1 files changed, 64 insertions, 10 deletions

diff --git a/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
index 43dfcba..1e406b6 100644
--- a/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -58,7 +58,7 @@ TEST_P(TlsConnectTls12, ConnectEcdheP384) {
   Reset(TlsAgent::kServerEcdsa384);
   ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
-            ssl_sig_ecdsa_secp384r1_sha384);
+            ssl_sig_ecdsa_secp256r1_sha256);
 }
 
 TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
@@ -75,8 +75,8 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
 // This causes a HelloRetryRequest in TLS 1.3.  Earlier versions don't care.
 TEST_P(TlsConnectGeneric, ConnectEcdheP384Server) {
   EnsureTlsSetup();
-  auto hrr_capture =
-      new TlsInspectorRecordHandshakeMessage(kTlsHandshakeHelloRetryRequest);
+  auto hrr_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
+      kTlsHandshakeHelloRetryRequest);
   server_->SetPacketFilter(hrr_capture);
   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
   server_->ConfigNamedGroups(groups);
@@ -191,6 +191,60 @@ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
             ssl_sig_rsa_pss_sha256);
 }
 
+class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
+ public:
+  TlsKeyExchangeGroupCapture() : group_(ssl_grp_none) {}
+
+  SSLNamedGroup group() const { return group_; }
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
+                                               const DataBuffer &input,
+                                               DataBuffer *output) {
+    if (header.handshake_type() != kTlsHandshakeServerKeyExchange) {
+      return KEEP;
+    }
+
+    uint32_t value = 0;
+    EXPECT_TRUE(input.Read(0, 1, &value));
+    EXPECT_EQ(3U, value) << "curve type has to be 3";
+
+    EXPECT_TRUE(input.Read(1, 2, &value));
+    group_ = static_cast<SSLNamedGroup>(value);
+
+    return KEEP;
+  }
+
+ private:
+  SSLNamedGroup group_;
+};
+
+// If we strip the client's supported groups extension, the server should assume
+// P-256 is supported by the client (<= 1.2 only).
+TEST_P(TlsConnectGenericPre13, DropSupportedGroupExtensionP256) {
+  EnsureTlsSetup();
+  client_->SetPacketFilter(
+      std::make_shared<TlsExtensionDropper>(ssl_supported_groups_xtn));
+  auto group_capture = std::make_shared<TlsKeyExchangeGroupCapture>();
+  server_->SetPacketFilter(group_capture);
+
+  ConnectExpectAlert(server_, kTlsAlertDecryptError);
+  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+
+  EXPECT_EQ(ssl_grp_ec_secp256r1, group_capture->group());
+}
+
+// Supported groups is mandatory in TLS 1.3.
+TEST_P(TlsConnectTls13, DropSupportedGroupExtension) {
+  EnsureTlsSetup();
+  client_->SetPacketFilter(
+      std::make_shared<TlsExtensionDropper>(ssl_supported_groups_xtn));
+  ConnectExpectAlert(server_, kTlsAlertMissingExtension);
+  client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION);
+}
+
 // If we only have a lame group, we fall back to static RSA.
 TEST_P(TlsConnectGenericPre13, UseLameGroup) {
   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp192r1};
@@ -431,7 +485,7 @@ TEST_P(TlsConnectGeneric, P256ClientAndCurve25519Server) {
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
-  ConnectExpectFail();
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
   server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
 }
@@ -507,25 +561,25 @@ class ECCServerKEXFilter : public TlsHandshakeFilter {
 
 TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyServerPoint) {
   // add packet filter
-  server_->SetPacketFilter(new ECCServerKEXFilter());
-  ConnectExpectFail();
+  server_->SetPacketFilter(std::make_shared<ECCServerKEXFilter>());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
   client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH);
 }
 
 TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyClientPoint) {
   // add packet filter
-  client_->SetPacketFilter(new ECCClientKEXFilter());
-  ConnectExpectFail();
+  client_->SetPacketFilter(std::make_shared<ECCClientKEXFilter>());
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
 }
 
 INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV11Plus));
 
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 #endif