, ackRecorderFilter->isNSTACKFound());

  SendReceive(50);

class TLSIthMessageSeqNumDropper : public TlsRecordFilter {

 public:

  TLSIthMessageSeqNumDropper(const std::shared_ptr<TlsAgent>& a,

                             uint8_t messageSeqNumToDrop)

      : TlsRecordFilter(a),

        enabled_(true),

        messageSeqNumToDrop_(messageSeqNumToDrop),

        currentMessageSeqNum_(0) {}

  void disable() { enabled_ = false; }

 protected:

  PacketFilter::Action FilterRecord(const TlsRecordHeader& header,

                                    const DataBuffer& record, size_t* offset,

                                    DataBuffer* output) override {

    if (enabled_ && currentMessageSeqNum_ == messageSeqNumToDrop_) {

      enabled_ = false;

      uint16_t protection_epoch;

      uint8_t inner_content_type;

      DataBuffer plaintext;

      TlsRecordHeader out_header;

      if (!Unprotect(header, record, &protection_epoch, &inner_content_type,

                     &plaintext, &out_header)) {

        return KEEP;

      if (inner_content_type == ssl_ct_ack ||

          inner_content_type == ssl_ct_application_data) {

        return KEEP;

      return DROP;

    currentMessageSeqNum_ += 1;

    return KEEP;

 private:

  bool enabled_;

  uint8_t messageSeqNumToDrop_;

  uint8_t currentMessageSeqNum_;

};

TEST_F(TlsConnectDatagram13, HandshakeDropIthMessageServer) {

  uint8_t maxServerMessageSeq = 10;

  for (uint8_t currMesSeqNum = 0; currMesSeqNum < maxServerMessageSeq;

       currMesSeqNum++) {

    EnsureTlsSetup();

    auto filter =

        MakeTlsFilter<TLSIthMessageSeqNumDropper>(server_, currMesSeqNum);

    filter->EnableDecryption();

    Connect();

    SendReceive();

    Reset();

TEST_F(TlsConnectDatagram13, HandshakeDropIthMessageClient) {

  uint8_t maxClientMessageSeq = 10;

  for (uint8_t currMesSeqNum = 0; currMesSeqNum < maxClientMessageSeq;

       currMesSeqNum++) {

    EnsureTlsSetup();

    auto filter =

        MakeTlsFilter<TLSIthMessageSeqNumDropper>(client_, currMesSeqNum);

    filter->EnableDecryption();

    Connect();

    SendReceive();

    Reset();

}  // namespace nss_test