TLS 1.2 fallback tests

goatgoose · Oct 17, 2023 · c3b120b · c3b120b
1 parent 4245e3e
commit c3b120b
Showing 1 changed file with 131 additions and 2 deletions.
diff --git a/tests/unit/s2n_protocol_version_getter_test.c b/tests/unit/s2n_protocol_version_getter_test.c
@@ -247,11 +247,140 @@ int main(int argc, char **argv)
 
     /* Test get_client_protocol_version fallback behavior on TLS 1.2 servers */
     {
-        /* Report client hello version if a supported version extension wasn't received */
-
         /* Report client hello version if the supported version extension is malformed */
+        for (uint8_t client_hello_version = S2N_SSLv3; client_hello_version <= S2N_TLS12; client_hello_version++) {
+            for (uint8_t send_valid_extension = 0; send_valid_extension <= 1; send_valid_extension++) {
+                DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+                EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all_tls12"));
+
+                uint8_t supported_versions_data[3] = { 0 };
+                struct s2n_blob supported_versions_blob = { 0 };
+                EXPECT_SUCCESS(s2n_blob_init(&supported_versions_blob, supported_versions_data, s2n_array_len(supported_versions_data)));
+                struct s2n_stuffer supported_versions_stuffer = { 0 };
+                EXPECT_SUCCESS(s2n_stuffer_init(&supported_versions_stuffer, &supported_versions_blob));
+
+                /* Write length byte */
+                if (send_valid_extension) {
+                    EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, 2));
+                } else {
+                    /* Create a malformed supported versions extension by writing an invalid length byte */
+                    EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, 11));
+                }
+                /* Write supported version */
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, S2N_TLS13 / 10));
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, S2N_TLS13 % 10));
+
+                struct s2n_override_extension_ctx context = {
+                    .extension_blob = supported_versions_blob
+                };
+                EXPECT_SUCCESS(s2n_config_set_client_hello_cb(config, s2n_override_supported_versions_cb, &context));
+
+                DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
+                        s2n_connection_ptr_free);
+                EXPECT_NOT_NULL(client);
+                EXPECT_SUCCESS(s2n_connection_set_config(client, config));
+
+                DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
+                        s2n_connection_ptr_free);
+                EXPECT_NOT_NULL(server);
+                EXPECT_SUCCESS(s2n_connection_set_config(server, config));
+
+                struct s2n_stuffer *hello_stuffer = &client->handshake.io;
+                EXPECT_SUCCESS(s2n_client_hello_send(client));
+
+                /* Overwrite the client hello version according to the test case. */
+                uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 };
+                protocol_version[0] = client_hello_version / 10;
+                protocol_version[1] = client_hello_version % 10;
+
+                EXPECT_SUCCESS(s2n_stuffer_rewrite(hello_stuffer));
+                EXPECT_SUCCESS(s2n_stuffer_write_bytes(hello_stuffer, protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
+                EXPECT_SUCCESS(s2n_stuffer_write(&server->handshake.io, &hello_stuffer->blob));
+
+                EXPECT_SUCCESS(s2n_client_hello_recv(server));
+
+                if (send_valid_extension) {
+                    /* TLS 1.3 was written to the supported versions extension. If a valid extension was
+                     * sent, the reported client protocol version should be TLS 1.3.
+                     */
+                    EXPECT_EQUAL(s2n_connection_get_client_protocol_version(server), S2N_TLS13);
+                } else {
+                    /* The reported client protocol version should fall back to the client hello version
+                     * if the supported versions extension is malformed.
+                     */
+                    EXPECT_EQUAL(s2n_connection_get_client_protocol_version(server), client_hello_version);
+                }
+            }
+        }
 
         /* Report client hello version if an invalid supported version was received */
+        for (uint8_t client_hello_version = S2N_SSLv3; client_hello_version <= S2N_TLS12; client_hello_version++) {
+            for (uint8_t send_valid_version = 0; send_valid_version <= 1; send_valid_version++) {
+                DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+                EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all_tls12"));
+
+                uint8_t supported_versions_data[3] = { 0 };
+                struct s2n_blob supported_versions_blob = { 0 };
+                EXPECT_SUCCESS(s2n_blob_init(&supported_versions_blob, supported_versions_data, s2n_array_len(supported_versions_data)));
+                struct s2n_stuffer supported_versions_stuffer = { 0 };
+                EXPECT_SUCCESS(s2n_stuffer_init(&supported_versions_stuffer, &supported_versions_blob));
+
+                /* Write length byte */
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, 2));
+                /* Write supported version */
+                uint8_t valid_supported_version = S2N_TLS13;
+                uint8_t invalid_supported_version = S2N_TLS13 + 10;
+                uint8_t supported_version = invalid_supported_version;
+                if (send_valid_version) {
+                    supported_version = valid_supported_version;
+                }
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, supported_version / 10));
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&supported_versions_stuffer, supported_version % 10));
+
+                struct s2n_override_extension_ctx context = {
+                    .extension_blob = supported_versions_blob
+                };
+                EXPECT_SUCCESS(s2n_config_set_client_hello_cb(config, s2n_override_supported_versions_cb, &context));
+
+                DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
+                        s2n_connection_ptr_free);
+                EXPECT_NOT_NULL(client);
+                EXPECT_SUCCESS(s2n_connection_set_config(client, config));
+
+                DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
+                        s2n_connection_ptr_free);
+                EXPECT_NOT_NULL(server);
+                EXPECT_SUCCESS(s2n_connection_set_config(server, config));
+
+                struct s2n_stuffer *hello_stuffer = &client->handshake.io;
+                EXPECT_SUCCESS(s2n_client_hello_send(client));
+
+                /* Overwrite the client hello version according to the test case. */
+                uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 };
+                protocol_version[0] = client_hello_version / 10;
+                protocol_version[1] = client_hello_version % 10;
+
+                EXPECT_SUCCESS(s2n_stuffer_rewrite(hello_stuffer));
+                EXPECT_SUCCESS(s2n_stuffer_write_bytes(hello_stuffer, protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
+                EXPECT_SUCCESS(s2n_stuffer_write(&server->handshake.io, &hello_stuffer->blob));
+
+                EXPECT_SUCCESS(s2n_client_hello_recv(server));
+
+                if (send_valid_version) {
+                    /* If a valid supported version was sent, the version should be reported regardless of
+                     * the client hello version.
+                     */
+                    EXPECT_EQUAL(s2n_connection_get_client_protocol_version(server), valid_supported_version);
+                } else {
+                    /* The reported client protocol version should fall back to the client hello version
+                     * if the received supported version is invalid.
+                     */
+                    EXPECT_EQUAL(s2n_connection_get_client_protocol_version(server), client_hello_version);
+                }
+            }
+        }
     }
 
     END_TEST();