-rw-r--r--gtests/nss_bogo_shim/nss_bogo_shim.cc37
-rw-r--r--lib/ssl/ssl3con.c8
2 files changed, 41 insertions, 4 deletions
diff --git a/gtests/nss_bogo_shim/nss_bogo_shim.cc b/gtests/nss_bogo_shim/nss_bogo_shim.cc
index bbab34baf..f653e3784 100644
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -529,7 +529,7 @@ class TestAgent {
return SECSuccess;
}
- SECStatus DoExchange() {
+ SECStatus DoExchange(bool resuming) {
SECStatus rv;
int earlyDataSent = 0;
sslSocket* ss = ssl_FindSocket(ssl_fd_.get());
@@ -537,6 +537,26 @@ class TestAgent {
return SECFailure;
}
+ /* Apply resumption SSL options (if any). */
+ if (resuming) {
+ /* Client options */
+ if (!cfg_.get<bool>("server")) {
+ auto resumeEchConfigList =
+ cfg_.get<std::string>("on-resume-ech-config-list");
+ if (!resumeEchConfigList.empty()) {
+ unsigned int binLen;
+ auto bin = ATOB_AsciiToData(resumeEchConfigList.c_str(), &binLen);
+ rv = SSLExp_SetClientEchConfigs(ssl_fd_.get(), bin, binLen);
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ std::cerr << "Setting up resuption ECH configs failed with error="
+ << err << FormatError(err) << std::endl;
+ }
+ free(bin);
+ }
+ }
+ }
+
/* If client send ClientHello. */
if (!cfg_.get<bool>("server")) {
ssl_Get1stHandshakeLock(ss);
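Review bot: A failure to install the resumption ECH configs is only logged, not returned, so the handshake proceeds without the intended ECH setup and a later `on-resume-expect-ech-accept` check fails with a misleading message; the block should `return SECFailure;` after printing the error. `bin` is also handed to SSLExp_SetClientEchConfigs without a null check — if ATOB_AsciiToData rejects the base64 input it returns NULL and `binLen` is left uninitialized — so the decode result should be checked before the call. The message at the print has a typo (`resuption`). DoExchange's body continues outside the hunk.
```cpp
      if (!resumeEchConfigList.empty()) {
        unsigned int binLen;
        auto bin = ATOB_AsciiToData(resumeEchConfigList.c_str(), &binLen);
        if (!bin) {
          std::cerr << "Decoding resumption ECH configs failed" << std::endl;
          return SECFailure;
        }
        rv = SSLExp_SetClientEchConfigs(ssl_fd_.get(), bin, binLen);
        free(bin);
        if (rv != SECSuccess) {
          PRErrorCode err = PR_GetError();
          std::cerr << "Setting up resumption ECH configs failed with error="
                    << err << FormatError(err) << std::endl;
          return SECFailure;
        }
      }
```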
@@ -713,6 +733,13 @@ class TestAgent {
return SECFailure;
}
+ if (cfg_.get<bool>("on-resume-expect-ech-accept")) {
+ if (!info.echAccepted) {
+ std::cerr << "Expected ECH on Resume" << std::endl;
+ return SECFailure;
+ }
+ }
+
if (cfg_.get<bool>("on-resume-expect-reject-early-data")) {
if (info.earlyDataAccepted) {
std::cerr << "Expected reject EarlyData" << std::endl;
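Review bot: The two nested ifs at the top of the hunk express a single condition and would read more directly as one: `if (cfg_.get<bool>("on-resume-expect-ech-accept") && !info.echAccepted) {`. The error message could also say what was expected rather than just "Expected ECH on Resume", e.g. `"Expected ECH to be accepted on resume"`, so a failing run is distinguishable from the initial-handshake ECH check. The enclosing function starts and ends outside the hunk.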
@@ -781,6 +808,7 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<std::string>("nss-cipher", "");
cfg->AddEntry<std::string>("host-name", "");
cfg->AddEntry<std::string>("ech-config-list", "");
+ cfg->AddEntry<std::string>("on-resume-ech-config-list", "");
cfg->AddEntry<bool>("expect-ech-accept", false);
cfg->AddEntry<bool>("expect-hrr", false);
cfg->AddEntry<bool>("enable-ech-grease", false);
@@ -796,6 +824,7 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<std::string>("expect-ech-retry-configs", "");
cfg->AddEntry<bool>("expect-no-ech-retry-configs", false);
cfg->AddEntry<bool>("on-initial-expect-ech-accept", false);
+ cfg->AddEntry<bool>("on-resume-expect-ech-accept", false);
auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {
@@ -811,9 +840,9 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
return std::move(cfg);
}
-bool RunCycle(std::unique_ptr<const Config>& cfg) {
+bool RunCycle(std::unique_ptr<const Config>& cfg, bool resuming = false) {
std::unique_ptr<TestAgent> agent(TestAgent::Create(*cfg));
- return agent && agent->DoExchange() == SECSuccess;
+ return agent && agent->DoExchange(resuming) == SECSuccess;
}
int GetExitCode(bool success) {
@@ -856,7 +885,7 @@ int main(int argc, char** argv) {
int resume_count = cfg->get<int>("resume-count");
while (success && resume_count-- > 0) {
std::cout << "Resuming" << std::endl;
- success = RunCycle(cfg);
+ success = RunCycle(cfg, true);
}
SSL_ClearSessionCache();
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index e05dc0612..103e41581 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -5352,6 +5352,14 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
if (!suite || !ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss)) {
sidOK = PR_FALSE;
}
+
+ /* Check that no (valid) ECHConfigs are setup in combination with a
+ * (resumable) TLS < 1.3 session id. */
+ if (!PR_CLIST_IS_EMPTY(&ss->echConfigs)) {
+ /* If there are ECH configs, the client must not resume but
+ * offer ECH. */
+ sidOK = PR_FALSE;
+ }
}
/* Check that we can recover the master secret. */
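Review bot: The comment above the new check says "(valid) ECHConfigs", but `PR_CLIST_IS_EMPTY(&ss->echConfigs)` only tests that the list is non-empty; nothing here validates the entries, so the comment overstates what is enforced. The second comment inside the if repeats the first, and I would merge the two into one above the check: `/* ECH and TLS < 1.3 resumption are mutually exclusive: if any ECHConfigs are configured, do not offer the old session id and let the client offer ECH instead. */`. The intent is sound — a client configured for ECH should not quietly fall back to a legacy resumption that bypasses the ECH-protected hello — but since the enclosing block (closed by the `}` after the check) and ssl3_SendClientHello itself start outside the hunk, I am inferring from the comment that this branch only runs for a pre-1.3 session id.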