/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
extern "C" {
// This is not something that should make you happy.
#include "libssl_internals.h"
}
#include "gtest_utils.h"
#include "nss_scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
namespace nss_test {
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519Supported) {
EnsureKeyShareSetup();
ConfigNamedGroups({ssl_grp_kem_mlkem768x25519});
Connect();
CheckKeys(ssl_kea_ecdh_hybrid, ssl_grp_kem_mlkem768x25519, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_rsae_sha256);
}
TEST_P(TlsKeyExchangeTest, Tls12ClientMlkem768x25519NotSupported) {
EnsureKeyShareSetup();
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(
client_->ssl_fd(),
kECDHEGroups.size() + kEcdhHybridGroups.size()));
Connect();
std::vector<SSLNamedGroup> groups = GetGroupDetails(groups_capture_);
for (
auto group : groups) {
EXPECT_NE(group, ssl_grp_kem_mlkem768x25519);
}
}
TEST_P(TlsKeyExchangeTest13, Tls12ServerMlkem768x25519NotSupported) {
EnsureKeyShareSetup();
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
client_->ConfigNamedGroups(
{ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(),
1));
server_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
server_->EnableCiphersByKeyExchange(ssl_kea_ecdh_hybrid);
server_->ConfigNamedGroups(
{ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
Connect();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_rsae_sha256);
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ClientDisabledByPolicy) {
EnsureKeyShareSetup();
client_->SetPolicy(SEC_OID_MLKEM768X25519,
0, NSS_USE_ALG_IN_SSL_KX);
ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1});
Connect();
CheckKEXDetails({ssl_grp_ec_secp256r1}, {ssl_grp_ec_secp256r1});
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ServerDisabledByPolicy) {
EnsureKeyShareSetup();
server_->SetPolicy(SEC_OID_MLKEM768X25519,
0, NSS_USE_ALG_IN_SSL_KX);
ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1});
Connect();
CheckKEXDetails({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_secp256r1},
{ssl_grp_kem_mlkem768x25519}, ssl_grp_ec_secp256r1);
}
static void CheckECDHShareReuse(
const std::shared_ptr<TlsExtensionCapture>& capture) {
EXPECT_TRUE(capture->captured());
const DataBuffer& ext = capture->extension();
DataBuffer hybrid_share;
DataBuffer x25519_share;
size_t offset =
0;
uint32_t ext_len;
ext.Read(
0,
2, &ext_len);
EXPECT_EQ(ext.len() -
2, ext_len);
offset +=
2;
uint32_t named_group;
uint32_t named_group_len;
ext.Read(offset,
2, &named_group);
ext.Read(offset +
2,
2, &named_group_len);
while (offset < ext.len()) {
if (named_group == ssl_grp_kem_mlkem768x25519) {
hybrid_share = DataBuffer(ext.data() + offset +
2 +
2, named_group_len);
}
if (named_group == ssl_grp_ec_curve25519) {
x25519_share = DataBuffer(ext.data() + offset +
2 +
2, named_group_len);
}
offset +=
2 +
2 + named_group_len;
ext.Read(offset,
2, &named_group);
ext.Read(offset +
2,
2, &named_group_len);
}
EXPECT_EQ(offset, ext.len());
ASSERT_TRUE(hybrid_share.data());
ASSERT_TRUE(x25519_share.data());
ASSERT_GT(hybrid_share.len(), x25519_share.len());
EXPECT_EQ(
0, memcmp(hybrid_share.data() + KYBER768_PUBLIC_KEY_BYTES,
x25519_share.data(), x25519_share.len()));
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) {
EnsureKeyShareSetup();
ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(),
1));
Connect();
CheckKEXDetails({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519},
{ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
CheckECDHShareReuse(shares_capture_);
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseSecond) {
EnsureKeyShareSetup();
ConfigNamedGroups({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(),
1));
Connect();
CheckKEXDetails({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519},
{ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519});
CheckECDHShareReuse(shares_capture_);
}
class Mlkem768x25519ShareDamager :
public TlsExtensionFilter {
public:
typedef enum {
downgrade,
extend,
truncate,
zero_ecdh,
modify_ecdh,
modify_mlkem,
modify_mlkem_pubkey_mod_q,
} damage_type;
Mlkem768x25519ShareDamager(
const std::shared_ptr<TlsAgent>& a,
damage_type damage)
: TlsExtensionFilter(a), damage_(damage) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) {
if (extension_type != ssl_tls13_key_share_xtn) {
return KEEP;
}
// Find the Mlkem768x25519 share
size_t offset =
0;
if (agent()->role() == TlsAgent::CLIENT) {
offset +=
2;
// skip KeyShareClientHello length
}
uint32_t named_group;
uint32_t named_group_len;
input.Read(offset,
2, &named_group);
input.Read(offset +
2,
2, &named_group_len);
while (named_group != ssl_grp_kem_mlkem768x25519) {
offset +=
2 +
2 + named_group_len;
input.Read(offset,
2, &named_group);
input.Read(offset +
2,
2, &named_group_len);
}
EXPECT_EQ(named_group, ssl_grp_kem_mlkem768x25519);
DataBuffer hybrid_key_share(input.data() + offset,
2 +
2 + named_group_len);
// Damage the Mlkem768x25519 share
uint32_t mlkem_component_len =
hybrid_key_share.len() -
2 -
2 - X25519_PUBLIC_KEY_BYTES;
unsigned char* ecdh_component =
hybrid_key_share.data() +
2 +
2 + mlkem_component_len;
unsigned char* mlkem_component = hybrid_key_share.data() +
2 +
2;
switch (damage_) {
case Mlkem768x25519ShareDamager::downgrade:
// Downgrade a Mlkem768x25519 share to X25519
memcpy(mlkem_component, ecdh_component, X25519_PUBLIC_KEY_BYTES);
hybrid_key_share.Truncate(
2 +
2 + X25519_PUBLIC_KEY_BYTES);
hybrid_key_share.Write(
0, ssl_grp_ec_curve25519,
2);
hybrid_key_share.Write(
2, X25519_PUBLIC_KEY_BYTES,
2);
break;
case Mlkem768x25519ShareDamager::truncate:
// Truncate a Mlkem768x25519 share before the X25519 component
hybrid_key_share.Truncate(
2 +
2 + mlkem_component_len);
hybrid_key_share.Write(
2, mlkem_component_len,
2);
break;
case Mlkem768x25519ShareDamager::extend:
// Append 4 bytes to a Mlkem768x25519 share
uint32_t current_len;
hybrid_key_share.Read(
2,
2, ¤t_len);
hybrid_key_share.Write(hybrid_key_share.len(), current_len,
4);
hybrid_key_share.Write(
2, current_len +
4,
2);
break;
case Mlkem768x25519ShareDamager::zero_ecdh:
// Replace an X25519 component with 0s
memset(ecdh_component,
0, X25519_PUBLIC_KEY_BYTES);
break;
case Mlkem768x25519ShareDamager::modify_ecdh:
// Flip a bit in the X25519 component
ecdh_component[
0] ^=
0x01;
break;
case Mlkem768x25519ShareDamager::modify_mlkem:
// Flip a bit in the mlkem component
mlkem_component[
0] ^=
0x01;
break;
case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q:
if (agent()->role() == TlsAgent::CLIENT) {
// Replace the client's public key with an sequence of 12-bit values
// in the same equivalence class mod 3329. The FIPS-203 input
// validation check should fail.
for (size_t i =
0; i < mlkem_component_len -
32; i +=
3) {
// Pairs of 12-bit coefficients are packed into 3 bytes.
// Unpack them, change equivalence class if possible, and repack.
uint16_t coeff0 =
mlkem_component[i] | ((mlkem_component[i +
1] &
0x0f) <<
8);
uint16_t coeff1 = (mlkem_component[i +
1] &
0xf0 >>
4) |
((mlkem_component[i +
2]) <<
4);
if (coeff0 <
4096 -
3329) {
coeff0 +=
3329;
}
if (coeff1 <
4096 -
3329) {
coeff1 +=
3329;
}
mlkem_component[i] = coeff0;
mlkem_component[i +
1] = (coeff0 >>
8) + ((coeff1 &
0x0f) <<
4);
mlkem_component[i +
2] = coeff1 >>
4;
}
}
break;
}
*output = input;
output->Splice(hybrid_key_share, offset,
2 +
2 + named_group_len);
// Fix the KeyShareClientHello length if necessary
if (agent()->role() == TlsAgent::CLIENT &&
hybrid_key_share.len() !=
2 +
2 + named_group_len) {
output->Write(
0, output->len() -
2,
2);
}
return CHANGE;
}
private:
damage_type damage_;
};
class TlsMlkem768x25519DamageTest
:
public TlsConnectTestBase,
public ::testing::WithParamInterface<
Mlkem768x25519ShareDamager::damage_type> {
public:
TlsMlkem768x25519DamageTest()
: TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {}
protected:
void Damage(
const std::shared_ptr<TlsAgent>& agent) {
EnsureTlsSetup();
client_->ConfigNamedGroups(
{ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519});
server_->ConfigNamedGroups(
{ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(),
1));
MakeTlsFilter<Mlkem768x25519ShareDamager>(agent, GetParam());
}
};
TEST_P(TlsMlkem768x25519DamageTest, DamageClientShare) {
Damage(client_);
switch (GetParam()) {
case Mlkem768x25519ShareDamager::extend:
case Mlkem768x25519ShareDamager::truncate:
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);
break;
case Mlkem768x25519ShareDamager::zero_ecdh:
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SEC_ERROR_INVALID_KEY);
break;
case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q:
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SEC_ERROR_INVALID_ARGS);
break;
case Mlkem768x25519ShareDamager::downgrade:
case Mlkem768x25519ShareDamager::modify_ecdh:
case Mlkem768x25519ShareDamager::modify_mlkem:
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
break;
}
}
TEST_P(TlsMlkem768x25519DamageTest, DamageServerShare) {
Damage(server_);
switch (GetParam()) {
case Mlkem768x25519ShareDamager::extend:
case Mlkem768x25519ShareDamager::truncate:
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);
break;
case Mlkem768x25519ShareDamager::zero_ecdh:
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
ConnectExpectFail();
client_->CheckErrorCode(SEC_ERROR_INVALID_KEY);
break;
case Mlkem768x25519ShareDamager::downgrade:
case Mlkem768x25519ShareDamager::modify_ecdh:
case Mlkem768x25519ShareDamager::modify_mlkem:
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
break;
case Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q:
// The server doesn't send a public key, so nothing is changed.
break;
}
}
INSTANTIATE_TEST_SUITE_P(
TlsMlkem768x25519DamageTest, TlsMlkem768x25519DamageTest,
::testing::Values(Mlkem768x25519ShareDamager::downgrade,
Mlkem768x25519ShareDamager::extend,
Mlkem768x25519ShareDamager::truncate,
Mlkem768x25519ShareDamager::zero_ecdh,
Mlkem768x25519ShareDamager::modify_ecdh,
Mlkem768x25519ShareDamager::modify_mlkem,
Mlkem768x25519ShareDamager::modify_mlkem_pubkey_mod_q));
}
// namespace nss_test
