proxygen
ClientProtocolTest.cpp
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018-present, Facebook, Inc.
3  * All rights reserved.
4  *
5  * This source code is licensed under the BSD-style license found in the
6  * LICENSE file in the root directory of this source tree.
7  */
8 
9 #include <gmock/gmock.h>
10 #include <gtest/gtest.h>
11 
12 #include <fizz/client/ClientProtocol.h>
13 #include <fizz/client/test/Mocks.h>
14 #include <fizz/client/test/Utilities.h>
15 #include <fizz/protocol/test/Matchers.h>
16 #include <fizz/protocol/test/ProtocolTest.h>
17 #include <fizz/protocol/test/TestMessages.h>
18 #include <fizz/record/test/Mocks.h>
19 
20 using namespace fizz::test;
21 using namespace folly;
22 using namespace testing;
23 
24 namespace fizz {
25 namespace client {
26 namespace test {
27 
28 class ClientProtocolTest : public ProtocolTest<ClientTypes, Actions> {
29  public:
30  void SetUp() override {
31  context_ = std::make_shared<FizzClientContext>();
32  context_->setSupportedVersions({ProtocolVersion::tls_1_3});
33  context_->setSupportedCiphers({CipherSuite::TLS_AES_128_GCM_SHA256,
34  CipherSuite::TLS_AES_256_GCM_SHA384});
35  auto mockFactory = std::make_unique<MockFactory>();
36  mockFactory->setDefaults();
37  factory_ = mockFactory.get();
38  context_->setFactory(std::move(mockFactory));
39  context_->setSupportedAlpns({"h2"});
40  verifier_ = std::make_shared<MockCertificateVerifier>();
41  pskCache_ = std::make_shared<MockPskCache>();
42  context_->setPskCache(pskCache_);
43  context_->setSendEarlyData(true);
44  mockLeaf_ = std::make_shared<MockPeerCert>();
45  mockClientCert_ = std::make_shared<MockSelfCert>();
46  }
47 
48  protected:
49  void setMockRecord() {
50  mockRead_ = new MockPlaintextReadRecordLayer();
51  mockWrite_ = new MockPlaintextWriteRecordLayer();
52  mockWrite_->setDefaults();
53  state_.readRecordLayer().reset(mockRead_);
54  state_.writeRecordLayer().reset(mockWrite_);
55  }
56 
57  void setMockHandshakeEncryptedRecord() {
58  mockHandshakeRead_ =
59  new MockEncryptedReadRecordLayer(EncryptionLevel::Handshake);
60  mockHandshakeWrite_ =
61  new MockEncryptedWriteRecordLayer(EncryptionLevel::Handshake);
62  mockHandshakeWrite_->setDefaults();
63  state_.readRecordLayer().reset(mockHandshakeRead_);
64  state_.writeRecordLayer().reset(mockHandshakeWrite_);
65  }
66 
67  void setMockEarlyRecord() {
68  mockEarlyWrite_ =
69  new MockEncryptedWriteRecordLayer(EncryptionLevel::EarlyData);
70  mockEarlyWrite_->setDefaults();
71  state_.earlyWriteRecordLayer().reset(mockEarlyWrite_);
72  }
73 
74  void setMockContextAndScheduler() {
75  auto handshakeContext = std::make_unique<MockHandshakeContext>();
76  mockHandshakeContext_ = handshakeContext.get();
77  mockHandshakeContext_->setDefaults();
78  state_.handshakeContext() = std::move(handshakeContext);
79  auto keyScheduler = std::make_unique<MockKeyScheduler>();
80  mockKeyScheduler_ = keyScheduler.get();
81  mockKeyScheduler_->setDefaults();
82  state_.keyScheduler() = std::move(keyScheduler);
83  }
84 
85  static ClientHello getDefaultClientHello() {
86  return TestMessages::clientHello();
87  }
88 
89  CachedPsk getCachedPsk() {
90  CachedPsk psk = getTestPsk("PSK", std::chrono::system_clock::now());
91  psk.serverCert = mockLeaf_;
92  psk.clientCert = mockClientCert_;
93  return psk;
94  }
95 
96  EarlyDataParams getEarlyDataParams() {
97  EarlyDataParams params;
98  params.version = TestProtocolVersion;
99  params.cipher = CipherSuite::TLS_AES_128_GCM_SHA256;
100  params.serverCert = mockLeaf_;
101  params.clientCert = mockClientCert_;
102  params.alpn = "h2";
103  params.earlyExporterSecret = IOBuf::copyBuffer("earlyexporter");
104  return params;
105  }
106 
107  void setupExpectingServerHello() {
108  setMockRecord();
109  state_.context() = context_;
110  state_.encodedClientHello() = IOBuf::copyBuffer("chlo");
111  auto mockKex = std::make_unique<MockKeyExchange>();
112  mockKex_ = mockKex.get();
113  mockKex_->setDefaults();
114  std::map<NamedGroup, std::unique_ptr<KeyExchange>> kexs;
115  kexs.emplace(NamedGroup::x25519, std::move(mockKex));
116  state_.keyExchangers() = std::move(kexs);
117  Random random;
118  random.fill(0x44);
119  state_.clientRandom() = std::move(random);
120  state_.legacySessionId() = IOBuf::create(0);
121  state_.sni() = "www.hostname.com";
122  state_.verifier() = verifier_;
123  state_.earlyDataType() = EarlyDataType::NotAttempted;
124  state_.state() = StateEnum::ExpectingServerHello;
125  state_.requestedExtensions() = std::vector<ExtensionType>(
126  {ExtensionType::supported_versions,
127  ExtensionType::key_share,
128  ExtensionType::key_share_old,
129  ExtensionType::server_name,
130  ExtensionType::application_layer_protocol_negotiation,
131  ExtensionType::pre_shared_key,
132  ExtensionType::early_data});
133  }
134 
135  void setupExpectingServerHelloAfterHrr() {
136  setupExpectingServerHello();
137  state_.keyExchangeType() = KeyExchangeType::HelloRetryRequest;
138  auto handshakeContext = std::make_unique<MockHandshakeContext>();
139  mockHandshakeContext_ = handshakeContext.get();
140  mockHandshakeContext_->setDefaults();
141  state_.handshakeContext() = std::move(handshakeContext);
142  state_.version() = TestProtocolVersion;
143  state_.cipher() = CipherSuite::TLS_AES_128_GCM_SHA256;
144  state_.group() = NamedGroup::x25519;
145  state_.requestedExtensions() = std::vector<ExtensionType>(
146  {ExtensionType::supported_versions,
147  ExtensionType::key_share,
148  ExtensionType::key_share_old,
149  ExtensionType::server_name,
150  ExtensionType::application_layer_protocol_negotiation,
151  ExtensionType::pre_shared_key,
152  ExtensionType::early_data});
153  }
154 
155  void setupExpectingEncryptedExtensions() {
156  setMockRecord();
157  setMockContextAndScheduler();
158  state_.context() = context_;
159  state_.earlyDataType() = EarlyDataType::NotAttempted;
160  state_.version() = TestProtocolVersion;
161  state_.cipher() = CipherSuite::TLS_AES_128_GCM_SHA256;
162  state_.state() = StateEnum::ExpectingEncryptedExtensions;
163  state_.requestedExtensions() = std::vector<ExtensionType>(
164  {ExtensionType::supported_versions,
165  ExtensionType::key_share,
166  ExtensionType::key_share_old,
167  ExtensionType::server_name,
168  ExtensionType::application_layer_protocol_negotiation,
169  ExtensionType::pre_shared_key,
170  ExtensionType::early_data});
171  }
172 
173  void setupExpectingEncryptedExtensionsEarlySent() {
174  setupExpectingEncryptedExtensions();
175  setMockEarlyRecord();
176  state_.attemptedPsk() = getCachedPsk();
177  state_.pskType() = PskType::Resumption;
178  state_.earlyDataType() = EarlyDataType::Attempted;
179  state_.earlyDataParams() = getEarlyDataParams();
180  }
181 
182  void setupExpectingCertificate() {
183  setMockRecord();
184  setMockContextAndScheduler();
185  state_.context() = context_;
186  state_.state() = StateEnum::ExpectingCertificate;
187  }
188 
189  void setupExpectingCertificateRequest() {
190  setMockRecord();
191  setMockContextAndScheduler();
192  context_->setClientCertificate(mockClientCert_);
193  state_.context() = context_;
194  state_.state() = StateEnum::ExpectingCertificate;
195  }
196 
197  void setupExpectingCertificateVerify() {
198  setMockRecord();
199  setMockContextAndScheduler();
200  state_.context() = context_;
201  state_.verifier() = verifier_;
202  mockIntermediate_ = std::make_shared<MockPeerCert>();
203  std::vector<std::shared_ptr<const PeerCert>> certs;
204  certs.push_back(mockLeaf_);
205  certs.push_back(mockIntermediate_);
206  state_.unverifiedCertChain() = std::move(certs);
207  state_.state() = StateEnum::ExpectingCertificateVerify;
208  state_.clientAuthRequested() = ClientAuthType::NotRequested;
209  }
210 
211  void setupExpectingFinished() {
212  setMockHandshakeEncryptedRecord();
213  setMockContextAndScheduler();
214  state_.context() = context_;
215  state_.version() = TestProtocolVersion;
216  state_.cipher() = CipherSuite::TLS_AES_128_GCM_SHA256;
217  state_.group() = NamedGroup::x25519;
218  state_.clientHandshakeSecret() = IOBuf::copyBuffer("cht");
219  state_.serverHandshakeSecret() = IOBuf::copyBuffer("sht");
220  state_.state() = StateEnum::ExpectingFinished;
221  state_.clientAuthRequested() = ClientAuthType::NotRequested;
222  state_.earlyDataType() = EarlyDataType::NotAttempted;
223  }
224 
225  void setupAcceptingData() {
226  setMockRecord();
227  setMockContextAndScheduler();
228  state_.version() = ProtocolVersion::tls_1_3;
229  state_.cipher() = CipherSuite::TLS_AES_128_GCM_SHA256;
230  state_.group() = NamedGroup::x25519;
231  state_.context() = context_;
232  state_.state() = StateEnum::Established;
233  state_.resumptionSecret() = IOBuf::copyBuffer("resumptionsecret");
234  state_.sni() = "www.hostname.com";
235  state_.serverCert() = mockLeaf_;
236  }
237 
238  void doFinishedFlow(ClientAuthType authType);
239 
240  std::shared_ptr<FizzClientContext> context_;
241  MockPlaintextReadRecordLayer* mockRead_;
242  MockPlaintextWriteRecordLayer* mockWrite_;
243  MockEncryptedWriteRecordLayer* mockEarlyWrite_;
244  MockEncryptedWriteRecordLayer* mockHandshakeWrite_;
245  MockEncryptedReadRecordLayer* mockHandshakeRead_;
246  MockKeyExchange* mockKex_;
247  MockKeyScheduler* mockKeyScheduler_;
248  MockHandshakeContext* mockHandshakeContext_;
249  std::shared_ptr<MockPeerCert> mockLeaf_;
250  std::shared_ptr<MockPeerCert> mockIntermediate_;
251  std::shared_ptr<MockSelfCert> mockClientCert_;
252  std::shared_ptr<MockCertificateVerifier> verifier_;
253  std::shared_ptr<MockPskCache> pskCache_;
254 };
255 
256 TEST_F(ClientProtocolTest, TestInvalidTransitionNoAlert) {
257  auto actions = ClientStateMachine().processAppWrite(state_, AppWrite());
258  expectError<FizzException>(actions, none, "invalid event");
259 }
260 
261 TEST_F(ClientProtocolTest, TestInvalidWriteNewSessionTicket) {
262  auto actions = ClientStateMachine().processWriteNewSessionTicket(
263  state_, WriteNewSessionTicket());
264  expectError<FizzException>(actions, none, "invalid event");
265 }
266 
267 TEST_F(ClientProtocolTest, TestInvalidTransitionAlert) {
268  setMockRecord();
269  EXPECT_CALL(*mockWrite_, _write(_));
270  auto actions = ClientStateMachine().processAppWrite(state_, AppWrite());
271  expectError<FizzException>(
272  actions, AlertDescription::unexpected_message, "invalid event");
273 }
274 
275 TEST_F(ClientProtocolTest, TestInvalidTransitionError) {
276  state_.state() = StateEnum::Error;
277  auto actions = ClientStateMachine().processAppWrite(state_, AppWrite());
278  expectActions<ReportError>(actions);
279 }
280 
281 TEST_F(ClientProtocolTest, TestConnectFlow) {
282  EXPECT_CALL(*factory_, makePlaintextReadRecordLayer())
283  .WillOnce(Invoke([this]() {
284  auto ret = std::make_unique<MockPlaintextReadRecordLayer>();
285  mockRead_ = ret.get();
286  return ret;
287  }));
288  EXPECT_CALL(*factory_, makePlaintextWriteRecordLayer())
289  .WillOnce(Invoke([this]() {
290  auto ret = std::make_unique<MockPlaintextWriteRecordLayer>();
291  mockWrite_ = ret.get();
292  EXPECT_CALL(*ret, _writeInitialClientHello(_))
293  .WillOnce(Invoke([](Buf& encoded) {
294  EXPECT_TRUE(IOBufEqualTo()(
295  encoded, encodeHandshake(getDefaultClientHello())));
296  TLSContent record;
297  record.contentType = ContentType::handshake;
298  record.encryptionLevel = EncryptionLevel::Plaintext;
299  record.data = IOBuf::copyBuffer("writtenchlo");
300  return record;
301  }));
302  return ret;
303  }));
304  EXPECT_CALL(*factory_, makeRandom()).WillOnce(Invoke([]() {
305  Random random;
306  random.fill(0x44);
307  return random;
308  }));
309  MockKeyExchange* mockKex;
310  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::x25519))
311  .WillOnce(InvokeWithoutArgs([&mockKex]() {
312  auto ret = std::make_unique<MockKeyExchange>();
313  EXPECT_CALL(*ret, generateKeyPair());
314  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
315  return IOBuf::copyBuffer("keyshare");
316  }));
317  mockKex = ret.get();
318  return ret;
319  }));
320 
321  Connect connect;
322  connect.context = context_;
323  connect.sni = "www.hostname.com";
324  connect.verifier = verifier_;
325  auto actions = detail::processEvent(state_, std::move(connect));
326 
327  expectActions<MutateState, WriteToSocket>(actions);
328  auto write = expectAction<WriteToSocket>(actions);
329  EXPECT_TRUE(
330  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("writtenchlo")));
331  processStateMutations(actions);
332  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
333  EXPECT_EQ(state_.readRecordLayer().get(), mockRead_);
334  EXPECT_EQ(state_.writeRecordLayer().get(), mockWrite_);
335  EXPECT_TRUE(IOBufEqualTo()(
336  *state_.encodedClientHello(), encodeHandshake(getDefaultClientHello())));
337  EXPECT_EQ(state_.keyExchangers()->size(), 1);
338  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::x25519).get(), mockKex);
339  EXPECT_EQ(state_.verifier(), verifier_);
340  EXPECT_EQ(*state_.sni(), "www.hostname.com");
341  Random random;
342  random.fill(0x44);
343  EXPECT_EQ(*state_.clientRandom(), random);
344  EXPECT_FALSE(state_.attemptedPsk().hasValue());
345  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::NotAttempted);
346  EXPECT_EQ(state_.earlyWriteRecordLayer().get(), nullptr);
347  EXPECT_FALSE(state_.earlyDataParams().hasValue());
348 }
349 
350 TEST_F(ClientProtocolTest, TestConnectPskFlow) {
351  auto psk = getCachedPsk();
352  EXPECT_CALL(*factory_, makePlaintextReadRecordLayer())
353  .WillOnce(Invoke([this]() {
354  auto ret = std::make_unique<MockPlaintextReadRecordLayer>();
355  mockRead_ = ret.get();
356  return ret;
357  }));
358  EXPECT_CALL(*factory_, makePlaintextWriteRecordLayer())
359  .WillOnce(Invoke([this]() {
360  auto ret = std::make_unique<MockPlaintextWriteRecordLayer>();
361  mockWrite_ = ret.get();
362  EXPECT_CALL(*ret, _writeInitialClientHello(_))
363  .WillOnce(Invoke([](Buf&) {
364  TLSContent record;
365  record.contentType = ContentType::handshake;
366  record.encryptionLevel = EncryptionLevel::Plaintext;
367  record.data = IOBuf::copyBuffer("writtenchlo");
368  return record;
369  }));
370  return ret;
371  }));
372  EXPECT_CALL(*factory_, makeRandom()).WillOnce(Invoke([]() {
373  Random random;
374  random.fill(0x44);
375  return random;
376  }));
377  MockKeyExchange* mockKex;
378  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::x25519))
379  .WillOnce(InvokeWithoutArgs([&mockKex]() {
380  auto ret = std::make_unique<MockKeyExchange>();
381  EXPECT_CALL(*ret, generateKeyPair());
382  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
383  return IOBuf::copyBuffer("keyshare");
384  }));
385  mockKex = ret.get();
386  return ret;
387  }));
388  mockKeyScheduler_ = new MockKeyScheduler();
389  mockHandshakeContext_ = new MockHandshakeContext();
390  Sequence contextSeq;
391  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
392  .WillOnce(InvokeWithoutArgs(
393  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
394  EXPECT_CALL(
395  *mockKeyScheduler_, deriveEarlySecret(RangeMatches("resumptionsecret")));
396  EXPECT_CALL(
397  *mockKeyScheduler_, getSecret(EarlySecrets::ResumptionPskBinder, _))
398  .WillOnce(InvokeWithoutArgs([]() {
399  return std::vector<uint8_t>({'b', 'k'});
400  }));
401  EXPECT_CALL(
402  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
403  .InSequence(contextSeq)
404  .WillOnce(InvokeWithoutArgs([=]() {
405  return std::unique_ptr<HandshakeContext>(mockHandshakeContext_);
406  }));
407  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
408  .InSequence(contextSeq);
409  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("bk")))
410  .InSequence(contextSeq)
411  .WillOnce(
412  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("binder"); }));
413  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
414  .InSequence(contextSeq);
415 
416  Connect connect;
417  connect.context = context_;
418  connect.sni = "www.hostname.com";
419  connect.cachedPsk = psk;
420  connect.verifier = verifier_;
421  auto actions = detail::processEvent(state_, std::move(connect));
422 
423  expectActions<MutateState, WriteToSocket>(actions);
424  auto write = expectAction<WriteToSocket>(actions);
425  EXPECT_TRUE(
426  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("writtenchlo")));
427  processStateMutations(actions);
428  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
429  EXPECT_EQ(state_.readRecordLayer().get(), mockRead_);
430  EXPECT_EQ(state_.writeRecordLayer().get(), mockWrite_);
431  EXPECT_EQ(state_.keyExchangers()->size(), 1);
432  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::x25519).get(), mockKex);
433  EXPECT_EQ(state_.verifier(), verifier_);
434  EXPECT_EQ(*state_.sni(), "www.hostname.com");
435  Random random;
436  random.fill(0x44);
437  EXPECT_EQ(*state_.clientRandom(), random);
438  EXPECT_TRUE(state_.legacySessionId().value()->empty());
439  EXPECT_FALSE(state_.sentCCS());
440  EXPECT_EQ(state_.attemptedPsk()->psk, psk.psk);
441  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::NotAttempted);
442  EXPECT_EQ(state_.earlyWriteRecordLayer().get(), nullptr);
443  EXPECT_FALSE(state_.earlyDataParams().hasValue());
444 }
445 
446 TEST_F(ClientProtocolTest, TestConnectPskEarlyFlow) {
447  auto psk = getCachedPsk();
448  psk.maxEarlyDataSize = 9000;
449  EXPECT_CALL(*factory_, makePlaintextReadRecordLayer())
450  .WillOnce(Invoke([this]() {
451  auto ret = std::make_unique<MockPlaintextReadRecordLayer>();
452  mockRead_ = ret.get();
453  return ret;
454  }));
455  EXPECT_CALL(*factory_, makePlaintextWriteRecordLayer())
456  .WillOnce(Invoke([this]() {
457  auto ret = std::make_unique<MockPlaintextWriteRecordLayer>();
458  mockWrite_ = ret.get();
459  EXPECT_CALL(*ret, _writeInitialClientHello(_))
460  .WillOnce(Invoke([](Buf&) {
461  TLSContent record;
462  record.contentType = ContentType::handshake;
463  record.encryptionLevel = EncryptionLevel::Plaintext;
464  record.data = IOBuf::copyBuffer("writtenchlo");
465  return record;
466  }));
467  return ret;
468  }));
469  EXPECT_CALL(*factory_, makeRandom()).WillOnce(Invoke([]() {
470  Random random;
471  random.fill(0x44);
472  return random;
473  }));
474  MockKeyExchange* mockKex;
475  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::x25519))
476  .WillOnce(InvokeWithoutArgs([&mockKex]() {
477  auto ret = std::make_unique<MockKeyExchange>();
478  EXPECT_CALL(*ret, generateKeyPair());
479  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
480  return IOBuf::copyBuffer("keyshare");
481  }));
482  mockKex = ret.get();
483  return ret;
484  }));
485  mockKeyScheduler_ = new MockKeyScheduler();
486  mockHandshakeContext_ = new MockHandshakeContext();
487  Sequence contextSeq;
488  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
489  .WillOnce(InvokeWithoutArgs(
490  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
491  EXPECT_CALL(
492  *mockKeyScheduler_, deriveEarlySecret(RangeMatches("resumptionsecret")));
493  EXPECT_CALL(
494  *mockKeyScheduler_, getSecret(EarlySecrets::ResumptionPskBinder, _))
495  .WillOnce(InvokeWithoutArgs([]() {
496  return std::vector<uint8_t>({'b', 'k'});
497  }));
498  EXPECT_CALL(
499  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
500  .InSequence(contextSeq)
501  .WillOnce(InvokeWithoutArgs([=]() {
502  return std::unique_ptr<HandshakeContext>(mockHandshakeContext_);
503  }));
504  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
505  .InSequence(contextSeq);
506  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("bk")))
507  .InSequence(contextSeq)
508  .WillOnce(
509  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("binder"); }));
510  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
511  .InSequence(contextSeq);
512  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
513  .WillRepeatedly(
514  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("chlo"); }));
515  EXPECT_CALL(
516  *mockKeyScheduler_,
517  getSecret(EarlySecrets::EarlyExporter, RangeMatches("chlo")))
518  .WillOnce(InvokeWithoutArgs([]() {
519  return std::vector<uint8_t>({'e', 'e'});
520  }));
521 
522  EXPECT_CALL(
523  *mockKeyScheduler_,
524  getSecret(EarlySecrets::ClientEarlyTraffic, RangeMatches("chlo")))
525  .WillOnce(InvokeWithoutArgs([]() {
526  return std::vector<uint8_t>({'c', 'e', 't'});
527  }));
528  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cet"), _, _))
529  .WillOnce(InvokeWithoutArgs([]() {
530  return TrafficKey{IOBuf::copyBuffer("clientearlykey"),
531  IOBuf::copyBuffer("clientearlyiv")};
532  }));
533  MockAead* earlyAead;
534  MockEncryptedWriteRecordLayer* earlyRecordLayer;
535  expectAeadCreation({{"clientearlykey", &earlyAead}});
536  expectEncryptedWriteRecordLayerCreation(
537  &earlyRecordLayer, &earlyAead, StringPiece("cet"));
538 
539  Connect connect;
540  connect.context = context_;
541  connect.sni = "www.hostname.com";
542  connect.cachedPsk = psk;
543  connect.verifier = verifier_;
544  auto actions = detail::processEvent(state_, std::move(connect));
545 
546  expectActions<MutateState, WriteToSocket, ReportEarlyHandshakeSuccess>(
547  actions);
548  auto write = expectAction<WriteToSocket>(actions);
549  EXPECT_TRUE(
550  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("writtenchlo")));
551  auto earlySuccess = expectAction<ReportEarlyHandshakeSuccess>(actions);
552  EXPECT_EQ(earlySuccess.maxEarlyDataSize, 9000);
553  processStateMutations(actions);
554  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
555  EXPECT_EQ(state_.readRecordLayer().get(), mockRead_);
556  EXPECT_EQ(state_.writeRecordLayer().get(), mockWrite_);
557  EXPECT_EQ(state_.keyExchangers()->size(), 1);
558  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::x25519).get(), mockKex);
559  EXPECT_EQ(state_.verifier(), verifier_);
560  EXPECT_EQ(*state_.sni(), "www.hostname.com");
561  Random random;
562  random.fill(0x44);
563  EXPECT_EQ(*state_.clientRandom(), random);
564  EXPECT_TRUE(state_.legacySessionId().value()->empty());
565  EXPECT_FALSE(state_.sentCCS());
566  EXPECT_EQ(state_.attemptedPsk()->psk, psk.psk);
567  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Attempted);
568  EXPECT_EQ(state_.earlyWriteRecordLayer().get(), earlyRecordLayer);
569  EXPECT_EQ(state_.earlyDataParams()->version, TestProtocolVersion);
570  EXPECT_EQ(
571  state_.earlyDataParams()->cipher, CipherSuite::TLS_AES_128_GCM_SHA256);
572  EXPECT_EQ(state_.earlyDataParams()->serverCert, mockLeaf_);
573  EXPECT_EQ(state_.earlyDataParams()->clientCert, mockClientCert_);
574  EXPECT_EQ(state_.earlyDataParams()->alpn, "h2");
575  EXPECT_TRUE(IOBufEqualTo()(
576  state_.earlyDataParams()->earlyExporterSecret, IOBuf::copyBuffer("ee")));
577 }
578 
579 TEST_F(ClientProtocolTest, TestConnectNoHostNoPsk) {
580  Connect connect;
581  connect.context = context_;
582  auto actions = detail::processEvent(state_, std::move(connect));
583  expectActions<MutateState, WriteToSocket>(actions);
584  processStateMutations(actions);
585  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
586  EXPECT_FALSE(state_.attemptedPsk().hasValue());
587 }
588 
589 TEST_F(ClientProtocolTest, TestConnectPskBadVersion) {
590  Connect connect;
591  connect.context = context_;
592  auto psk = getCachedPsk();
593  psk.version = ProtocolVersion::tls_1_2;
594  connect.cachedPsk = psk;
595  auto actions = detail::processEvent(state_, std::move(connect));
596  expectActions<MutateState, WriteToSocket>(actions);
597  processStateMutations(actions);
598  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
599  EXPECT_FALSE(state_.attemptedPsk().hasValue());
600 }
601 
602 TEST_F(ClientProtocolTest, TestConnectPskBadCipher) {
603  context_->setSupportedCiphers({CipherSuite::TLS_AES_128_GCM_SHA256});
604  Connect connect;
605  connect.context = context_;
606  auto psk = getCachedPsk();
607  psk.cipher = CipherSuite::TLS_AES_256_GCM_SHA384;
608  connect.cachedPsk = psk;
609  auto actions = detail::processEvent(state_, std::move(connect));
610  expectActions<MutateState, WriteToSocket>(actions);
611  processStateMutations(actions);
612  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
613  EXPECT_FALSE(state_.attemptedPsk().hasValue());
614 }
615 
616 TEST_F(ClientProtocolTest, TestConnectSeparatePskIdentity) {
617  Connect connect;
618  connect.context = context_;
619  connect.sni = "www.hostname.com";
620  auto psk = getCachedPsk();
621  connect.cachedPsk = psk;
622  auto actions = detail::processEvent(state_, std::move(connect));
623  expectActions<MutateState, WriteToSocket>(actions);
624  processStateMutations(actions);
625  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
626  EXPECT_EQ(state_.attemptedPsk()->psk, psk.psk);
627 }
628 
629 TEST_F(ClientProtocolTest, TestConnectPskIdentityWithoutSni) {
630  Connect connect;
631  connect.context = context_;
632  auto psk = getCachedPsk();
633  connect.cachedPsk = psk;
634  auto actions = detail::processEvent(state_, std::move(connect));
635  expectActions<MutateState, WriteToSocket>(actions);
636  processStateMutations(actions);
637  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
638  EXPECT_EQ(state_.attemptedPsk()->psk, psk.psk);
639  EXPECT_FALSE(state_.sni().hasValue());
640 }
641 
642 TEST_F(ClientProtocolTest, TestConnectNoSni) {
643  Connect connect;
644  connect.context = context_;
645  connect.verifier = verifier_;
646  auto actions = detail::processEvent(state_, std::move(connect));
647  expectActions<MutateState, WriteToSocket>(actions);
648  processStateMutations(actions);
649  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
650  auto chlo = getDefaultClientHello();
651  TestMessages::removeExtension(chlo, ExtensionType::server_name);
652  EXPECT_TRUE(IOBufEqualTo()(
653  *state_.encodedClientHello(), encodeHandshake(std::move(chlo))));
654  EXPECT_EQ(state_.verifier(), verifier_);
655  EXPECT_FALSE(state_.sni().hasValue());
656 }
657 
658 TEST_F(ClientProtocolTest, TestConnectNoAlpn) {
659  context_->setSupportedAlpns({});
660  Connect connect;
661  connect.context = context_;
662  connect.sni = "www.hostname.com";
663  auto actions = detail::processEvent(state_, std::move(connect));
664  expectActions<MutateState, WriteToSocket>(actions);
665  processStateMutations(actions);
666  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
667  auto chlo = getDefaultClientHello();
668  TestMessages::removeExtension(
669  chlo, ExtensionType::application_layer_protocol_negotiation);
670  EXPECT_TRUE(IOBufEqualTo()(
671  *state_.encodedClientHello(), encodeHandshake(std::move(chlo))));
672 }
673 
674 TEST_F(ClientProtocolTest, TestConnectExtension) {
675  Connect connect;
676  connect.context = context_;
677  connect.verifier = verifier_;
678  connect.sni = "www.hostname.com";
679  auto extensions = std::make_shared<MockClientExtensions>();
680  connect.extensions = extensions;
681  EXPECT_CALL(*extensions, getClientHelloExtensions())
682  .WillOnce(InvokeWithoutArgs([]() {
683  Extension ext;
684  ext.extension_type = ExtensionType::token_binding;
685  ext.extension_data = folly::IOBuf::copyBuffer("some extension");
686  std::vector<Extension> exts;
687  exts.push_back(std::move(ext));
688  return exts;
689  }));
690  auto actions = detail::processEvent(state_, std::move(connect));
691  expectActions<MutateState, WriteToSocket>(actions);
692  processStateMutations(actions);
693  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
694  auto chlo = getDefaultClientHello();
695  Extension ext;
696  ext.extension_type = ExtensionType::token_binding;
697  ext.extension_data = folly::IOBuf::copyBuffer("some extension");
698  chlo.extensions.push_back(std::move(ext));
699  EXPECT_TRUE(IOBufEqualTo()(
700  *state_.encodedClientHello(), encodeHandshake(std::move(chlo))));
701 }
702 
703 TEST_F(ClientProtocolTest, TestConnectMultipleShares) {
704  MockKeyExchange* mockKex1;
705  MockKeyExchange* mockKex2;
706  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::x25519))
707  .WillOnce(InvokeWithoutArgs([&mockKex1]() {
708  auto ret = std::make_unique<MockKeyExchange>();
709  EXPECT_CALL(*ret, generateKeyPair());
710  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
711  return IOBuf::copyBuffer("x25519share");
712  }));
713  mockKex1 = ret.get();
714  return ret;
715  }));
716  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::secp256r1))
717  .WillOnce(InvokeWithoutArgs([&mockKex2]() {
718  auto ret = std::make_unique<MockKeyExchange>();
719  EXPECT_CALL(*ret, generateKeyPair());
720  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
721  return IOBuf::copyBuffer("p256share");
722  }));
723  mockKex2 = ret.get();
724  return ret;
725  }));
726 
727  context_->setDefaultShares({NamedGroup::x25519, NamedGroup::secp256r1});
728  Connect connect;
729  connect.context = context_;
730  connect.sni = "www.hostname.com";
731  auto actions = detail::processEvent(state_, std::move(connect));
732  expectActions<MutateState, WriteToSocket>(actions);
733  processStateMutations(actions);
734  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
735  EXPECT_EQ(state_.keyExchangers()->size(), 2);
736  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::x25519).get(), mockKex1);
737  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::secp256r1).get(), mockKex2);
738 }
739 
740 TEST_F(ClientProtocolTest, TestConnectCachedGroup) {
741  context_->setDefaultShares({NamedGroup::x25519});
742  MockKeyExchange* mockKex;
743  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::secp256r1))
744  .WillOnce(InvokeWithoutArgs([&mockKex]() {
745  auto ret = std::make_unique<MockKeyExchange>();
746  EXPECT_CALL(*ret, generateKeyPair());
747  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
748  return IOBuf::copyBuffer("p256share");
749  }));
750  mockKex = ret.get();
751  return ret;
752  }));
753 
754  auto psk = getCachedPsk();
755  psk.group = NamedGroup::secp256r1;
756 
757  Connect connect;
758  connect.context = context_;
759  connect.cachedPsk = psk;
760  auto actions = detail::processEvent(state_, std::move(connect));
761  expectActions<MutateState, WriteToSocket>(actions);
762  processStateMutations(actions);
763  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
764  EXPECT_EQ(state_.keyExchangers()->size(), 1);
765  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::secp256r1).get(), mockKex);
766 }
767 
768 TEST_F(ClientProtocolTest, TestConnectNoShares) {
769  context_->setDefaultShares({});
770  Connect connect;
771  connect.context = context_;
772  connect.sni = "www.hostname.com";
773  auto actions = detail::processEvent(state_, std::move(connect));
774  expectActions<MutateState, WriteToSocket>(actions);
775  processStateMutations(actions);
776  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
777  EXPECT_EQ(state_.keyExchangers()->size(), 0);
778 }
779 
780 TEST_F(ClientProtocolTest, TestConnectPskEarly) {
781  Connect connect;
782  connect.context = context_;
783  auto psk = getCachedPsk();
784  psk.maxEarlyDataSize = 1000;
785  connect.cachedPsk = psk;
786  auto actions = detail::processEvent(state_, std::move(connect));
787  expectActions<MutateState, WriteToSocket, ReportEarlyHandshakeSuccess>(
788  actions);
789  processStateMutations(actions);
790  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
791  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Attempted);
792  EXPECT_TRUE(state_.earlyDataParams().hasValue());
793 }
794 
795 TEST_F(ClientProtocolTest, TestConnectPskEarlyNoAlpn) {
796  Connect connect;
797  connect.context = context_;
798  auto psk = getCachedPsk();
799  psk.maxEarlyDataSize = 1000;
800  psk.alpn = folly::none;
801  connect.cachedPsk = psk;
802  auto actions = detail::processEvent(state_, std::move(connect));
803  expectActions<MutateState, WriteToSocket, ReportEarlyHandshakeSuccess>(
804  actions);
805  processStateMutations(actions);
806  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
807  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Attempted);
808  EXPECT_TRUE(state_.earlyDataParams().hasValue());
809  EXPECT_EQ(state_.earlyDataParams()->alpn, folly::none);
810 }
811 
812 TEST_F(ClientProtocolTest, TestConnectPskEarlyDisabled) {
813  context_->setSendEarlyData(false);
814  Connect connect;
815  connect.context = context_;
816  auto psk = getCachedPsk();
817  psk.maxEarlyDataSize = 1000;
818  connect.cachedPsk = psk;
819  auto actions = detail::processEvent(state_, std::move(connect));
820  expectActions<MutateState, WriteToSocket>(actions);
821  processStateMutations(actions);
822  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
823  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::NotAttempted);
824  EXPECT_FALSE(state_.earlyDataParams().hasValue());
825 }
826 
827 TEST_F(ClientProtocolTest, TestConnectPskEarlyAlpnMismatch) {
828  Connect connect;
829  connect.context = context_;
830  auto psk = getCachedPsk();
831  psk.maxEarlyDataSize = 1000;
832  psk.alpn = "gopher";
833  connect.cachedPsk = psk;
834  auto actions = detail::processEvent(state_, std::move(connect));
835  expectActions<MutateState, WriteToSocket>(actions);
836  processStateMutations(actions);
837  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
838  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::NotAttempted);
839  EXPECT_FALSE(state_.earlyDataParams().hasValue());
840 }
841 
842 TEST_F(ClientProtocolTest, TestConnectCompat) {
843  context_->setCompatibilityMode(true);
844  Connect connect;
845  connect.context = context_;
846  connect.sni = "www.hostname.com";
847  auto actions = detail::processEvent(state_, std::move(connect));
848  expectActions<MutateState, WriteToSocket>(actions);
849  processStateMutations(actions);
850  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
851  EXPECT_FALSE(state_.sentCCS());
852  EXPECT_FALSE(state_.legacySessionId().value()->empty());
853 }
854 
855 TEST_F(ClientProtocolTest, TestConnectCompatEarly) {
856  context_->setCompatibilityMode(true);
857  Connect connect;
858  connect.context = context_;
859  auto psk = getCachedPsk();
860  psk.maxEarlyDataSize = 1000;
861  connect.cachedPsk = psk;
862  auto actions = detail::processEvent(state_, std::move(connect));
863  expectActions<MutateState, WriteToSocket, ReportEarlyHandshakeSuccess>(
864  actions);
865  processStateMutations(actions);
866  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
867  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Attempted);
868  EXPECT_TRUE(state_.earlyDataParams().hasValue());
869  EXPECT_FALSE(state_.sentCCS());
870  EXPECT_FALSE(state_.legacySessionId().value()->empty());
871 }
872 
873 TEST_F(ClientProtocolTest, TestServerHelloFlow) {
874  setupExpectingServerHello();
875  mockKeyScheduler_ = new MockKeyScheduler();
876  mockHandshakeContext_ = new MockHandshakeContext();
877  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
878  .WillOnce(InvokeWithoutArgs(
879  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
880  EXPECT_CALL(
881  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
882  .WillOnce(InvokeWithoutArgs([=]() {
883  return std::unique_ptr<HandshakeContext>(mockHandshakeContext_);
884  }));
885  Sequence contextSeq;
886  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(BufMatches("chlo")))
887  .InSequence(contextSeq);
888  EXPECT_CALL(
889  *mockHandshakeContext_, appendToTranscript(BufMatches("shloencoding")))
890  .InSequence(contextSeq);
891  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
892  .InSequence(contextSeq)
893  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo_shlo"); }));
894  EXPECT_CALL(*mockKex_, generateSharedSecret(RangeMatches("servershare")))
895  .WillOnce(InvokeWithoutArgs(
896  []() { return IOBuf::copyBuffer("sharedsecret"); }));
897  EXPECT_CALL(
898  *mockKeyScheduler_, deriveHandshakeSecret(RangeMatches("sharedsecret")));
899  EXPECT_CALL(
900  *mockKeyScheduler_,
901  getSecret(
902  HandshakeSecrets::ServerHandshakeTraffic, RangeMatches("chlo_shlo")))
903  .WillOnce(InvokeWithoutArgs([]() {
904  return std::vector<uint8_t>({'s', 'h', 't'});
905  }));
906  EXPECT_CALL(
907  *mockKeyScheduler_,
908  getSecret(
909  HandshakeSecrets::ClientHandshakeTraffic, RangeMatches("chlo_shlo")))
910  .WillOnce(InvokeWithoutArgs([]() {
911  return std::vector<uint8_t>({'c', 'h', 't'});
912  }));
913  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sht"), _, _))
914  .WillOnce(InvokeWithoutArgs([]() {
915  return TrafficKey{IOBuf::copyBuffer("serverkey"),
916  IOBuf::copyBuffer("serveriv")};
917  }));
918  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cht"), _, _))
919  .WillOnce(InvokeWithoutArgs([]() {
920  return TrafficKey{IOBuf::copyBuffer("clientkey"),
921  IOBuf::copyBuffer("clientiv")};
922  }));
923  MockAead* raead;
924  MockAead* waead;
925  MockEncryptedReadRecordLayer* rrl;
926  MockEncryptedWriteRecordLayer* wrl;
927  expectAeadCreation(&waead, &raead);
928  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sht"));
929  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cht"));
930 
931  auto actions = detail::processEvent(state_, TestMessages::serverHello());
932  expectActions<MutateState>(actions);
933  processStateMutations(actions);
934  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
935  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
936  EXPECT_EQ(
937  state_.readRecordLayer()->getEncryptionLevel(),
938  EncryptionLevel::Handshake);
939  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
940  EXPECT_EQ(
941  state_.writeRecordLayer()->getEncryptionLevel(),
942  EncryptionLevel::Handshake);
943  EXPECT_EQ(state_.handshakeContext().get(), mockHandshakeContext_);
944  EXPECT_EQ(state_.keyScheduler().get(), mockKeyScheduler_);
945  EXPECT_EQ(state_.version(), TestProtocolVersion);
946  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
947  EXPECT_EQ(state_.group(), NamedGroup::x25519);
948  EXPECT_TRUE(IOBufEqualTo()(
949  *state_.clientHandshakeSecret(), IOBuf::copyBuffer("cht")));
950  EXPECT_TRUE(IOBufEqualTo()(
951  *state_.serverHandshakeSecret(), IOBuf::copyBuffer("sht")));
952  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::OneRtt);
953  EXPECT_EQ(state_.pskType(), PskType::NotAttempted);
954  EXPECT_EQ(state_.serverCert(), nullptr);
955 }
956 
957 TEST_F(ClientProtocolTest, TestServerHelloAfterHrrFlow) {
958  setupExpectingServerHelloAfterHrr();
959  mockKeyScheduler_ = new MockKeyScheduler();
960  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
961  .WillOnce(InvokeWithoutArgs(
962  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
963  Sequence contextSeq;
964  EXPECT_CALL(
965  *mockHandshakeContext_, appendToTranscript(BufMatches("shloencoding")))
966  .InSequence(contextSeq);
967  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
968  .InSequence(contextSeq)
969  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo_shlo"); }));
970  EXPECT_CALL(*mockKex_, generateSharedSecret(RangeMatches("servershare")))
971  .WillOnce(InvokeWithoutArgs(
972  []() { return IOBuf::copyBuffer("sharedsecret"); }));
973  EXPECT_CALL(
974  *mockKeyScheduler_, deriveHandshakeSecret(RangeMatches("sharedsecret")));
975  EXPECT_CALL(
976  *mockKeyScheduler_,
977  getSecret(
978  HandshakeSecrets::ServerHandshakeTraffic, RangeMatches("chlo_shlo")))
979  .WillOnce(InvokeWithoutArgs([]() {
980  return std::vector<uint8_t>({'s', 'h', 't'});
981  }));
982  EXPECT_CALL(
983  *mockKeyScheduler_,
984  getSecret(
985  HandshakeSecrets::ClientHandshakeTraffic, RangeMatches("chlo_shlo")))
986  .WillOnce(InvokeWithoutArgs([]() {
987  return std::vector<uint8_t>({'c', 'h', 't'});
988  }));
989  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sht"), _, _))
990  .WillOnce(InvokeWithoutArgs([]() {
991  return TrafficKey{IOBuf::copyBuffer("serverkey"),
992  IOBuf::copyBuffer("serveriv")};
993  }));
994  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cht"), _, _))
995  .WillOnce(InvokeWithoutArgs([]() {
996  return TrafficKey{IOBuf::copyBuffer("clientkey"),
997  IOBuf::copyBuffer("clientiv")};
998  }));
999  MockAead* raead;
1000  MockAead* waead;
1001  MockEncryptedReadRecordLayer* rrl;
1002  MockEncryptedWriteRecordLayer* wrl;
1003  expectAeadCreation(&waead, &raead);
1004  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sht"));
1005  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cht"));
1006 
1007  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1008  expectActions<MutateState>(actions);
1009  processStateMutations(actions);
1010  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1011  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
1012  EXPECT_EQ(
1013  state_.readRecordLayer()->getEncryptionLevel(),
1014  EncryptionLevel::Handshake);
1015  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
1016  EXPECT_EQ(
1017  state_.writeRecordLayer()->getEncryptionLevel(),
1018  EncryptionLevel::Handshake);
1019  EXPECT_EQ(state_.handshakeContext().get(), mockHandshakeContext_);
1020  EXPECT_EQ(state_.keyScheduler().get(), mockKeyScheduler_);
1021  EXPECT_EQ(state_.version(), TestProtocolVersion);
1022  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1023  EXPECT_EQ(state_.group(), NamedGroup::x25519);
1024  EXPECT_TRUE(IOBufEqualTo()(
1025  *state_.clientHandshakeSecret(), IOBuf::copyBuffer("cht")));
1026  EXPECT_TRUE(IOBufEqualTo()(
1027  *state_.serverHandshakeSecret(), IOBuf::copyBuffer("sht")));
1028  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::HelloRetryRequest);
1029  EXPECT_EQ(state_.pskType(), PskType::NotAttempted);
1030  EXPECT_EQ(state_.serverCert(), nullptr);
1031 }
1032 
1033 TEST_F(ClientProtocolTest, TestServerHelloPskFlow) {
1034  setupExpectingServerHello();
1035  state_.attemptedPsk() = getCachedPsk();
1036  mockKeyScheduler_ = new MockKeyScheduler();
1037  mockHandshakeContext_ = new MockHandshakeContext();
1038  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
1039  .WillOnce(InvokeWithoutArgs(
1040  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
1041  EXPECT_CALL(
1042  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1043  .WillOnce(InvokeWithoutArgs([=]() {
1044  return std::unique_ptr<HandshakeContext>(mockHandshakeContext_);
1045  }));
1046  Sequence contextSeq;
1047  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(BufMatches("chlo")))
1048  .InSequence(contextSeq);
1049  EXPECT_CALL(
1050  *mockHandshakeContext_, appendToTranscript(BufMatches("shloencoding")))
1051  .InSequence(contextSeq);
1052  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
1053  .InSequence(contextSeq)
1054  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo_shlo"); }));
1055  EXPECT_CALL(*mockKex_, generateSharedSecret(RangeMatches("servershare")))
1056  .WillOnce(InvokeWithoutArgs(
1057  []() { return IOBuf::copyBuffer("sharedsecret"); }));
1058  EXPECT_CALL(
1059  *mockKeyScheduler_, deriveEarlySecret(RangeMatches("resumptionsecret")));
1060  EXPECT_CALL(
1061  *mockKeyScheduler_, deriveHandshakeSecret(RangeMatches("sharedsecret")));
1062  EXPECT_CALL(
1063  *mockKeyScheduler_,
1064  getSecret(
1065  HandshakeSecrets::ServerHandshakeTraffic, RangeMatches("chlo_shlo")))
1066  .WillOnce(InvokeWithoutArgs([]() {
1067  return std::vector<uint8_t>({'s', 'h', 't'});
1068  }));
1069  EXPECT_CALL(
1070  *mockKeyScheduler_,
1071  getSecret(
1072  HandshakeSecrets::ClientHandshakeTraffic, RangeMatches("chlo_shlo")))
1073  .WillOnce(InvokeWithoutArgs([]() {
1074  return std::vector<uint8_t>({'c', 'h', 't'});
1075  }));
1076  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sht"), _, _))
1077  .WillOnce(InvokeWithoutArgs([]() {
1078  return TrafficKey{IOBuf::copyBuffer("serverkey"),
1079  IOBuf::copyBuffer("serveriv")};
1080  }));
1081  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cht"), _, _))
1082  .WillOnce(InvokeWithoutArgs([]() {
1083  return TrafficKey{IOBuf::copyBuffer("clientkey"),
1084  IOBuf::copyBuffer("clientiv")};
1085  }));
1086  MockAead* raead;
1087  MockAead* waead;
1088  MockEncryptedReadRecordLayer* rrl;
1089  MockEncryptedWriteRecordLayer* wrl;
1090  expectAeadCreation(&waead, &raead);
1091  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sht"));
1092  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cht"));
1093 
1094  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1095  expectActions<MutateState>(actions);
1096  processStateMutations(actions);
1097  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1098  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
1099  EXPECT_EQ(
1100  state_.readRecordLayer()->getEncryptionLevel(),
1101  EncryptionLevel::Handshake);
1102  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
1103  EXPECT_EQ(
1104  state_.writeRecordLayer()->getEncryptionLevel(),
1105  EncryptionLevel::Handshake);
1106  EXPECT_EQ(state_.handshakeContext().get(), mockHandshakeContext_);
1107  EXPECT_EQ(state_.keyScheduler().get(), mockKeyScheduler_);
1108  EXPECT_EQ(state_.version(), TestProtocolVersion);
1109  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1110  EXPECT_EQ(state_.group(), NamedGroup::x25519);
1111  EXPECT_TRUE(IOBufEqualTo()(
1112  *state_.clientHandshakeSecret(), IOBuf::copyBuffer("cht")));
1113  EXPECT_TRUE(IOBufEqualTo()(
1114  *state_.serverHandshakeSecret(), IOBuf::copyBuffer("sht")));
1115  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::OneRtt);
1116  EXPECT_EQ(state_.pskType(), PskType::Resumption);
1117  EXPECT_EQ(state_.serverCert(), mockLeaf_);
1118  EXPECT_EQ(state_.clientCert(), mockClientCert_);
1119 }
1120 
1121 TEST_F(ClientProtocolTest, TestServerHelloPskNoDhFlow) {
1122  setupExpectingServerHello();
1123  state_.attemptedPsk() = getCachedPsk();
1124  mockKeyScheduler_ = new MockKeyScheduler();
1125  mockHandshakeContext_ = new MockHandshakeContext();
1126  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
1127  .WillOnce(InvokeWithoutArgs(
1128  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
1129  EXPECT_CALL(
1130  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1131  .WillOnce(InvokeWithoutArgs([=]() {
1132  return std::unique_ptr<HandshakeContext>(mockHandshakeContext_);
1133  }));
1134  Sequence contextSeq;
1135  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(BufMatches("chlo")))
1136  .InSequence(contextSeq);
1137  EXPECT_CALL(
1138  *mockHandshakeContext_, appendToTranscript(BufMatches("shloencoding")))
1139  .InSequence(contextSeq);
1140  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
1141  .InSequence(contextSeq)
1142  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo_shlo"); }));
1143  EXPECT_CALL(
1144  *mockKeyScheduler_, deriveEarlySecret(RangeMatches("resumptionsecret")));
1145  EXPECT_CALL(*mockKeyScheduler_, deriveHandshakeSecret());
1146  EXPECT_CALL(
1147  *mockKeyScheduler_,
1148  getSecret(
1149  HandshakeSecrets::ServerHandshakeTraffic, RangeMatches("chlo_shlo")))
1150  .WillOnce(InvokeWithoutArgs([]() {
1151  return std::vector<uint8_t>({'s', 'h', 't'});
1152  }));
1153  EXPECT_CALL(
1154  *mockKeyScheduler_,
1155  getSecret(
1156  HandshakeSecrets::ClientHandshakeTraffic, RangeMatches("chlo_shlo")))
1157  .WillOnce(InvokeWithoutArgs([]() {
1158  return std::vector<uint8_t>({'c', 'h', 't'});
1159  }));
1160  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sht"), _, _))
1161  .WillOnce(InvokeWithoutArgs([]() {
1162  return TrafficKey{IOBuf::copyBuffer("serverkey"),
1163  IOBuf::copyBuffer("serveriv")};
1164  }));
1165  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cht"), _, _))
1166  .WillOnce(InvokeWithoutArgs([]() {
1167  return TrafficKey{IOBuf::copyBuffer("clientkey"),
1168  IOBuf::copyBuffer("clientiv")};
1169  }));
1170  MockAead* raead;
1171  MockAead* waead;
1172  MockEncryptedReadRecordLayer* rrl;
1173  MockEncryptedWriteRecordLayer* wrl;
1174  expectAeadCreation(&waead, &raead);
1175  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sht"));
1176  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cht"));
1177 
1178  auto shlo = TestMessages::serverHelloPsk();
1179  TestMessages::removeExtension(shlo, ExtensionType::key_share);
1180  auto actions = detail::processEvent(state_, std::move(shlo));
1181  expectActions<MutateState>(actions);
1182  processStateMutations(actions);
1183  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1184  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
1185  EXPECT_EQ(
1186  state_.readRecordLayer()->getEncryptionLevel(),
1187  EncryptionLevel::Handshake);
1188  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
1189  EXPECT_EQ(
1190  state_.writeRecordLayer()->getEncryptionLevel(),
1191  EncryptionLevel::Handshake);
1192  EXPECT_EQ(state_.handshakeContext().get(), mockHandshakeContext_);
1193  EXPECT_EQ(state_.keyScheduler().get(), mockKeyScheduler_);
1194  EXPECT_EQ(state_.version(), TestProtocolVersion);
1195  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1196  EXPECT_FALSE(state_.group().hasValue());
1197  EXPECT_TRUE(IOBufEqualTo()(
1198  *state_.clientHandshakeSecret(), IOBuf::copyBuffer("cht")));
1199  EXPECT_TRUE(IOBufEqualTo()(
1200  *state_.serverHandshakeSecret(), IOBuf::copyBuffer("sht")));
1201  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::None);
1202  EXPECT_EQ(state_.pskType(), PskType::Resumption);
1203  EXPECT_EQ(state_.serverCert(), mockLeaf_);
1204 }
1205 
1206 TEST_F(ClientProtocolTest, TestServerHelloPskAfterHrrFlow) {
1207  setupExpectingServerHelloAfterHrr();
1208  state_.attemptedPsk() = getCachedPsk();
1209  mockKeyScheduler_ = new MockKeyScheduler();
1210  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
1211  .WillOnce(InvokeWithoutArgs(
1212  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
1213  Sequence contextSeq;
1214  EXPECT_CALL(
1215  *mockHandshakeContext_, appendToTranscript(BufMatches("shloencoding")))
1216  .InSequence(contextSeq);
1217  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
1218  .InSequence(contextSeq)
1219  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo_shlo"); }));
1220  EXPECT_CALL(*mockKex_, generateSharedSecret(RangeMatches("servershare")))
1221  .WillOnce(InvokeWithoutArgs(
1222  []() { return IOBuf::copyBuffer("sharedsecret"); }));
1223  EXPECT_CALL(
1224  *mockKeyScheduler_, deriveHandshakeSecret(RangeMatches("sharedsecret")));
1225  EXPECT_CALL(
1226  *mockKeyScheduler_,
1227  getSecret(
1228  HandshakeSecrets::ServerHandshakeTraffic, RangeMatches("chlo_shlo")))
1229  .WillOnce(InvokeWithoutArgs([]() {
1230  return std::vector<uint8_t>({'s', 'h', 't'});
1231  }));
1232  EXPECT_CALL(
1233  *mockKeyScheduler_,
1234  getSecret(
1235  HandshakeSecrets::ClientHandshakeTraffic, RangeMatches("chlo_shlo")))
1236  .WillOnce(InvokeWithoutArgs([]() {
1237  return std::vector<uint8_t>({'c', 'h', 't'});
1238  }));
1239  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sht"), _, _))
1240  .WillOnce(InvokeWithoutArgs([]() {
1241  return TrafficKey{IOBuf::copyBuffer("serverkey"),
1242  IOBuf::copyBuffer("serveriv")};
1243  }));
1244  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cht"), _, _))
1245  .WillOnce(InvokeWithoutArgs([]() {
1246  return TrafficKey{IOBuf::copyBuffer("clientkey"),
1247  IOBuf::copyBuffer("clientiv")};
1248  }));
1249  MockAead* raead;
1250  MockAead* waead;
1251  MockEncryptedReadRecordLayer* rrl;
1252  MockEncryptedWriteRecordLayer* wrl;
1253  expectAeadCreation(&waead, &raead);
1254  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sht"));
1255  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cht"));
1256 
1257  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1258  expectActions<MutateState>(actions);
1259  processStateMutations(actions);
1260  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1261  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
1262  EXPECT_EQ(
1263  state_.readRecordLayer()->getEncryptionLevel(),
1264  EncryptionLevel::Handshake);
1265  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
1266  EXPECT_EQ(
1267  state_.writeRecordLayer()->getEncryptionLevel(),
1268  EncryptionLevel::Handshake);
1269  EXPECT_EQ(state_.handshakeContext().get(), mockHandshakeContext_);
1270  EXPECT_EQ(state_.keyScheduler().get(), mockKeyScheduler_);
1271  EXPECT_EQ(state_.version(), TestProtocolVersion);
1272  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1273  EXPECT_EQ(state_.group(), NamedGroup::x25519);
1274  EXPECT_TRUE(IOBufEqualTo()(
1275  *state_.clientHandshakeSecret(), IOBuf::copyBuffer("cht")));
1276  EXPECT_TRUE(IOBufEqualTo()(
1277  *state_.serverHandshakeSecret(), IOBuf::copyBuffer("sht")));
1278  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::HelloRetryRequest);
1279  EXPECT_EQ(state_.pskType(), PskType::Resumption);
1280  EXPECT_EQ(state_.serverCert(), mockLeaf_);
1281 }
1282 
1283 TEST_F(ClientProtocolTest, TestServerHello) {
1284  setupExpectingServerHello();
1285  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1286  expectActions<MutateState>(actions);
1287  processStateMutations(actions);
1288  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1289 }
1290 
1291 TEST_F(ClientProtocolTest, TestServerHelloPsk) {
1292  setupExpectingServerHello();
1293  state_.attemptedPsk() = getCachedPsk();
1294  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1295  expectActions<MutateState>(actions);
1296  processStateMutations(actions);
1297  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1298  EXPECT_EQ(state_.pskType(), PskType::Resumption);
1299 }
1300 
1301 TEST_F(ClientProtocolTest, TestServerHelloPskRejected) {
1302  setupExpectingServerHello();
1303  state_.attemptedPsk() = getCachedPsk();
1304  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1305  expectActions<MutateState>(actions);
1306  processStateMutations(actions);
1307  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1308  EXPECT_EQ(state_.pskType(), PskType::Rejected);
1309 }
1310 
1311 TEST_F(ClientProtocolTest, TestServerHelloExtraData) {
1312  setupExpectingServerHello();
1313  EXPECT_CALL(*mockRead_, hasUnparsedHandshakeData())
1314  .WillRepeatedly(Return(true));
1315  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1316  expectError<FizzException>(
1317  actions, AlertDescription::unexpected_message, "data after server hello");
1318 }
1319 
1320 TEST_F(ClientProtocolTest, TestServerHelloBadVersion) {
1321  setupExpectingServerHello();
1322  auto shlo = TestMessages::serverHello();
1323  TestMessages::removeExtension(shlo, ExtensionType::supported_versions);
1324  ServerSupportedVersions supportedVersions;
1325  supportedVersions.selected_version = ProtocolVersion::tls_1_1;
1326  shlo.extensions.push_back(encodeExtension(std::move(supportedVersions)));
1327  auto actions = detail::processEvent(state_, std::move(shlo));
1328  expectError<FizzException>(
1329  actions,
1330  AlertDescription::protocol_version,
1331  "unsupported server version");
1332 }
1333 
1334 TEST_F(ClientProtocolTest, TestServerHelloBadCipher) {
1335  setupExpectingServerHello();
1336  auto shlo = TestMessages::serverHello();
1337  shlo.cipher_suite = static_cast<CipherSuite>(0x03ff);
1338  auto actions = detail::processEvent(state_, std::move(shlo));
1339  expectError<FizzException>(
1340  actions, AlertDescription::handshake_failure, "unsupported cipher");
1341 }
1342 
1343 TEST_F(ClientProtocolTest, TestServerHelloBadGroup) {
1344  context_->setSupportedGroups({NamedGroup::x25519});
1345  setupExpectingServerHello();
1346  auto shlo = TestMessages::serverHello();
1347  TestMessages::removeExtension(shlo, ExtensionType::key_share);
1348  ServerKeyShare serverKeyShare;
1349  serverKeyShare.server_share.group = NamedGroup::secp256r1;
1350  serverKeyShare.server_share.key_exchange =
1351  folly::IOBuf::copyBuffer("servershare");
1352  shlo.extensions.push_back(encodeExtension(std::move(serverKeyShare)));
1353  auto actions = detail::processEvent(state_, std::move(shlo));
1354  expectError<FizzException>(
1355  actions, AlertDescription::handshake_failure, "unsupported group");
1356 }
1357 
1358 TEST_F(ClientProtocolTest, TestServerHelloNoKeyShare) {
1359  setupExpectingServerHello();
1360  auto shlo = TestMessages::serverHello();
1361  TestMessages::removeExtension(shlo, ExtensionType::key_share);
1362  auto actions = detail::processEvent(state_, std::move(shlo));
1363  expectError<FizzException>(
1364  actions, AlertDescription::handshake_failure, "did not send share");
1365 }
1366 
1367 TEST_F(ClientProtocolTest, TestServerHelloHrrBadVersion) {
1368  setupExpectingServerHelloAfterHrr();
1369  state_.version() = ProtocolVersion::tls_1_2;
1370  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1371  expectError<FizzException>(
1372  actions, AlertDescription::handshake_failure, "version does not match");
1373 }
1374 
1375 TEST_F(ClientProtocolTest, TestServerHelloHrrBadCipher) {
1376  setupExpectingServerHelloAfterHrr();
1377  state_.cipher() = CipherSuite::TLS_AES_256_GCM_SHA384;
1378  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1379  expectError<FizzException>(
1380  actions, AlertDescription::handshake_failure, "cipher does not match");
1381 }
1382 
1383 TEST_F(ClientProtocolTest, TestServerHelloHrrBadGroup) {
1384  setupExpectingServerHelloAfterHrr();
1385  auto mockKex = std::make_unique<MockKeyExchange>();
1386  mockKex->setDefaults();
1387  std::map<NamedGroup, std::unique_ptr<KeyExchange>> kexs;
1388  kexs.emplace(NamedGroup::secp256r1, std::move(mockKex));
1389  state_.keyExchangers() = std::move(kexs);
1390 
1391  auto actions = detail::processEvent(state_, TestMessages::serverHello());
1392  expectError<FizzException>(
1393  actions, AlertDescription::handshake_failure, "group");
1394 }
1395 
1396 TEST_F(ClientProtocolTest, TestServerHelloPskAcceptedNotSent) {
1397  setupExpectingServerHello();
1398  state_.requestedExtensions() = std::vector<ExtensionType>(
1399  {ExtensionType::supported_versions,
1400  ExtensionType::key_share,
1401  ExtensionType::key_share_old,
1402  ExtensionType::server_name,
1403  ExtensionType::application_layer_protocol_negotiation});
1404  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1405  expectError<FizzException>(
1406  actions,
1407  AlertDescription::illegal_parameter,
1408  "unexpected extension in shlo: pre_shared_key");
1409 }
1410 
1411 TEST_F(ClientProtocolTest, TestServerHelloOtherPskAccepted) {
1412  setupExpectingServerHello();
1413  state_.attemptedPsk() = getCachedPsk();
1414  auto shlo = TestMessages::serverHello();
1415  ServerPresharedKey pskExt;
1416  pskExt.selected_identity = 1;
1417  shlo.extensions.push_back(encodeExtension(std::move(pskExt)));
1418  auto actions = detail::processEvent(state_, std::move(shlo));
1419  expectError<FizzException>(
1420  actions, AlertDescription::illegal_parameter, "non-0 psk");
1421 }
1422 
1423 TEST_F(ClientProtocolTest, TestServerHelloPskDifferentHash) {
1424  setupExpectingServerHello();
1425  state_.attemptedPsk() = getCachedPsk();
1426  state_.attemptedPsk()->cipher = CipherSuite::TLS_AES_256_GCM_SHA384;
1427  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1428  expectError<FizzException>(
1429  actions,
1430  AlertDescription::handshake_failure,
1431  "incompatible cipher in psk");
1432 }
1433 
1434 TEST_F(ClientProtocolTest, TestServerHelloPskDifferentCompatibleCipher) {
1435  setupExpectingServerHello();
1436  state_.attemptedPsk() = getCachedPsk();
1437  state_.attemptedPsk()->cipher = CipherSuite::TLS_CHACHA20_POLY1305_SHA256;
1438  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1439  expectActions<MutateState>(actions);
1440  processStateMutations(actions);
1441  EXPECT_EQ(state_.state(), StateEnum::ExpectingEncryptedExtensions);
1442  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1443 }
1444 
1445 TEST_F(ClientProtocolTest, TestServerHelloPskDheNotSupported) {
1446  context_->setSupportedPskModes({PskKeyExchangeMode::psk_ke});
1447  setupExpectingServerHello();
1448  state_.attemptedPsk() = getCachedPsk();
1449  auto actions = detail::processEvent(state_, TestMessages::serverHelloPsk());
1450  expectError<FizzException>(
1451  actions, AlertDescription::handshake_failure, "unsupported psk mode");
1452 }
1453 
1454 TEST_F(ClientProtocolTest, TestServerHelloExtensions) {
1455  setupExpectingEncryptedExtensions();
1456  auto ext = std::make_shared<MockClientExtensions>();
1457  state_.extensions() = ext;
1458  EXPECT_CALL(*ext, onEncryptedExtensions(_));
1459  auto actions = detail::processEvent(state_, TestMessages::encryptedExt());
1460  expectActions<MutateState>(actions);
1461  processStateMutations(actions);
1462 }
1463 
1464 TEST_F(ClientProtocolTest, TestServerHelloPskKeNotSupported) {
1465  context_->setSupportedPskModes({PskKeyExchangeMode::psk_dhe_ke});
1466  setupExpectingServerHello();
1467  state_.attemptedPsk() = getCachedPsk();
1468  auto shlo = TestMessages::serverHelloPsk();
1469  TestMessages::removeExtension(shlo, ExtensionType::key_share);
1470  auto actions = detail::processEvent(state_, std::move(shlo));
1471  expectError<FizzException>(
1472  actions, AlertDescription::handshake_failure, "unsupported psk mode");
1473 }
1474 
1475 TEST_F(ClientProtocolTest, TestServerHelloBadSessionId) {
1476  setupExpectingServerHello();
1477  auto shlo = TestMessages::serverHello();
1478  shlo.legacy_session_id_echo = IOBuf::copyBuffer("hi!!");
1479  auto actions = detail::processEvent(state_, std::move(shlo));
1480  expectError<FizzException>(
1481  actions, AlertDescription::illegal_parameter, "session id");
1482 }
1483 
1484 TEST_F(ClientProtocolTest, TestConnectPskKeNoShares) {
1485  Connect connect;
1486  connect.context = context_;
1487  auto psk = getCachedPsk();
1488  psk.group = folly::none;
1489  connect.cachedPsk = psk;
1490  auto actions = detail::processEvent(state_, std::move(connect));
1491  expectActions<MutateState, WriteToSocket>(actions);
1492  processStateMutations(actions);
1493  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1494 
1495  auto& encodedHello = *state_.encodedClientHello();
1496 
1497  // Get rid of handshake header (type + version)
1498  encodedHello->trimStart(4);
1499  auto decodedHello = decode<ClientHello>(std::move(encodedHello));
1500  auto keyShare = getExtension<ClientKeyShare>(decodedHello.extensions);
1501  EXPECT_TRUE(keyShare->client_shares.empty());
1502  EXPECT_TRUE(state_.keyExchangers()->empty());
1503 }
1504 
1505 TEST_F(ClientProtocolTest, TestHelloRetryRequestFlow) {
1506  setupExpectingServerHello();
1507  state_.clientRandom()->fill(0x66);
1508  auto mockHandshakeContext1 = new MockHandshakeContext();
1509  auto mockHandshakeContext2 = new MockHandshakeContext();
1510  Sequence contextSeq;
1511  EXPECT_CALL(
1512  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1513  .InSequence(contextSeq)
1514  .WillOnce(InvokeWithoutArgs([=]() {
1515  return std::unique_ptr<HandshakeContext>(mockHandshakeContext1);
1516  }));
1517  EXPECT_CALL(*mockHandshakeContext1, appendToTranscript(BufMatches("chlo")))
1518  .InSequence(contextSeq);
1519  EXPECT_CALL(*mockHandshakeContext1, getHandshakeContext())
1520  .InSequence(contextSeq)
1521  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo1"); }));
1522  EXPECT_CALL(
1523  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1524  .InSequence(contextSeq)
1525  .WillOnce(InvokeWithoutArgs([=]() {
1526  return std::unique_ptr<HandshakeContext>(mockHandshakeContext2);
1527  }));
1528  EXPECT_CALL(*mockHandshakeContext2, appendToTranscript(_))
1529  .InSequence(contextSeq);
1530  EXPECT_CALL(
1531  *mockHandshakeContext2, appendToTranscript(BufMatches("hrrencoding")))
1532  .InSequence(contextSeq);
1533  EXPECT_CALL(*mockHandshakeContext2, appendToTranscript(_))
1534  .InSequence(contextSeq);
1535  MockKeyExchange* mockKex;
1536  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::secp256r1))
1537  .WillOnce(InvokeWithoutArgs([&mockKex]() {
1538  auto ret = std::make_unique<MockKeyExchange>();
1539  EXPECT_CALL(*ret, generateKeyPair());
1540  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
1541  return IOBuf::copyBuffer("keyshare");
1542  }));
1543  mockKex = ret.get();
1544  return ret;
1545  }));
1546  auto chlo = getDefaultClientHello();
1547  chlo.random.fill(0x66);
1548  ClientKeyShare keyShare;
1549  KeyShareEntry entry;
1550  entry.group = NamedGroup::secp256r1;
1551  entry.key_exchange = folly::IOBuf::copyBuffer("keyshare");
1552  keyShare.client_shares.push_back(std::move(entry));
1553  auto it = chlo.extensions.erase(
1554  findExtension(chlo.extensions, ExtensionType::key_share));
1555  chlo.extensions.insert(it, encodeExtension(std::move(keyShare)));
1556  auto encodedExpectedChlo = encodeHandshake(std::move(chlo));
1557  EXPECT_CALL(*mockWrite_, _write(_)).WillOnce(Invoke([&](TLSMessage& msg) {
1558  TLSContent content;
1559  content.contentType = msg.type;
1560  content.encryptionLevel = mockWrite_->getEncryptionLevel();
1561  EXPECT_EQ(msg.type, ContentType::handshake);
1562  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, encodedExpectedChlo));
1563  content.data = IOBuf::copyBuffer("writtenchlo");
1564  return content;
1565  }));
1566 
1567  auto actions =
1568  detail::processEvent(state_, TestMessages::helloRetryRequest());
1569  expectActions<MutateState, WriteToSocket>(actions);
1570  auto write = expectAction<WriteToSocket>(actions);
1571  EXPECT_TRUE(
1572  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("writtenchlo")));
1573  processStateMutations(actions);
1574  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1575  EXPECT_EQ(state_.readRecordLayer().get(), mockRead_);
1576  EXPECT_EQ(
1577  state_.readRecordLayer()->getEncryptionLevel(),
1578  EncryptionLevel::Plaintext);
1579  EXPECT_EQ(state_.writeRecordLayer().get(), mockWrite_);
1580  EXPECT_EQ(
1581  state_.writeRecordLayer()->getEncryptionLevel(),
1582  EncryptionLevel::Plaintext);
1583  EXPECT_TRUE(
1584  IOBufEqualTo()(*state_.encodedClientHello(), encodedExpectedChlo));
1585  EXPECT_EQ(
1586  StringPiece((*state_.encodedClientHello())->coalesce()),
1587  StringPiece(encodedExpectedChlo->coalesce()));
1588  EXPECT_EQ(state_.keyExchangers()->size(), 1);
1589  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::secp256r1).get(), mockKex);
1590  EXPECT_EQ(state_.verifier(), verifier_);
1591  EXPECT_EQ(*state_.sni(), "www.hostname.com");
1592  Random random;
1593  random.fill(0x66);
1594  EXPECT_EQ(*state_.clientRandom(), random);
1595  EXPECT_FALSE(state_.sentCCS());
1596  EXPECT_EQ(state_.version(), TestProtocolVersion);
1597  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1598  EXPECT_FALSE(state_.group().hasValue());
1599  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::HelloRetryRequest);
1600  EXPECT_EQ(state_.earlyDataType(), EarlyDataType::NotAttempted);
1601 }
1602 
1603 TEST_F(ClientProtocolTest, TestHelloRetryRequestPskFlow) {
1604  auto psk = getCachedPsk();
1605  setupExpectingServerHello();
1606  state_.attemptedPsk() = psk;
1607  state_.clientRandom()->fill(0x66);
1608  auto mockHandshakeContext1 = new MockHandshakeContext();
1609  auto mockHandshakeContext2 = new MockHandshakeContext();
1610  mockKeyScheduler_ = new MockKeyScheduler();
1611  EXPECT_CALL(*factory_, makeKeyScheduler(CipherSuite::TLS_AES_128_GCM_SHA256))
1612  .WillOnce(InvokeWithoutArgs(
1613  [=]() { return std::unique_ptr<KeyScheduler>(mockKeyScheduler_); }));
1614  EXPECT_CALL(
1615  *mockKeyScheduler_, deriveEarlySecret(RangeMatches("resumptionsecret")));
1616  EXPECT_CALL(
1617  *mockKeyScheduler_, getSecret(EarlySecrets::ResumptionPskBinder, _))
1618  .WillOnce(InvokeWithoutArgs([]() {
1619  return std::vector<uint8_t>({'b', 'k'});
1620  }));
1621  Sequence contextSeq;
1622  EXPECT_CALL(
1623  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1624  .InSequence(contextSeq)
1625  .WillOnce(InvokeWithoutArgs([=]() {
1626  return std::unique_ptr<HandshakeContext>(mockHandshakeContext1);
1627  }));
1628  EXPECT_CALL(*mockHandshakeContext1, appendToTranscript(BufMatches("chlo")))
1629  .InSequence(contextSeq);
1630  EXPECT_CALL(*mockHandshakeContext1, getHandshakeContext())
1631  .InSequence(contextSeq)
1632  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("chlo1"); }));
1633  EXPECT_CALL(
1634  *factory_, makeHandshakeContext(CipherSuite::TLS_AES_128_GCM_SHA256))
1635  .InSequence(contextSeq)
1636  .WillOnce(InvokeWithoutArgs([=]() {
1637  return std::unique_ptr<HandshakeContext>(mockHandshakeContext2);
1638  }));
1639  EXPECT_CALL(*mockHandshakeContext2, appendToTranscript(_))
1640  .InSequence(contextSeq);
1641  EXPECT_CALL(
1642  *mockHandshakeContext2, appendToTranscript(BufMatches("hrrencoding")))
1643  .InSequence(contextSeq);
1644  EXPECT_CALL(*mockHandshakeContext2, appendToTranscript(_))
1645  .InSequence(contextSeq);
1646  EXPECT_CALL(*mockHandshakeContext2, getFinishedData(RangeMatches("bk")))
1647  .InSequence(contextSeq)
1648  .WillOnce(
1649  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("binder"); }));
1650  EXPECT_CALL(*mockHandshakeContext2, appendToTranscript(_))
1651  .InSequence(contextSeq);
1652  MockKeyExchange* mockKex;
1653  EXPECT_CALL(*factory_, makeKeyExchange(NamedGroup::secp256r1))
1654  .WillOnce(InvokeWithoutArgs([&mockKex]() {
1655  auto ret = std::make_unique<MockKeyExchange>();
1656  EXPECT_CALL(*ret, generateKeyPair());
1657  EXPECT_CALL(*ret, getKeyShare()).WillOnce(InvokeWithoutArgs([]() {
1658  return IOBuf::copyBuffer("keyshare");
1659  }));
1660  mockKex = ret.get();
1661  return ret;
1662  }));
1663  EXPECT_CALL(*mockWrite_, _write(_)).WillOnce(Invoke([&](TLSMessage& msg) {
1664  TLSContent content;
1665  content.contentType = msg.type;
1666  content.encryptionLevel = mockWrite_->getEncryptionLevel();
1667  EXPECT_EQ(msg.type, ContentType::handshake);
1668  content.data = IOBuf::copyBuffer("writtenchlo");
1669  return content;
1670  }));
1671 
1672  auto actions =
1673  detail::processEvent(state_, TestMessages::helloRetryRequest());
1674  expectActions<MutateState, WriteToSocket>(actions);
1675  auto write = expectAction<WriteToSocket>(actions);
1676  EXPECT_EQ(write.contents[0].contentType, ContentType::handshake);
1677  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Plaintext);
1678  processStateMutations(actions);
1679  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1680  EXPECT_EQ(state_.readRecordLayer().get(), mockRead_);
1681  EXPECT_EQ(
1682  state_.readRecordLayer()->getEncryptionLevel(),
1683  EncryptionLevel::Plaintext);
1684  EXPECT_EQ(state_.writeRecordLayer().get(), mockWrite_);
1685  EXPECT_EQ(
1686  state_.writeRecordLayer()->getEncryptionLevel(),
1687  EncryptionLevel::Plaintext);
1688  EXPECT_EQ(state_.keyExchangers()->size(), 1);
1689  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::secp256r1).get(), mockKex);
1690  EXPECT_EQ(state_.verifier(), verifier_);
1691  EXPECT_EQ(*state_.sni(), "www.hostname.com");
1692  Random random;
1693  random.fill(0x66);
1694  EXPECT_EQ(*state_.clientRandom(), random);
1695  EXPECT_FALSE(state_.sentCCS());
1696  EXPECT_EQ(state_.version(), TestProtocolVersion);
1697  EXPECT_EQ(state_.cipher(), CipherSuite::TLS_AES_128_GCM_SHA256);
1698  EXPECT_FALSE(state_.group().hasValue());
1699  EXPECT_EQ(state_.keyExchangeType(), KeyExchangeType::HelloRetryRequest);
1700  EXPECT_EQ(state_.attemptedPsk()->psk, psk.psk);
1701  EXPECT_EQ(state_.earlyDataType(), EarlyDataType::NotAttempted);
1702 }
1703 
1704 TEST_F(ClientProtocolTest, TestHelloRetryRequest) {
1705  setupExpectingServerHello();
1706  auto actions =
1707  detail::processEvent(state_, TestMessages::helloRetryRequest());
1708  expectActions<MutateState, WriteToSocket>(actions);
1709  processStateMutations(actions);
1710  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1711 }
1712 
1713 TEST_F(ClientProtocolTest, TestHelloRetryRequestPskDifferentHash) {
1714  setupExpectingServerHello();
1715  state_.attemptedPsk() = getCachedPsk();
1716  state_.attemptedPsk()->cipher = CipherSuite::TLS_AES_256_GCM_SHA384;
1717  auto actions =
1718  detail::processEvent(state_, TestMessages::helloRetryRequest());
1719  expectActions<MutateState, WriteToSocket>(actions);
1720  processStateMutations(actions);
1721  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1722  EXPECT_FALSE(state_.attemptedPsk().hasValue());
1723 }
1724 
1725 TEST_F(ClientProtocolTest, TestDoubleHelloRetryRequest) {
1726  setupExpectingServerHello();
1727  state_.keyExchangeType() = KeyExchangeType::HelloRetryRequest;
1728  auto actions =
1729  detail::processEvent(state_, TestMessages::helloRetryRequest());
1730  expectError<FizzException>(
1731  actions, AlertDescription::unexpected_message, "two HRRs");
1732 }
1733 
1734 TEST_F(ClientProtocolTest, TestHelloRetryRequestBadVersion) {
1735  setupExpectingServerHello();
1736  auto hrr = TestMessages::helloRetryRequest();
1737  TestMessages::removeExtension(hrr, ExtensionType::supported_versions);
1738  ServerSupportedVersions supportedVersions;
1739  supportedVersions.selected_version = ProtocolVersion::tls_1_1;
1740  hrr.extensions.push_back(encodeExtension(std::move(supportedVersions)));
1741  auto actions = detail::processEvent(state_, std::move(hrr));
1742  expectError<FizzException>(
1743  actions,
1744  AlertDescription::protocol_version,
1745  "unsupported server version");
1746 }
1747 
1748 TEST_F(ClientProtocolTest, TestHelloRetryRequestBadCipher) {
1749  setupExpectingServerHello();
1750  auto hrr = TestMessages::helloRetryRequest();
1751  hrr.cipher_suite = static_cast<CipherSuite>(0x03ff);
1752  auto actions = detail::processEvent(state_, std::move(hrr));
1753  expectError<FizzException>(
1754  actions, AlertDescription::handshake_failure, "unsupported cipher");
1755 }
1756 
1757 TEST_F(ClientProtocolTest, TestHelloRetryRequestBadGroup) {
1758  setupExpectingServerHello();
1759  auto hrr = TestMessages::helloRetryRequest();
1760  TestMessages::removeExtension(hrr, ExtensionType::key_share);
1761  HelloRetryRequestKeyShare keyShare;
1762  keyShare.selected_group = static_cast<NamedGroup>(0x8923);
1763  hrr.extensions.push_back(encodeExtension(std::move(keyShare)));
1764  auto actions = detail::processEvent(state_, std::move(hrr));
1765  expectError<FizzException>(
1766  actions, AlertDescription::handshake_failure, "unsupported group");
1767 }
1768 
1769 TEST_F(ClientProtocolTest, TestHelloRetryRequestGroupAlreadySent) {
1770  setupExpectingServerHello();
1771  auto hrr = TestMessages::helloRetryRequest();
1772  TestMessages::removeExtension(hrr, ExtensionType::key_share);
1773  HelloRetryRequestKeyShare keyShare;
1774  keyShare.selected_group = NamedGroup::x25519;
1775  hrr.extensions.push_back(encodeExtension(std::move(keyShare)));
1776  auto encryptionLevel = state_.writeRecordLayer()->getEncryptionLevel();
1777  auto actions = detail::processEvent(state_, std::move(hrr));
1778  expectError<FizzException>(
1779  actions, AlertDescription::illegal_parameter, "already-sent group");
1780  auto write = expectAction<WriteToSocket>(actions);
1781  EXPECT_EQ(write.contents[0].encryptionLevel, encryptionLevel);
1782  EXPECT_EQ(write.contents[0].contentType, ContentType::alert);
1783 }
1784 
1785 TEST_F(ClientProtocolTest, TestHelloRetryRequestNoKeyShare) {
1786  setupExpectingServerHello();
1787  auto kex = state_.keyExchangers()->at(NamedGroup::x25519).get();
1788  auto mockKex = std::make_unique<MockKeyExchange>();
1789  mockKex->setDefaults();
1790  state_.keyExchangers()->emplace(NamedGroup::secp256r1, std::move(mockKex));
1791  auto hrr = TestMessages::helloRetryRequest();
1792  TestMessages::removeExtension(hrr, ExtensionType::key_share);
1793  auto actions = detail::processEvent(state_, std::move(hrr));
1794  expectActions<MutateState, WriteToSocket>(actions);
1795  processStateMutations(actions);
1796  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1797  EXPECT_FALSE(state_.group().hasValue());
1798  EXPECT_EQ(state_.keyExchangers()->size(), 2);
1799  EXPECT_EQ(state_.keyExchangers()->at(NamedGroup::x25519).get(), kex);
1800 }
1801 
1802 TEST_F(ClientProtocolTest, TestHelloRetryRequestCookie) {
1803  setupExpectingServerHello();
1804  auto hrr = TestMessages::helloRetryRequest();
1805  Cookie cookie;
1806  cookie.cookie = folly::IOBuf::copyBuffer("cookie!!");
1807  hrr.extensions.push_back(encodeExtension(std::move(cookie)));
1808  auto actions = detail::processEvent(state_, std::move(hrr));
1809  expectActions<MutateState, WriteToSocket>(actions);
1810  processStateMutations(actions);
1811  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1812  auto range = (*state_.encodedClientHello())->coalesce();
1813  EXPECT_THAT(std::string(range.begin(), range.end()), HasSubstr("cookie!!"));
1814 }
1815 
1816 TEST_F(ClientProtocolTest, TestHelloRetryRequestAttemptedEarly) {
1817  setupExpectingServerHello();
1818  state_.earlyDataType() = EarlyDataType::Attempted;
1819  auto actions =
1820  detail::processEvent(state_, TestMessages::helloRetryRequest());
1821  expectActions<MutateState, WriteToSocket>(actions);
1822  processStateMutations(actions);
1823  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1824  EXPECT_EQ(state_.earlyDataType(), EarlyDataType::Rejected);
1825  EXPECT_EQ(state_.earlyWriteRecordLayer(), nullptr);
1826 }
1827 
1828 TEST_F(ClientProtocolTest, TestHelloRetryRequestCompat) {
1829  context_->setCompatibilityMode(true);
1830  setupExpectingServerHello();
1831  auto actions =
1832  detail::processEvent(state_, TestMessages::helloRetryRequest());
1833  expectActions<MutateState, WriteToSocket>(actions);
1834  processStateMutations(actions);
1835  auto write = expectAction<WriteToSocket>(actions);
1836  EXPECT_EQ(write.contents.size(), 2);
1837  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Plaintext);
1838  EXPECT_EQ(write.contents[0].contentType, ContentType::change_cipher_spec);
1839  EXPECT_EQ(write.contents[1].encryptionLevel, EncryptionLevel::Plaintext);
1840  EXPECT_EQ(write.contents[1].contentType, ContentType::handshake);
1841  EXPECT_EQ(state_.state(), StateEnum::ExpectingServerHello);
1842  EXPECT_TRUE(state_.sentCCS());
1843 }
1844 
1845 TEST_F(ClientProtocolTest, TestEncryptedExtensionsFlow) {
1846  context_->setSupportedAlpns({"h2"});
1847  setupExpectingEncryptedExtensions();
1848  EXPECT_CALL(
1849  *mockHandshakeContext_, appendToTranscript(BufMatches("eeencoding")));
1850 
1851  auto actions = detail::processEvent(state_, TestMessages::encryptedExt());
1852  expectActions<MutateState>(actions);
1853  processStateMutations(actions);
1854  EXPECT_EQ(*state_.alpn(), "h2");
1855  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1856 }
1857 
1858 TEST_F(ClientProtocolTest, TestEncryptedExtensionsPsk) {
1859  context_->setSupportedAlpns({"h2"});
1860  setupExpectingEncryptedExtensions();
1861  state_.serverCert() = mockLeaf_;
1862  EXPECT_CALL(
1863  *mockHandshakeContext_, appendToTranscript(BufMatches("eeencoding")));
1864 
1865  auto actions = detail::processEvent(state_, TestMessages::encryptedExt());
1866  expectActions<MutateState>(actions);
1867  processStateMutations(actions);
1868  EXPECT_EQ(*state_.alpn(), "h2");
1869  EXPECT_EQ(state_.state(), StateEnum::ExpectingFinished);
1870  EXPECT_EQ(state_.serverCert(), mockLeaf_);
1871 }
1872 
1873 TEST_F(ClientProtocolTest, TestEncryptedExtensionsAlpn) {
1874  context_->setSupportedAlpns({"h2"});
1875  setupExpectingEncryptedExtensions();
1876  auto actions = detail::processEvent(state_, TestMessages::encryptedExt());
1877  expectActions<MutateState>(actions);
1878  processStateMutations(actions);
1879  EXPECT_EQ(*state_.alpn(), "h2");
1880  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1881 }
1882 
1883 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEmptyAlpn) {
1884  context_->setSupportedAlpns({"h2"});
1885  setupExpectingEncryptedExtensions();
1886  auto ee = TestMessages::encryptedExt();
1887  TestMessages::removeExtension(
1888  ee, ExtensionType::application_layer_protocol_negotiation);
1889  ee.extensions.push_back(encodeExtension(ProtocolNameList()));
1890  auto actions = detail::processEvent(state_, std::move(ee));
1891  expectError<FizzException>(
1892  actions, AlertDescription::illegal_parameter, "alpn list");
1893 }
1894 
1895 TEST_F(ClientProtocolTest, TestEncryptedExtensionsAlpnMismatch) {
1896  context_->setSupportedAlpns({"h3", "h1"});
1897  setupExpectingEncryptedExtensions();
1898  auto actions = detail::processEvent(state_, TestMessages::encryptedExt());
1899  expectError<FizzException>(
1900  actions, AlertDescription::illegal_parameter, "alpn mismatch");
1901 }
1902 
1903 TEST_F(ClientProtocolTest, TestEncryptedExtensionsNoAlpn) {
1904  context_->setSupportedAlpns({"h2"});
1905  setupExpectingEncryptedExtensions();
1906  auto ee = TestMessages::encryptedExt();
1907  TestMessages::removeExtension(
1908  ee, ExtensionType::application_layer_protocol_negotiation);
1909  auto actions = detail::processEvent(state_, std::move(ee));
1910  expectActions<MutateState>(actions);
1911  processStateMutations(actions);
1912  EXPECT_FALSE(state_.alpn().hasValue());
1913  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1914 }
1915 
1916 TEST_F(ClientProtocolTest, TestEncryptedExtensionsDisallowedExtension) {
1917  setupExpectingEncryptedExtensions();
1918  auto ee = TestMessages::encryptedExt();
1919  ee.extensions.push_back(encodeExtension(ClientPresharedKey()));
1920  auto actions = detail::processEvent(state_, std::move(ee));
1921  expectError<FizzException>(
1922  actions,
1923  AlertDescription::illegal_parameter,
1924  "unexpected extension in ee: pre_shared_key");
1925 }
1926 
1927 TEST_F(ClientProtocolTest, TestEncryptedExtensionsUnrequestedExtension) {
1928  setupExpectingEncryptedExtensions();
1929  state_.requestedExtensions() = std::vector<ExtensionType>(
1930  {ExtensionType::key_share,
1931  ExtensionType::application_layer_protocol_negotiation,
1932  ExtensionType::pre_shared_key});
1933  auto ee = TestMessages::encryptedExt();
1934  ee.extensions.push_back(encodeExtension(ServerNameList()));
1935  auto actions = detail::processEvent(state_, std::move(ee));
1936  expectError<FizzException>(
1937  actions,
1938  AlertDescription::illegal_parameter,
1939  "unexpected extension in ee: server_name");
1940 }
1941 
1942 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyAccepted) {
1943  setupExpectingEncryptedExtensionsEarlySent();
1944  auto ee = TestMessages::encryptedExt();
1945  ee.extensions.push_back(encodeExtension(ServerEarlyData()));
1946  auto actions = detail::processEvent(state_, std::move(ee));
1947  expectActions<MutateState>(actions);
1948  processStateMutations(actions);
1949  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1950  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Accepted);
1951 }
1952 
1953 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyRejected) {
1954  setupExpectingEncryptedExtensionsEarlySent();
1955  auto ee = TestMessages::encryptedExt();
1956  auto actions = detail::processEvent(state_, std::move(ee));
1957  expectActions<MutateState>(actions);
1958  processStateMutations(actions);
1959  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1960  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Rejected);
1961 }
1962 
1963 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyAlreadyRejected) {
1964  setupExpectingEncryptedExtensionsEarlySent();
1965  state_.earlyDataType() = EarlyDataType::Rejected;
1966  auto ee = TestMessages::encryptedExt();
1967  auto actions = detail::processEvent(state_, std::move(ee));
1968  expectActions<MutateState>(actions);
1969  processStateMutations(actions);
1970  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificate);
1971  EXPECT_EQ(*state_.earlyDataType(), EarlyDataType::Rejected);
1972 }
1973 
1974 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyAcceptedHrr) {
1975  setupExpectingEncryptedExtensionsEarlySent();
1976  state_.earlyDataType() = EarlyDataType::Rejected;
1977  auto ee = TestMessages::encryptedExt();
1978  ee.extensions.push_back(encodeExtension(ServerEarlyData()));
1979  auto actions = detail::processEvent(state_, std::move(ee));
1980  expectError<FizzException>(
1981  actions,
1982  AlertDescription::illegal_parameter,
1983  "unexpected accepted early data");
1984 }
1985 
1986 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyCipherMismatch) {
1987  setupExpectingEncryptedExtensionsEarlySent();
1988  state_.cipher() = CipherSuite::TLS_CHACHA20_POLY1305_SHA256;
1989  auto ee = TestMessages::encryptedExt();
1990  ee.extensions.push_back(encodeExtension(ServerEarlyData()));
1991  auto actions = detail::processEvent(state_, std::move(ee));
1992  expectError<FizzException>(
1993  actions, AlertDescription::illegal_parameter, "different cipher");
1994 }
1995 
1996 TEST_F(ClientProtocolTest, TestEncryptedExtensionsEarlyAlpnMismatch) {
1997  setupExpectingEncryptedExtensionsEarlySent();
1998  state_.earlyDataParams()->alpn = "h3";
1999  state_.attemptedPsk()->alpn = "h3";
2000  auto ee = TestMessages::encryptedExt();
2001  ee.extensions.push_back(encodeExtension(ServerEarlyData()));
2002  auto actions = detail::processEvent(state_, std::move(ee));
2003  expectError<FizzException>(
2004  actions, AlertDescription::illegal_parameter, "different alpn");
2005 }
2006 
2007 TEST_F(ClientProtocolTest, TestCertificateFlow) {
2008  setupExpectingCertificate();
2009  EXPECT_CALL(
2010  *mockHandshakeContext_, appendToTranscript(BufMatches("certencoding")));
2011  mockLeaf_ = std::make_shared<MockPeerCert>();
2012  mockIntermediate_ = std::make_shared<MockPeerCert>();
2013  EXPECT_CALL(*factory_, _makePeerCert(BufMatches("cert1")))
2014  .WillOnce(Return(mockLeaf_));
2015  EXPECT_CALL(*factory_, _makePeerCert(BufMatches("cert2")))
2016  .WillOnce(Return(mockIntermediate_));
2017 
2018  auto certificate = TestMessages::certificate();
2019  CertificateEntry entry1;
2020  entry1.cert_data = folly::IOBuf::copyBuffer("cert1");
2021  certificate.certificate_list.push_back(std::move(entry1));
2022  CertificateEntry entry2;
2023  entry2.cert_data = folly::IOBuf::copyBuffer("cert2");
2024  certificate.certificate_list.push_back(std::move(entry2));
2025  auto actions = detail::processEvent(state_, std::move(certificate));
2026 
2027  expectActions<MutateState>(actions);
2028  processStateMutations(actions);
2029  EXPECT_EQ(state_.unverifiedCertChain()->size(), 2);
2030  EXPECT_EQ(state_.unverifiedCertChain()->at(0), mockLeaf_);
2031  EXPECT_EQ(state_.unverifiedCertChain()->at(1), mockIntermediate_);
2032  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificateVerify);
2033 }
2034 
2035 TEST_F(ClientProtocolTest, TestCertificate) {
2036  setupExpectingCertificate();
2037  auto certificate = TestMessages::certificate();
2038  CertificateEntry entry;
2039  entry.cert_data = folly::IOBuf::copyBuffer("cert");
2040  certificate.certificate_list.push_back(std::move(entry));
2041  auto actions = detail::processEvent(state_, std::move(certificate));
2042  expectActions<MutateState>(actions);
2043  processStateMutations(actions);
2044  EXPECT_EQ(state_.unverifiedCertChain()->size(), 1);
2045  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificateVerify);
2046 }
2047 
2048 TEST_F(ClientProtocolTest, TestCertificateWithRequestContext) {
2049  setupExpectingCertificate();
2050  auto certificate = TestMessages::certificate();
2051  certificate.certificate_request_context = IOBuf::copyBuffer("something");
2052  CertificateEntry entry;
2053  entry.cert_data = folly::IOBuf::copyBuffer("cert");
2054  certificate.certificate_list.push_back(std::move(entry));
2055  auto actions = detail::processEvent(state_, std::move(certificate));
2056  expectError<FizzException>(
2057  actions, AlertDescription::illegal_parameter, "context must be empty");
2058 }
2059 
2060 TEST_F(ClientProtocolTest, TestCertificateEmpty) {
2061  setupExpectingCertificate();
2062  auto certificate = TestMessages::certificate();
2063  auto actions = detail::processEvent(state_, std::move(certificate));
2064  expectError<FizzException>(
2065  actions, AlertDescription::illegal_parameter, "no cert");
2066 }
2067 
2068 TEST_F(ClientProtocolTest, TestCompressedCertificateFlow) {
2069  setupExpectingCertificate();
2070  EXPECT_CALL(
2071  *mockHandshakeContext_,
2072  appendToTranscript(BufMatches("compcertencoding")));
2073  mockLeaf_ = std::make_shared<MockPeerCert>();
2074  mockIntermediate_ = std::make_shared<MockPeerCert>();
2075  EXPECT_CALL(*factory_, _makePeerCert(BufMatches("cert1")))
2076  .WillOnce(Return(mockLeaf_));
2077  EXPECT_CALL(*factory_, _makePeerCert(BufMatches("cert2")))
2078  .WillOnce(Return(mockIntermediate_));
2079 
2080  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2081  decompressor->setDefaults();
2082  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2083  decompressionMgr->setDecompressors(
2084  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2085  context_->setCertDecompressionManager(std::move(decompressionMgr));
2086  EXPECT_CALL(*decompressor, decompress(_))
2087  .WillOnce(Invoke([](const CompressedCertificate& cc) {
2088  EXPECT_TRUE(IOBufEqualTo()(
2089  cc.compressed_certificate_message,
2090  folly::IOBuf::copyBuffer("compressedcerts")));
2091  EXPECT_EQ(cc.algorithm, CertificateCompressionAlgorithm::zlib);
2092  EXPECT_EQ(cc.uncompressed_length, 0x111111);
2093  auto certificate = TestMessages::certificate();
2094  CertificateEntry entry1;
2095  entry1.cert_data = folly::IOBuf::copyBuffer("cert1");
2096  certificate.certificate_list.push_back(std::move(entry1));
2097  CertificateEntry entry2;
2098  entry2.cert_data = folly::IOBuf::copyBuffer("cert2");
2099  certificate.certificate_list.push_back(std::move(entry2));
2100  return certificate;
2101  }));
2102 
2103  auto compressedCert = TestMessages::compressedCertificate();
2104  auto actions = detail::processEvent(state_, std::move(compressedCert));
2105 
2106  expectActions<MutateState>(actions);
2107  processStateMutations(actions);
2108  EXPECT_EQ(state_.unverifiedCertChain()->size(), 2);
2109  EXPECT_EQ(state_.unverifiedCertChain()->at(0), mockLeaf_);
2110  EXPECT_EQ(state_.unverifiedCertChain()->at(1), mockIntermediate_);
2111  EXPECT_EQ(state_.serverCertCompAlgo(), CertificateCompressionAlgorithm::zlib);
2112  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificateVerify);
2113 }
2114 
2115 TEST_F(ClientProtocolTest, TestCompressedCertificate) {
2116  setupExpectingCertificate();
2117  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2118  decompressor->setDefaults();
2119  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2120  decompressionMgr->setDecompressors(
2121  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2122  context_->setCertDecompressionManager(std::move(decompressionMgr));
2123  EXPECT_CALL(*decompressor, decompress(_))
2124  .WillOnce(Invoke([](const CompressedCertificate& cc) {
2125  auto certificate = TestMessages::certificate();
2126  CertificateEntry entry;
2127  entry.cert_data = folly::IOBuf::copyBuffer("cert");
2128  certificate.certificate_list.push_back(std::move(entry));
2129  return certificate;
2130  }));
2131 
2132  auto compressedCert = TestMessages::compressedCertificate();
2133  auto actions = detail::processEvent(state_, std::move(compressedCert));
2134  expectActions<MutateState>(actions);
2135  processStateMutations(actions);
2136  EXPECT_EQ(state_.unverifiedCertChain()->size(), 1);
2137  EXPECT_EQ(state_.serverCertCompAlgo(), CertificateCompressionAlgorithm::zlib);
2138  EXPECT_EQ(state_.state(), StateEnum::ExpectingCertificateVerify);
2139 }
2140 
2141 TEST_F(ClientProtocolTest, TestCompressedCertificateUnknownAlgo) {
2142  setupExpectingCertificate();
2143  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2144  decompressor->setDefaults();
2145  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2146  decompressionMgr->setDecompressors(
2147  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2148  context_->setCertDecompressionManager(std::move(decompressionMgr));
2149 
2150  auto compressedCert = TestMessages::compressedCertificate();
2151  compressedCert.algorithm = static_cast<CertificateCompressionAlgorithm>(0xff);
2152  auto actions = detail::processEvent(state_, std::move(compressedCert));
2153  expectError<FizzException>(
2154  actions, AlertDescription::bad_certificate, "unsupported algorithm");
2155 }
2156 
2157 TEST_F(ClientProtocolTest, TestCompressedCertificateDecompressionFailed) {
2158  setupExpectingCertificate();
2159  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2160  decompressor->setDefaults();
2161  EXPECT_CALL(*decompressor, decompress(_))
2162  .WillOnce(Invoke([](const CompressedCertificate& cc) -> CertificateMsg {
2163  throw std::runtime_error("foo");
2164  }));
2165  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2166  decompressionMgr->setDecompressors(
2167  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2168  context_->setCertDecompressionManager(std::move(decompressionMgr));
2169  auto compressedCert = TestMessages::compressedCertificate();
2170  auto actions = detail::processEvent(state_, std::move(compressedCert));
2171  expectError<FizzException>(
2172  actions, AlertDescription::bad_certificate, "decompression failed: foo");
2173 }
2174 
2175 TEST_F(ClientProtocolTest, TestCompressedCertificateWithRequestContext) {
2176  setupExpectingCertificate();
2177  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2178  decompressor->setDefaults();
2179  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2180  decompressionMgr->setDecompressors(
2181  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2182  context_->setCertDecompressionManager(std::move(decompressionMgr));
2183  EXPECT_CALL(*decompressor, decompress(_))
2184  .WillOnce(Invoke([](const CompressedCertificate& cc) {
2185  auto certificate = TestMessages::certificate();
2186  certificate.certificate_request_context =
2187  IOBuf::copyBuffer("something");
2188  CertificateEntry entry;
2189  entry.cert_data = folly::IOBuf::copyBuffer("cert");
2190  certificate.certificate_list.push_back(std::move(entry));
2191  return certificate;
2192  }));
2193 
2194  auto compressedCert = TestMessages::compressedCertificate();
2195  auto actions = detail::processEvent(state_, std::move(compressedCert));
2196  expectError<FizzException>(
2197  actions, AlertDescription::illegal_parameter, "context must be empty");
2198 }
2199 
2200 TEST_F(ClientProtocolTest, TestCompressedCertificateEmpty) {
2201  setupExpectingCertificate();
2202  auto decompressor = std::make_shared<MockCertificateDecompressor>();
2203  decompressor->setDefaults();
2204  EXPECT_CALL(*decompressor, decompress(_))
2205  .WillOnce(Invoke([](const CompressedCertificate& cc) {
2206  return TestMessages::certificate();
2207  }));
2208  auto decompressionMgr = std::make_shared<CertDecompressionManager>();
2209  decompressionMgr->setDecompressors(
2210  {std::static_pointer_cast<CertificateDecompressor>(decompressor)});
2211  context_->setCertDecompressionManager(std::move(decompressionMgr));
2212  auto compressedCert = TestMessages::compressedCertificate();
2213  auto actions = detail::processEvent(state_, std::move(compressedCert));
2214  expectError<FizzException>(
2215  actions, AlertDescription::illegal_parameter, "no cert");
2216 }
2217 
2218 TEST_F(ClientProtocolTest, TestUnexpectedCompressedCertificate) {
2219  setupExpectingCertificate();
2220  auto compressedCert = TestMessages::compressedCertificate();
2221  auto actions = detail::processEvent(state_, std::move(compressedCert));
2222  expectError<FizzException>(
2223  actions, AlertDescription::unexpected_message, "received unexpectedly");
2224 }
2225 
2226 TEST_F(ClientProtocolTest, TestCertificateVerifyFlow) {
2227  setupExpectingCertificateVerify();
2228  Sequence contextSeq;
2229  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2230  .InSequence(contextSeq)
2231  .WillRepeatedly(
2232  Invoke([]() { return IOBuf::copyBuffer("certcontext"); }));
2233  EXPECT_CALL(
2234  *mockHandshakeContext_,
2235  appendToTranscript(BufMatches("certverifyencoding")))
2236  .InSequence(contextSeq);
2237  EXPECT_CALL(
2238  *mockLeaf_,
2239  verify(
2240  SignatureScheme::ecdsa_secp256r1_sha256,
2241  CertificateVerifyContext::Server,
2242  RangeMatches("certcontext"),
2243  RangeMatches("signature")));
2244  EXPECT_CALL(*verifier_, verify(_))
2245  .WillOnce(Invoke(
2246  [this](const std::vector<std::shared_ptr<const PeerCert>>& certs) {
2247  EXPECT_EQ(certs.size(), 2);
2248  EXPECT_EQ(certs[0], mockLeaf_);
2249  EXPECT_EQ(certs[1], mockIntermediate_);
2250  }));
2251 
2252  auto actions =
2253  detail::processEvent(state_, TestMessages::certificateVerify());
2254  expectActions<MutateState>(actions);
2255  processStateMutations(actions);
2256  EXPECT_EQ(state_.sigScheme(), SignatureScheme::ecdsa_secp256r1_sha256);
2257  EXPECT_EQ(state_.serverCert(), mockLeaf_);
2258  EXPECT_FALSE(state_.unverifiedCertChain().hasValue());
2259  EXPECT_EQ(state_.state(), StateEnum::ExpectingFinished);
2260 }
2261 
2262 TEST_F(ClientProtocolTest, TestCertificateVerify) {
2263  setupExpectingCertificateVerify();
2264  auto actions =
2265  detail::processEvent(state_, TestMessages::certificateVerify());
2266  expectActions<MutateState>(actions);
2267  processStateMutations(actions);
2268  EXPECT_EQ(state_.state(), StateEnum::ExpectingFinished);
2269 }
2270 
2271 TEST_F(ClientProtocolTest, TestCertificateVerifyNoVerifier) {
2272  setupExpectingCertificateVerify();
2273  state_.verifier() = nullptr;
2274  auto actions =
2275  detail::processEvent(state_, TestMessages::certificateVerify());
2276  expectActions<MutateState>(actions);
2277  processStateMutations(actions);
2278  EXPECT_EQ(state_.state(), StateEnum::ExpectingFinished);
2279 }
2280 
2281 TEST_F(ClientProtocolTest, TestCertificateVerifyUnsupportedAlgorithm) {
2282  context_->setSupportedSigSchemes({SignatureScheme::rsa_pss_sha256});
2283  setupExpectingCertificateVerify();
2284  auto actions =
2285  detail::processEvent(state_, TestMessages::certificateVerify());
2286  expectError<FizzException>(
2287  actions, AlertDescription::illegal_parameter, "unsupported sig scheme");
2288 }
2289 
2290 TEST_F(ClientProtocolTest, TestCertificateVerifyFailure) {
2291  setupExpectingCertificateVerify();
2292  EXPECT_CALL(
2293  *mockLeaf_,
2294  verify(
2295  SignatureScheme::ecdsa_secp256r1_sha256,
2296  CertificateVerifyContext::Server,
2297  RangeMatches("context"),
2298  RangeMatches("signature")))
2299  .WillOnce(Throw(
2300  FizzException("verify failed", AlertDescription::bad_record_mac)));
2301  auto actions =
2302  detail::processEvent(state_, TestMessages::certificateVerify());
2303  expectError<FizzException>(
2304  actions, AlertDescription::bad_record_mac, "verify failed");
2305 }
2306 
2307 TEST_F(ClientProtocolTest, TestCertificateVerifyVerifierFailure) {
2308  setupExpectingCertificateVerify();
2309  EXPECT_CALL(*verifier_, verify(_))
2310  .WillOnce(Throw(FizzVerificationException(
2311  "verify failed", AlertDescription::bad_record_mac)));
2312  auto actions =
2313  detail::processEvent(state_, TestMessages::certificateVerify());
2314  expectError<FizzVerificationException>(
2315  actions, AlertDescription::bad_record_mac, "verify failed");
2316 }
2317 
2318 TEST_F(ClientProtocolTest, TestCertificateVerifyVerifierFailureOtherException) {
2319  setupExpectingCertificateVerify();
2320  EXPECT_CALL(*verifier_, verify(_))
2321  .WillOnce(Throw(std::runtime_error("no good")));
2322  auto actions =
2323  detail::processEvent(state_, TestMessages::certificateVerify());
2324  expectError<FizzException>(
2325  actions, AlertDescription::bad_certificate, "verifier failure: no good");
2326 }
2327 
2328 TEST_F(ClientProtocolTest, TestCertificateRequestNoCert) {
2329  setupExpectingCertificate();
2330  auto certificateRequest = TestMessages::certificateRequest();
2331  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2332  expectActions<MutateState>(actions);
2333  processStateMutations(actions);
2334  EXPECT_EQ(state_.clientAuthRequested(), ClientAuthType::RequestedNoMatch);
2335  EXPECT_EQ(state_.selectedClientCert(), nullptr);
2336  EXPECT_EQ(state_.clientAuthSigScheme(), folly::none);
2337 }
2338 
2339 TEST_F(ClientProtocolTest, TestCertificateRequestDuplicated) {
2340  setupExpectingCertificate();
2341  auto certificateRequest = TestMessages::certificateRequest();
2342  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2343  expectActions<MutateState>(actions);
2344  processStateMutations(actions);
2345  certificateRequest = TestMessages::certificateRequest();
2346  actions = detail::processEvent(state_, std::move(certificateRequest));
2347  expectError<FizzException>(
2348  actions,
2349  AlertDescription::unexpected_message,
2350  "duplicate certificate request message");
2351 }
2352 
2353 TEST_F(ClientProtocolTest, TestCertificateRequestAlgosMismatch) {
2354  setupExpectingCertificateRequest();
2355  auto certificateRequest = TestMessages::certificateRequest();
2356 
2357  SignatureAlgorithms sigAlgs;
2358  sigAlgs.supported_signature_algorithms = {
2359  SignatureScheme::ecdsa_secp256r1_sha256};
2360  certificateRequest.extensions.clear();
2361  certificateRequest.extensions.emplace_back(
2362  encodeExtension(std::move(sigAlgs)));
2363 
2364  EXPECT_CALL(*mockClientCert_, getSigSchemes())
2365  .WillOnce(Return(
2366  std::vector<SignatureScheme>(1, SignatureScheme::rsa_pss_sha256)));
2367 
2368  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2369  expectActions<MutateState>(actions);
2370  processStateMutations(actions);
2371  EXPECT_EQ(state_.clientAuthRequested(), ClientAuthType::RequestedNoMatch);
2372  EXPECT_EQ(state_.selectedClientCert(), nullptr);
2373  EXPECT_EQ(state_.clientAuthSigScheme(), folly::none);
2374 }
2375 
2376 TEST_F(ClientProtocolTest, TestCertificateRequestContextAlgosUnsupported) {
2377  setupExpectingCertificateRequest();
2378  context_->setSupportedSigSchemes({SignatureScheme::rsa_pss_sha512});
2379  auto certificateRequest = TestMessages::certificateRequest();
2380 
2381  SignatureAlgorithms sigAlgs;
2382  sigAlgs.supported_signature_algorithms = {
2383  SignatureScheme::ecdsa_secp256r1_sha256, SignatureScheme::rsa_pss_sha256};
2384  certificateRequest.extensions.clear();
2385  certificateRequest.extensions.emplace_back(
2386  encodeExtension(std::move(sigAlgs)));
2387 
2388  EXPECT_CALL(*mockClientCert_, getSigSchemes())
2389  .WillOnce(Return(
2390  std::vector<SignatureScheme>(1, SignatureScheme::rsa_pss_sha256)));
2391 
2392  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2393  expectActions<MutateState>(actions);
2394  processStateMutations(actions);
2395  EXPECT_EQ(state_.clientAuthRequested(), ClientAuthType::RequestedNoMatch);
2396  EXPECT_EQ(state_.selectedClientCert(), nullptr);
2397  EXPECT_EQ(state_.clientAuthSigScheme(), folly::none);
2398 }
2399 
2400 TEST_F(ClientProtocolTest, TestCertificateRequestPrefersContextOrder) {
2401  setupExpectingCertificateRequest();
2402  context_->setSupportedSigSchemes({SignatureScheme::rsa_pss_sha512,
2403  SignatureScheme::ecdsa_secp521r1_sha512,
2404  SignatureScheme::ed25519});
2405  auto certificateRequest = TestMessages::certificateRequest();
2406  SignatureAlgorithms requestAlgos;
2407  requestAlgos.supported_signature_algorithms = {
2408  SignatureScheme::ecdsa_secp521r1_sha512,
2409  SignatureScheme::ed25519,
2410  SignatureScheme::rsa_pss_sha512};
2411  certificateRequest.extensions.clear();
2412  certificateRequest.extensions.emplace_back(
2413  encodeExtension(std::move(requestAlgos)));
2414 
2415  EXPECT_CALL(*mockClientCert_, getSigSchemes())
2416  .WillOnce(Return(
2417  std::vector<SignatureScheme>({SignatureScheme::ed25519,
2418  SignatureScheme::ecdsa_secp521r1_sha512,
2419  SignatureScheme::rsa_pss_sha512})));
2420 
2421  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2422  expectActions<MutateState>(actions);
2423  processStateMutations(actions);
2424  EXPECT_EQ(state_.clientAuthRequested(), ClientAuthType::Sent);
2425  EXPECT_EQ(state_.selectedClientCert(), mockClientCert_);
2426  EXPECT_EQ(state_.clientAuthSigScheme(), SignatureScheme::rsa_pss_sha512);
2427 }
2428 
2429 TEST_F(ClientProtocolTest, TestCertificateRequestMatch) {
2430  setupExpectingCertificateRequest();
2431  auto certificateRequest = TestMessages::certificateRequest();
2432 
2433  EXPECT_CALL(*mockClientCert_, getSigSchemes())
2434  .WillOnce(Return(
2435  std::vector<SignatureScheme>(1, SignatureScheme::rsa_pss_sha256)));
2436 
2437  auto actions = detail::processEvent(state_, std::move(certificateRequest));
2438  expectActions<MutateState>(actions);
2439  processStateMutations(actions);
2440  EXPECT_EQ(state_.clientAuthRequested(), ClientAuthType::Sent);
2441  EXPECT_EQ(state_.selectedClientCert(), mockClientCert_);
2442  EXPECT_EQ(state_.clientAuthSigScheme(), SignatureScheme::rsa_pss_sha256);
2443 }
2444 
2445 TEST_F(ClientProtocolTest, TestFinishedFlow) {
2446  setupExpectingFinished();
2447  doFinishedFlow(ClientAuthType::NotRequested);
2448 }
2449 
2450 TEST_F(ClientProtocolTest, TestFinishedCertNoMatchFlow) {
2451  setupExpectingFinished();
2452  state_.clientAuthRequested() = ClientAuthType::RequestedNoMatch;
2453  doFinishedFlow(ClientAuthType::RequestedNoMatch);
2454  EXPECT_EQ(state_.clientCert(), nullptr);
2455 }
2456 
2457 TEST_F(ClientProtocolTest, TestFinishedCertSentFlow) {
2458  setupExpectingFinished();
2459  state_.clientAuthRequested() = ClientAuthType::Sent;
2460  state_.clientAuthSigScheme() = SignatureScheme::ecdsa_secp256r1_sha256;
2461  state_.selectedClientCert() = mockClientCert_;
2462  doFinishedFlow(ClientAuthType::Sent);
2463  EXPECT_EQ(state_.clientCert(), mockClientCert_);
2464 }
2465 
2466 TEST_F(ClientProtocolTest, TestFinishedEarlyFlow) {
2467  setupExpectingFinished();
2468  state_.earlyDataType() = EarlyDataType::Accepted;
2469  setMockEarlyRecord();
2470 
2471  Sequence contextSeq;
2472  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("sht")))
2473  .InSequence(contextSeq)
2474  .WillOnce(
2475  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("verifydata"); }));
2476  EXPECT_CALL(
2477  *mockHandshakeContext_,
2478  appendToTranscript(BufMatches("finishedencoding")))
2479  .InSequence(contextSeq);
2480  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2481  .InSequence(contextSeq)
2482  .WillRepeatedly(
2483  Invoke([]() { return IOBuf::copyBuffer("sfincontext"); }));
2484  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
2485  .InSequence(contextSeq);
2486  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2487  .InSequence(contextSeq)
2488  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("sfin_eoed"); }));
2489  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("cht")))
2490  .InSequence(contextSeq)
2491  .WillRepeatedly(
2492  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("verifydata"); }));
2493  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
2494  .InSequence(contextSeq);
2495  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2496  .InSequence(contextSeq)
2497  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("fincontext"); }));
2498  EXPECT_CALL(*mockHandshakeWrite_, _write(_))
2499  .WillOnce(Invoke([&](TLSMessage& msg) {
2500  TLSContent content;
2501  content.contentType = msg.type;
2502  content.encryptionLevel = mockHandshakeWrite_->getEncryptionLevel();
2503  EXPECT_EQ(msg.type, ContentType::handshake);
2504  EXPECT_TRUE(IOBufEqualTo()(
2505  msg.fragment, encodeHandshake(TestMessages::finished())));
2506  content.data = folly::IOBuf::copyBuffer("finwrite");
2507  return content;
2508  }));
2509  EXPECT_CALL(*mockEarlyWrite_, _write(_))
2510  .WillOnce(Invoke([&](TLSMessage& msg) {
2511  TLSContent content;
2512  content.contentType = msg.type;
2513  content.encryptionLevel = mockEarlyWrite_->getEncryptionLevel();
2514  EXPECT_EQ(msg.type, ContentType::handshake);
2515  EXPECT_TRUE(
2516  IOBufEqualTo()(msg.fragment, encodeHandshake(EndOfEarlyData())));
2517  content.data = folly::IOBuf::copyBuffer("eoed");
2518  return content;
2519  }));
2520  EXPECT_CALL(*mockKeyScheduler_, deriveMasterSecret());
2521  EXPECT_CALL(
2522  *mockKeyScheduler_,
2523  getSecret(MasterSecrets::ExporterMaster, RangeMatches("sfincontext")));
2524  EXPECT_CALL(
2525  *mockKeyScheduler_,
2526  getSecret(MasterSecrets::ResumptionMaster, RangeMatches("fincontext")))
2527  .WillOnce(InvokeWithoutArgs([]() {
2528  return std::vector<uint8_t>({'r', 'e', 's'});
2529  }));
2530  EXPECT_CALL(
2531  *mockKeyScheduler_, deriveAppTrafficSecrets(RangeMatches("sfincontext")));
2532  EXPECT_CALL(
2533  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ServerAppTraffic))
2534  .WillOnce(InvokeWithoutArgs([]() {
2535  return std::vector<uint8_t>({'s', 'a', 't'});
2536  }));
2537  EXPECT_CALL(
2538  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ClientAppTraffic))
2539  .WillOnce(InvokeWithoutArgs([]() {
2540  return std::vector<uint8_t>({'c', 'a', 't'});
2541  }));
2542  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sat"), _, _))
2543  .WillOnce(InvokeWithoutArgs([]() {
2544  return TrafficKey{IOBuf::copyBuffer("serverkey"),
2545  IOBuf::copyBuffer("serveriv")};
2546  }));
2547  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cat"), _, _))
2548  .WillOnce(InvokeWithoutArgs([]() {
2549  return TrafficKey{IOBuf::copyBuffer("clientkey"),
2550  IOBuf::copyBuffer("clientiv")};
2551  }));
2552  MockAead* raead;
2553  MockAead* waead;
2554  MockEncryptedReadRecordLayer* rrl;
2555  MockEncryptedWriteRecordLayer* wrl;
2556  expectAeadCreation(&waead, &raead);
2557  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sat"));
2558  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cat"));
2559  EXPECT_CALL(*mockKeyScheduler_, clearMasterSecret());
2560 
2561  auto actions = detail::processEvent(state_, TestMessages::finished());
2562  expectActions<MutateState, ReportHandshakeSuccess, WriteToSocket>(actions);
2563  auto write = expectAction<WriteToSocket>(actions);
2564  EXPECT_EQ(write.contents.size(), 2);
2565  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::EarlyData);
2566  EXPECT_EQ(write.contents[0].contentType, ContentType::handshake);
2567  EXPECT_TRUE(
2568  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("eoed")));
2569 
2570  EXPECT_EQ(write.contents[1].encryptionLevel, EncryptionLevel::Handshake);
2571  EXPECT_EQ(write.contents[1].contentType, ContentType::handshake);
2572  EXPECT_TRUE(
2573  IOBufEqualTo()(write.contents[1].data, IOBuf::copyBuffer("finwrite")));
2574  auto reportSuccess = expectAction<ReportHandshakeSuccess>(actions);
2575  EXPECT_EQ(reportSuccess.earlyDataAccepted, true);
2576  processStateMutations(actions);
2577  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
2578  EXPECT_EQ(
2579  state_.readRecordLayer()->getEncryptionLevel(),
2580  EncryptionLevel::AppTraffic);
2581  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
2582  EXPECT_EQ(
2583  state_.writeRecordLayer()->getEncryptionLevel(),
2584  EncryptionLevel::AppTraffic);
2585  EXPECT_EQ(state_.earlyWriteRecordLayer().get(), nullptr);
2586  EXPECT_EQ(state_.state(), StateEnum::Established);
2587  EXPECT_TRUE(
2588  IOBufEqualTo()(*state_.resumptionSecret(), IOBuf::copyBuffer("res")));
2589 }
2590 
2591 void ClientProtocolTest::doFinishedFlow(ClientAuthType authType) {
2592  Sequence contextSeq;
2593  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("sht")))
2594  .InSequence(contextSeq)
2595  .WillOnce(
2596  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("verifydata"); }));
2597  EXPECT_CALL(
2598  *mockHandshakeContext_,
2599  appendToTranscript(BufMatches("finishedencoding")))
2600  .InSequence(contextSeq);
2601  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2602  .InSequence(contextSeq)
2603  .WillRepeatedly(
2604  Invoke([]() { return IOBuf::copyBuffer("sfincontext"); }));
2605  if (authType != ClientAuthType::NotRequested) {
2606  if (authType == ClientAuthType::Sent) {
2607  EXPECT_CALL(*mockClientCert_, _getCertMessage(_))
2608  .InSequence(contextSeq)
2609  .WillOnce(
2610  InvokeWithoutArgs([]() { return TestMessages::certificate(); }));
2611  }
2612  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
2613  .InSequence(contextSeq)
2614  .WillOnce(Invoke([authType](const Buf& enc) {
2615  if (authType == ClientAuthType::Sent) {
2616  EXPECT_TRUE(IOBufEqualTo()(
2617  enc, encodeHandshake(TestMessages::certificate())));
2618  } else {
2619  EXPECT_TRUE(IOBufEqualTo()(enc, encodeHandshake(CertificateMsg())));
2620  }
2621  }));
2622  if (authType == ClientAuthType::Sent) {
2623  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2624  .InSequence(contextSeq)
2625  .WillRepeatedly(
2626  Invoke([]() { return IOBuf::copyBuffer("csentcontext"); }));
2627  EXPECT_CALL(
2628  *mockClientCert_,
2629  sign(
2630  SignatureScheme::ecdsa_secp256r1_sha256,
2631  CertificateVerifyContext::Client,
2632  RangeMatches("csentcontext")))
2633  .InSequence(contextSeq)
2634  .WillOnce(InvokeWithoutArgs(
2635  []() { return IOBuf::copyBuffer("signature"); }));
2636  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
2637  .InSequence(contextSeq)
2638  .WillOnce(Invoke([](const Buf& enc) {
2639  EXPECT_TRUE(IOBufEqualTo()(
2640  enc, encodeHandshake(TestMessages::certificateVerify())));
2641  }));
2642  }
2643  }
2644  EXPECT_CALL(*mockHandshakeContext_, getFinishedData(RangeMatches("cht")))
2645  .InSequence(contextSeq)
2646  .WillRepeatedly(
2647  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("verifydata"); }));
2648  EXPECT_CALL(*mockHandshakeContext_, appendToTranscript(_))
2649  .InSequence(contextSeq);
2650  EXPECT_CALL(*mockHandshakeContext_, getHandshakeContext())
2651  .InSequence(contextSeq)
2652  .WillRepeatedly(Invoke([]() { return IOBuf::copyBuffer("fincontext"); }));
2653  EXPECT_CALL(*mockHandshakeWrite_, _write(_))
2654  .WillOnce(Invoke([&](TLSMessage& msg) {
2655  TLSContent content;
2656  content.contentType = msg.type;
2657  content.encryptionLevel = mockHandshakeWrite_->getEncryptionLevel();
2658  EXPECT_EQ(msg.type, ContentType::handshake);
2659 
2660  switch (authType) {
2661  case ClientAuthType::NotRequested:
2662  case ClientAuthType::Stored:
2663  EXPECT_TRUE(IOBufEqualTo()(
2664  msg.fragment, encodeHandshake(TestMessages::finished())));
2665  break;
2666  case ClientAuthType::RequestedNoMatch: {
2667  auto expectedMessages = encodeHandshake(CertificateMsg());
2668  expectedMessages->prependChain(
2669  encodeHandshake(TestMessages::finished()));
2670  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, expectedMessages));
2671  break;
2672  }
2673  case ClientAuthType::Sent: {
2674  auto expectedMessages =
2675  encodeHandshake(TestMessages::certificate());
2676  expectedMessages->prependChain(
2677  encodeHandshake(TestMessages::certificateVerify()));
2678  expectedMessages->prependChain(
2679  encodeHandshake(TestMessages::finished()));
2680  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, expectedMessages));
2681  break;
2682  }
2683  }
2684  content.data = folly::IOBuf::copyBuffer("finwrite");
2685  return content;
2686  }));
2687  EXPECT_CALL(*mockKeyScheduler_, deriveMasterSecret());
2688  EXPECT_CALL(
2689  *mockKeyScheduler_,
2690  getSecret(MasterSecrets::ExporterMaster, RangeMatches("sfincontext")));
2691  EXPECT_CALL(
2692  *mockKeyScheduler_,
2693  getSecret(MasterSecrets::ResumptionMaster, RangeMatches("fincontext")))
2694  .WillOnce(InvokeWithoutArgs([]() {
2695  return std::vector<uint8_t>({'r', 'e', 's'});
2696  }));
2697  EXPECT_CALL(
2698  *mockKeyScheduler_, deriveAppTrafficSecrets(RangeMatches("sfincontext")));
2699  EXPECT_CALL(
2700  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ServerAppTraffic))
2701  .WillOnce(InvokeWithoutArgs([]() {
2702  return std::vector<uint8_t>({'s', 'a', 't'});
2703  }));
2704  EXPECT_CALL(
2705  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ClientAppTraffic))
2706  .WillOnce(InvokeWithoutArgs([]() {
2707  return std::vector<uint8_t>({'c', 'a', 't'});
2708  }));
2709  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sat"), _, _))
2710  .WillOnce(InvokeWithoutArgs([]() {
2711  return TrafficKey{IOBuf::copyBuffer("serverkey"),
2712  IOBuf::copyBuffer("serveriv")};
2713  }));
2714  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cat"), _, _))
2715  .WillOnce(InvokeWithoutArgs([]() {
2716  return TrafficKey{IOBuf::copyBuffer("clientkey"),
2717  IOBuf::copyBuffer("clientiv")};
2718  }));
2719  MockAead* raead;
2720  MockAead* waead;
2721  MockEncryptedReadRecordLayer* rrl;
2722  MockEncryptedWriteRecordLayer* wrl;
2723  expectAeadCreation(&waead, &raead);
2724  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sat"));
2725  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cat"));
2726  EXPECT_CALL(*mockKeyScheduler_, clearMasterSecret());
2727 
2728  auto actions = detail::processEvent(state_, TestMessages::finished());
2729  expectActions<MutateState, ReportHandshakeSuccess, WriteToSocket>(actions);
2730  auto write = expectAction<WriteToSocket>(actions);
2731  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Handshake);
2732  EXPECT_EQ(write.contents[0].contentType, ContentType::handshake);
2733  EXPECT_TRUE(
2734  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("finwrite")));
2735  auto reportSuccess = expectAction<ReportHandshakeSuccess>(actions);
2736  EXPECT_EQ(reportSuccess.earlyDataAccepted, false);
2737  processStateMutations(actions);
2738  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
2739  EXPECT_EQ(
2740  state_.readRecordLayer()->getEncryptionLevel(),
2741  EncryptionLevel::AppTraffic);
2742  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
2743  EXPECT_EQ(
2744  state_.writeRecordLayer()->getEncryptionLevel(),
2745  EncryptionLevel::AppTraffic);
2746  EXPECT_EQ(state_.state(), StateEnum::Established);
2747  EXPECT_TRUE(
2748  IOBufEqualTo()(*state_.resumptionSecret(), IOBuf::copyBuffer("res")));
2749  EXPECT_FALSE(state_.sentCCS());
2750 }
2751 
2752 TEST_F(ClientProtocolTest, TestFinished) {
2753  setupExpectingFinished();
2754  auto actions = detail::processEvent(state_, TestMessages::finished());
2755  expectActions<MutateState, ReportHandshakeSuccess, WriteToSocket>(actions);
2756  processStateMutations(actions);
2757  EXPECT_EQ(state_.state(), StateEnum::Established);
2758 }
2759 
2760 TEST_F(ClientProtocolTest, TestFinishedExtraData) {
2761  setupExpectingFinished();
2762  EXPECT_CALL(*mockHandshakeRead_, hasUnparsedHandshakeData())
2763  .WillRepeatedly(Return(true));
2764  auto actions = detail::processEvent(state_, TestMessages::finished());
2765  expectError<FizzException>(
2766  actions, AlertDescription::unexpected_message, "data after finished");
2767 }
2768 
2769 TEST_F(ClientProtocolTest, TestFinishedMismatch) {
2770  setupExpectingFinished();
2771  auto finished = TestMessages::finished();
2772  finished.verify_data = IOBuf::copyBuffer("ver1fydata");
2773  auto actions = detail::processEvent(state_, std::move(finished));
2774  expectError<FizzException>(
2775  actions, AlertDescription::bad_record_mac, "finished verify failure");
2776 }
2777 
2778 TEST_F(ClientProtocolTest, TestFinishedRejectedEarly) {
2779  setupExpectingFinished();
2780  state_.earlyDataType() = EarlyDataType::Rejected;
2781  auto actions = detail::processEvent(state_, TestMessages::finished());
2782  expectActions<MutateState, ReportHandshakeSuccess, WriteToSocket>(actions);
2783  auto reportSuccess = expectAction<ReportHandshakeSuccess>(actions);
2784  EXPECT_EQ(reportSuccess.earlyDataAccepted, false);
2785  processStateMutations(actions);
2786  EXPECT_EQ(state_.state(), StateEnum::Established);
2787 }
2788 
2789 TEST_F(ClientProtocolTest, TestFinishedCompat) {
2790  context_->setCompatibilityMode(true);
2791  setupExpectingFinished();
2792  auto actions = detail::processEvent(state_, TestMessages::finished());
2793  expectActions<MutateState, ReportHandshakeSuccess, WriteToSocket>(actions);
2794  auto write = expectAction<WriteToSocket>(actions);
2795  EXPECT_EQ(write.contents.size(), 2);
2796  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Plaintext);
2797  EXPECT_EQ(write.contents[0].contentType, ContentType::change_cipher_spec);
2798  EXPECT_EQ(write.contents[1].encryptionLevel, EncryptionLevel::Handshake);
2799  EXPECT_EQ(write.contents[1].contentType, ContentType::handshake);
2800  processStateMutations(actions);
2801  EXPECT_EQ(state_.state(), StateEnum::Established);
2802  EXPECT_TRUE(state_.sentCCS());
2803 }
2804 
2805 TEST_F(ClientProtocolTest, TestNewSessionTicket) {
2806  setupAcceptingData();
2807 
2808  EXPECT_CALL(
2809  *mockKeyScheduler_,
2810  getResumptionSecret(RangeMatches("resumptionsecret"), RangeMatches("")))
2811  .WillOnce(InvokeWithoutArgs(
2812  []() { return IOBuf::copyBuffer("derivedsecret"); }));
2813  state_.clientCert() = mockClientCert_;
2814 
2815  auto actions = detail::processEvent(state_, TestMessages::newSessionTicket());
2816  auto newCachedPsk = expectSingleAction<NewCachedPsk>(std::move(actions));
2817  auto psk = newCachedPsk.psk;
2818  EXPECT_EQ(psk.psk, "ticket");
2819  EXPECT_EQ(psk.secret, "derivedsecret");
2820  EXPECT_EQ(psk.type, PskType::Resumption);
2821  EXPECT_EQ(psk.version, ProtocolVersion::tls_1_3);
2822  EXPECT_EQ(psk.cipher, CipherSuite::TLS_AES_128_GCM_SHA256);
2823  EXPECT_EQ(psk.group, NamedGroup::x25519);
2824  EXPECT_EQ(psk.serverCert, mockLeaf_);
2825  EXPECT_EQ(psk.clientCert, mockClientCert_);
2826  EXPECT_EQ(psk.maxEarlyDataSize, 0);
2827  EXPECT_EQ(psk.ticketAgeAdd, 0x44444444);
2828 }
2829 
2830 TEST_F(ClientProtocolTest, TestNewSessionTicketNonce) {
2831  setupAcceptingData();
2832 
2833  EXPECT_CALL(
2834  *mockKeyScheduler_,
2835  getResumptionSecret(
2836  RangeMatches("resumptionsecret"), RangeMatches("nonce")))
2837  .WillOnce(InvokeWithoutArgs(
2838  []() { return IOBuf::copyBuffer("derivedsecret"); }));
2839 
2840  auto nst = TestMessages::newSessionTicket();
2841  nst.ticket_nonce = IOBuf::copyBuffer("nonce");
2842  auto actions = detail::processEvent(state_, std::move(nst));
2843  expectSingleAction<NewCachedPsk>(std::move(actions));
2844 }
2845 
2846 TEST_F(ClientProtocolTest, TestNewSessionTicketEarlyData) {
2847  setupAcceptingData();
2848 
2849  EXPECT_CALL(
2850  *mockKeyScheduler_,
2851  getResumptionSecret(RangeMatches("resumptionsecret"), RangeMatches("")))
2852  .WillOnce(InvokeWithoutArgs(
2853  []() { return IOBuf::copyBuffer("derivedsecret"); }));
2854 
2855  auto nst = TestMessages::newSessionTicket();
2856  TicketEarlyData early;
2857  early.max_early_data_size = 2000;
2858  nst.extensions.push_back(encodeExtension(std::move(early)));
2859  auto actions = detail::processEvent(state_, std::move(nst));
2860  auto newCachedPsk = expectSingleAction<NewCachedPsk>(std::move(actions));
2861  auto psk = newCachedPsk.psk;
2862  EXPECT_EQ(psk.psk, "ticket");
2863  EXPECT_EQ(psk.secret, "derivedsecret");
2864  EXPECT_EQ(psk.type, PskType::Resumption);
2865  EXPECT_EQ(psk.version, ProtocolVersion::tls_1_3);
2866  EXPECT_EQ(psk.cipher, CipherSuite::TLS_AES_128_GCM_SHA256);
2867  EXPECT_EQ(psk.group, NamedGroup::x25519);
2868  EXPECT_EQ(psk.serverCert, mockLeaf_);
2869  EXPECT_EQ(psk.maxEarlyDataSize, 2000);
2870  EXPECT_EQ(psk.ticketAgeAdd, 0x44444444);
2871 }
2872 
2873 TEST_F(ClientProtocolTest, TestAppData) {
2874  setupAcceptingData();
2875 
2876  auto actions = detail::processEvent(state_, TestMessages::appData());
2877 
2878  expectSingleAction<DeliverAppData>(std::move(actions));
2879 }
2880 
2881 TEST_F(ClientProtocolTest, TestAppWrite) {
2882  setupAcceptingData();
2883  EXPECT_CALL(*mockWrite_, _write(_)).WillOnce(Invoke([&](TLSMessage& msg) {
2884  TLSContent content;
2885  content.contentType = msg.type;
2886  content.encryptionLevel = mockWrite_->getEncryptionLevel();
2887  EXPECT_EQ(msg.type, ContentType::application_data);
2888  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, IOBuf::copyBuffer("appdata")));
2889  content.data = IOBuf::copyBuffer("writtenappdata");
2890  return content;
2891  }));
2892 
2893  auto actions = detail::processEvent(state_, TestMessages::appWrite());
2894  auto write = expectSingleAction<WriteToSocket>(std::move(actions));
2895  EXPECT_TRUE(IOBufEqualTo()(
2896  write.contents[0].data, IOBuf::copyBuffer("writtenappdata")));
2897  EXPECT_EQ(
2898  write.contents[0].encryptionLevel,
2899  state_.writeRecordLayer()->getEncryptionLevel());
2900  EXPECT_EQ(write.contents[0].contentType, ContentType::application_data);
2901 }
2902 
2903 TEST_F(ClientProtocolTest, TestKeyUpdateNotRequested) {
2904  setupAcceptingData();
2905  auto actions = detail::processEvent(state_, TestMessages::keyUpdate(false));
2906  expectActions<MutateState>(actions);
2907  EXPECT_EQ(getNumActions<WriteToSocket>(actions, false), 0);
2908 }
2909 
2910 TEST_F(ClientProtocolTest, TestKeyUpdateExtraData) {
2911  setupAcceptingData();
2912  EXPECT_CALL(*mockRead_, hasUnparsedHandshakeData())
2913  .WillRepeatedly(Return(true));
2914  auto actions = detail::processEvent(state_, TestMessages::keyUpdate(false));
2915  expectError<FizzException>(
2916  actions, AlertDescription::unexpected_message, "data after key_update");
2917 }
2918 
2919 TEST_F(ClientProtocolTest, TestKeyUpdateRequestFlow) {
2920  setupAcceptingData();
2921  EXPECT_CALL(*mockKeyScheduler_, serverKeyUpdate());
2922  EXPECT_CALL(*mockRead_, hasUnparsedHandshakeData()).WillOnce(Return(false));
2923 
2924  EXPECT_CALL(
2925  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ServerAppTraffic))
2926  .WillOnce(InvokeWithoutArgs([]() {
2927  return std::vector<uint8_t>({'s', 'a', 't'});
2928  }));
2929 
2930  EXPECT_CALL(*mockWrite_, _write(_)).WillOnce(Invoke([&](TLSMessage& msg) {
2931  TLSContent content;
2932  content.contentType = msg.type;
2933  content.encryptionLevel = mockWrite_->getEncryptionLevel();
2934  EXPECT_EQ(msg.type, ContentType::handshake);
2935  EXPECT_TRUE(IOBufEqualTo()(
2936  msg.fragment, encodeHandshake(TestMessages::keyUpdate(false))));
2937  content.data = folly::IOBuf::copyBuffer("keyupdated");
2938  return content;
2939  }));
2940 
2941  EXPECT_CALL(*mockKeyScheduler_, clientKeyUpdate());
2942  EXPECT_CALL(
2943  *mockKeyScheduler_, getSecret(AppTrafficSecrets::ClientAppTraffic))
2944  .WillOnce(InvokeWithoutArgs([]() {
2945  return std::vector<uint8_t>({'c', 'a', 't'});
2946  }));
2947 
2948  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("sat"), _, _))
2949  .WillOnce(InvokeWithoutArgs([]() {
2950  return TrafficKey{IOBuf::copyBuffer("serverkey"),
2951  IOBuf::copyBuffer("serveriv")};
2952  }));
2953  EXPECT_CALL(*mockKeyScheduler_, getTrafficKey(RangeMatches("cat"), _, _))
2954  .WillOnce(InvokeWithoutArgs([]() {
2955  return TrafficKey{IOBuf::copyBuffer("clientkey"),
2956  IOBuf::copyBuffer("clientiv")};
2957  }));
2958 
2959  MockAead* raead;
2960  MockAead* waead;
2961  MockEncryptedReadRecordLayer* rrl;
2962  MockEncryptedWriteRecordLayer* wrl;
2963 
2964  expectAeadCreation(&waead, &raead);
2965  expectEncryptedReadRecordLayerCreation(&rrl, &raead, StringPiece("sat"));
2966  expectEncryptedWriteRecordLayerCreation(&wrl, &waead, StringPiece("cat"));
2967 
2968  auto actions = detail::processEvent(state_, TestMessages::keyUpdate(true));
2969  expectActions<MutateState, WriteToSocket>(actions);
2970  auto write = expectAction<WriteToSocket>(actions);
2971  EXPECT_TRUE(
2972  IOBufEqualTo()(write.contents[0].data, IOBuf::copyBuffer("keyupdated")));
2973  EXPECT_EQ(
2974  write.contents[0].encryptionLevel,
2975  state_.writeRecordLayer()->getEncryptionLevel());
2976  EXPECT_EQ(write.contents[0].contentType, ContentType::handshake);
2977  processStateMutations(actions);
2978  EXPECT_EQ(state_.readRecordLayer().get(), rrl);
2979  EXPECT_EQ(
2980  state_.readRecordLayer()->getEncryptionLevel(),
2981  EncryptionLevel::AppTraffic);
2982  EXPECT_EQ(state_.writeRecordLayer().get(), wrl);
2983  EXPECT_EQ(
2984  state_.writeRecordLayer()->getEncryptionLevel(),
2985  EncryptionLevel::AppTraffic);
2986  EXPECT_EQ(state_.state(), StateEnum::Established);
2987 }
2988 
2989 TEST_F(ClientProtocolTest, TestInvalidEarlyWrite) {
2990  setupExpectingServerHello();
2991 
2992  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
2993  expectError<FizzException>(actions, folly::none, "invalid early write");
2994 }
2995 
2996 TEST_F(ClientProtocolTest, TestExpectingSHEarlyWrite) {
2997  setupExpectingServerHello();
2998  setMockEarlyRecord();
2999  state_.earlyDataType() = EarlyDataType::Attempted;
3000  EXPECT_CALL(*mockEarlyWrite_, _write(_))
3001  .WillOnce(Invoke([&](TLSMessage& msg) {
3002  TLSContent content;
3003  content.contentType = msg.type;
3004  content.encryptionLevel = mockEarlyWrite_->getEncryptionLevel();
3005  EXPECT_EQ(msg.type, ContentType::application_data);
3006  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, IOBuf::copyBuffer("appdata")));
3007  content.data = IOBuf::copyBuffer("writtenappdata");
3008  return content;
3009  }));
3010 
3011  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3012 
3013  auto write = expectSingleAction<WriteToSocket>(std::move(actions));
3014  EXPECT_TRUE(IOBufEqualTo()(
3015  write.contents[0].data, IOBuf::copyBuffer("writtenappdata")));
3016 }
3017 
3018 TEST_F(ClientProtocolTest, TestEarlyEncryptionLevelRecvSHLO) {
3019  setupExpectingServerHello();
3020  setMockEarlyRecord();
3021  state_.earlyDataType() = EarlyDataType::Attempted;
3022 
3023  auto actions = detail::processEvent(state_, TestMessages::serverHello());
3024  processStateMutations(actions);
3025  EXPECT_EQ(
3026  state_.writeRecordLayer()->getEncryptionLevel(),
3027  EncryptionLevel::Handshake);
3028  EXPECT_EQ(
3029  state_.earlyWriteRecordLayer()->getEncryptionLevel(),
3030  EncryptionLevel::EarlyData);
3031 }
3032 
3033 TEST_F(ClientProtocolTest, TestEarlyEncryptionLevelRecvFinished) {
3034  setupExpectingServerHello();
3035  setMockEarlyRecord();
3036  state_.earlyDataType() = EarlyDataType::Attempted;
3037 
3038  auto actions = detail::processEvent(state_, TestMessages::serverHello());
3039  processStateMutations(actions);
3040  EXPECT_EQ(
3041  state_.writeRecordLayer()->getEncryptionLevel(),
3042  EncryptionLevel::Handshake);
3043  EXPECT_EQ(
3044  state_.earlyWriteRecordLayer()->getEncryptionLevel(),
3045  EncryptionLevel::EarlyData);
3046 }
3047 
3048 TEST_F(ClientProtocolTest, TestEarlyWriteCompat) {
3049  setupExpectingServerHello();
3050  setMockEarlyRecord();
3051  state_.earlyDataType() = EarlyDataType::Attempted;
3052  context_->setCompatibilityMode(true);
3053 
3054  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3055  expectActions<MutateState, WriteToSocket>(actions);
3056  auto write = expectAction<WriteToSocket>(actions);
3057  EXPECT_EQ(write.contents.size(), 2);
3058  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Plaintext);
3059  EXPECT_EQ(write.contents[0].contentType, ContentType::change_cipher_spec);
3060  EXPECT_EQ(write.contents[1].encryptionLevel, EncryptionLevel::EarlyData);
3061  EXPECT_EQ(write.contents[1].contentType, ContentType::application_data);
3062  processStateMutations(actions);
3063  EXPECT_TRUE(state_.sentCCS());
3064 }
3065 
3066 TEST_F(ClientProtocolTest, TestEarlyWriteCompatCCSAlreadySent) {
3067  setupExpectingServerHello();
3068  setMockEarlyRecord();
3069  state_.earlyDataType() = EarlyDataType::Attempted;
3070  state_.sentCCS() = true;
3071  context_->setCompatibilityMode(true);
3072 
3073  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3074 
3075  expectActions<WriteToSocket>(actions);
3076  EXPECT_TRUE(state_.sentCCS());
3077 }
3078 
3079 TEST_F(ClientProtocolTest, TestEarlyAcceptedCompatNoEarlyData) {
3080  setupExpectingFinished();
3081  setMockEarlyRecord();
3082  state_.earlyDataType() = EarlyDataType::Accepted;
3083  context_->setCompatibilityMode(true);
3084 
3085  auto actions = detail::processEvent(state_, TestMessages::finished());
3086 
3087  expectActions<MutateState, WriteToSocket, ReportHandshakeSuccess>(actions);
3088  auto write = expectAction<WriteToSocket>(actions);
3089  ASSERT_EQ(write.contents.size(), 3);
3090  EXPECT_EQ(write.contents[0].contentType, ContentType::change_cipher_spec);
3091  EXPECT_EQ(write.contents[0].encryptionLevel, EncryptionLevel::Plaintext);
3092 
3093  EXPECT_EQ(write.contents[1].contentType, ContentType::handshake);
3094  EXPECT_EQ(write.contents[1].encryptionLevel, EncryptionLevel::EarlyData);
3095 
3096  EXPECT_EQ(write.contents[2].contentType, ContentType::handshake);
3097  EXPECT_EQ(write.contents[2].encryptionLevel, EncryptionLevel::Handshake);
3098 
3099  processStateMutations(actions);
3100  EXPECT_TRUE(state_.sentCCS());
3101 }
3102 
3103 TEST_F(ClientProtocolTest, TestExpectingSHEarlyWriteRejected) {
3104  setupExpectingServerHello();
3105  state_.earlyDataType() = EarlyDataType::Rejected;
3106 
3107  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3108  auto failedWrite =
3109  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3110  EXPECT_TRUE(
3111  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3112 }
3113 
3114 TEST_F(ClientProtocolTest, TestExpectingEEEarlyWrite) {
3115  setupExpectingEncryptedExtensionsEarlySent();
3116  EXPECT_CALL(*mockEarlyWrite_, _write(_))
3117  .WillOnce(Invoke([&](TLSMessage& msg) {
3118  TLSContent content;
3119  content.contentType = msg.type;
3120  content.encryptionLevel = mockEarlyWrite_->getEncryptionLevel();
3121  EXPECT_EQ(msg.type, ContentType::application_data);
3122  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, IOBuf::copyBuffer("appdata")));
3123  content.data = IOBuf::copyBuffer("writtenappdata");
3124  return content;
3125  }));
3126 
3127  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3128 
3129  auto write = expectSingleAction<WriteToSocket>(std::move(actions));
3130  EXPECT_TRUE(IOBufEqualTo()(
3131  write.contents[0].data, IOBuf::copyBuffer("writtenappdata")));
3132 }
3133 
3134 TEST_F(ClientProtocolTest, TestExpectingEEEarlyWriteRejected) {
3135  setupExpectingEncryptedExtensionsEarlySent();
3136  state_.earlyDataType() = EarlyDataType::Rejected;
3137 
3138  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3139  auto failedWrite =
3140  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3141  EXPECT_TRUE(
3142  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3143 }
3144 
3145 TEST_F(ClientProtocolTest, TestExpectingCertEarlyWriteRejected) {
3146  setupExpectingEncryptedExtensionsEarlySent();
3147  state_.earlyDataType() = EarlyDataType::Rejected;
3148 
3149  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3150  auto failedWrite =
3151  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3152  EXPECT_TRUE(
3153  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3154 }
3155 
3156 TEST_F(ClientProtocolTest, TestExpectingCertVerifyEarlyWriteRejected) {
3157  setupExpectingEncryptedExtensionsEarlySent();
3158  state_.earlyDataType() = EarlyDataType::Rejected;
3159 
3160  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3161  auto failedWrite =
3162  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3163  EXPECT_TRUE(
3164  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3165 }
3166 
3167 TEST_F(ClientProtocolTest, TestExpectingFinishedEarlyWrite) {
3168  setupExpectingFinished();
3169  setMockEarlyRecord();
3170  state_.earlyDataType() = EarlyDataType::Accepted;
3171  EXPECT_CALL(*mockEarlyWrite_, _write(_))
3172  .WillOnce(Invoke([&](TLSMessage& msg) {
3173  TLSContent content;
3174  content.contentType = msg.type;
3175  content.encryptionLevel = mockEarlyWrite_->getEncryptionLevel();
3176  EXPECT_EQ(msg.type, ContentType::application_data);
3177  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, IOBuf::copyBuffer("appdata")));
3178  content.data = IOBuf::copyBuffer("writtenappdata");
3179  return content;
3180  }));
3181 
3182  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3183 
3184  auto write = expectSingleAction<WriteToSocket>(std::move(actions));
3185  EXPECT_TRUE(IOBufEqualTo()(
3186  write.contents[0].data, IOBuf::copyBuffer("writtenappdata")));
3187 }
3188 
3189 TEST_F(ClientProtocolTest, TestExpectingFinishedEarlyWriteRejected) {
3190  setupExpectingFinished();
3191  state_.earlyDataType() = EarlyDataType::Rejected;
3192 
3193  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3194  auto failedWrite =
3195  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3196  EXPECT_TRUE(
3197  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3198 }
3199 
3200 TEST_F(ClientProtocolTest, TestEstablishedEarlyWrite) {
3201  setupAcceptingData();
3202  state_.earlyDataType() = EarlyDataType::Accepted;
3203  EXPECT_CALL(*mockWrite_, _write(_)).WillOnce(Invoke([&](TLSMessage& msg) {
3204  TLSContent content;
3205  content.contentType = msg.type;
3206  content.encryptionLevel = mockWrite_->getEncryptionLevel();
3207  EXPECT_EQ(msg.type, ContentType::application_data);
3208  EXPECT_TRUE(IOBufEqualTo()(msg.fragment, IOBuf::copyBuffer("appdata")));
3209  content.data = IOBuf::copyBuffer("writtenappdata");
3210  return content;
3211  }));
3212 
3213  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3214 
3215  auto write = expectSingleAction<WriteToSocket>(std::move(actions));
3216  EXPECT_TRUE(IOBufEqualTo()(
3217  write.contents[0].data, IOBuf::copyBuffer("writtenappdata")));
3218 }
3219 
3220 TEST_F(ClientProtocolTest, TestEstablishedEarlyWriteRejected) {
3221  setupAcceptingData();
3222  state_.earlyDataType() = EarlyDataType::Rejected;
3223 
3224  auto actions = detail::processEvent(state_, TestMessages::earlyAppWrite());
3225  auto failedWrite =
3226  expectSingleAction<ReportEarlyWriteFailed>(std::move(actions));
3227  EXPECT_TRUE(
3228  IOBufEqualTo()(failedWrite.write.data, IOBuf::copyBuffer("appdata")));
3229 }
3230 } // namespace test
3231 } // namespace client
3232 } // namespace fizz
fizz::client::ClientAuthType
ClientAuthType
Definition: State.h:42
fizz::client::EarlyDataParams::serverCert
std::shared_ptr< const Cert > serverCert
Definition: State.h:52
fizz::TLSMessage::fragment
Buf fragment
Definition: Types.h:56
fizz::client::test::ClientProtocolTest::mockWrite_
MockPlaintextWriteRecordLayer * mockWrite_
Definition: ClientProtocolTest.cpp:242
fizz::Connect::context
std::shared_ptr< const client::FizzClientContext > context
Definition: Params.h:39
fizz::encodeHandshake
Buf encodeHandshake(T &&handshakeMsg)
Definition: Types-inl.h:515
fizz::Connect::verifier
std::shared_ptr< const CertificateVerifier > verifier
Definition: Params.h:40
random
Integral2 random(Integral1 low, Integral2 up)
Definition: FBStringBenchmark.cpp:42
fizz::Connect::cachedPsk
folly::Optional< client::CachedPsk > cachedPsk
Definition: Params.h:42
fizz::findExtension
std::vector< Extension >::const_iterator findExtension(const std::vector< Extension > &extensions, ExtensionType type)
Definition: Extensions-inl.h:15
fizz::sm::getEarlyDataParams
static Optional< EarlyDataParams > getEarlyDataParams(const FizzClientContext &context, const Optional< CachedPsk > &psk)
Definition: ClientProtocol.cpp:498
fizz::client::CachedPsk::clientCert
std::shared_ptr< const Cert > clientCert
Definition: PskCache.h:29
verify
void verify(int extras)
Definition: StlVectorTest.cpp:1475
fizz::CompressedCertificate::algorithm
CertificateCompressionAlgorithm algorithm
Definition: Types.h:245
fizz::detail::write
void write(const T &in, folly::io::Appender &appender)
Definition: Types-inl.h:112
fizz::TicketEarlyData::max_early_data_size
uint32_t max_early_data_size
Definition: Extensions.h:83
folly::netops::connect
int connect(NetworkSocket s, const sockaddr *name, socklen_t namelen)
Definition: NetOps.cpp:94
fizz::CertificateCompressionAlgorithm
CertificateCompressionAlgorithm
Definition: Types.h:167
ASSERT_EQ
#define ASSERT_EQ(val1, val2)
Definition: gtest.h:1956
chlo
static const std::string chlo
Definition: HandshakeTypesTest.cpp:23
folly::IOBuf::create
static std::unique_ptr< IOBuf > create(std::size_t capacity)
Definition: IOBuf.cpp:229
fizz::test::TestMessages::newSessionTicket
static NewSessionTicket newSessionTicket()
Definition: TestMessages.h:203
cookie
StringPiece cookie
Definition: ExtensionsTest.cpp:28
fizz::Connect::extensions
std::shared_ptr< ClientExtensions > extensions
Definition: Params.h:43
EXPECT_EQ
#define EXPECT_EQ(val1, val2)
Definition: gtest.h:1922
fizz::ServerKeyShare::server_share
KeyShareEntry server_share
Definition: Extensions.h:41
fizz::NamedGroup
NamedGroup
Definition: Types.h:302
now
std::chrono::steady_clock::time_point now()
Definition: TimekeeperTest.cpp:31
folly::gen::move
constexpr detail::Map< Move > move
Definition: Base-inl.h:2567
fizz::client::test::ClientProtocolTest::pskCache_
std::shared_ptr< MockPskCache > pskCache_
Definition: ClientProtocolTest.cpp:253
fizz::CipherSuite
CipherSuite
Definition: Types.h:153
fizz::test::TestMessages::certificate
static CertificateMsg certificate()
Definition: TestMessages.h:158
fizz::CompressedCertificate::uncompressed_length
uint32_t uncompressed_length
Definition: Types.h:246
fizz::Extension::extension_data
Buf extension_data
Definition: Types.h:175
cc
The non test part of the code is expected to have failures gtest_output_test_ cc
Definition: gtest_output_test_golden_lin.txt:10
folly
—— Concurrent Priority Queue Implementation ——
Definition: AtomicBitSet.h:29
fizz::test::TestMessages::earlyAppWrite
static EarlyAppWrite earlyAppWrite()
Definition: TestMessages.h:223
fizz::client::EarlyDataParams::clientCert
std::shared_ptr< const Cert > clientCert
Definition: State.h:53
fizz::client::test::ClientProtocolTest::mockLeaf_
std::shared_ptr< MockPeerCert > mockLeaf_
Definition: ClientProtocolTest.cpp:249
testing::InvokeWithoutArgs
PolymorphicAction< internal::InvokeWithoutArgsAction< FunctionImpl > > InvokeWithoutArgs(FunctionImpl function_impl)
Definition: gmock-actions.h:1168
fizz::ClientKeyShare::client_shares
std::vector< KeyShareEntry > client_shares
Definition: Extensions.h:34
fizz::test::TestMessages::serverHello
static ServerHello serverHello()
Definition: TestMessages.h:109
fizz::test::TestMessages::finished
static Finished finished()
Definition: TestMessages.h:196
fizz::KeyShareEntry::group
NamedGroup group
Definition: Extensions.h:29
folly::gen::range
Gen range(Value begin, Value end)
Definition: Base.h:467
fizz::client::test::getTestPsk
CachedPsk getTestPsk(std::string pskName, std::chrono::system_clock::time_point issueTime)
Definition: Utilities.h:16
fizz::ServerSupportedVersions::selected_version
ProtocolVersion selected_version
Definition: Extensions.h:99
params
constexpr Params params[]
Definition: FlatCombiningTest.cpp:94
fizz::client::ClientStateMachine::processAppWrite
virtual Actions processAppWrite(const State &, AppWrite)
Definition: ClientProtocol.cpp:189
fizz::test::TestMessages::certificateRequest
static CertificateRequest certificateRequest()
Definition: TestMessages.h:183
testing::HasSubstr
PolymorphicMatcher< internal::HasSubstrMatcher< internal::string > > HasSubstr(const internal::string &substring)
Definition: gmock-matchers.h:3984
testing::Invoke
PolymorphicAction< internal::InvokeAction< FunctionImpl > > Invoke(FunctionImpl function_impl)
Definition: gmock-more-actions.h:114
fizz::test::TestMessages::appWrite
static AppWrite appWrite()
Definition: TestMessages.h:217
fizz::test::TestMessages::encryptedExt
static EncryptedExtensions encryptedExt()
Definition: TestMessages.h:141
fizz::SignatureAlgorithms::supported_signature_algorithms
std::vector< SignatureScheme > supported_signature_algorithms
Definition: Extensions.h:17
fizz::TLSContent::encryptionLevel
EncryptionLevel encryptionLevel
Definition: RecordLayer.h:21
fizz::client::test::ClientProtocolTest::mockRead_
MockPlaintextReadRecordLayer * mockRead_
Definition: ClientProtocolTest.cpp:241
fizz
Definition: Actions.h:16
fizz::client::ClientStateMachine::processWriteNewSessionTicket
virtual Actions processWriteNewSessionTicket(const State &, WriteNewSessionTicket)
Definition: ClientProtocol.cpp:183
fizz::test::TestMessages::certificateVerify
static CertificateVerify certificateVerify()
Definition: TestMessages.h:175
fizz::test::TestMessages::compressedCertificate
static CompressedCertificate compressedCertificate()
Definition: TestMessages.h:165
makeRandom
std::unique_ptr< folly::IOBuf > makeRandom(size_t n)
Definition: EncryptedRecordBench.cpp:16
fizz::test::TestMessages::removeExtension
static void removeExtension(T &msg, ExtensionType ext)
Definition: TestMessages.h:21
fizz::test::TestMessages::appData
static AppData appData()
Definition: TestMessages.h:212
fizz::client::CachedPsk::serverCert
std::shared_ptr< const Cert > serverCert
Definition: PskCache.h:28
fizz::detail::getFinishedData
Buf getFinishedData(std::unique_ptr< KeyDerivation > &deriver, Buf &finishedMacKey, const Buf &finishedTranscript)
Definition: ExportedAuthenticator.cpp:299
fizz::client::test::ClientProtocolTest::mockEarlyWrite_
MockEncryptedWriteRecordLayer * mockEarlyWrite_
Definition: ClientProtocolTest.cpp:243
fizz::client::detail::actions
Actions actions(Args &&...act)
Definition: Actions.h:86
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: gtest.h:1859
EXPECT_THAT
#define EXPECT_THAT(value, matcher)
Definition: gmock-matchers.h:4390
fizz::test::TEST_F
TEST_F(RSAPSSTest, TestSignVerify)
Definition: RSAPSSSignatureTest.cpp:38
nst
static const std::string nst
Definition: HandshakeTypesTest.cpp:77
fizz::test::TestMessages::helloRetryRequest
static HelloRetryRequest helloRetryRequest()
Definition: TestMessages.h:95
string
const char * string
Definition: Conv.cpp:212
fizz::Extension::extension_type
ExtensionType extension_type
Definition: Types.h:174
fizz::TLSContent::contentType
ContentType contentType
Definition: RecordLayer.h:20
fizz::client::test::ClientProtocolTest::mockHandshakeWrite_
MockEncryptedWriteRecordLayer * mockHandshakeWrite_
Definition: ClientProtocolTest.cpp:244
fizz::Buf
std::unique_ptr< folly::IOBuf > Buf
Definition: Types.h:22
verifier_
std::shared_ptr< const CertificateVerifier > verifier_
Definition: FizzClientCommand.cpp:204
fizz::client::test::ClientProtocolTest::mockClientCert_
std::shared_ptr< MockSelfCert > mockClientCert_
Definition: ClientProtocolTest.cpp:251
EXPECT_CALL
#define EXPECT_CALL(obj, call)
Definition: gmock-spec-builders.h:1845
testing::_
const internal::AnythingMatcher _
Definition: gmock-matchers.h:3729
fizz::client::EarlyDataParams::alpn
folly::Optional< std::string > alpn
Definition: State.h:54
fizz::test::TestMessages::keyUpdate
static KeyUpdate keyUpdate(bool reqUpdate)
Definition: TestMessages.h:229
EXPECT_FALSE
#define EXPECT_FALSE(condition)
Definition: gtest.h:1862
fizz::client::test::ClientProtocolTest::mockIntermediate_
std::shared_ptr< MockPeerCert > mockIntermediate_
Definition: ClientProtocolTest.cpp:250
fizz::encodeExtension
Extension encodeExtension(const TokenBindingParameters &params)
Definition: Types.cpp:113
fizz::TLSMessage::type
ContentType type
Definition: Types.h:55
folly::StringPiece
Range< const char * > StringPiece
Definition: ScopedEventBaseThread.h:29
fizz::Connect::sni
folly::Optional< std::string > sni
Definition: Params.h:41
fizz::client::detail::processEvent
Actions processEvent(const State &state, Param param)
Definition: ClientProtocol.cpp:207
folly::IOBuf::copyBuffer
static std::unique_ptr< IOBuf > copyBuffer(const void *buf, std::size_t size, std::size_t headroom=0, std::size_t minTailroom=0)
Definition: IOBuf.h:1587
fizz::test::TestMessages::clientHello
static ClientHello clientHello()
Definition: TestMessages.h:26
fizz::client::EarlyDataParams::version
ProtocolVersion version
Definition: State.h:50
fizz::client::test::ClientProtocolTest::mockHandshakeRead_
MockEncryptedReadRecordLayer * mockHandshakeRead_
Definition: ClientProtocolTest.cpp:245
fizz::client::test::ClientProtocolTest::context_
std::shared_ptr< FizzClientContext > context_
Definition: ClientProtocolTest.cpp:240
fizz::test::TestProtocolVersion
constexpr ProtocolVersion TestProtocolVersion
Definition: ProtocolTest.h:22
folly::none
constexpr None none
Definition: Optional.h:87
fizz::test::TestMessages::serverHelloPsk
static ServerHello serverHelloPsk()
Definition: TestMessages.h:127
testing::Return
internal::ReturnAction< R > Return(R value)
Definition: gmock-actions.h:1061
fizz::client::test::ClientProtocolTest::verifier_
std::shared_ptr< MockCertificateVerifier > verifier_
Definition: ClientProtocolTest.cpp:252