Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 0b1bb12ce806e69a99ff48e01dd7d1069ca0b173 / . / ssl / test / runner / runner.go
blob: 5103c5572ac50f04f19a5a29fbf20f71371c737f [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]25 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]26 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]27 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]28 "flag"
29 "fmt"
30 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]31 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]32 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33 "net"
34 "os"
35 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]36 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]37 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]38 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]39 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]40 "strings"
41 "sync"
42 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]43 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]44)
45
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]46var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]47 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
48 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
49 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
50 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
51 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
52 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
53 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
54 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]55 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]56 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
57 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
58 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
59 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
60 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
61 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
62 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
63 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]64 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]65 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
66 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]67 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]68)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]69
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]70// ShimConfigurations is used with the “json” package and represents a shim
71// config file.
72type ShimConfiguration struct {
73 // DisabledTests maps from a glob-based pattern to a freeform string.
74 // The glob pattern is used to exclude tests from being run and the
75 // freeform string is unparsed but expected to explain why the test is
76 // disabled.
77 DisabledTests map[string]string
78
79 // ErrorMap maps from expected error strings to the correct error
80 // string for the shim in question. For example, it might map
81 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
82 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
83 ErrorMap map[string]string
84}
85
86var shimConfig ShimConfiguration
87
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]88type testCert int
89
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]90const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]91 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]92 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]93 testCertRSAChain
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]94 testCertECDSAP256
95 testCertECDSAP384
96 testCertECDSAP521
97)
98
99const (
100 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 rsaChainCertificateFile = "rsa_chain_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
104 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
105 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]106)
107
108const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]109 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]110 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]111 rsaChainKeyFile = "rsa_chain_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]112 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
113 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
114 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]115 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]116)
117
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]118var (
119 rsaCertificate Certificate
120 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]121 rsaChainCertificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 ecdsaP256Certificate Certificate
123 ecdsaP384Certificate Certificate
124 ecdsaP521Certificate Certificate
125)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126
127var testCerts = []struct {
128 id testCert
129 certFile, keyFile string
130 cert *Certificate
131}{
132 {
133 id: testCertRSA,
134 certFile: rsaCertificateFile,
135 keyFile: rsaKeyFile,
136 cert: &rsaCertificate,
137 },
138 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]139 id: testCertRSA1024,
140 certFile: rsa1024CertificateFile,
141 keyFile: rsa1024KeyFile,
142 cert: &rsa1024Certificate,
143 },
144 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]145 id: testCertRSAChain,
146 certFile: rsaChainCertificateFile,
147 keyFile: rsaChainKeyFile,
148 cert: &rsaChainCertificate,
149 },
150 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]151 id: testCertECDSAP256,
152 certFile: ecdsaP256CertificateFile,
153 keyFile: ecdsaP256KeyFile,
154 cert: &ecdsaP256Certificate,
155 },
156 {
157 id: testCertECDSAP384,
158 certFile: ecdsaP384CertificateFile,
159 keyFile: ecdsaP384KeyFile,
160 cert: &ecdsaP384Certificate,
161 },
162 {
163 id: testCertECDSAP521,
164 certFile: ecdsaP521CertificateFile,
165 keyFile: ecdsaP521KeyFile,
166 cert: &ecdsaP521Certificate,
167 },
168}
169
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]170var channelIDKey *ecdsa.PrivateKey
171var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]173var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]174var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]175
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]176var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]177var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]178
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]179func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]180 for i := range testCerts {
181 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
182 if err != nil {
183 panic(err)
184 }
185 cert.OCSPStaple = testOCSPResponse
186 cert.SignedCertificateTimestampList = testSCTList
187 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]189
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]190 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]191 if err != nil {
192 panic(err)
193 }
194 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
195 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
196 panic("bad key type")
197 }
198 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
199 if err != nil {
200 panic(err)
201 }
202 if channelIDKey.Curve != elliptic.P256() {
203 panic("bad curve")
204 }
205
206 channelIDBytes = make([]byte, 64)
207 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
208 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]209}
210
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]211func getRunnerCertificate(t testCert) Certificate {
212 for _, cert := range testCerts {
213 if cert.id == t {
214 return *cert.cert
215 }
216 }
217 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]218}
219
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]220func getShimCertificate(t testCert) string {
221 for _, cert := range testCerts {
222 if cert.id == t {
223 return cert.certFile
224 }
225 }
226 panic("Unknown test certificate")
227}
228
229func getShimKey(t testCert) string {
230 for _, cert := range testCerts {
231 if cert.id == t {
232 return cert.keyFile
233 }
234 }
235 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]236}
237
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]238type testType int
239
240const (
241 clientTest testType = iota
242 serverTest
243)
244
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]245type protocol int
246
247const (
248 tls protocol = iota
249 dtls
250)
251
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]252const (
253 alpn = 1
254 npn = 2
255)
256
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]257type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]258 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]259 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]260 name string
261 config Config
262 shouldFail bool
263 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]264 // expectedLocalError, if not empty, contains a substring that must be
265 // found in the local error.
266 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]267 // expectedVersion, if non-zero, specifies the TLS version that must be
268 // negotiated.
269 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]270 // expectedResumeVersion, if non-zero, specifies the TLS version that
271 // must be negotiated on resumption. If zero, expectedVersion is used.
272 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]273 // expectedCipher, if non-zero, specifies the TLS cipher suite that
274 // should be negotiated.
275 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]276 // expectChannelID controls whether the connection should have
277 // negotiated a Channel ID with channelIDKey.
278 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]279 // expectedNextProto controls whether the connection should
280 // negotiate a next protocol via NPN or ALPN.
281 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]282 // expectNoNextProto, if true, means that no next protocol should be
283 // negotiated.
284 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]285 // expectedNextProtoType, if non-zero, is the expected next
286 // protocol negotiation mechanism.
287 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]288 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
289 // should be negotiated. If zero, none should be negotiated.
290 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]291 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
292 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]293 // expectedSCTList, if not nil, is the expected SCT list to be received.
294 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]295 // expectedPeerSignatureAlgorithm, if not zero, is the signature
296 // algorithm that the peer should have used in the handshake.
297 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]298 // expectedCurveID, if not zero, is the curve that the handshake should
299 // have used.
300 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]301 // messageLen is the length, in bytes, of the test message that will be
302 // sent.
303 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]304 // messageCount is the number of test messages that will be sent.
305 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]306 // certFile is the path to the certificate to use for the server.
307 certFile string
308 // keyFile is the path to the private key to use for the server.
309 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]310 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]312 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]313 // resumeRenewedSession controls whether a third connection should be
314 // tested which attempts to resume the second connection's session.
315 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]316 // expectResumeRejected, if true, specifies that the attempted
317 // resumption must be rejected by the client. This is only valid for a
318 // serverTest.
319 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]320 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]321 // resumption. Unless newSessionsOnResume is set,
322 // SessionTicketKey, ServerSessionCache, and
323 // ClientSessionCache are copied from the initial connection's
324 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]325 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]326 // newSessionsOnResume, if true, will cause resumeConfig to
327 // use a different session resumption context.
328 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]329 // noSessionCache, if true, will cause the server to run without a
330 // session cache.
331 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]332 // sendPrefix sends a prefix on the socket before actually performing a
333 // handshake.
334 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]335 // shimWritesFirst controls whether the shim sends an initial "hello"
336 // message before doing a roundtrip with the runner.
337 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]338 // shimShutsDown, if true, runs a test where the shim shuts down the
339 // connection immediately after the handshake rather than echoing
340 // messages from the runner.
341 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]342 // renegotiate indicates the number of times the connection should be
343 // renegotiated during the exchange.
344 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]345 // sendHalfHelloRequest, if true, causes the server to send half a
346 // HelloRequest when the handshake completes.
347 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]348 // renegotiateCiphers is a list of ciphersuite ids that will be
349 // switched in just before renegotiation.
350 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]351 // replayWrites, if true, configures the underlying transport
352 // to replay every write it makes in DTLS tests.
353 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]354 // damageFirstWrite, if true, configures the underlying transport to
355 // damage the final byte of the first application data write.
356 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]357 // exportKeyingMaterial, if non-zero, configures the test to exchange
358 // keying material and verify they match.
359 exportKeyingMaterial int
360 exportLabel string
361 exportContext string
362 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]363 // flags, if not empty, contains a list of command-line flags that will
364 // be passed to the shim program.
365 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]366 // testTLSUnique, if true, causes the shim to send the tls-unique value
367 // which will be compared against the expected value.
368 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]369 // sendEmptyRecords is the number of consecutive empty records to send
370 // before and after the test message.
371 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]372 // sendWarningAlerts is the number of consecutive warning alerts to send
373 // before and after the test message.
374 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]375 // sendKeyUpdates is the number of consecutive key updates to send
376 // before and after the test message.
377 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]378 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
379 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]380 // expectMessageDropped, if true, means the test message is expected to
381 // be dropped by the client rather than echoed back.
382 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]383 // expectPeerCertificate, if not nil, is the certificate chain the peer
384 // is expected to send.
385 expectPeerCertificate *Certificate
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]386 // expectShortHeader is whether the short header extension should be negotiated.
387 expectShortHeader bool
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]388}
389
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]390var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]391
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]392func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]393 if len(data) == 0 {
394 return
395 }
396
397 protocol := "tls"
398 if test.protocol == dtls {
399 protocol = "dtls"
400 }
401
402 side := "client"
403 if test.testType == serverTest {
404 side = "server"
405 }
406
407 dir := path.Join(*transcriptDir, protocol, side)
408 if err := os.MkdirAll(dir, 0755); err != nil {
409 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
410 return
411 }
412
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]413 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]414 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
415 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
416 }
417}
418
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]419// A timeoutConn implements an idle timeout on each Read and Write operation.
420type timeoutConn struct {
421 net.Conn
422 timeout time.Duration
423}
424
425func (t *timeoutConn) Read(b []byte) (int, error) {
426 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
427 return 0, err
428 }
429 return t.Conn.Read(b)
430}
431
432func (t *timeoutConn) Write(b []byte) (int, error) {
433 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
434 return 0, err
435 }
436 return t.Conn.Write(b)
437}
438
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]439func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]440 if !test.noSessionCache {
441 if config.ClientSessionCache == nil {
442 config.ClientSessionCache = NewLRUClientSessionCache(1)
443 }
444 if config.ServerSessionCache == nil {
445 config.ServerSessionCache = NewLRUServerSessionCache(1)
446 }
447 }
448 if test.testType == clientTest {
449 if len(config.Certificates) == 0 {
450 config.Certificates = []Certificate{rsaCertificate}
451 }
452 } else {
453 // Supply a ServerName to ensure a constant session cache key,
454 // rather than falling back to net.Conn.RemoteAddr.
455 if len(config.ServerName) == 0 {
456 config.ServerName = "test"
457 }
458 }
459 if *fuzzer {
460 config.Bugs.NullAllCiphers = true
461 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]462 if *deterministic {
463 config.Time = func() time.Time { return time.Unix(1234, 1234) }
464 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]465
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]466 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]467
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]468 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]469 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
470 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]471 }
472
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]473 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]474 local, peer := "client", "server"
475 if test.testType == clientTest {
476 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]477 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]478 connDebug := &recordingConn{
479 Conn: conn,
480 isDatagram: test.protocol == dtls,
481 local: local,
482 peer: peer,
483 }
484 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]485 if *flagDebug {
486 defer connDebug.WriteTo(os.Stdout)
487 }
488 if len(*transcriptDir) != 0 {
489 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]490 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]491 }()
492 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]493
494 if config.Bugs.PacketAdaptor != nil {
495 config.Bugs.PacketAdaptor.debug = connDebug
496 }
497 }
498
499 if test.replayWrites {
500 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]501 }
502
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]503 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]504 if test.damageFirstWrite {
505 connDamage = newDamageAdaptor(conn)
506 conn = connDamage
507 }
508
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]509 if test.sendPrefix != "" {
510 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
511 return err
512 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]513 }
514
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]515 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]516 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]517 if test.protocol == dtls {
518 tlsConn = DTLSServer(conn, config)
519 } else {
520 tlsConn = Server(conn, config)
521 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]522 } else {
523 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 if test.protocol == dtls {
525 tlsConn = DTLSClient(conn, config)
526 } else {
527 tlsConn = Client(conn, config)
528 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]529 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]530 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]531
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]532 if err := tlsConn.Handshake(); err != nil {
533 return err
534 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]535
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]536 // TODO(davidben): move all per-connection expectations into a dedicated
537 // expectations struct that can be specified separately for the two
538 // legs.
539 expectedVersion := test.expectedVersion
540 if isResume && test.expectedResumeVersion != 0 {
541 expectedVersion = test.expectedResumeVersion
542 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]543 connState := tlsConn.ConnectionState()
544 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]545 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]546 }
547
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]548 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]549 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
550 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]551 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
552 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
553 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]554
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]555 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]556 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]557 if channelID == nil {
558 return fmt.Errorf("no channel ID negotiated")
559 }
560 if channelID.Curve != channelIDKey.Curve ||
561 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
562 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
563 return fmt.Errorf("incorrect channel ID")
564 }
565 }
566
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]567 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]568 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]569 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
570 }
571 }
572
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]573 if test.expectNoNextProto {
574 if actual := connState.NegotiatedProtocol; actual != "" {
575 return fmt.Errorf("got unexpected next proto %s", actual)
576 }
577 }
578
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]579 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]580 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]581 return fmt.Errorf("next proto type mismatch")
582 }
583 }
584
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]585 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]586 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
587 }
588
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]589 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]590 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]591 }
592
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]593 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
594 return fmt.Errorf("SCT list mismatch")
595 }
596
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]597 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
598 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]599 }
600
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]601 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
602 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
603 }
604
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]605 if test.expectPeerCertificate != nil {
606 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
607 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
608 }
609 for i, cert := range connState.PeerCertificates {
610 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
611 return fmt.Errorf("peer certificate %d did not match", i+1)
612 }
613 }
614 }
615
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]616 if test.expectShortHeader != connState.ShortHeader {
617 return fmt.Errorf("ShortHeader is %t, but we expected the opposite", connState.ShortHeader)
618 }
619
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]620 if test.exportKeyingMaterial > 0 {
621 actual := make([]byte, test.exportKeyingMaterial)
622 if _, err := io.ReadFull(tlsConn, actual); err != nil {
623 return err
624 }
625 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
626 if err != nil {
627 return err
628 }
629 if !bytes.Equal(actual, expected) {
630 return fmt.Errorf("keying material mismatch")
631 }
632 }
633
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]634 if test.testTLSUnique {
635 var peersValue [12]byte
636 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
637 return err
638 }
639 expected := tlsConn.ConnectionState().TLSUnique
640 if !bytes.Equal(peersValue[:], expected) {
641 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
642 }
643 }
644
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]645 if test.shimWritesFirst {
646 var buf [5]byte
647 _, err := io.ReadFull(tlsConn, buf[:])
648 if err != nil {
649 return err
650 }
651 if string(buf[:]) != "hello" {
652 return fmt.Errorf("bad initial message")
653 }
654 }
655
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]656 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]657 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]658 return err
659 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]660 }
661
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]662 for i := 0; i < test.sendEmptyRecords; i++ {
663 tlsConn.Write(nil)
664 }
665
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]666 for i := 0; i < test.sendWarningAlerts; i++ {
667 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
668 }
669
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]670 if test.sendHalfHelloRequest {
671 tlsConn.SendHalfHelloRequest()
672 }
673
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]674 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]675 if test.renegotiateCiphers != nil {
676 config.CipherSuites = test.renegotiateCiphers
677 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]678 for i := 0; i < test.renegotiate; i++ {
679 if err := tlsConn.Renegotiate(); err != nil {
680 return err
681 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]682 }
683 } else if test.renegotiateCiphers != nil {
684 panic("renegotiateCiphers without renegotiate")
685 }
686
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]687 if test.damageFirstWrite {
688 connDamage.setDamage(true)
689 tlsConn.Write([]byte("DAMAGED WRITE"))
690 connDamage.setDamage(false)
691 }
692
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]693 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]694 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]695 if test.protocol == dtls {
696 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
697 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]698 // Read until EOF.
699 _, err := io.Copy(ioutil.Discard, tlsConn)
700 return err
701 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]702 if messageLen == 0 {
703 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]704 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]705
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]706 messageCount := test.messageCount
707 if messageCount == 0 {
708 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]709 }
710
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]711 for j := 0; j < messageCount; j++ {
712 testMessage := make([]byte, messageLen)
713 for i := range testMessage {
714 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]715 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]716 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]717
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]718 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]719 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 for i := 0; i < test.sendEmptyRecords; i++ {
723 tlsConn.Write(nil)
724 }
725
726 for i := 0; i < test.sendWarningAlerts; i++ {
727 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
728 }
729
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]730 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]731 // The shim will not respond.
732 continue
733 }
734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 buf := make([]byte, len(testMessage))
736 if test.protocol == dtls {
737 bufTmp := make([]byte, len(buf)+1)
738 n, err := tlsConn.Read(bufTmp)
739 if err != nil {
740 return err
741 }
742 if n != len(buf) {
743 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
744 }
745 copy(buf, bufTmp)
746 } else {
747 _, err := io.ReadFull(tlsConn, buf)
748 if err != nil {
749 return err
750 }
751 }
752
753 for i, v := range buf {
754 if v != testMessage[i]^0xff {
755 return fmt.Errorf("bad reply contents at byte %d", i)
756 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]757 }
758 }
759
760 return nil
761}
762
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]763func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]764 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]766 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]767 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]768 valgrindArgs = append(valgrindArgs, path)
769 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]771 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772}
773
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]774func gdbOf(path string, args ...string) *exec.Cmd {
775 xtermArgs := []string{"-e", "gdb", "--args"}
776 xtermArgs = append(xtermArgs, path)
777 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]778
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]779 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780}
781
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]782func lldbOf(path string, args ...string) *exec.Cmd {
783 xtermArgs := []string{"-e", "lldb", "--"}
784 xtermArgs = append(xtermArgs, path)
785 xtermArgs = append(xtermArgs, args...)
786
787 return exec.Command("xterm", xtermArgs...)
788}
789
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]790var (
791 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
792 errUnimplemented = errors.New("child process does not implement needed flags")
793)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]794
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]795// accept accepts a connection from listener, unless waitChan signals a process
796// exit first.
797func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
798 type connOrError struct {
799 conn net.Conn
800 err error
801 }
802 connChan := make(chan connOrError, 1)
803 go func() {
804 conn, err := listener.Accept()
805 connChan <- connOrError{conn, err}
806 close(connChan)
807 }()
808 select {
809 case result := <-connChan:
810 return result.conn, result.err
811 case childErr := <-waitChan:
812 waitChan <- childErr
813 return nil, fmt.Errorf("child exited early: %s", childErr)
814 }
815}
816
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]817func translateExpectedError(errorStr string) string {
818 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
819 return translated
820 }
821
822 if *looseErrors {
823 return ""
824 }
825
826 return errorStr
827}
828
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]829func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]830 // Help debugging panics on the Go side.
831 defer func() {
832 if r := recover(); r != nil {
833 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
834 panic(r)
835 }
836 }()
837
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]838 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
839 panic("Error expected without shouldFail in " + test.name)
840 }
841
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]842 if test.expectResumeRejected && !test.resumeSession {
843 panic("expectResumeRejected without resumeSession in " + test.name)
844 }
845
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]846 for _, ver := range tlsVersions {
847 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
848 continue
849 }
850
851 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
852 continue
853 }
854
855 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
856 }
857
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]858 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
859 if err != nil {
860 panic(err)
861 }
862 defer func() {
863 if listener != nil {
864 listener.Close()
865 }
866 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]868 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]869 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]870 flags = append(flags, "-server")
871
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]872 flags = append(flags, "-key-file")
873 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]874 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]875 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]876 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]877 }
878
879 flags = append(flags, "-cert-file")
880 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]881 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]882 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]883 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]884 }
885 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]886
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]887 if test.protocol == dtls {
888 flags = append(flags, "-dtls")
889 }
890
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]891 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]892 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]893 resumeCount++
894 if test.resumeRenewedSession {
895 resumeCount++
896 }
897 }
898
899 if resumeCount > 0 {
900 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]901 }
902
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]903 if test.shimWritesFirst {
904 flags = append(flags, "-shim-writes-first")
905 }
906
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]907 if test.shimShutsDown {
908 flags = append(flags, "-shim-shuts-down")
909 }
910
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]911 if test.exportKeyingMaterial > 0 {
912 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
913 flags = append(flags, "-export-label", test.exportLabel)
914 flags = append(flags, "-export-context", test.exportContext)
915 if test.useExportContext {
916 flags = append(flags, "-use-export-context")
917 }
918 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]919 if test.expectResumeRejected {
920 flags = append(flags, "-expect-session-miss")
921 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]922
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]923 if test.testTLSUnique {
924 flags = append(flags, "-tls-unique")
925 }
926
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 flags = append(flags, test.flags...)
928
929 var shim *exec.Cmd
930 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]932 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]934 } else if *useLLDB {
935 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]939 shim.Stdin = os.Stdin
940 var stdoutBuf, stderrBuf bytes.Buffer
941 shim.Stdout = &stdoutBuf
942 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]943 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]944 shim.Env = os.Environ()
945 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]946 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]947 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]948 }
949 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
950 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]951
952 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 panic(err)
954 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]955 waitChan := make(chan error, 1)
956 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957
958 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]960 if *deterministic {
961 config.Rand = &deterministicRand{}
962 }
963
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]964 conn, err := acceptOrWait(listener, waitChan)
965 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]966 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]967 conn.Close()
968 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]969
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]970 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]971 var resumeConfig Config
972 if test.resumeConfig != nil {
973 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]974 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]975 resumeConfig.SessionTicketKey = config.SessionTicketKey
976 resumeConfig.ClientSessionCache = config.ClientSessionCache
977 resumeConfig.ServerSessionCache = config.ServerSessionCache
978 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]979 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]980 } else {
981 resumeConfig = config
982 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 var connResume net.Conn
984 connResume, err = acceptOrWait(listener, waitChan)
985 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]986 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]987 connResume.Close()
988 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]989 }
990
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]991 // Close the listener now. This is to avoid hangs should the shim try to
992 // open more connections than expected.
993 listener.Close()
994 listener = nil
995
996 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]997 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]999 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1000 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1002 case 89:
1003 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1004 case 99:
1005 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1006 }
1007 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1009 // Account for Windows line endings.
1010 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1011 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1012
1013 // Separate the errors from the shim and those from tools like
1014 // AddressSanitizer.
1015 var extraStderr string
1016 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1017 stderr = stderrParts[0]
1018 extraStderr = stderrParts[1]
1019 }
1020
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1021 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1022 expectedError := translateExpectedError(test.expectedError)
1023 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1024
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1025 localError := "none"
1026 if err != nil {
1027 localError = err.Error()
1028 }
1029 if len(test.expectedLocalError) != 0 {
1030 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1031 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1032
1033 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035 if childErr != nil {
1036 childError = childErr.Error()
1037 }
1038
1039 var msg string
1040 switch {
1041 case failed && !test.shouldFail:
1042 msg = "unexpected failure"
1043 case !failed && test.shouldFail:
1044 msg = "unexpected success"
1045 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1046 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 default:
1048 panic("internal error")
1049 }
1050
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1051 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1052 }
1053
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1054 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1055 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1056 }
1057
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 if *useValgrind && isValgrindError {
1059 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1060 }
1061
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 return nil
1063}
1064
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1065type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 name string
1067 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1068 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1069 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1070}
1071
1072var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1073 {"SSL3", VersionSSL30, "-no-ssl3", false},
1074 {"TLS1", VersionTLS10, "-no-tls1", true},
1075 {"TLS11", VersionTLS11, "-no-tls11", false},
1076 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1077 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078}
1079
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1080type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 name string
1082 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1083}
1084
1085var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1087 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1089 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1090 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1092 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1093 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1094 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1095 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1096 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1097 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1098 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1099 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1100 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1101 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1102 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1104 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1105 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1108 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1109 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1111 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1112 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1113 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1114 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1115 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1116 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1117 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1118 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1119 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1120 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1121 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1122}
1123
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1124func hasComponent(suiteName, component string) bool {
1125 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1126}
1127
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1128func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1129 return hasComponent(suiteName, "GCM") ||
1130 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1131 hasComponent(suiteName, "SHA384") ||
1132 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1133}
1134
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1135func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1136 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1137}
1138
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1139func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1140 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1141}
1142
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1143func bigFromHex(hex string) *big.Int {
1144 ret, ok := new(big.Int).SetString(hex, 16)
1145 if !ok {
1146 panic("failed to parse hex number 0x" + hex)
1147 }
1148 return ret
1149}
1150
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1151func addBasicTests() {
1152 basicTests := []testCase{
1153 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1154 name: "NoFallbackSCSV",
1155 config: Config{
1156 Bugs: ProtocolBugs{
1157 FailIfNotFallbackSCSV: true,
1158 },
1159 },
1160 shouldFail: true,
1161 expectedLocalError: "no fallback SCSV found",
1162 },
1163 {
1164 name: "SendFallbackSCSV",
1165 config: Config{
1166 Bugs: ProtocolBugs{
1167 FailIfNotFallbackSCSV: true,
1168 },
1169 },
1170 flags: []string{"-fallback-scsv"},
1171 },
1172 {
1173 name: "ClientCertificateTypes",
1174 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1175 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1176 ClientAuth: RequestClientCert,
1177 ClientCertificateTypes: []byte{
1178 CertTypeDSSSign,
1179 CertTypeRSASign,
1180 CertTypeECDSASign,
1181 },
1182 },
1183 flags: []string{
1184 "-expect-certificate-types",
1185 base64.StdEncoding.EncodeToString([]byte{
1186 CertTypeDSSSign,
1187 CertTypeRSASign,
1188 CertTypeECDSASign,
1189 }),
1190 },
1191 },
1192 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1193 name: "UnauthenticatedECDH",
1194 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1195 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1196 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1197 Bugs: ProtocolBugs{
1198 UnauthenticatedECDH: true,
1199 },
1200 },
1201 shouldFail: true,
1202 expectedError: ":UNEXPECTED_MESSAGE:",
1203 },
1204 {
1205 name: "SkipCertificateStatus",
1206 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1207 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1208 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1209 Bugs: ProtocolBugs{
1210 SkipCertificateStatus: true,
1211 },
1212 },
1213 flags: []string{
1214 "-enable-ocsp-stapling",
1215 },
1216 },
1217 {
1218 name: "SkipServerKeyExchange",
1219 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1220 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1222 Bugs: ProtocolBugs{
1223 SkipServerKeyExchange: true,
1224 },
1225 },
1226 shouldFail: true,
1227 expectedError: ":UNEXPECTED_MESSAGE:",
1228 },
1229 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1230 testType: serverTest,
1231 name: "Alert",
1232 config: Config{
1233 Bugs: ProtocolBugs{
1234 SendSpuriousAlert: alertRecordOverflow,
1235 },
1236 },
1237 shouldFail: true,
1238 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1239 },
1240 {
1241 protocol: dtls,
1242 testType: serverTest,
1243 name: "Alert-DTLS",
1244 config: Config{
1245 Bugs: ProtocolBugs{
1246 SendSpuriousAlert: alertRecordOverflow,
1247 },
1248 },
1249 shouldFail: true,
1250 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1251 },
1252 {
1253 testType: serverTest,
1254 name: "FragmentAlert",
1255 config: Config{
1256 Bugs: ProtocolBugs{
1257 FragmentAlert: true,
1258 SendSpuriousAlert: alertRecordOverflow,
1259 },
1260 },
1261 shouldFail: true,
1262 expectedError: ":BAD_ALERT:",
1263 },
1264 {
1265 protocol: dtls,
1266 testType: serverTest,
1267 name: "FragmentAlert-DTLS",
1268 config: Config{
1269 Bugs: ProtocolBugs{
1270 FragmentAlert: true,
1271 SendSpuriousAlert: alertRecordOverflow,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":BAD_ALERT:",
1276 },
1277 {
1278 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1279 name: "DoubleAlert",
1280 config: Config{
1281 Bugs: ProtocolBugs{
1282 DoubleAlert: true,
1283 SendSpuriousAlert: alertRecordOverflow,
1284 },
1285 },
1286 shouldFail: true,
1287 expectedError: ":BAD_ALERT:",
1288 },
1289 {
1290 protocol: dtls,
1291 testType: serverTest,
1292 name: "DoubleAlert-DTLS",
1293 config: Config{
1294 Bugs: ProtocolBugs{
1295 DoubleAlert: true,
1296 SendSpuriousAlert: alertRecordOverflow,
1297 },
1298 },
1299 shouldFail: true,
1300 expectedError: ":BAD_ALERT:",
1301 },
1302 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1303 name: "SkipNewSessionTicket",
1304 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1305 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1306 Bugs: ProtocolBugs{
1307 SkipNewSessionTicket: true,
1308 },
1309 },
1310 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1311 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1312 },
1313 {
1314 testType: serverTest,
1315 name: "FallbackSCSV",
1316 config: Config{
1317 MaxVersion: VersionTLS11,
1318 Bugs: ProtocolBugs{
1319 SendFallbackSCSV: true,
1320 },
1321 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1322 shouldFail: true,
1323 expectedError: ":INAPPROPRIATE_FALLBACK:",
1324 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1325 },
1326 {
1327 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1328 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1329 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1330 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1331 Bugs: ProtocolBugs{
1332 SendFallbackSCSV: true,
1333 },
1334 },
1335 },
1336 {
1337 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1338 name: "FallbackSCSV-VersionMatch-TLS12",
1339 config: Config{
1340 MaxVersion: VersionTLS12,
1341 Bugs: ProtocolBugs{
1342 SendFallbackSCSV: true,
1343 },
1344 },
1345 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1346 },
1347 {
1348 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1349 name: "FragmentedClientVersion",
1350 config: Config{
1351 Bugs: ProtocolBugs{
1352 MaxHandshakeRecordLength: 1,
1353 FragmentClientVersion: true,
1354 },
1355 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1356 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1357 },
1358 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1359 testType: serverTest,
1360 name: "HttpGET",
1361 sendPrefix: "GET / HTTP/1.0\n",
1362 shouldFail: true,
1363 expectedError: ":HTTP_REQUEST:",
1364 },
1365 {
1366 testType: serverTest,
1367 name: "HttpPOST",
1368 sendPrefix: "POST / HTTP/1.0\n",
1369 shouldFail: true,
1370 expectedError: ":HTTP_REQUEST:",
1371 },
1372 {
1373 testType: serverTest,
1374 name: "HttpHEAD",
1375 sendPrefix: "HEAD / HTTP/1.0\n",
1376 shouldFail: true,
1377 expectedError: ":HTTP_REQUEST:",
1378 },
1379 {
1380 testType: serverTest,
1381 name: "HttpPUT",
1382 sendPrefix: "PUT / HTTP/1.0\n",
1383 shouldFail: true,
1384 expectedError: ":HTTP_REQUEST:",
1385 },
1386 {
1387 testType: serverTest,
1388 name: "HttpCONNECT",
1389 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1390 shouldFail: true,
1391 expectedError: ":HTTPS_PROXY_REQUEST:",
1392 },
1393 {
1394 testType: serverTest,
1395 name: "Garbage",
1396 sendPrefix: "blah",
1397 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1398 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1399 },
1400 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1401 name: "RSAEphemeralKey",
1402 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1403 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1404 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1405 Bugs: ProtocolBugs{
1406 RSAEphemeralKey: true,
1407 },
1408 },
1409 shouldFail: true,
1410 expectedError: ":UNEXPECTED_MESSAGE:",
1411 },
1412 {
1413 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1414 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1415 shouldFail: true,
1416 expectedError: ":WRONG_SSL_VERSION:",
1417 },
1418 {
1419 protocol: dtls,
1420 name: "DisableEverything-DTLS",
1421 flags: []string{"-no-tls12", "-no-tls1"},
1422 shouldFail: true,
1423 expectedError: ":WRONG_SSL_VERSION:",
1424 },
1425 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1426 protocol: dtls,
1427 testType: serverTest,
1428 name: "MTU",
1429 config: Config{
1430 Bugs: ProtocolBugs{
1431 MaxPacketLength: 256,
1432 },
1433 },
1434 flags: []string{"-mtu", "256"},
1435 },
1436 {
1437 protocol: dtls,
1438 testType: serverTest,
1439 name: "MTUExceeded",
1440 config: Config{
1441 Bugs: ProtocolBugs{
1442 MaxPacketLength: 255,
1443 },
1444 },
1445 flags: []string{"-mtu", "256"},
1446 shouldFail: true,
1447 expectedLocalError: "dtls: exceeded maximum packet length",
1448 },
1449 {
1450 name: "CertMismatchRSA",
1451 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1452 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1453 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1454 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1455 Bugs: ProtocolBugs{
1456 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1457 },
1458 },
1459 shouldFail: true,
1460 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1461 },
1462 {
1463 name: "CertMismatchECDSA",
1464 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1465 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1466 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1467 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 Bugs: ProtocolBugs{
1469 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1474 },
1475 {
1476 name: "EmptyCertificateList",
1477 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1478 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1479 Bugs: ProtocolBugs{
1480 EmptyCertificateList: true,
1481 },
1482 },
1483 shouldFail: true,
1484 expectedError: ":DECODE_ERROR:",
1485 },
1486 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1487 name: "EmptyCertificateList-TLS13",
1488 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1489 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1490 Bugs: ProtocolBugs{
1491 EmptyCertificateList: true,
1492 },
1493 },
1494 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1495 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1496 },
1497 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1498 name: "TLSFatalBadPackets",
1499 damageFirstWrite: true,
1500 shouldFail: true,
1501 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1502 },
1503 {
1504 protocol: dtls,
1505 name: "DTLSIgnoreBadPackets",
1506 damageFirstWrite: true,
1507 },
1508 {
1509 protocol: dtls,
1510 name: "DTLSIgnoreBadPackets-Async",
1511 damageFirstWrite: true,
1512 flags: []string{"-async"},
1513 },
1514 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1515 name: "AppDataBeforeHandshake",
1516 config: Config{
1517 Bugs: ProtocolBugs{
1518 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1519 },
1520 },
1521 shouldFail: true,
1522 expectedError: ":UNEXPECTED_RECORD:",
1523 },
1524 {
1525 name: "AppDataBeforeHandshake-Empty",
1526 config: Config{
1527 Bugs: ProtocolBugs{
1528 AppDataBeforeHandshake: []byte{},
1529 },
1530 },
1531 shouldFail: true,
1532 expectedError: ":UNEXPECTED_RECORD:",
1533 },
1534 {
1535 protocol: dtls,
1536 name: "AppDataBeforeHandshake-DTLS",
1537 config: Config{
1538 Bugs: ProtocolBugs{
1539 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1540 },
1541 },
1542 shouldFail: true,
1543 expectedError: ":UNEXPECTED_RECORD:",
1544 },
1545 {
1546 protocol: dtls,
1547 name: "AppDataBeforeHandshake-DTLS-Empty",
1548 config: Config{
1549 Bugs: ProtocolBugs{
1550 AppDataBeforeHandshake: []byte{},
1551 },
1552 },
1553 shouldFail: true,
1554 expectedError: ":UNEXPECTED_RECORD:",
1555 },
1556 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1557 name: "AppDataAfterChangeCipherSpec",
1558 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1559 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1560 Bugs: ProtocolBugs{
1561 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1562 },
1563 },
1564 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1565 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1566 },
1567 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1568 name: "AppDataAfterChangeCipherSpec-Empty",
1569 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1570 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1571 Bugs: ProtocolBugs{
1572 AppDataAfterChangeCipherSpec: []byte{},
1573 },
1574 },
1575 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1576 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1577 },
1578 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 protocol: dtls,
1580 name: "AppDataAfterChangeCipherSpec-DTLS",
1581 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1582 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1583 Bugs: ProtocolBugs{
1584 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1585 },
1586 },
1587 // BoringSSL's DTLS implementation will drop the out-of-order
1588 // application data.
1589 },
1590 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1591 protocol: dtls,
1592 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1593 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1594 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1595 Bugs: ProtocolBugs{
1596 AppDataAfterChangeCipherSpec: []byte{},
1597 },
1598 },
1599 // BoringSSL's DTLS implementation will drop the out-of-order
1600 // application data.
1601 },
1602 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1603 name: "AlertAfterChangeCipherSpec",
1604 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1605 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1606 Bugs: ProtocolBugs{
1607 AlertAfterChangeCipherSpec: alertRecordOverflow,
1608 },
1609 },
1610 shouldFail: true,
1611 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1612 },
1613 {
1614 protocol: dtls,
1615 name: "AlertAfterChangeCipherSpec-DTLS",
1616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1617 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1618 Bugs: ProtocolBugs{
1619 AlertAfterChangeCipherSpec: alertRecordOverflow,
1620 },
1621 },
1622 shouldFail: true,
1623 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1624 },
1625 {
1626 protocol: dtls,
1627 name: "ReorderHandshakeFragments-Small-DTLS",
1628 config: Config{
1629 Bugs: ProtocolBugs{
1630 ReorderHandshakeFragments: true,
1631 // Small enough that every handshake message is
1632 // fragmented.
1633 MaxHandshakeRecordLength: 2,
1634 },
1635 },
1636 },
1637 {
1638 protocol: dtls,
1639 name: "ReorderHandshakeFragments-Large-DTLS",
1640 config: Config{
1641 Bugs: ProtocolBugs{
1642 ReorderHandshakeFragments: true,
1643 // Large enough that no handshake message is
1644 // fragmented.
1645 MaxHandshakeRecordLength: 2048,
1646 },
1647 },
1648 },
1649 {
1650 protocol: dtls,
1651 name: "MixCompleteMessageWithFragments-DTLS",
1652 config: Config{
1653 Bugs: ProtocolBugs{
1654 ReorderHandshakeFragments: true,
1655 MixCompleteMessageWithFragments: true,
1656 MaxHandshakeRecordLength: 2,
1657 },
1658 },
1659 },
1660 {
1661 name: "SendInvalidRecordType",
1662 config: Config{
1663 Bugs: ProtocolBugs{
1664 SendInvalidRecordType: true,
1665 },
1666 },
1667 shouldFail: true,
1668 expectedError: ":UNEXPECTED_RECORD:",
1669 },
1670 {
1671 protocol: dtls,
1672 name: "SendInvalidRecordType-DTLS",
1673 config: Config{
1674 Bugs: ProtocolBugs{
1675 SendInvalidRecordType: true,
1676 },
1677 },
1678 shouldFail: true,
1679 expectedError: ":UNEXPECTED_RECORD:",
1680 },
1681 {
1682 name: "FalseStart-SkipServerSecondLeg",
1683 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1684 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1685 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1686 NextProtos: []string{"foo"},
1687 Bugs: ProtocolBugs{
1688 SkipNewSessionTicket: true,
1689 SkipChangeCipherSpec: true,
1690 SkipFinished: true,
1691 ExpectFalseStart: true,
1692 },
1693 },
1694 flags: []string{
1695 "-false-start",
1696 "-handshake-never-done",
1697 "-advertise-alpn", "\x03foo",
1698 },
1699 shimWritesFirst: true,
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 name: "FalseStart-SkipServerSecondLeg-Implicit",
1705 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1706 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1708 NextProtos: []string{"foo"},
1709 Bugs: ProtocolBugs{
1710 SkipNewSessionTicket: true,
1711 SkipChangeCipherSpec: true,
1712 SkipFinished: true,
1713 },
1714 },
1715 flags: []string{
1716 "-implicit-handshake",
1717 "-false-start",
1718 "-handshake-never-done",
1719 "-advertise-alpn", "\x03foo",
1720 },
1721 shouldFail: true,
1722 expectedError: ":UNEXPECTED_RECORD:",
1723 },
1724 {
1725 testType: serverTest,
1726 name: "FailEarlyCallback",
1727 flags: []string{"-fail-early-callback"},
1728 shouldFail: true,
1729 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1730 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1731 },
1732 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1733 name: "FailCertCallback-Client-TLS12",
1734 config: Config{
1735 MaxVersion: VersionTLS12,
1736 ClientAuth: RequestClientCert,
1737 },
1738 flags: []string{"-fail-cert-callback"},
1739 shouldFail: true,
1740 expectedError: ":CERT_CB_ERROR:",
1741 expectedLocalError: "remote error: internal error",
1742 },
1743 {
1744 testType: serverTest,
1745 name: "FailCertCallback-Server-TLS12",
1746 config: Config{
1747 MaxVersion: VersionTLS12,
1748 },
1749 flags: []string{"-fail-cert-callback"},
1750 shouldFail: true,
1751 expectedError: ":CERT_CB_ERROR:",
1752 expectedLocalError: "remote error: internal error",
1753 },
1754 {
1755 name: "FailCertCallback-Client-TLS13",
1756 config: Config{
1757 MaxVersion: VersionTLS13,
1758 ClientAuth: RequestClientCert,
1759 },
1760 flags: []string{"-fail-cert-callback"},
1761 shouldFail: true,
1762 expectedError: ":CERT_CB_ERROR:",
1763 expectedLocalError: "remote error: internal error",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailCertCallback-Server-TLS13",
1768 config: Config{
1769 MaxVersion: VersionTLS13,
1770 },
1771 flags: []string{"-fail-cert-callback"},
1772 shouldFail: true,
1773 expectedError: ":CERT_CB_ERROR:",
1774 expectedLocalError: "remote error: internal error",
1775 },
1776 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1777 protocol: dtls,
1778 name: "FragmentMessageTypeMismatch-DTLS",
1779 config: Config{
1780 Bugs: ProtocolBugs{
1781 MaxHandshakeRecordLength: 2,
1782 FragmentMessageTypeMismatch: true,
1783 },
1784 },
1785 shouldFail: true,
1786 expectedError: ":FRAGMENT_MISMATCH:",
1787 },
1788 {
1789 protocol: dtls,
1790 name: "FragmentMessageLengthMismatch-DTLS",
1791 config: Config{
1792 Bugs: ProtocolBugs{
1793 MaxHandshakeRecordLength: 2,
1794 FragmentMessageLengthMismatch: true,
1795 },
1796 },
1797 shouldFail: true,
1798 expectedError: ":FRAGMENT_MISMATCH:",
1799 },
1800 {
1801 protocol: dtls,
1802 name: "SplitFragments-Header-DTLS",
1803 config: Config{
1804 Bugs: ProtocolBugs{
1805 SplitFragments: 2,
1806 },
1807 },
1808 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1809 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1810 },
1811 {
1812 protocol: dtls,
1813 name: "SplitFragments-Boundary-DTLS",
1814 config: Config{
1815 Bugs: ProtocolBugs{
1816 SplitFragments: dtlsRecordHeaderLen,
1817 },
1818 },
1819 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1820 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1821 },
1822 {
1823 protocol: dtls,
1824 name: "SplitFragments-Body-DTLS",
1825 config: Config{
1826 Bugs: ProtocolBugs{
1827 SplitFragments: dtlsRecordHeaderLen + 1,
1828 },
1829 },
1830 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1831 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1832 },
1833 {
1834 protocol: dtls,
1835 name: "SendEmptyFragments-DTLS",
1836 config: Config{
1837 Bugs: ProtocolBugs{
1838 SendEmptyFragments: true,
1839 },
1840 },
1841 },
1842 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1843 name: "BadFinished-Client",
1844 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1845 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1846 Bugs: ProtocolBugs{
1847 BadFinished: true,
1848 },
1849 },
1850 shouldFail: true,
1851 expectedError: ":DIGEST_CHECK_FAILED:",
1852 },
1853 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1854 name: "BadFinished-Client-TLS13",
1855 config: Config{
1856 MaxVersion: VersionTLS13,
1857 Bugs: ProtocolBugs{
1858 BadFinished: true,
1859 },
1860 },
1861 shouldFail: true,
1862 expectedError: ":DIGEST_CHECK_FAILED:",
1863 },
1864 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1865 testType: serverTest,
1866 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1867 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1868 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 Bugs: ProtocolBugs{
1870 BadFinished: true,
1871 },
1872 },
1873 shouldFail: true,
1874 expectedError: ":DIGEST_CHECK_FAILED:",
1875 },
1876 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1877 testType: serverTest,
1878 name: "BadFinished-Server-TLS13",
1879 config: Config{
1880 MaxVersion: VersionTLS13,
1881 Bugs: ProtocolBugs{
1882 BadFinished: true,
1883 },
1884 },
1885 shouldFail: true,
1886 expectedError: ":DIGEST_CHECK_FAILED:",
1887 },
1888 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1889 name: "FalseStart-BadFinished",
1890 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1891 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1892 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1893 NextProtos: []string{"foo"},
1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 ExpectFalseStart: true,
1897 },
1898 },
1899 flags: []string{
1900 "-false-start",
1901 "-handshake-never-done",
1902 "-advertise-alpn", "\x03foo",
1903 },
1904 shimWritesFirst: true,
1905 shouldFail: true,
1906 expectedError: ":DIGEST_CHECK_FAILED:",
1907 },
1908 {
1909 name: "NoFalseStart-NoALPN",
1910 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1911 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1912 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1913 Bugs: ProtocolBugs{
1914 ExpectFalseStart: true,
1915 AlertBeforeFalseStartTest: alertAccessDenied,
1916 },
1917 },
1918 flags: []string{
1919 "-false-start",
1920 },
1921 shimWritesFirst: true,
1922 shouldFail: true,
1923 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1924 expectedLocalError: "tls: peer did not false start: EOF",
1925 },
1926 {
1927 name: "NoFalseStart-NoAEAD",
1928 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1929 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1930 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1931 NextProtos: []string{"foo"},
1932 Bugs: ProtocolBugs{
1933 ExpectFalseStart: true,
1934 AlertBeforeFalseStartTest: alertAccessDenied,
1935 },
1936 },
1937 flags: []string{
1938 "-false-start",
1939 "-advertise-alpn", "\x03foo",
1940 },
1941 shimWritesFirst: true,
1942 shouldFail: true,
1943 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1944 expectedLocalError: "tls: peer did not false start: EOF",
1945 },
1946 {
1947 name: "NoFalseStart-RSA",
1948 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1949 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1950 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1951 NextProtos: []string{"foo"},
1952 Bugs: ProtocolBugs{
1953 ExpectFalseStart: true,
1954 AlertBeforeFalseStartTest: alertAccessDenied,
1955 },
1956 },
1957 flags: []string{
1958 "-false-start",
1959 "-advertise-alpn", "\x03foo",
1960 },
1961 shimWritesFirst: true,
1962 shouldFail: true,
1963 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1964 expectedLocalError: "tls: peer did not false start: EOF",
1965 },
1966 {
1967 name: "NoFalseStart-DHE_RSA",
1968 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1969 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1970 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1971 NextProtos: []string{"foo"},
1972 Bugs: ProtocolBugs{
1973 ExpectFalseStart: true,
1974 AlertBeforeFalseStartTest: alertAccessDenied,
1975 },
1976 },
1977 flags: []string{
1978 "-false-start",
1979 "-advertise-alpn", "\x03foo",
1980 },
1981 shimWritesFirst: true,
1982 shouldFail: true,
1983 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1984 expectedLocalError: "tls: peer did not false start: EOF",
1985 },
1986 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1987 protocol: dtls,
1988 name: "SendSplitAlert-Sync",
1989 config: Config{
1990 Bugs: ProtocolBugs{
1991 SendSplitAlert: true,
1992 },
1993 },
1994 },
1995 {
1996 protocol: dtls,
1997 name: "SendSplitAlert-Async",
1998 config: Config{
1999 Bugs: ProtocolBugs{
2000 SendSplitAlert: true,
2001 },
2002 },
2003 flags: []string{"-async"},
2004 },
2005 {
2006 protocol: dtls,
2007 name: "PackDTLSHandshake",
2008 config: Config{
2009 Bugs: ProtocolBugs{
2010 MaxHandshakeRecordLength: 2,
2011 PackHandshakeFragments: 20,
2012 PackHandshakeRecords: 200,
2013 },
2014 },
2015 },
2016 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2017 name: "SendEmptyRecords-Pass",
2018 sendEmptyRecords: 32,
2019 },
2020 {
2021 name: "SendEmptyRecords",
2022 sendEmptyRecords: 33,
2023 shouldFail: true,
2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2025 },
2026 {
2027 name: "SendEmptyRecords-Async",
2028 sendEmptyRecords: 33,
2029 flags: []string{"-async"},
2030 shouldFail: true,
2031 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2032 },
2033 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2034 name: "SendWarningAlerts-Pass",
2035 config: Config{
2036 MaxVersion: VersionTLS12,
2037 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2038 sendWarningAlerts: 4,
2039 },
2040 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2041 protocol: dtls,
2042 name: "SendWarningAlerts-DTLS-Pass",
2043 config: Config{
2044 MaxVersion: VersionTLS12,
2045 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2046 sendWarningAlerts: 4,
2047 },
2048 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2049 name: "SendWarningAlerts-TLS13",
2050 config: Config{
2051 MaxVersion: VersionTLS13,
2052 },
2053 sendWarningAlerts: 4,
2054 shouldFail: true,
2055 expectedError: ":BAD_ALERT:",
2056 expectedLocalError: "remote error: error decoding message",
2057 },
2058 {
2059 name: "SendWarningAlerts",
2060 config: Config{
2061 MaxVersion: VersionTLS12,
2062 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2063 sendWarningAlerts: 5,
2064 shouldFail: true,
2065 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2066 },
2067 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2068 name: "SendWarningAlerts-Async",
2069 config: Config{
2070 MaxVersion: VersionTLS12,
2071 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2072 sendWarningAlerts: 5,
2073 flags: []string{"-async"},
2074 shouldFail: true,
2075 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2076 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2077 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2078 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2079 config: Config{
2080 MaxVersion: VersionTLS13,
2081 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2082 sendKeyUpdates: 33,
2083 keyUpdateRequest: keyUpdateNotRequested,
2084 shouldFail: true,
2085 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2086 },
2087 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2088 name: "EmptySessionID",
2089 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2090 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2091 SessionTicketsDisabled: true,
2092 },
2093 noSessionCache: true,
2094 flags: []string{"-expect-no-session"},
2095 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2096 {
2097 name: "Unclean-Shutdown",
2098 config: Config{
2099 Bugs: ProtocolBugs{
2100 NoCloseNotify: true,
2101 ExpectCloseNotify: true,
2102 },
2103 },
2104 shimShutsDown: true,
2105 flags: []string{"-check-close-notify"},
2106 shouldFail: true,
2107 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2108 },
2109 {
2110 name: "Unclean-Shutdown-Ignored",
2111 config: Config{
2112 Bugs: ProtocolBugs{
2113 NoCloseNotify: true,
2114 },
2115 },
2116 shimShutsDown: true,
2117 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2118 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2119 name: "Unclean-Shutdown-Alert",
2120 config: Config{
2121 Bugs: ProtocolBugs{
2122 SendAlertOnShutdown: alertDecompressionFailure,
2123 ExpectCloseNotify: true,
2124 },
2125 },
2126 shimShutsDown: true,
2127 flags: []string{"-check-close-notify"},
2128 shouldFail: true,
2129 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2130 },
2131 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2132 name: "LargePlaintext",
2133 config: Config{
2134 Bugs: ProtocolBugs{
2135 SendLargeRecords: true,
2136 },
2137 },
2138 messageLen: maxPlaintext + 1,
2139 shouldFail: true,
2140 expectedError: ":DATA_LENGTH_TOO_LONG:",
2141 },
2142 {
2143 protocol: dtls,
2144 name: "LargePlaintext-DTLS",
2145 config: Config{
2146 Bugs: ProtocolBugs{
2147 SendLargeRecords: true,
2148 },
2149 },
2150 messageLen: maxPlaintext + 1,
2151 shouldFail: true,
2152 expectedError: ":DATA_LENGTH_TOO_LONG:",
2153 },
2154 {
2155 name: "LargeCiphertext",
2156 config: Config{
2157 Bugs: ProtocolBugs{
2158 SendLargeRecords: true,
2159 },
2160 },
2161 messageLen: maxPlaintext * 2,
2162 shouldFail: true,
2163 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2164 },
2165 {
2166 protocol: dtls,
2167 name: "LargeCiphertext-DTLS",
2168 config: Config{
2169 Bugs: ProtocolBugs{
2170 SendLargeRecords: true,
2171 },
2172 },
2173 messageLen: maxPlaintext * 2,
2174 // Unlike the other four cases, DTLS drops records which
2175 // are invalid before authentication, so the connection
2176 // does not fail.
2177 expectMessageDropped: true,
2178 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2179 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2180 name: "BadHelloRequest-1",
2181 renegotiate: 1,
2182 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2183 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2184 Bugs: ProtocolBugs{
2185 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2186 },
2187 },
2188 flags: []string{
2189 "-renegotiate-freely",
2190 "-expect-total-renegotiations", "1",
2191 },
2192 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2193 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2194 },
2195 {
2196 name: "BadHelloRequest-2",
2197 renegotiate: 1,
2198 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2199 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2200 Bugs: ProtocolBugs{
2201 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2202 },
2203 },
2204 flags: []string{
2205 "-renegotiate-freely",
2206 "-expect-total-renegotiations", "1",
2207 },
2208 shouldFail: true,
2209 expectedError: ":BAD_HELLO_REQUEST:",
2210 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2211 {
2212 testType: serverTest,
2213 name: "SupportTicketsWithSessionID",
2214 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2215 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2216 SessionTicketsDisabled: true,
2217 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2218 resumeConfig: &Config{
2219 MaxVersion: VersionTLS12,
2220 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2221 resumeSession: true,
2222 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2223 {
2224 protocol: dtls,
2225 name: "DTLS-SendExtraFinished",
2226 config: Config{
2227 Bugs: ProtocolBugs{
2228 SendExtraFinished: true,
2229 },
2230 },
2231 shouldFail: true,
2232 expectedError: ":UNEXPECTED_RECORD:",
2233 },
2234 {
2235 protocol: dtls,
2236 name: "DTLS-SendExtraFinished-Reordered",
2237 config: Config{
2238 Bugs: ProtocolBugs{
2239 MaxHandshakeRecordLength: 2,
2240 ReorderHandshakeFragments: true,
2241 SendExtraFinished: true,
2242 },
2243 },
2244 shouldFail: true,
2245 expectedError: ":UNEXPECTED_RECORD:",
2246 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2247 {
2248 testType: serverTest,
2249 name: "V2ClientHello-EmptyRecordPrefix",
2250 config: Config{
2251 // Choose a cipher suite that does not involve
2252 // elliptic curves, so no extensions are
2253 // involved.
2254 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2255 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2256 Bugs: ProtocolBugs{
2257 SendV2ClientHello: true,
2258 },
2259 },
2260 sendPrefix: string([]byte{
2261 byte(recordTypeHandshake),
2262 3, 1, // version
2263 0, 0, // length
2264 }),
2265 // A no-op empty record may not be sent before V2ClientHello.
2266 shouldFail: true,
2267 expectedError: ":WRONG_VERSION_NUMBER:",
2268 },
2269 {
2270 testType: serverTest,
2271 name: "V2ClientHello-WarningAlertPrefix",
2272 config: Config{
2273 // Choose a cipher suite that does not involve
2274 // elliptic curves, so no extensions are
2275 // involved.
2276 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2277 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2278 Bugs: ProtocolBugs{
2279 SendV2ClientHello: true,
2280 },
2281 },
2282 sendPrefix: string([]byte{
2283 byte(recordTypeAlert),
2284 3, 1, // version
2285 0, 2, // length
2286 alertLevelWarning, byte(alertDecompressionFailure),
2287 }),
2288 // A no-op warning alert may not be sent before V2ClientHello.
2289 shouldFail: true,
2290 expectedError: ":WRONG_VERSION_NUMBER:",
2291 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2292 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2293 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 config: Config{
2295 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2297 sendKeyUpdates: 1,
2298 keyUpdateRequest: keyUpdateNotRequested,
2299 },
2300 {
2301 name: "KeyUpdate-InvalidRequestMode",
2302 config: Config{
2303 MaxVersion: VersionTLS13,
2304 },
2305 sendKeyUpdates: 1,
2306 keyUpdateRequest: 42,
2307 shouldFail: true,
2308 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2309 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2310 {
2311 name: "SendSNIWarningAlert",
2312 config: Config{
2313 MaxVersion: VersionTLS12,
2314 Bugs: ProtocolBugs{
2315 SendSNIWarningAlert: true,
2316 },
2317 },
2318 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2319 {
2320 testType: serverTest,
2321 name: "ExtraCompressionMethods-TLS12",
2322 config: Config{
2323 MaxVersion: VersionTLS12,
2324 Bugs: ProtocolBugs{
2325 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2326 },
2327 },
2328 },
2329 {
2330 testType: serverTest,
2331 name: "ExtraCompressionMethods-TLS13",
2332 config: Config{
2333 MaxVersion: VersionTLS13,
2334 Bugs: ProtocolBugs{
2335 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2336 },
2337 },
2338 shouldFail: true,
2339 expectedError: ":INVALID_COMPRESSION_LIST:",
2340 expectedLocalError: "remote error: illegal parameter",
2341 },
2342 {
2343 testType: serverTest,
2344 name: "NoNullCompression-TLS12",
2345 config: Config{
2346 MaxVersion: VersionTLS12,
2347 Bugs: ProtocolBugs{
2348 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2349 },
2350 },
2351 shouldFail: true,
2352 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2353 expectedLocalError: "remote error: illegal parameter",
2354 },
2355 {
2356 testType: serverTest,
2357 name: "NoNullCompression-TLS13",
2358 config: Config{
2359 MaxVersion: VersionTLS13,
2360 Bugs: ProtocolBugs{
2361 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2362 },
2363 },
2364 shouldFail: true,
2365 expectedError: ":INVALID_COMPRESSION_LIST:",
2366 expectedLocalError: "remote error: illegal parameter",
2367 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2368 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2369 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 config: Config{
2371 MaxVersion: VersionTLS12,
2372 Bugs: ProtocolBugs{
2373 ExpectGREASE: true,
2374 },
2375 },
2376 flags: []string{"-enable-grease"},
2377 },
2378 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2379 name: "GREASE-Client-TLS13",
2380 config: Config{
2381 MaxVersion: VersionTLS13,
2382 Bugs: ProtocolBugs{
2383 ExpectGREASE: true,
2384 },
2385 },
2386 flags: []string{"-enable-grease"},
2387 },
2388 {
2389 testType: serverTest,
2390 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2391 config: Config{
2392 MaxVersion: VersionTLS13,
2393 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2394 // TLS 1.3 servers are expected to
2395 // always enable GREASE. TLS 1.3 is new,
2396 // so there is no existing ecosystem to
2397 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2398 ExpectGREASE: true,
2399 },
2400 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2401 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2402 {
2403 // Test the server so there is a large certificate as
2404 // well as application data.
2405 testType: serverTest,
2406 name: "MaxSendFragment",
2407 config: Config{
2408 Bugs: ProtocolBugs{
2409 MaxReceivePlaintext: 512,
2410 },
2411 },
2412 messageLen: 1024,
2413 flags: []string{
2414 "-max-send-fragment", "512",
2415 "-read-size", "1024",
2416 },
2417 },
2418 {
2419 // Test the server so there is a large certificate as
2420 // well as application data.
2421 testType: serverTest,
2422 name: "MaxSendFragment-TooLarge",
2423 config: Config{
2424 Bugs: ProtocolBugs{
2425 // Ensure that some of the records are
2426 // 512.
2427 MaxReceivePlaintext: 511,
2428 },
2429 },
2430 messageLen: 1024,
2431 flags: []string{
2432 "-max-send-fragment", "512",
2433 "-read-size", "1024",
2434 },
2435 shouldFail: true,
2436 expectedLocalError: "local error: record overflow",
2437 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2438 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2439 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2440
2441 // Test that very large messages can be received.
2442 cert := rsaCertificate
2443 for i := 0; i < 50; i++ {
2444 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2445 }
2446 testCases = append(testCases, testCase{
2447 name: "LargeMessage",
2448 config: Config{
2449 Certificates: []Certificate{cert},
2450 },
2451 })
2452 testCases = append(testCases, testCase{
2453 protocol: dtls,
2454 name: "LargeMessage-DTLS",
2455 config: Config{
2456 Certificates: []Certificate{cert},
2457 },
2458 })
2459
2460 // They are rejected if the maximum certificate chain length is capped.
2461 testCases = append(testCases, testCase{
2462 name: "LargeMessage-Reject",
2463 config: Config{
2464 Certificates: []Certificate{cert},
2465 },
2466 flags: []string{"-max-cert-list", "16384"},
2467 shouldFail: true,
2468 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2469 })
2470 testCases = append(testCases, testCase{
2471 protocol: dtls,
2472 name: "LargeMessage-Reject-DTLS",
2473 config: Config{
2474 Certificates: []Certificate{cert},
2475 },
2476 flags: []string{"-max-cert-list", "16384"},
2477 shouldFail: true,
2478 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2479 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2480}
2481
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2482func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2483 const psk = "12345"
2484 const pskIdentity = "luggage combo"
2485
2486 var prefix string
2487 if protocol == dtls {
2488 if !ver.hasDTLS {
2489 return
2490 }
2491 prefix = "D"
2492 }
2493
2494 var cert Certificate
2495 var certFile string
2496 var keyFile string
2497 if hasComponent(suite.name, "ECDSA") {
2498 cert = ecdsaP256Certificate
2499 certFile = ecdsaP256CertificateFile
2500 keyFile = ecdsaP256KeyFile
2501 } else {
2502 cert = rsaCertificate
2503 certFile = rsaCertificateFile
2504 keyFile = rsaKeyFile
2505 }
2506
2507 var flags []string
2508 if hasComponent(suite.name, "PSK") {
2509 flags = append(flags,
2510 "-psk", psk,
2511 "-psk-identity", pskIdentity)
2512 }
2513 if hasComponent(suite.name, "NULL") {
2514 // NULL ciphers must be explicitly enabled.
2515 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2516 }
2517 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2518 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2519 // for now.
2520 flags = append(flags, "-cipher", suite.name)
2521 }
2522
2523 var shouldServerFail, shouldClientFail bool
2524 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2525 // BoringSSL clients accept ECDHE on SSLv3, but
2526 // a BoringSSL server will never select it
2527 // because the extension is missing.
2528 shouldServerFail = true
2529 }
2530 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2531 shouldClientFail = true
2532 shouldServerFail = true
2533 }
2534 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2535 shouldClientFail = true
2536 shouldServerFail = true
2537 }
2538 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2539 shouldClientFail = true
2540 shouldServerFail = true
2541 }
2542 if !isDTLSCipher(suite.name) && protocol == dtls {
2543 shouldClientFail = true
2544 shouldServerFail = true
2545 }
2546
2547 var sendCipherSuite uint16
2548 var expectedServerError, expectedClientError string
2549 serverCipherSuites := []uint16{suite.id}
2550 if shouldServerFail {
2551 expectedServerError = ":NO_SHARED_CIPHER:"
2552 }
2553 if shouldClientFail {
2554 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2555 // Configure the server to select ciphers as normal but
2556 // select an incompatible cipher in ServerHello.
2557 serverCipherSuites = nil
2558 sendCipherSuite = suite.id
2559 }
2560
2561 testCases = append(testCases, testCase{
2562 testType: serverTest,
2563 protocol: protocol,
2564 name: prefix + ver.name + "-" + suite.name + "-server",
2565 config: Config{
2566 MinVersion: ver.version,
2567 MaxVersion: ver.version,
2568 CipherSuites: []uint16{suite.id},
2569 Certificates: []Certificate{cert},
2570 PreSharedKey: []byte(psk),
2571 PreSharedKeyIdentity: pskIdentity,
2572 Bugs: ProtocolBugs{
2573 AdvertiseAllConfiguredCiphers: true,
2574 },
2575 },
2576 certFile: certFile,
2577 keyFile: keyFile,
2578 flags: flags,
2579 resumeSession: true,
2580 shouldFail: shouldServerFail,
2581 expectedError: expectedServerError,
2582 })
2583
2584 testCases = append(testCases, testCase{
2585 testType: clientTest,
2586 protocol: protocol,
2587 name: prefix + ver.name + "-" + suite.name + "-client",
2588 config: Config{
2589 MinVersion: ver.version,
2590 MaxVersion: ver.version,
2591 CipherSuites: serverCipherSuites,
2592 Certificates: []Certificate{cert},
2593 PreSharedKey: []byte(psk),
2594 PreSharedKeyIdentity: pskIdentity,
2595 Bugs: ProtocolBugs{
2596 IgnorePeerCipherPreferences: shouldClientFail,
2597 SendCipherSuite: sendCipherSuite,
2598 },
2599 },
2600 flags: flags,
2601 resumeSession: true,
2602 shouldFail: shouldClientFail,
2603 expectedError: expectedClientError,
2604 })
2605
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2606 if shouldClientFail {
2607 return
2608 }
2609
2610 // Ensure the maximum record size is accepted.
2611 testCases = append(testCases, testCase{
2612 protocol: protocol,
2613 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2614 config: Config{
2615 MinVersion: ver.version,
2616 MaxVersion: ver.version,
2617 CipherSuites: []uint16{suite.id},
2618 Certificates: []Certificate{cert},
2619 PreSharedKey: []byte(psk),
2620 PreSharedKeyIdentity: pskIdentity,
2621 },
2622 flags: flags,
2623 messageLen: maxPlaintext,
2624 })
2625
2626 // Test bad records for all ciphers. Bad records are fatal in TLS
2627 // and ignored in DTLS.
2628 var shouldFail bool
2629 var expectedError string
2630 if protocol == tls {
2631 shouldFail = true
2632 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2633 }
2634
2635 testCases = append(testCases, testCase{
2636 protocol: protocol,
2637 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2638 config: Config{
2639 MinVersion: ver.version,
2640 MaxVersion: ver.version,
2641 CipherSuites: []uint16{suite.id},
2642 Certificates: []Certificate{cert},
2643 PreSharedKey: []byte(psk),
2644 PreSharedKeyIdentity: pskIdentity,
2645 },
2646 flags: flags,
2647 damageFirstWrite: true,
2648 messageLen: maxPlaintext,
2649 shouldFail: shouldFail,
2650 expectedError: expectedError,
2651 })
2652
2653 if ver.version >= VersionTLS13 {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2654 testCases = append(testCases, testCase{
2655 protocol: protocol,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2656 name: prefix + ver.name + "-" + suite.name + "-ShortHeader",
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2657 config: Config{
2658 MinVersion: ver.version,
2659 MaxVersion: ver.version,
2660 CipherSuites: []uint16{suite.id},
2661 Certificates: []Certificate{cert},
2662 PreSharedKey: []byte(psk),
2663 PreSharedKeyIdentity: pskIdentity,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2664 Bugs: ProtocolBugs{
2665 EnableShortHeader: true,
2666 },
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2667 },
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2668 flags: append([]string{"-enable-short-header"}, flags...),
2669 resumeSession: true,
2670 expectShortHeader: true,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2671 })
2672 }
2673}
2674
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2675func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2676 const bogusCipher = 0xfe00
2677
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2678 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2679 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2680 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2681 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2682 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2683 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2684 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2685
2686 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2687 name: "NoSharedCipher",
2688 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2689 MaxVersion: VersionTLS12,
2690 CipherSuites: []uint16{},
2691 },
2692 shouldFail: true,
2693 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2694 })
2695
2696 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2697 name: "NoSharedCipher-TLS13",
2698 config: Config{
2699 MaxVersion: VersionTLS13,
2700 CipherSuites: []uint16{},
2701 },
2702 shouldFail: true,
2703 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2704 })
2705
2706 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2707 name: "UnsupportedCipherSuite",
2708 config: Config{
2709 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2710 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2711 Bugs: ProtocolBugs{
2712 IgnorePeerCipherPreferences: true,
2713 },
2714 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2715 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2716 shouldFail: true,
2717 expectedError: ":WRONG_CIPHER_RETURNED:",
2718 })
2719
2720 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2721 name: "ServerHelloBogusCipher",
2722 config: Config{
2723 MaxVersion: VersionTLS12,
2724 Bugs: ProtocolBugs{
2725 SendCipherSuite: bogusCipher,
2726 },
2727 },
2728 shouldFail: true,
2729 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2730 })
2731 testCases = append(testCases, testCase{
2732 name: "ServerHelloBogusCipher-TLS13",
2733 config: Config{
2734 MaxVersion: VersionTLS13,
2735 Bugs: ProtocolBugs{
2736 SendCipherSuite: bogusCipher,
2737 },
2738 },
2739 shouldFail: true,
2740 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2741 })
2742
2743 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2744 name: "WeakDH",
2745 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2746 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2747 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2748 Bugs: ProtocolBugs{
2749 // This is a 1023-bit prime number, generated
2750 // with:
2751 // openssl gendh 1023 | openssl asn1parse -i
2752 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2753 },
2754 },
2755 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2756 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2757 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2758
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2759 testCases = append(testCases, testCase{
2760 name: "SillyDH",
2761 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2762 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2763 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2764 Bugs: ProtocolBugs{
2765 // This is a 4097-bit prime number, generated
2766 // with:
2767 // openssl gendh 4097 | openssl asn1parse -i
2768 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2769 },
2770 },
2771 shouldFail: true,
2772 expectedError: ":DH_P_TOO_LONG:",
2773 })
2774
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2775 // This test ensures that Diffie-Hellman public values are padded with
2776 // zeros so that they're the same length as the prime. This is to avoid
2777 // hitting a bug in yaSSL.
2778 testCases = append(testCases, testCase{
2779 testType: serverTest,
2780 name: "DHPublicValuePadded",
2781 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2782 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2783 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2784 Bugs: ProtocolBugs{
2785 RequireDHPublicValueLen: (1025 + 7) / 8,
2786 },
2787 },
2788 flags: []string{"-use-sparse-dh-prime"},
2789 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2790
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2791 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2792 testCases = append(testCases, testCase{
2793 testType: serverTest,
2794 name: "UnknownCipher",
2795 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2796 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2797 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2798 Bugs: ProtocolBugs{
2799 AdvertiseAllConfiguredCiphers: true,
2800 },
2801 },
2802 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2803
2804 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2805 testCases = append(testCases, testCase{
2806 testType: serverTest,
2807 name: "UnknownCipher-TLS13",
2808 config: Config{
2809 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2810 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2811 Bugs: ProtocolBugs{
2812 AdvertiseAllConfiguredCiphers: true,
2813 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2814 },
2815 })
2816
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2817 // Test empty ECDHE_PSK identity hints work as expected.
2818 testCases = append(testCases, testCase{
2819 name: "EmptyECDHEPSKHint",
2820 config: Config{
2821 MaxVersion: VersionTLS12,
2822 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2823 PreSharedKey: []byte("secret"),
2824 },
2825 flags: []string{"-psk", "secret"},
2826 })
2827
2828 // Test empty PSK identity hints work as expected, even if an explicit
2829 // ServerKeyExchange is sent.
2830 testCases = append(testCases, testCase{
2831 name: "ExplicitEmptyPSKHint",
2832 config: Config{
2833 MaxVersion: VersionTLS12,
2834 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2835 PreSharedKey: []byte("secret"),
2836 Bugs: ProtocolBugs{
2837 AlwaysSendPreSharedKeyIdentityHint: true,
2838 },
2839 },
2840 flags: []string{"-psk", "secret"},
2841 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2842}
2843
2844func addBadECDSASignatureTests() {
2845 for badR := BadValue(1); badR < NumBadValues; badR++ {
2846 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2847 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2848 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2849 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2850 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2851 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2852 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2853 Bugs: ProtocolBugs{
2854 BadECDSAR: badR,
2855 BadECDSAS: badS,
2856 },
2857 },
2858 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2859 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2860 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2861 testCases = append(testCases, testCase{
2862 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2863 config: Config{
2864 MaxVersion: VersionTLS13,
2865 Certificates: []Certificate{ecdsaP256Certificate},
2866 Bugs: ProtocolBugs{
2867 BadECDSAR: badR,
2868 BadECDSAS: badS,
2869 },
2870 },
2871 shouldFail: true,
2872 expectedError: ":BAD_SIGNATURE:",
2873 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2874 }
2875 }
2876}
2877
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2878func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2879 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2880 name: "MaxCBCPadding",
2881 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2882 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2883 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2884 Bugs: ProtocolBugs{
2885 MaxPadding: true,
2886 },
2887 },
2888 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2889 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2890 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2891 name: "BadCBCPadding",
2892 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2893 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2894 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2895 Bugs: ProtocolBugs{
2896 PaddingFirstByteBad: true,
2897 },
2898 },
2899 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2900 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2901 })
2902 // OpenSSL previously had an issue where the first byte of padding in
2903 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2904 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2905 name: "BadCBCPadding255",
2906 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2907 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2908 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2909 Bugs: ProtocolBugs{
2910 MaxPadding: true,
2911 PaddingFirstByteBadIf255: true,
2912 },
2913 },
2914 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2915 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2916 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2917 })
2918}
2919
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2920func addCBCSplittingTests() {
2921 testCases = append(testCases, testCase{
2922 name: "CBCRecordSplitting",
2923 config: Config{
2924 MaxVersion: VersionTLS10,
2925 MinVersion: VersionTLS10,
2926 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2927 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2928 messageLen: -1, // read until EOF
2929 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2930 flags: []string{
2931 "-async",
2932 "-write-different-record-sizes",
2933 "-cbc-record-splitting",
2934 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2935 })
2936 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2937 name: "CBCRecordSplittingPartialWrite",
2938 config: Config{
2939 MaxVersion: VersionTLS10,
2940 MinVersion: VersionTLS10,
2941 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2942 },
2943 messageLen: -1, // read until EOF
2944 flags: []string{
2945 "-async",
2946 "-write-different-record-sizes",
2947 "-cbc-record-splitting",
2948 "-partial-write",
2949 },
2950 })
2951}
2952
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2953func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2954 // Add a dummy cert pool to stress certificate authority parsing.
2955 // TODO(davidben): Add tests that those values parse out correctly.
2956 certPool := x509.NewCertPool()
2957 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2958 if err != nil {
2959 panic(err)
2960 }
2961 certPool.AddCert(cert)
2962
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2963 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2964 testCases = append(testCases, testCase{
2965 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2966 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2967 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2968 MinVersion: ver.version,
2969 MaxVersion: ver.version,
2970 ClientAuth: RequireAnyClientCert,
2971 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2972 },
2973 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2974 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2975 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2976 },
2977 })
2978 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2979 testType: serverTest,
2980 name: ver.name + "-Server-ClientAuth-RSA",
2981 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2982 MinVersion: ver.version,
2983 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2984 Certificates: []Certificate{rsaCertificate},
2985 },
2986 flags: []string{"-require-any-client-certificate"},
2987 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2988 if ver.version != VersionSSL30 {
2989 testCases = append(testCases, testCase{
2990 testType: serverTest,
2991 name: ver.name + "-Server-ClientAuth-ECDSA",
2992 config: Config{
2993 MinVersion: ver.version,
2994 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2995 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2996 },
2997 flags: []string{"-require-any-client-certificate"},
2998 })
2999 testCases = append(testCases, testCase{
3000 testType: clientTest,
3001 name: ver.name + "-Client-ClientAuth-ECDSA",
3002 config: Config{
3003 MinVersion: ver.version,
3004 MaxVersion: ver.version,
3005 ClientAuth: RequireAnyClientCert,
3006 ClientCAs: certPool,
3007 },
3008 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3009 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3010 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3011 },
3012 })
3013 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3014
3015 testCases = append(testCases, testCase{
3016 name: "NoClientCertificate-" + ver.name,
3017 config: Config{
3018 MinVersion: ver.version,
3019 MaxVersion: ver.version,
3020 ClientAuth: RequireAnyClientCert,
3021 },
3022 shouldFail: true,
3023 expectedLocalError: "client didn't provide a certificate",
3024 })
3025
3026 testCases = append(testCases, testCase{
3027 // Even if not configured to expect a certificate, OpenSSL will
3028 // return X509_V_OK as the verify_result.
3029 testType: serverTest,
3030 name: "NoClientCertificateRequested-Server-" + ver.name,
3031 config: Config{
3032 MinVersion: ver.version,
3033 MaxVersion: ver.version,
3034 },
3035 flags: []string{
3036 "-expect-verify-result",
3037 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3038 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3039 })
3040
3041 testCases = append(testCases, testCase{
3042 // If a client certificate is not provided, OpenSSL will still
3043 // return X509_V_OK as the verify_result.
3044 testType: serverTest,
3045 name: "NoClientCertificate-Server-" + ver.name,
3046 config: Config{
3047 MinVersion: ver.version,
3048 MaxVersion: ver.version,
3049 },
3050 flags: []string{
3051 "-expect-verify-result",
3052 "-verify-peer",
3053 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3054 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3055 })
3056
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3057 certificateRequired := "remote error: certificate required"
3058 if ver.version < VersionTLS13 {
3059 // Prior to TLS 1.3, the generic handshake_failure alert
3060 // was used.
3061 certificateRequired = "remote error: handshake failure"
3062 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3063 testCases = append(testCases, testCase{
3064 testType: serverTest,
3065 name: "RequireAnyClientCertificate-" + ver.name,
3066 config: Config{
3067 MinVersion: ver.version,
3068 MaxVersion: ver.version,
3069 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3070 flags: []string{"-require-any-client-certificate"},
3071 shouldFail: true,
3072 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3073 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3074 })
3075
3076 if ver.version != VersionSSL30 {
3077 testCases = append(testCases, testCase{
3078 testType: serverTest,
3079 name: "SkipClientCertificate-" + ver.name,
3080 config: Config{
3081 MinVersion: ver.version,
3082 MaxVersion: ver.version,
3083 Bugs: ProtocolBugs{
3084 SkipClientCertificate: true,
3085 },
3086 },
3087 // Setting SSL_VERIFY_PEER allows anonymous clients.
3088 flags: []string{"-verify-peer"},
3089 shouldFail: true,
3090 expectedError: ":UNEXPECTED_MESSAGE:",
3091 })
3092 }
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3093 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3094
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3095 // Client auth is only legal in certificate-based ciphers.
3096 testCases = append(testCases, testCase{
3097 testType: clientTest,
3098 name: "ClientAuth-PSK",
3099 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3100 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3101 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3102 PreSharedKey: []byte("secret"),
3103 ClientAuth: RequireAnyClientCert,
3104 },
3105 flags: []string{
3106 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3107 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3108 "-psk", "secret",
3109 },
3110 shouldFail: true,
3111 expectedError: ":UNEXPECTED_MESSAGE:",
3112 })
3113 testCases = append(testCases, testCase{
3114 testType: clientTest,
3115 name: "ClientAuth-ECDHE_PSK",
3116 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3117 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3118 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3119 PreSharedKey: []byte("secret"),
3120 ClientAuth: RequireAnyClientCert,
3121 },
3122 flags: []string{
3123 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3124 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3125 "-psk", "secret",
3126 },
3127 shouldFail: true,
3128 expectedError: ":UNEXPECTED_MESSAGE:",
3129 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3130
3131 // Regression test for a bug where the client CA list, if explicitly
3132 // set to NULL, was mis-encoded.
3133 testCases = append(testCases, testCase{
3134 testType: serverTest,
3135 name: "Null-Client-CA-List",
3136 config: Config{
3137 MaxVersion: VersionTLS12,
3138 Certificates: []Certificate{rsaCertificate},
3139 },
3140 flags: []string{
3141 "-require-any-client-certificate",
3142 "-use-null-client-ca-list",
3143 },
3144 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3145}
3146
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3147func addExtendedMasterSecretTests() {
3148 const expectEMSFlag = "-expect-extended-master-secret"
3149
3150 for _, with := range []bool{false, true} {
3151 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3152 if with {
3153 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3154 }
3155
3156 for _, isClient := range []bool{false, true} {
3157 suffix := "-Server"
3158 testType := serverTest
3159 if isClient {
3160 suffix = "-Client"
3161 testType = clientTest
3162 }
3163
3164 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3165 // In TLS 1.3, the extension is irrelevant and
3166 // always reports as enabled.
3167 var flags []string
3168 if with || ver.version >= VersionTLS13 {
3169 flags = []string{expectEMSFlag}
3170 }
3171
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3172 test := testCase{
3173 testType: testType,
3174 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3175 config: Config{
3176 MinVersion: ver.version,
3177 MaxVersion: ver.version,
3178 Bugs: ProtocolBugs{
3179 NoExtendedMasterSecret: !with,
3180 RequireExtendedMasterSecret: with,
3181 },
3182 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3183 flags: flags,
3184 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3185 }
3186 if test.shouldFail {
3187 test.expectedLocalError = "extended master secret required but not supported by peer"
3188 }
3189 testCases = append(testCases, test)
3190 }
3191 }
3192 }
3193
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3194 for _, isClient := range []bool{false, true} {
3195 for _, supportedInFirstConnection := range []bool{false, true} {
3196 for _, supportedInResumeConnection := range []bool{false, true} {
3197 boolToWord := func(b bool) string {
3198 if b {
3199 return "Yes"
3200 }
3201 return "No"
3202 }
3203 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3204 if isClient {
3205 suffix += "Client"
3206 } else {
3207 suffix += "Server"
3208 }
3209
3210 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3211 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3212 Bugs: ProtocolBugs{
3213 RequireExtendedMasterSecret: true,
3214 },
3215 }
3216
3217 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3218 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3219 Bugs: ProtocolBugs{
3220 NoExtendedMasterSecret: true,
3221 },
3222 }
3223
3224 test := testCase{
3225 name: "ExtendedMasterSecret-" + suffix,
3226 resumeSession: true,
3227 }
3228
3229 if !isClient {
3230 test.testType = serverTest
3231 }
3232
3233 if supportedInFirstConnection {
3234 test.config = supportedConfig
3235 } else {
3236 test.config = noSupportConfig
3237 }
3238
3239 if supportedInResumeConnection {
3240 test.resumeConfig = &supportedConfig
3241 } else {
3242 test.resumeConfig = &noSupportConfig
3243 }
3244
3245 switch suffix {
3246 case "YesToYes-Client", "YesToYes-Server":
3247 // When a session is resumed, it should
3248 // still be aware that its master
3249 // secret was generated via EMS and
3250 // thus it's safe to use tls-unique.
3251 test.flags = []string{expectEMSFlag}
3252 case "NoToYes-Server":
3253 // If an original connection did not
3254 // contain EMS, but a resumption
3255 // handshake does, then a server should
3256 // not resume the session.
3257 test.expectResumeRejected = true
3258 case "YesToNo-Server":
3259 // Resuming an EMS session without the
3260 // EMS extension should cause the
3261 // server to abort the connection.
3262 test.shouldFail = true
3263 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3264 case "NoToYes-Client":
3265 // A client should abort a connection
3266 // where the server resumed a non-EMS
3267 // session but echoed the EMS
3268 // extension.
3269 test.shouldFail = true
3270 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3271 case "YesToNo-Client":
3272 // A client should abort a connection
3273 // where the server didn't echo EMS
3274 // when the session used it.
3275 test.shouldFail = true
3276 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3277 }
3278
3279 testCases = append(testCases, test)
3280 }
3281 }
3282 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3283
3284 // Switching EMS on renegotiation is forbidden.
3285 testCases = append(testCases, testCase{
3286 name: "ExtendedMasterSecret-Renego-NoEMS",
3287 config: Config{
3288 MaxVersion: VersionTLS12,
3289 Bugs: ProtocolBugs{
3290 NoExtendedMasterSecret: true,
3291 NoExtendedMasterSecretOnRenegotiation: true,
3292 },
3293 },
3294 renegotiate: 1,
3295 flags: []string{
3296 "-renegotiate-freely",
3297 "-expect-total-renegotiations", "1",
3298 },
3299 })
3300
3301 testCases = append(testCases, testCase{
3302 name: "ExtendedMasterSecret-Renego-Upgrade",
3303 config: Config{
3304 MaxVersion: VersionTLS12,
3305 Bugs: ProtocolBugs{
3306 NoExtendedMasterSecret: true,
3307 },
3308 },
3309 renegotiate: 1,
3310 flags: []string{
3311 "-renegotiate-freely",
3312 "-expect-total-renegotiations", "1",
3313 },
3314 shouldFail: true,
3315 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3316 })
3317
3318 testCases = append(testCases, testCase{
3319 name: "ExtendedMasterSecret-Renego-Downgrade",
3320 config: Config{
3321 MaxVersion: VersionTLS12,
3322 Bugs: ProtocolBugs{
3323 NoExtendedMasterSecretOnRenegotiation: true,
3324 },
3325 },
3326 renegotiate: 1,
3327 flags: []string{
3328 "-renegotiate-freely",
3329 "-expect-total-renegotiations", "1",
3330 },
3331 shouldFail: true,
3332 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3333 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3334}
3335
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3336type stateMachineTestConfig struct {
3337 protocol protocol
3338 async bool
3339 splitHandshake, packHandshakeFlight bool
3340}
3341
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3342// Adds tests that try to cover the range of the handshake state machine, under
3343// various conditions. Some of these are redundant with other tests, but they
3344// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3345func addAllStateMachineCoverageTests() {
3346 for _, async := range []bool{false, true} {
3347 for _, protocol := range []protocol{tls, dtls} {
3348 addStateMachineCoverageTests(stateMachineTestConfig{
3349 protocol: protocol,
3350 async: async,
3351 })
3352 addStateMachineCoverageTests(stateMachineTestConfig{
3353 protocol: protocol,
3354 async: async,
3355 splitHandshake: true,
3356 })
3357 if protocol == tls {
3358 addStateMachineCoverageTests(stateMachineTestConfig{
3359 protocol: protocol,
3360 async: async,
3361 packHandshakeFlight: true,
3362 })
3363 }
3364 }
3365 }
3366}
3367
3368func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3369 var tests []testCase
3370
3371 // Basic handshake, with resumption. Client and server,
3372 // session ID and session ticket.
3373 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3374 name: "Basic-Client",
3375 config: Config{
3376 MaxVersion: VersionTLS12,
3377 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3378 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3379 // Ensure session tickets are used, not session IDs.
3380 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3381 })
3382 tests = append(tests, testCase{
3383 name: "Basic-Client-RenewTicket",
3384 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3385 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3386 Bugs: ProtocolBugs{
3387 RenewTicketOnResume: true,
3388 },
3389 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3390 flags: []string{"-expect-ticket-renewal"},
3391 resumeSession: true,
3392 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3393 })
3394 tests = append(tests, testCase{
3395 name: "Basic-Client-NoTicket",
3396 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3397 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3398 SessionTicketsDisabled: true,
3399 },
3400 resumeSession: true,
3401 })
3402 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3403 name: "Basic-Client-Implicit",
3404 config: Config{
3405 MaxVersion: VersionTLS12,
3406 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3407 flags: []string{"-implicit-handshake"},
3408 resumeSession: true,
3409 })
3410 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3411 testType: serverTest,
3412 name: "Basic-Server",
3413 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3414 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3415 Bugs: ProtocolBugs{
3416 RequireSessionTickets: true,
3417 },
3418 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3419 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3420 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3421 })
3422 tests = append(tests, testCase{
3423 testType: serverTest,
3424 name: "Basic-Server-NoTickets",
3425 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3426 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3427 SessionTicketsDisabled: true,
3428 },
3429 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3430 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3431 })
3432 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3433 testType: serverTest,
3434 name: "Basic-Server-Implicit",
3435 config: Config{
3436 MaxVersion: VersionTLS12,
3437 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3438 flags: []string{"-implicit-handshake"},
3439 resumeSession: true,
3440 })
3441 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3442 testType: serverTest,
3443 name: "Basic-Server-EarlyCallback",
3444 config: Config{
3445 MaxVersion: VersionTLS12,
3446 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3447 flags: []string{"-use-early-callback"},
3448 resumeSession: true,
3449 })
3450
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3451 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3452 if config.protocol == tls {
3453 tests = append(tests, testCase{
3454 name: "TLS13-1RTT-Client",
3455 config: Config{
3456 MaxVersion: VersionTLS13,
3457 MinVersion: VersionTLS13,
3458 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3459 resumeSession: true,
3460 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3461 })
3462
3463 tests = append(tests, testCase{
3464 testType: serverTest,
3465 name: "TLS13-1RTT-Server",
3466 config: Config{
3467 MaxVersion: VersionTLS13,
3468 MinVersion: VersionTLS13,
3469 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3470 resumeSession: true,
3471 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3472 // TLS 1.3 uses tickets, so the session should not be
3473 // cached statefully.
3474 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3475 })
3476
3477 tests = append(tests, testCase{
3478 name: "TLS13-HelloRetryRequest-Client",
3479 config: Config{
3480 MaxVersion: VersionTLS13,
3481 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3482 // P-384 requires a HelloRetryRequest against BoringSSL's default
3483 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3484 CurvePreferences: []CurveID{CurveP384},
3485 Bugs: ProtocolBugs{
3486 ExpectMissingKeyShare: true,
3487 },
3488 },
3489 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3490 resumeSession: true,
3491 })
3492
3493 tests = append(tests, testCase{
3494 testType: serverTest,
3495 name: "TLS13-HelloRetryRequest-Server",
3496 config: Config{
3497 MaxVersion: VersionTLS13,
3498 MinVersion: VersionTLS13,
3499 // Require a HelloRetryRequest for every curve.
3500 DefaultCurves: []CurveID{},
3501 },
3502 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3503 resumeSession: true,
3504 })
3505 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3506
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3507 // TLS client auth.
3508 tests = append(tests, testCase{
3509 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3510 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3511 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3512 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3513 ClientAuth: RequestClientCert,
3514 },
3515 })
3516 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3517 testType: serverTest,
3518 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3519 config: Config{
3520 MaxVersion: VersionTLS12,
3521 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3522 // Setting SSL_VERIFY_PEER allows anonymous clients.
3523 flags: []string{"-verify-peer"},
3524 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3525 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3526 tests = append(tests, testCase{
3527 testType: clientTest,
3528 name: "ClientAuth-NoCertificate-Client-SSL3",
3529 config: Config{
3530 MaxVersion: VersionSSL30,
3531 ClientAuth: RequestClientCert,
3532 },
3533 })
3534 tests = append(tests, testCase{
3535 testType: serverTest,
3536 name: "ClientAuth-NoCertificate-Server-SSL3",
3537 config: Config{
3538 MaxVersion: VersionSSL30,
3539 },
3540 // Setting SSL_VERIFY_PEER allows anonymous clients.
3541 flags: []string{"-verify-peer"},
3542 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3543 tests = append(tests, testCase{
3544 testType: clientTest,
3545 name: "ClientAuth-NoCertificate-Client-TLS13",
3546 config: Config{
3547 MaxVersion: VersionTLS13,
3548 ClientAuth: RequestClientCert,
3549 },
3550 })
3551 tests = append(tests, testCase{
3552 testType: serverTest,
3553 name: "ClientAuth-NoCertificate-Server-TLS13",
3554 config: Config{
3555 MaxVersion: VersionTLS13,
3556 },
3557 // Setting SSL_VERIFY_PEER allows anonymous clients.
3558 flags: []string{"-verify-peer"},
3559 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3560 }
3561 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3562 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3563 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3564 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3565 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3566 ClientAuth: RequireAnyClientCert,
3567 },
3568 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3569 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3570 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3571 },
3572 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3573 tests = append(tests, testCase{
3574 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3575 name: "ClientAuth-RSA-Client-TLS13",
3576 config: Config{
3577 MaxVersion: VersionTLS13,
3578 ClientAuth: RequireAnyClientCert,
3579 },
3580 flags: []string{
3581 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3582 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3583 },
3584 })
3585 tests = append(tests, testCase{
3586 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3587 name: "ClientAuth-ECDSA-Client",
3588 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3589 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3590 ClientAuth: RequireAnyClientCert,
3591 },
3592 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3593 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3594 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3595 },
3596 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3597 tests = append(tests, testCase{
3598 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3599 name: "ClientAuth-ECDSA-Client-TLS13",
3600 config: Config{
3601 MaxVersion: VersionTLS13,
3602 ClientAuth: RequireAnyClientCert,
3603 },
3604 flags: []string{
3605 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3606 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3607 },
3608 })
3609 tests = append(tests, testCase{
3610 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3611 name: "ClientAuth-NoCertificate-OldCallback",
3612 config: Config{
3613 MaxVersion: VersionTLS12,
3614 ClientAuth: RequestClientCert,
3615 },
3616 flags: []string{"-use-old-client-cert-callback"},
3617 })
3618 tests = append(tests, testCase{
3619 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3620 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3621 config: Config{
3622 MaxVersion: VersionTLS13,
3623 ClientAuth: RequestClientCert,
3624 },
3625 flags: []string{"-use-old-client-cert-callback"},
3626 })
3627 tests = append(tests, testCase{
3628 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3629 name: "ClientAuth-OldCallback",
3630 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3631 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3632 ClientAuth: RequireAnyClientCert,
3633 },
3634 flags: []string{
3635 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3636 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3637 "-use-old-client-cert-callback",
3638 },
3639 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3640 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3641 testType: clientTest,
3642 name: "ClientAuth-OldCallback-TLS13",
3643 config: Config{
3644 MaxVersion: VersionTLS13,
3645 ClientAuth: RequireAnyClientCert,
3646 },
3647 flags: []string{
3648 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3649 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3650 "-use-old-client-cert-callback",
3651 },
3652 })
3653 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3654 testType: serverTest,
3655 name: "ClientAuth-Server",
3656 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3657 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3658 Certificates: []Certificate{rsaCertificate},
3659 },
3660 flags: []string{"-require-any-client-certificate"},
3661 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3662 tests = append(tests, testCase{
3663 testType: serverTest,
3664 name: "ClientAuth-Server-TLS13",
3665 config: Config{
3666 MaxVersion: VersionTLS13,
3667 Certificates: []Certificate{rsaCertificate},
3668 },
3669 flags: []string{"-require-any-client-certificate"},
3670 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3671
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3672 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3673 tests = append(tests, testCase{
3674 testType: serverTest,
3675 name: "Basic-Server-RSA",
3676 config: Config{
3677 MaxVersion: VersionTLS12,
3678 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3679 },
3680 flags: []string{
3681 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3682 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3683 },
3684 })
3685 tests = append(tests, testCase{
3686 testType: serverTest,
3687 name: "Basic-Server-ECDHE-RSA",
3688 config: Config{
3689 MaxVersion: VersionTLS12,
3690 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3691 },
3692 flags: []string{
3693 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3694 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3695 },
3696 })
3697 tests = append(tests, testCase{
3698 testType: serverTest,
3699 name: "Basic-Server-ECDHE-ECDSA",
3700 config: Config{
3701 MaxVersion: VersionTLS12,
3702 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3703 },
3704 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3705 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3706 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3707 },
3708 })
3709
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3710 // No session ticket support; server doesn't send NewSessionTicket.
3711 tests = append(tests, testCase{
3712 name: "SessionTicketsDisabled-Client",
3713 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3714 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3715 SessionTicketsDisabled: true,
3716 },
3717 })
3718 tests = append(tests, testCase{
3719 testType: serverTest,
3720 name: "SessionTicketsDisabled-Server",
3721 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3722 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3723 SessionTicketsDisabled: true,
3724 },
3725 })
3726
3727 // Skip ServerKeyExchange in PSK key exchange if there's no
3728 // identity hint.
3729 tests = append(tests, testCase{
3730 name: "EmptyPSKHint-Client",
3731 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3732 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3733 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3734 PreSharedKey: []byte("secret"),
3735 },
3736 flags: []string{"-psk", "secret"},
3737 })
3738 tests = append(tests, testCase{
3739 testType: serverTest,
3740 name: "EmptyPSKHint-Server",
3741 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3742 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3743 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3744 PreSharedKey: []byte("secret"),
3745 },
3746 flags: []string{"-psk", "secret"},
3747 })
3748
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3749 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3750 tests = append(tests, testCase{
3751 testType: clientTest,
3752 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3753 config: Config{
3754 MaxVersion: VersionTLS12,
3755 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3756 flags: []string{
3757 "-enable-ocsp-stapling",
3758 "-expect-ocsp-response",
3759 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3760 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3761 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3762 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3763 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3764 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3765 testType: serverTest,
3766 name: "OCSPStapling-Server",
3767 config: Config{
3768 MaxVersion: VersionTLS12,
3769 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3770 expectedOCSPResponse: testOCSPResponse,
3771 flags: []string{
3772 "-ocsp-response",
3773 base64.StdEncoding.EncodeToString(testOCSPResponse),
3774 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3775 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3776 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3777 tests = append(tests, testCase{
3778 testType: clientTest,
3779 name: "OCSPStapling-Client-TLS13",
3780 config: Config{
3781 MaxVersion: VersionTLS13,
3782 },
3783 flags: []string{
3784 "-enable-ocsp-stapling",
3785 "-expect-ocsp-response",
3786 base64.StdEncoding.EncodeToString(testOCSPResponse),
3787 "-verify-peer",
3788 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3789 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3790 })
3791 tests = append(tests, testCase{
3792 testType: serverTest,
3793 name: "OCSPStapling-Server-TLS13",
3794 config: Config{
3795 MaxVersion: VersionTLS13,
3796 },
3797 expectedOCSPResponse: testOCSPResponse,
3798 flags: []string{
3799 "-ocsp-response",
3800 base64.StdEncoding.EncodeToString(testOCSPResponse),
3801 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3802 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3803 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3804
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3805 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3806 for _, vers := range tlsVersions {
3807 if config.protocol == dtls && !vers.hasDTLS {
3808 continue
3809 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3810 for _, testType := range []testType{clientTest, serverTest} {
3811 suffix := "-Client"
3812 if testType == serverTest {
3813 suffix = "-Server"
3814 }
3815 suffix += "-" + vers.name
3816
3817 flag := "-verify-peer"
3818 if testType == serverTest {
3819 flag = "-require-any-client-certificate"
3820 }
3821
3822 tests = append(tests, testCase{
3823 testType: testType,
3824 name: "CertificateVerificationSucceed" + suffix,
3825 config: Config{
3826 MaxVersion: vers.version,
3827 Certificates: []Certificate{rsaCertificate},
3828 },
3829 flags: []string{
3830 flag,
3831 "-expect-verify-result",
3832 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3833 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3834 })
3835 tests = append(tests, testCase{
3836 testType: testType,
3837 name: "CertificateVerificationFail" + suffix,
3838 config: Config{
3839 MaxVersion: vers.version,
3840 Certificates: []Certificate{rsaCertificate},
3841 },
3842 flags: []string{
3843 flag,
3844 "-verify-fail",
3845 },
3846 shouldFail: true,
3847 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3848 })
3849 }
3850
3851 // By default, the client is in a soft fail mode where the peer
3852 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3853 tests = append(tests, testCase{
3854 testType: clientTest,
3855 name: "CertificateVerificationSoftFail-" + vers.name,
3856 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3857 MaxVersion: vers.version,
3858 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3859 },
3860 flags: []string{
3861 "-verify-fail",
3862 "-expect-verify-result",
3863 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3864 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3865 })
3866 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3867
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3868 tests = append(tests, testCase{
3869 name: "ShimSendAlert",
3870 flags: []string{"-send-alert"},
3871 shimWritesFirst: true,
3872 shouldFail: true,
3873 expectedLocalError: "remote error: decompression failure",
3874 })
3875
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3876 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3877 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3878 name: "Renegotiate-Client",
3879 config: Config{
3880 MaxVersion: VersionTLS12,
3881 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3882 renegotiate: 1,
3883 flags: []string{
3884 "-renegotiate-freely",
3885 "-expect-total-renegotiations", "1",
3886 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3887 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3888
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3889 tests = append(tests, testCase{
3890 name: "SendHalfHelloRequest",
3891 config: Config{
3892 MaxVersion: VersionTLS12,
3893 Bugs: ProtocolBugs{
3894 PackHelloRequestWithFinished: config.packHandshakeFlight,
3895 },
3896 },
3897 sendHalfHelloRequest: true,
3898 flags: []string{"-renegotiate-ignore"},
3899 shouldFail: true,
3900 expectedError: ":UNEXPECTED_RECORD:",
3901 })
3902
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3903 // NPN on client and server; results in post-handshake message.
3904 tests = append(tests, testCase{
3905 name: "NPN-Client",
3906 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3907 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3908 NextProtos: []string{"foo"},
3909 },
3910 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3911 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3912 expectedNextProto: "foo",
3913 expectedNextProtoType: npn,
3914 })
3915 tests = append(tests, testCase{
3916 testType: serverTest,
3917 name: "NPN-Server",
3918 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3919 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3920 NextProtos: []string{"bar"},
3921 },
3922 flags: []string{
3923 "-advertise-npn", "\x03foo\x03bar\x03baz",
3924 "-expect-next-proto", "bar",
3925 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3926 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3927 expectedNextProto: "bar",
3928 expectedNextProtoType: npn,
3929 })
3930
3931 // TODO(davidben): Add tests for when False Start doesn't trigger.
3932
3933 // Client does False Start and negotiates NPN.
3934 tests = append(tests, testCase{
3935 name: "FalseStart",
3936 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3937 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3938 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3939 NextProtos: []string{"foo"},
3940 Bugs: ProtocolBugs{
3941 ExpectFalseStart: true,
3942 },
3943 },
3944 flags: []string{
3945 "-false-start",
3946 "-select-next-proto", "foo",
3947 },
3948 shimWritesFirst: true,
3949 resumeSession: true,
3950 })
3951
3952 // Client does False Start and negotiates ALPN.
3953 tests = append(tests, testCase{
3954 name: "FalseStart-ALPN",
3955 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3956 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3957 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3958 NextProtos: []string{"foo"},
3959 Bugs: ProtocolBugs{
3960 ExpectFalseStart: true,
3961 },
3962 },
3963 flags: []string{
3964 "-false-start",
3965 "-advertise-alpn", "\x03foo",
3966 },
3967 shimWritesFirst: true,
3968 resumeSession: true,
3969 })
3970
3971 // Client does False Start but doesn't explicitly call
3972 // SSL_connect.
3973 tests = append(tests, testCase{
3974 name: "FalseStart-Implicit",
3975 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3976 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3977 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3978 NextProtos: []string{"foo"},
3979 },
3980 flags: []string{
3981 "-implicit-handshake",
3982 "-false-start",
3983 "-advertise-alpn", "\x03foo",
3984 },
3985 })
3986
3987 // False Start without session tickets.
3988 tests = append(tests, testCase{
3989 name: "FalseStart-SessionTicketsDisabled",
3990 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3991 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3992 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3993 NextProtos: []string{"foo"},
3994 SessionTicketsDisabled: true,
3995 Bugs: ProtocolBugs{
3996 ExpectFalseStart: true,
3997 },
3998 },
3999 flags: []string{
4000 "-false-start",
4001 "-select-next-proto", "foo",
4002 },
4003 shimWritesFirst: true,
4004 })
4005
4006 // Server parses a V2ClientHello.
4007 tests = append(tests, testCase{
4008 testType: serverTest,
4009 name: "SendV2ClientHello",
4010 config: Config{
4011 // Choose a cipher suite that does not involve
4012 // elliptic curves, so no extensions are
4013 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4014 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4015 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4016 Bugs: ProtocolBugs{
4017 SendV2ClientHello: true,
4018 },
4019 },
4020 })
4021
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4022 // Test Channel ID
4023 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4024 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4025 continue
4026 }
4027 // Client sends a Channel ID.
4028 tests = append(tests, testCase{
4029 name: "ChannelID-Client-" + ver.name,
4030 config: Config{
4031 MaxVersion: ver.version,
4032 RequestChannelID: true,
4033 },
4034 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4035 resumeSession: true,
4036 expectChannelID: true,
4037 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4038
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4039 // Server accepts a Channel ID.
4040 tests = append(tests, testCase{
4041 testType: serverTest,
4042 name: "ChannelID-Server-" + ver.name,
4043 config: Config{
4044 MaxVersion: ver.version,
4045 ChannelID: channelIDKey,
4046 },
4047 flags: []string{
4048 "-expect-channel-id",
4049 base64.StdEncoding.EncodeToString(channelIDBytes),
4050 },
4051 resumeSession: true,
4052 expectChannelID: true,
4053 })
4054
4055 tests = append(tests, testCase{
4056 testType: serverTest,
4057 name: "InvalidChannelIDSignature-" + ver.name,
4058 config: Config{
4059 MaxVersion: ver.version,
4060 ChannelID: channelIDKey,
4061 Bugs: ProtocolBugs{
4062 InvalidChannelIDSignature: true,
4063 },
4064 },
4065 flags: []string{"-enable-channel-id"},
4066 shouldFail: true,
4067 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4068 })
4069 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4070
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4071 // Channel ID and NPN at the same time, to ensure their relative
4072 // ordering is correct.
4073 tests = append(tests, testCase{
4074 name: "ChannelID-NPN-Client",
4075 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4076 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4077 RequestChannelID: true,
4078 NextProtos: []string{"foo"},
4079 },
4080 flags: []string{
4081 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4082 "-select-next-proto", "foo",
4083 },
4084 resumeSession: true,
4085 expectChannelID: true,
4086 expectedNextProto: "foo",
4087 expectedNextProtoType: npn,
4088 })
4089 tests = append(tests, testCase{
4090 testType: serverTest,
4091 name: "ChannelID-NPN-Server",
4092 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4093 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4094 ChannelID: channelIDKey,
4095 NextProtos: []string{"bar"},
4096 },
4097 flags: []string{
4098 "-expect-channel-id",
4099 base64.StdEncoding.EncodeToString(channelIDBytes),
4100 "-advertise-npn", "\x03foo\x03bar\x03baz",
4101 "-expect-next-proto", "bar",
4102 },
4103 resumeSession: true,
4104 expectChannelID: true,
4105 expectedNextProto: "bar",
4106 expectedNextProtoType: npn,
4107 })
4108
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4109 // Bidirectional shutdown with the runner initiating.
4110 tests = append(tests, testCase{
4111 name: "Shutdown-Runner",
4112 config: Config{
4113 Bugs: ProtocolBugs{
4114 ExpectCloseNotify: true,
4115 },
4116 },
4117 flags: []string{"-check-close-notify"},
4118 })
4119
4120 // Bidirectional shutdown with the shim initiating. The runner,
4121 // in the meantime, sends garbage before the close_notify which
4122 // the shim must ignore.
4123 tests = append(tests, testCase{
4124 name: "Shutdown-Shim",
4125 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]4126 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4127 Bugs: ProtocolBugs{
4128 ExpectCloseNotify: true,
4129 },
4130 },
4131 shimShutsDown: true,
4132 sendEmptyRecords: 1,
4133 sendWarningAlerts: 1,
4134 flags: []string{"-check-close-notify"},
4135 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4136 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4137 // TODO(davidben): DTLS 1.3 will want a similar thing for
4138 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4139 tests = append(tests, testCase{
4140 name: "SkipHelloVerifyRequest",
4141 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4142 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4143 Bugs: ProtocolBugs{
4144 SkipHelloVerifyRequest: true,
4145 },
4146 },
4147 })
4148 }
4149
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4150 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4151 test.protocol = config.protocol
4152 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4153 test.name += "-DTLS"
4154 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4155 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4156 test.name += "-Async"
4157 test.flags = append(test.flags, "-async")
4158 } else {
4159 test.name += "-Sync"
4160 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4161 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4162 test.name += "-SplitHandshakeRecords"
4163 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4164 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4165 test.config.Bugs.MaxPacketLength = 256
4166 test.flags = append(test.flags, "-mtu", "256")
4167 }
4168 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4169 if config.packHandshakeFlight {
4170 test.name += "-PackHandshakeFlight"
4171 test.config.Bugs.PackHandshakeFlight = true
4172 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4173 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4174 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4175}
4176
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4177func addDDoSCallbackTests() {
4178 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4179 for _, resume := range []bool{false, true} {
4180 suffix := "Resume"
4181 if resume {
4182 suffix = "No" + suffix
4183 }
4184
4185 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4186 testType: serverTest,
4187 name: "Server-DDoS-OK-" + suffix,
4188 config: Config{
4189 MaxVersion: VersionTLS12,
4190 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4191 flags: []string{"-install-ddos-callback"},
4192 resumeSession: resume,
4193 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4194 testCases = append(testCases, testCase{
4195 testType: serverTest,
4196 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4197 config: Config{
4198 MaxVersion: VersionTLS13,
4199 },
4200 flags: []string{"-install-ddos-callback"},
4201 resumeSession: resume,
4202 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4203
4204 failFlag := "-fail-ddos-callback"
4205 if resume {
4206 failFlag = "-fail-second-ddos-callback"
4207 }
4208 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4209 testType: serverTest,
4210 name: "Server-DDoS-Reject-" + suffix,
4211 config: Config{
4212 MaxVersion: VersionTLS12,
4213 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4214 flags: []string{"-install-ddos-callback", failFlag},
4215 resumeSession: resume,
4216 shouldFail: true,
4217 expectedError: ":CONNECTION_REJECTED:",
4218 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4219 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4220 testCases = append(testCases, testCase{
4221 testType: serverTest,
4222 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4223 config: Config{
4224 MaxVersion: VersionTLS13,
4225 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4226 flags: []string{"-install-ddos-callback", failFlag},
4227 resumeSession: resume,
4228 shouldFail: true,
4229 expectedError: ":CONNECTION_REJECTED:",
4230 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4231 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4232 }
4233}
4234
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4235func addVersionNegotiationTests() {
4236 for i, shimVers := range tlsVersions {
4237 // Assemble flags to disable all newer versions on the shim.
4238 var flags []string
4239 for _, vers := range tlsVersions[i+1:] {
4240 flags = append(flags, vers.flag)
4241 }
4242
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4243 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4244 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4245 protocols := []protocol{tls}
4246 if runnerVers.hasDTLS && shimVers.hasDTLS {
4247 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4248 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4249 for _, protocol := range protocols {
4250 expectedVersion := shimVers.version
4251 if runnerVers.version < shimVers.version {
4252 expectedVersion = runnerVers.version
4253 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4254
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4255 suffix := shimVers.name + "-" + runnerVers.name
4256 if protocol == dtls {
4257 suffix += "-DTLS"
4258 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4259
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4260 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4261
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4262 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4263 clientVers := shimVers.version
4264 if clientVers > VersionTLS10 {
4265 clientVers = VersionTLS10
4266 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4267 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4268 serverVers := expectedVersion
4269 if expectedVersion >= VersionTLS13 {
4270 serverVers = VersionTLS10
4271 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4272 serverVers = versionToWire(serverVers, protocol == dtls)
4273
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4274 testCases = append(testCases, testCase{
4275 protocol: protocol,
4276 testType: clientTest,
4277 name: "VersionNegotiation-Client-" + suffix,
4278 config: Config{
4279 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4280 Bugs: ProtocolBugs{
4281 ExpectInitialRecordVersion: clientVers,
4282 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4283 },
4284 flags: flags,
4285 expectedVersion: expectedVersion,
4286 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4287 testCases = append(testCases, testCase{
4288 protocol: protocol,
4289 testType: clientTest,
4290 name: "VersionNegotiation-Client2-" + suffix,
4291 config: Config{
4292 MaxVersion: runnerVers.version,
4293 Bugs: ProtocolBugs{
4294 ExpectInitialRecordVersion: clientVers,
4295 },
4296 },
4297 flags: []string{"-max-version", shimVersFlag},
4298 expectedVersion: expectedVersion,
4299 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4300
4301 testCases = append(testCases, testCase{
4302 protocol: protocol,
4303 testType: serverTest,
4304 name: "VersionNegotiation-Server-" + suffix,
4305 config: Config{
4306 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4307 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4308 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4309 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4310 },
4311 flags: flags,
4312 expectedVersion: expectedVersion,
4313 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4314 testCases = append(testCases, testCase{
4315 protocol: protocol,
4316 testType: serverTest,
4317 name: "VersionNegotiation-Server2-" + suffix,
4318 config: Config{
4319 MaxVersion: runnerVers.version,
4320 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4321 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4322 },
4323 },
4324 flags: []string{"-max-version", shimVersFlag},
4325 expectedVersion: expectedVersion,
4326 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4327 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4328 }
4329 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4330
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4331 // Test the version extension at all versions.
4332 for _, vers := range tlsVersions {
4333 protocols := []protocol{tls}
4334 if vers.hasDTLS {
4335 protocols = append(protocols, dtls)
4336 }
4337 for _, protocol := range protocols {
4338 suffix := vers.name
4339 if protocol == dtls {
4340 suffix += "-DTLS"
4341 }
4342
4343 wireVersion := versionToWire(vers.version, protocol == dtls)
4344 testCases = append(testCases, testCase{
4345 protocol: protocol,
4346 testType: serverTest,
4347 name: "VersionNegotiationExtension-" + suffix,
4348 config: Config{
4349 Bugs: ProtocolBugs{
4350 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4351 },
4352 },
4353 expectedVersion: vers.version,
4354 })
4355 }
4356
4357 }
4358
4359 // If all versions are unknown, negotiation fails.
4360 testCases = append(testCases, testCase{
4361 testType: serverTest,
4362 name: "NoSupportedVersions",
4363 config: Config{
4364 Bugs: ProtocolBugs{
4365 SendSupportedVersions: []uint16{0x1111},
4366 },
4367 },
4368 shouldFail: true,
4369 expectedError: ":UNSUPPORTED_PROTOCOL:",
4370 })
4371 testCases = append(testCases, testCase{
4372 protocol: dtls,
4373 testType: serverTest,
4374 name: "NoSupportedVersions-DTLS",
4375 config: Config{
4376 Bugs: ProtocolBugs{
4377 SendSupportedVersions: []uint16{0x1111},
4378 },
4379 },
4380 shouldFail: true,
4381 expectedError: ":UNSUPPORTED_PROTOCOL:",
4382 })
4383
4384 testCases = append(testCases, testCase{
4385 testType: serverTest,
4386 name: "ClientHelloVersionTooHigh",
4387 config: Config{
4388 MaxVersion: VersionTLS13,
4389 Bugs: ProtocolBugs{
4390 SendClientVersion: 0x0304,
4391 OmitSupportedVersions: true,
4392 },
4393 },
4394 expectedVersion: VersionTLS12,
4395 })
4396
4397 testCases = append(testCases, testCase{
4398 testType: serverTest,
4399 name: "ConflictingVersionNegotiation",
4400 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4401 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4402 SendClientVersion: VersionTLS12,
4403 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4404 },
4405 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4406 // The extension takes precedence over the ClientHello version.
4407 expectedVersion: VersionTLS11,
4408 })
4409
4410 testCases = append(testCases, testCase{
4411 testType: serverTest,
4412 name: "ConflictingVersionNegotiation-2",
4413 config: Config{
4414 Bugs: ProtocolBugs{
4415 SendClientVersion: VersionTLS11,
4416 SendSupportedVersions: []uint16{VersionTLS12},
4417 },
4418 },
4419 // The extension takes precedence over the ClientHello version.
4420 expectedVersion: VersionTLS12,
4421 })
4422
4423 testCases = append(testCases, testCase{
4424 testType: serverTest,
4425 name: "RejectFinalTLS13",
4426 config: Config{
4427 Bugs: ProtocolBugs{
4428 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4429 },
4430 },
4431 // We currently implement a draft TLS 1.3 version. Ensure that
4432 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4433 expectedVersion: VersionTLS12,
4434 })
4435
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4436 // Test that the maximum version is selected regardless of the
4437 // client-sent order.
4438 testCases = append(testCases, testCase{
4439 testType: serverTest,
4440 name: "IgnoreClientVersionOrder",
4441 config: Config{
4442 Bugs: ProtocolBugs{
4443 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4444 },
4445 },
4446 expectedVersion: VersionTLS13,
4447 })
4448
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4449 // Test for version tolerance.
4450 testCases = append(testCases, testCase{
4451 testType: serverTest,
4452 name: "MinorVersionTolerance",
4453 config: Config{
4454 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4455 SendClientVersion: 0x03ff,
4456 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4457 },
4458 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4459 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4460 })
4461 testCases = append(testCases, testCase{
4462 testType: serverTest,
4463 name: "MajorVersionTolerance",
4464 config: Config{
4465 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4466 SendClientVersion: 0x0400,
4467 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4468 },
4469 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4470 // TLS 1.3 must be negotiated with the supported_versions
4471 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4472 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4473 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4474 testCases = append(testCases, testCase{
4475 testType: serverTest,
4476 name: "VersionTolerance-TLS13",
4477 config: Config{
4478 Bugs: ProtocolBugs{
4479 // Although TLS 1.3 does not use
4480 // ClientHello.version, it still tolerates high
4481 // values there.
4482 SendClientVersion: 0x0400,
4483 },
4484 },
4485 expectedVersion: VersionTLS13,
4486 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4487
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4488 testCases = append(testCases, testCase{
4489 protocol: dtls,
4490 testType: serverTest,
4491 name: "MinorVersionTolerance-DTLS",
4492 config: Config{
4493 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4494 SendClientVersion: 0xfe00,
4495 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4496 },
4497 },
4498 expectedVersion: VersionTLS12,
4499 })
4500 testCases = append(testCases, testCase{
4501 protocol: dtls,
4502 testType: serverTest,
4503 name: "MajorVersionTolerance-DTLS",
4504 config: Config{
4505 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4506 SendClientVersion: 0xfdff,
4507 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4508 },
4509 },
4510 expectedVersion: VersionTLS12,
4511 })
4512
4513 // Test that versions below 3.0 are rejected.
4514 testCases = append(testCases, testCase{
4515 testType: serverTest,
4516 name: "VersionTooLow",
4517 config: Config{
4518 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4519 SendClientVersion: 0x0200,
4520 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4521 },
4522 },
4523 shouldFail: true,
4524 expectedError: ":UNSUPPORTED_PROTOCOL:",
4525 })
4526 testCases = append(testCases, testCase{
4527 protocol: dtls,
4528 testType: serverTest,
4529 name: "VersionTooLow-DTLS",
4530 config: Config{
4531 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4532 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4533 },
4534 },
4535 shouldFail: true,
4536 expectedError: ":UNSUPPORTED_PROTOCOL:",
4537 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4538
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4539 testCases = append(testCases, testCase{
4540 name: "ServerBogusVersion",
4541 config: Config{
4542 Bugs: ProtocolBugs{
4543 SendServerHelloVersion: 0x1234,
4544 },
4545 },
4546 shouldFail: true,
4547 expectedError: ":UNSUPPORTED_PROTOCOL:",
4548 })
4549
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4550 // Test TLS 1.3's downgrade signal.
4551 testCases = append(testCases, testCase{
4552 name: "Downgrade-TLS12-Client",
4553 config: Config{
4554 Bugs: ProtocolBugs{
4555 NegotiateVersion: VersionTLS12,
4556 },
4557 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4558 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4559 // TODO(davidben): This test should fail once TLS 1.3 is final
4560 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4561 })
4562 testCases = append(testCases, testCase{
4563 testType: serverTest,
4564 name: "Downgrade-TLS12-Server",
4565 config: Config{
4566 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4567 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4568 },
4569 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4570 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4571 // TODO(davidben): This test should fail once TLS 1.3 is final
4572 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4573 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4574}
4575
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4576func addMinimumVersionTests() {
4577 for i, shimVers := range tlsVersions {
4578 // Assemble flags to disable all older versions on the shim.
4579 var flags []string
4580 for _, vers := range tlsVersions[:i] {
4581 flags = append(flags, vers.flag)
4582 }
4583
4584 for _, runnerVers := range tlsVersions {
4585 protocols := []protocol{tls}
4586 if runnerVers.hasDTLS && shimVers.hasDTLS {
4587 protocols = append(protocols, dtls)
4588 }
4589 for _, protocol := range protocols {
4590 suffix := shimVers.name + "-" + runnerVers.name
4591 if protocol == dtls {
4592 suffix += "-DTLS"
4593 }
4594 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4595
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4596 var expectedVersion uint16
4597 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4598 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4599 if runnerVers.version >= shimVers.version {
4600 expectedVersion = runnerVers.version
4601 } else {
4602 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4603 expectedError = ":UNSUPPORTED_PROTOCOL:"
4604 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4605 }
4606
4607 testCases = append(testCases, testCase{
4608 protocol: protocol,
4609 testType: clientTest,
4610 name: "MinimumVersion-Client-" + suffix,
4611 config: Config{
4612 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4613 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4614 // Ensure the server does not decline to
4615 // select a version (versions extension) or
4616 // cipher (some ciphers depend on versions).
4617 NegotiateVersion: runnerVers.version,
4618 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4619 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4620 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4621 flags: flags,
4622 expectedVersion: expectedVersion,
4623 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4624 expectedError: expectedError,
4625 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4626 })
4627 testCases = append(testCases, testCase{
4628 protocol: protocol,
4629 testType: clientTest,
4630 name: "MinimumVersion-Client2-" + suffix,
4631 config: Config{
4632 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4633 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4634 // Ensure the server does not decline to
4635 // select a version (versions extension) or
4636 // cipher (some ciphers depend on versions).
4637 NegotiateVersion: runnerVers.version,
4638 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4639 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4640 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4641 flags: []string{"-min-version", shimVersFlag},
4642 expectedVersion: expectedVersion,
4643 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4644 expectedError: expectedError,
4645 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4646 })
4647
4648 testCases = append(testCases, testCase{
4649 protocol: protocol,
4650 testType: serverTest,
4651 name: "MinimumVersion-Server-" + suffix,
4652 config: Config{
4653 MaxVersion: runnerVers.version,
4654 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4655 flags: flags,
4656 expectedVersion: expectedVersion,
4657 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4658 expectedError: expectedError,
4659 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4660 })
4661 testCases = append(testCases, testCase{
4662 protocol: protocol,
4663 testType: serverTest,
4664 name: "MinimumVersion-Server2-" + suffix,
4665 config: Config{
4666 MaxVersion: runnerVers.version,
4667 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4668 flags: []string{"-min-version", shimVersFlag},
4669 expectedVersion: expectedVersion,
4670 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4671 expectedError: expectedError,
4672 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4673 })
4674 }
4675 }
4676 }
4677}
4678
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4679func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4680 // TODO(davidben): Extensions, where applicable, all move their server
4681 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4682 // tests for both. Also test interaction with 0-RTT when implemented.
4683
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4684 // Repeat extensions tests all versions except SSL 3.0.
4685 for _, ver := range tlsVersions {
4686 if ver.version == VersionSSL30 {
4687 continue
4688 }
4689
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4690 // Test that duplicate extensions are rejected.
4691 testCases = append(testCases, testCase{
4692 testType: clientTest,
4693 name: "DuplicateExtensionClient-" + ver.name,
4694 config: Config{
4695 MaxVersion: ver.version,
4696 Bugs: ProtocolBugs{
4697 DuplicateExtension: true,
4698 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4699 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4700 shouldFail: true,
4701 expectedLocalError: "remote error: error decoding message",
4702 })
4703 testCases = append(testCases, testCase{
4704 testType: serverTest,
4705 name: "DuplicateExtensionServer-" + ver.name,
4706 config: Config{
4707 MaxVersion: ver.version,
4708 Bugs: ProtocolBugs{
4709 DuplicateExtension: true,
4710 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4711 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4712 shouldFail: true,
4713 expectedLocalError: "remote error: error decoding message",
4714 })
4715
4716 // Test SNI.
4717 testCases = append(testCases, testCase{
4718 testType: clientTest,
4719 name: "ServerNameExtensionClient-" + ver.name,
4720 config: Config{
4721 MaxVersion: ver.version,
4722 Bugs: ProtocolBugs{
4723 ExpectServerName: "example.com",
4724 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4725 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4726 flags: []string{"-host-name", "example.com"},
4727 })
4728 testCases = append(testCases, testCase{
4729 testType: clientTest,
4730 name: "ServerNameExtensionClientMismatch-" + ver.name,
4731 config: Config{
4732 MaxVersion: ver.version,
4733 Bugs: ProtocolBugs{
4734 ExpectServerName: "mismatch.com",
4735 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4736 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4737 flags: []string{"-host-name", "example.com"},
4738 shouldFail: true,
4739 expectedLocalError: "tls: unexpected server name",
4740 })
4741 testCases = append(testCases, testCase{
4742 testType: clientTest,
4743 name: "ServerNameExtensionClientMissing-" + ver.name,
4744 config: Config{
4745 MaxVersion: ver.version,
4746 Bugs: ProtocolBugs{
4747 ExpectServerName: "missing.com",
4748 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4749 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4750 shouldFail: true,
4751 expectedLocalError: "tls: unexpected server name",
4752 })
4753 testCases = append(testCases, testCase{
4754 testType: serverTest,
4755 name: "ServerNameExtensionServer-" + ver.name,
4756 config: Config{
4757 MaxVersion: ver.version,
4758 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4759 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4760 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4761 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4762 })
4763
4764 // Test ALPN.
4765 testCases = append(testCases, testCase{
4766 testType: clientTest,
4767 name: "ALPNClient-" + ver.name,
4768 config: Config{
4769 MaxVersion: ver.version,
4770 NextProtos: []string{"foo"},
4771 },
4772 flags: []string{
4773 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4774 "-expect-alpn", "foo",
4775 },
4776 expectedNextProto: "foo",
4777 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4778 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4779 })
4780 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4781 testType: clientTest,
4782 name: "ALPNClient-Mismatch-" + ver.name,
4783 config: Config{
4784 MaxVersion: ver.version,
4785 Bugs: ProtocolBugs{
4786 SendALPN: "baz",
4787 },
4788 },
4789 flags: []string{
4790 "-advertise-alpn", "\x03foo\x03bar",
4791 },
4792 shouldFail: true,
4793 expectedError: ":INVALID_ALPN_PROTOCOL:",
4794 expectedLocalError: "remote error: illegal parameter",
4795 })
4796 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4797 testType: serverTest,
4798 name: "ALPNServer-" + ver.name,
4799 config: Config{
4800 MaxVersion: ver.version,
4801 NextProtos: []string{"foo", "bar", "baz"},
4802 },
4803 flags: []string{
4804 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4805 "-select-alpn", "foo",
4806 },
4807 expectedNextProto: "foo",
4808 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4809 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4810 })
4811 testCases = append(testCases, testCase{
4812 testType: serverTest,
4813 name: "ALPNServer-Decline-" + ver.name,
4814 config: Config{
4815 MaxVersion: ver.version,
4816 NextProtos: []string{"foo", "bar", "baz"},
4817 },
4818 flags: []string{"-decline-alpn"},
4819 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4820 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4821 })
4822
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4823 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4824 // called once.
4825 testCases = append(testCases, testCase{
4826 testType: serverTest,
4827 name: "ALPNServer-Async-" + ver.name,
4828 config: Config{
4829 MaxVersion: ver.version,
4830 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4831 // Prior to TLS 1.3, exercise the asynchronous session callback.
4832 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4833 },
4834 flags: []string{
4835 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4836 "-select-alpn", "foo",
4837 "-async",
4838 },
4839 expectedNextProto: "foo",
4840 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4841 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4842 })
4843
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4844 var emptyString string
4845 testCases = append(testCases, testCase{
4846 testType: clientTest,
4847 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4848 config: Config{
4849 MaxVersion: ver.version,
4850 NextProtos: []string{""},
4851 Bugs: ProtocolBugs{
4852 // A server returning an empty ALPN protocol
4853 // should be rejected.
4854 ALPNProtocol: &emptyString,
4855 },
4856 },
4857 flags: []string{
4858 "-advertise-alpn", "\x03foo",
4859 },
4860 shouldFail: true,
4861 expectedError: ":PARSE_TLSEXT:",
4862 })
4863 testCases = append(testCases, testCase{
4864 testType: serverTest,
4865 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4866 config: Config{
4867 MaxVersion: ver.version,
4868 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4869 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4870 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4871 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4872 flags: []string{
4873 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4874 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4875 shouldFail: true,
4876 expectedError: ":PARSE_TLSEXT:",
4877 })
4878
4879 // Test NPN and the interaction with ALPN.
4880 if ver.version < VersionTLS13 {
4881 // Test that the server prefers ALPN over NPN.
4882 testCases = append(testCases, testCase{
4883 testType: serverTest,
4884 name: "ALPNServer-Preferred-" + ver.name,
4885 config: Config{
4886 MaxVersion: ver.version,
4887 NextProtos: []string{"foo", "bar", "baz"},
4888 },
4889 flags: []string{
4890 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4891 "-select-alpn", "foo",
4892 "-advertise-npn", "\x03foo\x03bar\x03baz",
4893 },
4894 expectedNextProto: "foo",
4895 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4896 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4897 })
4898 testCases = append(testCases, testCase{
4899 testType: serverTest,
4900 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4901 config: Config{
4902 MaxVersion: ver.version,
4903 NextProtos: []string{"foo", "bar", "baz"},
4904 Bugs: ProtocolBugs{
4905 SwapNPNAndALPN: true,
4906 },
4907 },
4908 flags: []string{
4909 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4910 "-select-alpn", "foo",
4911 "-advertise-npn", "\x03foo\x03bar\x03baz",
4912 },
4913 expectedNextProto: "foo",
4914 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4915 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4916 })
4917
4918 // Test that negotiating both NPN and ALPN is forbidden.
4919 testCases = append(testCases, testCase{
4920 name: "NegotiateALPNAndNPN-" + ver.name,
4921 config: Config{
4922 MaxVersion: ver.version,
4923 NextProtos: []string{"foo", "bar", "baz"},
4924 Bugs: ProtocolBugs{
4925 NegotiateALPNAndNPN: true,
4926 },
4927 },
4928 flags: []string{
4929 "-advertise-alpn", "\x03foo",
4930 "-select-next-proto", "foo",
4931 },
4932 shouldFail: true,
4933 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4934 })
4935 testCases = append(testCases, testCase{
4936 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4937 config: Config{
4938 MaxVersion: ver.version,
4939 NextProtos: []string{"foo", "bar", "baz"},
4940 Bugs: ProtocolBugs{
4941 NegotiateALPNAndNPN: true,
4942 SwapNPNAndALPN: true,
4943 },
4944 },
4945 flags: []string{
4946 "-advertise-alpn", "\x03foo",
4947 "-select-next-proto", "foo",
4948 },
4949 shouldFail: true,
4950 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4951 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4952 }
4953
4954 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4955
4956 // Resume with a corrupt ticket.
4957 testCases = append(testCases, testCase{
4958 testType: serverTest,
4959 name: "CorruptTicket-" + ver.name,
4960 config: Config{
4961 MaxVersion: ver.version,
4962 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4963 FilterTicket: func(in []byte) ([]byte, error) {
4964 in[len(in)-1] ^= 1
4965 return in, nil
4966 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4967 },
4968 },
4969 resumeSession: true,
4970 expectResumeRejected: true,
4971 })
4972 // Test the ticket callback, with and without renewal.
4973 testCases = append(testCases, testCase{
4974 testType: serverTest,
4975 name: "TicketCallback-" + ver.name,
4976 config: Config{
4977 MaxVersion: ver.version,
4978 },
4979 resumeSession: true,
4980 flags: []string{"-use-ticket-callback"},
4981 })
4982 testCases = append(testCases, testCase{
4983 testType: serverTest,
4984 name: "TicketCallback-Renew-" + ver.name,
4985 config: Config{
4986 MaxVersion: ver.version,
4987 Bugs: ProtocolBugs{
4988 ExpectNewTicket: true,
4989 },
4990 },
4991 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4992 resumeSession: true,
4993 })
4994
4995 // Test that the ticket callback is only called once when everything before
4996 // it in the ClientHello is asynchronous. This corrupts the ticket so
4997 // certificate selection callbacks run.
4998 testCases = append(testCases, testCase{
4999 testType: serverTest,
5000 name: "TicketCallback-SingleCall-" + ver.name,
5001 config: Config{
5002 MaxVersion: ver.version,
5003 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5004 FilterTicket: func(in []byte) ([]byte, error) {
5005 in[len(in)-1] ^= 1
5006 return in, nil
5007 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5008 },
5009 },
5010 resumeSession: true,
5011 expectResumeRejected: true,
5012 flags: []string{
5013 "-use-ticket-callback",
5014 "-async",
5015 },
5016 })
5017
5018 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5019 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5020 testCases = append(testCases, testCase{
5021 testType: serverTest,
5022 name: "OversizedSessionId-" + ver.name,
5023 config: Config{
5024 MaxVersion: ver.version,
5025 Bugs: ProtocolBugs{
5026 OversizedSessionId: true,
5027 },
5028 },
5029 resumeSession: true,
5030 shouldFail: true,
5031 expectedError: ":DECODE_ERROR:",
5032 })
5033 }
5034
5035 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5036 // are ignored.
5037 if ver.hasDTLS {
5038 testCases = append(testCases, testCase{
5039 protocol: dtls,
5040 name: "SRTP-Client-" + ver.name,
5041 config: Config{
5042 MaxVersion: ver.version,
5043 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5044 },
5045 flags: []string{
5046 "-srtp-profiles",
5047 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5048 },
5049 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5050 })
5051 testCases = append(testCases, testCase{
5052 protocol: dtls,
5053 testType: serverTest,
5054 name: "SRTP-Server-" + ver.name,
5055 config: Config{
5056 MaxVersion: ver.version,
5057 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5058 },
5059 flags: []string{
5060 "-srtp-profiles",
5061 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5062 },
5063 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5064 })
5065 // Test that the MKI is ignored.
5066 testCases = append(testCases, testCase{
5067 protocol: dtls,
5068 testType: serverTest,
5069 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5070 config: Config{
5071 MaxVersion: ver.version,
5072 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5073 Bugs: ProtocolBugs{
5074 SRTPMasterKeyIdentifer: "bogus",
5075 },
5076 },
5077 flags: []string{
5078 "-srtp-profiles",
5079 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5080 },
5081 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5082 })
5083 // Test that SRTP isn't negotiated on the server if there were
5084 // no matching profiles.
5085 testCases = append(testCases, testCase{
5086 protocol: dtls,
5087 testType: serverTest,
5088 name: "SRTP-Server-NoMatch-" + ver.name,
5089 config: Config{
5090 MaxVersion: ver.version,
5091 SRTPProtectionProfiles: []uint16{100, 101, 102},
5092 },
5093 flags: []string{
5094 "-srtp-profiles",
5095 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5096 },
5097 expectedSRTPProtectionProfile: 0,
5098 })
5099 // Test that the server returning an invalid SRTP profile is
5100 // flagged as an error by the client.
5101 testCases = append(testCases, testCase{
5102 protocol: dtls,
5103 name: "SRTP-Client-NoMatch-" + ver.name,
5104 config: Config{
5105 MaxVersion: ver.version,
5106 Bugs: ProtocolBugs{
5107 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5108 },
5109 },
5110 flags: []string{
5111 "-srtp-profiles",
5112 "SRTP_AES128_CM_SHA1_80",
5113 },
5114 shouldFail: true,
5115 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5116 })
5117 }
5118
5119 // Test SCT list.
5120 testCases = append(testCases, testCase{
5121 name: "SignedCertificateTimestampList-Client-" + ver.name,
5122 testType: clientTest,
5123 config: Config{
5124 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5125 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5126 flags: []string{
5127 "-enable-signed-cert-timestamps",
5128 "-expect-signed-cert-timestamps",
5129 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5130 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5131 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5132 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5133
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5134 var differentSCTList []byte
5135 differentSCTList = append(differentSCTList, testSCTList...)
5136 differentSCTList[len(differentSCTList)-1] ^= 1
5137
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5138 // The SCT extension did not specify that it must only be sent on resumption as it
5139 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5140 testCases = append(testCases, testCase{
5141 name: "SendSCTListOnResume-" + ver.name,
5142 config: Config{
5143 MaxVersion: ver.version,
5144 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5145 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5146 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5147 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5148 flags: []string{
5149 "-enable-signed-cert-timestamps",
5150 "-expect-signed-cert-timestamps",
5151 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5152 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5153 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5154 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5155
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5156 testCases = append(testCases, testCase{
5157 name: "SignedCertificateTimestampList-Server-" + ver.name,
5158 testType: serverTest,
5159 config: Config{
5160 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5161 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5162 flags: []string{
5163 "-signed-cert-timestamps",
5164 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5165 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5166 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5167 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5168 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5169
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5170 emptySCTListCert := *testCerts[0].cert
5171 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5172
5173 // Test empty SCT list.
5174 testCases = append(testCases, testCase{
5175 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5176 testType: clientTest,
5177 config: Config{
5178 MaxVersion: ver.version,
5179 Certificates: []Certificate{emptySCTListCert},
5180 },
5181 flags: []string{
5182 "-enable-signed-cert-timestamps",
5183 },
5184 shouldFail: true,
5185 expectedError: ":ERROR_PARSING_EXTENSION:",
5186 })
5187
5188 emptySCTCert := *testCerts[0].cert
5189 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5190
5191 // Test empty SCT in non-empty list.
5192 testCases = append(testCases, testCase{
5193 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5194 testType: clientTest,
5195 config: Config{
5196 MaxVersion: ver.version,
5197 Certificates: []Certificate{emptySCTCert},
5198 },
5199 flags: []string{
5200 "-enable-signed-cert-timestamps",
5201 },
5202 shouldFail: true,
5203 expectedError: ":ERROR_PARSING_EXTENSION:",
5204 })
5205
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5206 // Test that certificate-related extensions are not sent unsolicited.
5207 testCases = append(testCases, testCase{
5208 testType: serverTest,
5209 name: "UnsolicitedCertificateExtensions-" + ver.name,
5210 config: Config{
5211 MaxVersion: ver.version,
5212 Bugs: ProtocolBugs{
5213 NoOCSPStapling: true,
5214 NoSignedCertificateTimestamps: true,
5215 },
5216 },
5217 flags: []string{
5218 "-ocsp-response",
5219 base64.StdEncoding.EncodeToString(testOCSPResponse),
5220 "-signed-cert-timestamps",
5221 base64.StdEncoding.EncodeToString(testSCTList),
5222 },
5223 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5224 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5225
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5226 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5227 testType: clientTest,
5228 name: "ClientHelloPadding",
5229 config: Config{
5230 Bugs: ProtocolBugs{
5231 RequireClientHelloSize: 512,
5232 },
5233 },
5234 // This hostname just needs to be long enough to push the
5235 // ClientHello into F5's danger zone between 256 and 511 bytes
5236 // long.
5237 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5238 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5239
5240 // Extensions should not function in SSL 3.0.
5241 testCases = append(testCases, testCase{
5242 testType: serverTest,
5243 name: "SSLv3Extensions-NoALPN",
5244 config: Config{
5245 MaxVersion: VersionSSL30,
5246 NextProtos: []string{"foo", "bar", "baz"},
5247 },
5248 flags: []string{
5249 "-select-alpn", "foo",
5250 },
5251 expectNoNextProto: true,
5252 })
5253
5254 // Test session tickets separately as they follow a different codepath.
5255 testCases = append(testCases, testCase{
5256 testType: serverTest,
5257 name: "SSLv3Extensions-NoTickets",
5258 config: Config{
5259 MaxVersion: VersionSSL30,
5260 Bugs: ProtocolBugs{
5261 // Historically, session tickets in SSL 3.0
5262 // failed in different ways depending on whether
5263 // the client supported renegotiation_info.
5264 NoRenegotiationInfo: true,
5265 },
5266 },
5267 resumeSession: true,
5268 })
5269 testCases = append(testCases, testCase{
5270 testType: serverTest,
5271 name: "SSLv3Extensions-NoTickets2",
5272 config: Config{
5273 MaxVersion: VersionSSL30,
5274 },
5275 resumeSession: true,
5276 })
5277
5278 // But SSL 3.0 does send and process renegotiation_info.
5279 testCases = append(testCases, testCase{
5280 testType: serverTest,
5281 name: "SSLv3Extensions-RenegotiationInfo",
5282 config: Config{
5283 MaxVersion: VersionSSL30,
5284 Bugs: ProtocolBugs{
5285 RequireRenegotiationInfo: true,
5286 },
5287 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5288 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5289 })
5290 testCases = append(testCases, testCase{
5291 testType: serverTest,
5292 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5293 config: Config{
5294 MaxVersion: VersionSSL30,
5295 Bugs: ProtocolBugs{
5296 NoRenegotiationInfo: true,
5297 SendRenegotiationSCSV: true,
5298 RequireRenegotiationInfo: true,
5299 },
5300 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5301 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5302 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5303
5304 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5305 // in ServerHello.
5306 testCases = append(testCases, testCase{
5307 name: "NPN-Forbidden-TLS13",
5308 config: Config{
5309 MaxVersion: VersionTLS13,
5310 NextProtos: []string{"foo"},
5311 Bugs: ProtocolBugs{
5312 NegotiateNPNAtAllVersions: true,
5313 },
5314 },
5315 flags: []string{"-select-next-proto", "foo"},
5316 shouldFail: true,
5317 expectedError: ":ERROR_PARSING_EXTENSION:",
5318 })
5319 testCases = append(testCases, testCase{
5320 name: "EMS-Forbidden-TLS13",
5321 config: Config{
5322 MaxVersion: VersionTLS13,
5323 Bugs: ProtocolBugs{
5324 NegotiateEMSAtAllVersions: true,
5325 },
5326 },
5327 shouldFail: true,
5328 expectedError: ":ERROR_PARSING_EXTENSION:",
5329 })
5330 testCases = append(testCases, testCase{
5331 name: "RenegotiationInfo-Forbidden-TLS13",
5332 config: Config{
5333 MaxVersion: VersionTLS13,
5334 Bugs: ProtocolBugs{
5335 NegotiateRenegotiationInfoAtAllVersions: true,
5336 },
5337 },
5338 shouldFail: true,
5339 expectedError: ":ERROR_PARSING_EXTENSION:",
5340 })
5341 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5342 name: "Ticket-Forbidden-TLS13",
5343 config: Config{
5344 MaxVersion: VersionTLS12,
5345 },
5346 resumeConfig: &Config{
5347 MaxVersion: VersionTLS13,
5348 Bugs: ProtocolBugs{
5349 AdvertiseTicketExtension: true,
5350 },
5351 },
5352 resumeSession: true,
5353 shouldFail: true,
5354 expectedError: ":ERROR_PARSING_EXTENSION:",
5355 })
5356
5357 // Test that illegal extensions in TLS 1.3 are declined by the server if
5358 // offered in ClientHello. The runner's server will fail if this occurs,
5359 // so we exercise the offering path. (EMS and Renegotiation Info are
5360 // implicit in every test.)
5361 testCases = append(testCases, testCase{
5362 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5363 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5364 config: Config{
5365 MaxVersion: VersionTLS13,
5366 NextProtos: []string{"bar"},
5367 },
5368 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5369 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5370
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5371 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5372 // tolerated.
5373 testCases = append(testCases, testCase{
5374 name: "SendOCSPResponseOnResume-TLS12",
5375 config: Config{
5376 MaxVersion: VersionTLS12,
5377 Bugs: ProtocolBugs{
5378 SendOCSPResponseOnResume: []byte("bogus"),
5379 },
5380 },
5381 flags: []string{
5382 "-enable-ocsp-stapling",
5383 "-expect-ocsp-response",
5384 base64.StdEncoding.EncodeToString(testOCSPResponse),
5385 },
5386 resumeSession: true,
5387 })
5388
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5389 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5390 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5391 config: Config{
5392 MaxVersion: VersionTLS13,
5393 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5394 SendExtensionOnCertificate: testOCSPExtension,
5395 },
5396 },
5397 shouldFail: true,
5398 expectedError: ":UNEXPECTED_EXTENSION:",
5399 })
5400
5401 testCases = append(testCases, testCase{
5402 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5403 config: Config{
5404 MaxVersion: VersionTLS13,
5405 Bugs: ProtocolBugs{
5406 SendExtensionOnCertificate: testSCTExtension,
5407 },
5408 },
5409 shouldFail: true,
5410 expectedError: ":UNEXPECTED_EXTENSION:",
5411 })
5412
5413 // Test that extensions on client certificates are never accepted.
5414 testCases = append(testCases, testCase{
5415 name: "SendExtensionOnClientCertificate-TLS13",
5416 testType: serverTest,
5417 config: Config{
5418 MaxVersion: VersionTLS13,
5419 Certificates: []Certificate{rsaCertificate},
5420 Bugs: ProtocolBugs{
5421 SendExtensionOnCertificate: testOCSPExtension,
5422 },
5423 },
5424 flags: []string{
5425 "-enable-ocsp-stapling",
5426 "-require-any-client-certificate",
5427 },
5428 shouldFail: true,
5429 expectedError: ":UNEXPECTED_EXTENSION:",
5430 })
5431
5432 testCases = append(testCases, testCase{
5433 name: "SendUnknownExtensionOnCertificate-TLS13",
5434 config: Config{
5435 MaxVersion: VersionTLS13,
5436 Bugs: ProtocolBugs{
5437 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5438 },
5439 },
5440 shouldFail: true,
5441 expectedError: ":UNEXPECTED_EXTENSION:",
5442 })
5443
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5444 var differentSCTList []byte
5445 differentSCTList = append(differentSCTList, testSCTList...)
5446 differentSCTList[len(differentSCTList)-1] ^= 1
5447
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5448 // Test that extensions on intermediates are allowed but ignored.
5449 testCases = append(testCases, testCase{
5450 name: "IgnoreExtensionsOnIntermediates-TLS13",
5451 config: Config{
5452 MaxVersion: VersionTLS13,
5453 Certificates: []Certificate{rsaChainCertificate},
5454 Bugs: ProtocolBugs{
5455 // Send different values on the intermediate. This tests
5456 // the intermediate's extensions do not override the
5457 // leaf's.
5458 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5459 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5460 },
5461 },
5462 flags: []string{
5463 "-enable-ocsp-stapling",
5464 "-expect-ocsp-response",
5465 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5466 "-enable-signed-cert-timestamps",
5467 "-expect-signed-cert-timestamps",
5468 base64.StdEncoding.EncodeToString(testSCTList),
5469 },
5470 resumeSession: true,
5471 })
5472
5473 // Test that extensions are not sent on intermediates when configured
5474 // only for a leaf.
5475 testCases = append(testCases, testCase{
5476 testType: serverTest,
5477 name: "SendNoExtensionsOnIntermediate-TLS13",
5478 config: Config{
5479 MaxVersion: VersionTLS13,
5480 Bugs: ProtocolBugs{
5481 ExpectNoExtensionsOnIntermediate: true,
5482 },
5483 },
5484 flags: []string{
5485 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5486 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5487 "-ocsp-response",
5488 base64.StdEncoding.EncodeToString(testOCSPResponse),
5489 "-signed-cert-timestamps",
5490 base64.StdEncoding.EncodeToString(testSCTList),
5491 },
5492 })
5493
5494 // Test that extensions are not sent on client certificates.
5495 testCases = append(testCases, testCase{
5496 name: "SendNoClientCertificateExtensions-TLS13",
5497 config: Config{
5498 MaxVersion: VersionTLS13,
5499 ClientAuth: RequireAnyClientCert,
5500 },
5501 flags: []string{
5502 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5503 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5504 "-ocsp-response",
5505 base64.StdEncoding.EncodeToString(testOCSPResponse),
5506 "-signed-cert-timestamps",
5507 base64.StdEncoding.EncodeToString(testSCTList),
5508 },
5509 })
5510
5511 testCases = append(testCases, testCase{
5512 name: "SendDuplicateExtensionsOnCerts-TLS13",
5513 config: Config{
5514 MaxVersion: VersionTLS13,
5515 Bugs: ProtocolBugs{
5516 SendDuplicateCertExtensions: true,
5517 },
5518 },
5519 flags: []string{
5520 "-enable-ocsp-stapling",
5521 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5522 },
5523 resumeSession: true,
5524 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5525 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5526 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5527
5528 testCases = append(testCases, testCase{
5529 name: "SignedCertificateTimestampListInvalid-Server",
5530 testType: serverTest,
5531 flags: []string{
5532 "-signed-cert-timestamps",
5533 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5534 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5535 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5536 expectedError: ":INVALID_SCT_LIST:",
5537 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5538}
5539
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5540func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5541 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5542 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5543 // SSL 3.0 does not have tickets and TLS 1.3 does not
5544 // have session IDs, so skip their cross-resumption
5545 // tests.
5546 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5547 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5548 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5549 }
5550
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5551 protocols := []protocol{tls}
5552 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5553 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5554 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5555 for _, protocol := range protocols {
5556 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5557 if protocol == dtls {
5558 suffix += "-DTLS"
5559 }
5560
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5561 if sessionVers.version == resumeVers.version {
5562 testCases = append(testCases, testCase{
5563 protocol: protocol,
5564 name: "Resume-Client" + suffix,
5565 resumeSession: true,
5566 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5567 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5568 Bugs: ProtocolBugs{
5569 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5570 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5571 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5572 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5573 expectedVersion: sessionVers.version,
5574 expectedResumeVersion: resumeVers.version,
5575 })
5576 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5577 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5578
5579 // Offering a TLS 1.3 session sends an empty session ID, so
5580 // there is no way to convince a non-lookahead client the
5581 // session was resumed. It will appear to the client that a
5582 // stray ChangeCipherSpec was sent.
5583 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5584 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5585 }
5586
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5587 testCases = append(testCases, testCase{
5588 protocol: protocol,
5589 name: "Resume-Client-Mismatch" + suffix,
5590 resumeSession: true,
5591 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5592 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5593 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5594 expectedVersion: sessionVers.version,
5595 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5596 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5597 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5598 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5599 },
5600 },
5601 expectedResumeVersion: resumeVers.version,
5602 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5603 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5604 })
5605 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5606
5607 testCases = append(testCases, testCase{
5608 protocol: protocol,
5609 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5610 resumeSession: true,
5611 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5612 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5613 },
5614 expectedVersion: sessionVers.version,
5615 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5616 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5617 },
5618 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5619 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5620 expectedResumeVersion: resumeVers.version,
5621 })
5622
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5623 testCases = append(testCases, testCase{
5624 protocol: protocol,
5625 testType: serverTest,
5626 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5627 resumeSession: true,
5628 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5629 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5630 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5631 expectedVersion: sessionVers.version,
5632 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5633 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5634 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5635 Bugs: ProtocolBugs{
5636 SendBothTickets: true,
5637 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5638 },
5639 expectedResumeVersion: resumeVers.version,
5640 })
5641 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5642 }
5643 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5644
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5645 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5646 testCases = append(testCases, testCase{
5647 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5648 name: "ShimTicketRewritable",
5649 resumeSession: true,
5650 config: Config{
5651 MaxVersion: VersionTLS12,
5652 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5653 Bugs: ProtocolBugs{
5654 FilterTicket: func(in []byte) ([]byte, error) {
5655 in, err := SetShimTicketVersion(in, VersionTLS12)
5656 if err != nil {
5657 return nil, err
5658 }
5659 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5660 },
5661 },
5662 },
5663 flags: []string{
5664 "-ticket-key",
5665 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5666 },
5667 })
5668
5669 // Resumptions are declined if the version does not match.
5670 testCases = append(testCases, testCase{
5671 testType: serverTest,
5672 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5673 resumeSession: true,
5674 config: Config{
5675 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5676 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5677 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5678 FilterTicket: func(in []byte) ([]byte, error) {
5679 return SetShimTicketVersion(in, VersionTLS13)
5680 },
5681 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5682 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5683 flags: []string{
5684 "-ticket-key",
5685 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5686 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5687 expectResumeRejected: true,
5688 })
5689
5690 testCases = append(testCases, testCase{
5691 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5692 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5693 resumeSession: true,
5694 config: Config{
5695 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5696 Bugs: ProtocolBugs{
5697 FilterTicket: func(in []byte) ([]byte, error) {
5698 return SetShimTicketVersion(in, VersionTLS12)
5699 },
5700 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5701 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5702 flags: []string{
5703 "-ticket-key",
5704 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5705 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5706 expectResumeRejected: true,
5707 })
5708
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5709 // Resumptions are declined if the cipher is invalid or disabled.
5710 testCases = append(testCases, testCase{
5711 testType: serverTest,
5712 name: "Resume-Server-DeclineBadCipher",
5713 resumeSession: true,
5714 config: Config{
5715 MaxVersion: VersionTLS12,
5716 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5717 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5718 FilterTicket: func(in []byte) ([]byte, error) {
5719 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5720 },
5721 },
5722 },
5723 flags: []string{
5724 "-ticket-key",
5725 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5726 },
5727 expectResumeRejected: true,
5728 })
5729
5730 testCases = append(testCases, testCase{
5731 testType: serverTest,
5732 name: "Resume-Server-DeclineBadCipher-2",
5733 resumeSession: true,
5734 config: Config{
5735 MaxVersion: VersionTLS12,
5736 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5737 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5738 FilterTicket: func(in []byte) ([]byte, error) {
5739 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5740 },
5741 },
5742 },
5743 flags: []string{
5744 "-cipher", "AES128",
5745 "-ticket-key",
5746 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5747 },
5748 expectResumeRejected: true,
5749 })
5750
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5751 // Sessions are not resumed if they do not use the preferred cipher.
5752 testCases = append(testCases, testCase{
5753 testType: serverTest,
5754 name: "Resume-Server-CipherNotPreferred",
5755 resumeSession: true,
5756 config: Config{
5757 MaxVersion: VersionTLS12,
5758 Bugs: ProtocolBugs{
5759 ExpectNewTicket: true,
5760 FilterTicket: func(in []byte) ([]byte, error) {
5761 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5762 },
5763 },
5764 },
5765 flags: []string{
5766 "-ticket-key",
5767 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5768 },
5769 shouldFail: false,
5770 expectResumeRejected: true,
5771 })
5772
5773 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5774 // PRF hashes match, but BoringSSL will always decline such resumptions.
5775 testCases = append(testCases, testCase{
5776 testType: serverTest,
5777 name: "Resume-Server-CipherNotPreferred-TLS13",
5778 resumeSession: true,
5779 config: Config{
5780 MaxVersion: VersionTLS13,
5781 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5782 Bugs: ProtocolBugs{
5783 FilterTicket: func(in []byte) ([]byte, error) {
5784 // If the client (runner) offers ChaCha20-Poly1305 first, the
5785 // server (shim) always prefers it. Switch it to AES-GCM.
5786 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5787 },
5788 },
5789 },
5790 flags: []string{
5791 "-ticket-key",
5792 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5793 },
5794 shouldFail: false,
5795 expectResumeRejected: true,
5796 })
5797
5798 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5799 testCases = append(testCases, testCase{
5800 testType: serverTest,
5801 name: "Resume-Server-DeclineBadCipher-TLS13",
5802 resumeSession: true,
5803 config: Config{
5804 MaxVersion: VersionTLS13,
5805 Bugs: ProtocolBugs{
5806 FilterTicket: func(in []byte) ([]byte, error) {
5807 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5808 },
5809 },
5810 },
5811 flags: []string{
5812 "-ticket-key",
5813 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5814 },
5815 expectResumeRejected: true,
5816 })
5817
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5818 // If the client does not offer the cipher from the session, decline to
5819 // resume. Clients are forbidden from doing this, but BoringSSL selects
5820 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5821 testCases = append(testCases, testCase{
5822 testType: serverTest,
5823 name: "Resume-Server-UnofferedCipher",
5824 resumeSession: true,
5825 config: Config{
5826 MaxVersion: VersionTLS12,
5827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5828 },
5829 resumeConfig: &Config{
5830 MaxVersion: VersionTLS12,
5831 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5832 Bugs: ProtocolBugs{
5833 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5834 },
5835 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5836 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5837 })
5838
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5839 // In TLS 1.3, clients may advertise a cipher list which does not
5840 // include the selected cipher. Test that we tolerate this. Servers may
5841 // resume at another cipher if the PRF matches, but BoringSSL will
5842 // always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5843 testCases = append(testCases, testCase{
5844 testType: serverTest,
5845 name: "Resume-Server-UnofferedCipher-TLS13",
5846 resumeSession: true,
5847 config: Config{
5848 MaxVersion: VersionTLS13,
5849 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5850 },
5851 resumeConfig: &Config{
5852 MaxVersion: VersionTLS13,
5853 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5854 Bugs: ProtocolBugs{
5855 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5856 },
5857 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5858 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5859 })
5860
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5861 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5862 testCases = append(testCases, testCase{
5863 name: "Resume-Client-CipherMismatch",
5864 resumeSession: true,
5865 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5866 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5867 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5868 },
5869 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5870 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5871 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5872 Bugs: ProtocolBugs{
5873 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5874 },
5875 },
5876 shouldFail: true,
5877 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5878 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5879
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5880 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
5881 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5882 testCases = append(testCases, testCase{
5883 name: "Resume-Client-CipherMismatch-TLS13",
5884 resumeSession: true,
5885 config: Config{
5886 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5887 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5888 },
5889 resumeConfig: &Config{
5890 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5891 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5892 },
5893 })
5894
5895 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
5896 testCases = append(testCases, testCase{
5897 name: "Resume-Client-PRFMismatch-TLS13",
5898 resumeSession: true,
5899 config: Config{
5900 MaxVersion: VersionTLS13,
5901 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5902 },
5903 resumeConfig: &Config{
5904 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5905 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5906 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5907 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5908 },
5909 },
5910 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5911 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5912 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5913
5914 testCases = append(testCases, testCase{
5915 testType: serverTest,
5916 name: "Resume-Server-BinderWrongLength",
5917 resumeSession: true,
5918 config: Config{
5919 MaxVersion: VersionTLS13,
5920 Bugs: ProtocolBugs{
5921 SendShortPSKBinder: true,
5922 },
5923 },
5924 shouldFail: true,
5925 expectedLocalError: "remote error: error decrypting message",
5926 expectedError: ":DIGEST_CHECK_FAILED:",
5927 })
5928
5929 testCases = append(testCases, testCase{
5930 testType: serverTest,
5931 name: "Resume-Server-NoPSKBinder",
5932 resumeSession: true,
5933 config: Config{
5934 MaxVersion: VersionTLS13,
5935 Bugs: ProtocolBugs{
5936 SendNoPSKBinder: true,
5937 },
5938 },
5939 shouldFail: true,
5940 expectedLocalError: "remote error: error decoding message",
5941 expectedError: ":DECODE_ERROR:",
5942 })
5943
5944 testCases = append(testCases, testCase{
5945 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]5946 name: "Resume-Server-ExtraPSKBinder",
5947 resumeSession: true,
5948 config: Config{
5949 MaxVersion: VersionTLS13,
5950 Bugs: ProtocolBugs{
5951 SendExtraPSKBinder: true,
5952 },
5953 },
5954 shouldFail: true,
5955 expectedLocalError: "remote error: illegal parameter",
5956 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5957 })
5958
5959 testCases = append(testCases, testCase{
5960 testType: serverTest,
5961 name: "Resume-Server-ExtraIdentityNoBinder",
5962 resumeSession: true,
5963 config: Config{
5964 MaxVersion: VersionTLS13,
5965 Bugs: ProtocolBugs{
5966 ExtraPSKIdentity: true,
5967 },
5968 },
5969 shouldFail: true,
5970 expectedLocalError: "remote error: illegal parameter",
5971 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5972 })
5973
5974 testCases = append(testCases, testCase{
5975 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5976 name: "Resume-Server-InvalidPSKBinder",
5977 resumeSession: true,
5978 config: Config{
5979 MaxVersion: VersionTLS13,
5980 Bugs: ProtocolBugs{
5981 SendInvalidPSKBinder: true,
5982 },
5983 },
5984 shouldFail: true,
5985 expectedLocalError: "remote error: error decrypting message",
5986 expectedError: ":DIGEST_CHECK_FAILED:",
5987 })
5988
5989 testCases = append(testCases, testCase{
5990 testType: serverTest,
5991 name: "Resume-Server-PSKBinderFirstExtension",
5992 resumeSession: true,
5993 config: Config{
5994 MaxVersion: VersionTLS13,
5995 Bugs: ProtocolBugs{
5996 PSKBinderFirst: true,
5997 },
5998 },
5999 shouldFail: true,
6000 expectedLocalError: "remote error: illegal parameter",
6001 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6002 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6003}
6004
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6005func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6006 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6007 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6008 testType: serverTest,
6009 name: "Renegotiate-Server-Forbidden",
6010 config: Config{
6011 MaxVersion: VersionTLS12,
6012 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6013 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6014 shouldFail: true,
6015 expectedError: ":NO_RENEGOTIATION:",
6016 expectedLocalError: "remote error: no renegotiation",
6017 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6018 // The server shouldn't echo the renegotiation extension unless
6019 // requested by the client.
6020 testCases = append(testCases, testCase{
6021 testType: serverTest,
6022 name: "Renegotiate-Server-NoExt",
6023 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6024 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6025 Bugs: ProtocolBugs{
6026 NoRenegotiationInfo: true,
6027 RequireRenegotiationInfo: true,
6028 },
6029 },
6030 shouldFail: true,
6031 expectedLocalError: "renegotiation extension missing",
6032 })
6033 // The renegotiation SCSV should be sufficient for the server to echo
6034 // the extension.
6035 testCases = append(testCases, testCase{
6036 testType: serverTest,
6037 name: "Renegotiate-Server-NoExt-SCSV",
6038 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6039 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6040 Bugs: ProtocolBugs{
6041 NoRenegotiationInfo: true,
6042 SendRenegotiationSCSV: true,
6043 RequireRenegotiationInfo: true,
6044 },
6045 },
6046 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6047 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6048 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6049 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6050 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6051 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6052 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6053 },
6054 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6055 renegotiate: 1,
6056 flags: []string{
6057 "-renegotiate-freely",
6058 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6059 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6060 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6061 })
6062 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6063 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6064 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6065 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6066 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6067 Bugs: ProtocolBugs{
6068 EmptyRenegotiationInfo: true,
6069 },
6070 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6071 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6072 shouldFail: true,
6073 expectedError: ":RENEGOTIATION_MISMATCH:",
6074 })
6075 testCases = append(testCases, testCase{
6076 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6077 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6078 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6079 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6080 Bugs: ProtocolBugs{
6081 BadRenegotiationInfo: true,
6082 },
6083 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6084 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6085 shouldFail: true,
6086 expectedError: ":RENEGOTIATION_MISMATCH:",
6087 })
6088 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6089 name: "Renegotiate-Client-Downgrade",
6090 renegotiate: 1,
6091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6092 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6093 Bugs: ProtocolBugs{
6094 NoRenegotiationInfoAfterInitial: true,
6095 },
6096 },
6097 flags: []string{"-renegotiate-freely"},
6098 shouldFail: true,
6099 expectedError: ":RENEGOTIATION_MISMATCH:",
6100 })
6101 testCases = append(testCases, testCase{
6102 name: "Renegotiate-Client-Upgrade",
6103 renegotiate: 1,
6104 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6105 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6106 Bugs: ProtocolBugs{
6107 NoRenegotiationInfoInInitial: true,
6108 },
6109 },
6110 flags: []string{"-renegotiate-freely"},
6111 shouldFail: true,
6112 expectedError: ":RENEGOTIATION_MISMATCH:",
6113 })
6114 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6115 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6116 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6117 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6118 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6119 Bugs: ProtocolBugs{
6120 NoRenegotiationInfo: true,
6121 },
6122 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6123 flags: []string{
6124 "-renegotiate-freely",
6125 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6126 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6127 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6128 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6129
6130 // Test that the server may switch ciphers on renegotiation without
6131 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6132 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6133 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6134 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6135 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6136 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6137 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6138 },
6139 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6140 flags: []string{
6141 "-renegotiate-freely",
6142 "-expect-total-renegotiations", "1",
6143 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6144 })
6145 testCases = append(testCases, testCase{
6146 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6147 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6148 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6149 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6150 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6151 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6152 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6153 flags: []string{
6154 "-renegotiate-freely",
6155 "-expect-total-renegotiations", "1",
6156 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6157 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6158
6159 // Test that the server may not switch versions on renegotiation.
6160 testCases = append(testCases, testCase{
6161 name: "Renegotiate-Client-SwitchVersion",
6162 config: Config{
6163 MaxVersion: VersionTLS12,
6164 // Pick a cipher which exists at both versions.
6165 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6166 Bugs: ProtocolBugs{
6167 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6168 // Avoid failing early at the record layer.
6169 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6170 },
6171 },
6172 renegotiate: 1,
6173 flags: []string{
6174 "-renegotiate-freely",
6175 "-expect-total-renegotiations", "1",
6176 },
6177 shouldFail: true,
6178 expectedError: ":WRONG_SSL_VERSION:",
6179 })
6180
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6181 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6182 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6183 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6184 config: Config{
6185 MaxVersion: VersionTLS10,
6186 Bugs: ProtocolBugs{
6187 RequireSameRenegoClientVersion: true,
6188 },
6189 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6190 flags: []string{
6191 "-renegotiate-freely",
6192 "-expect-total-renegotiations", "1",
6193 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6194 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6195 testCases = append(testCases, testCase{
6196 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6197 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6198 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6199 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6200 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6201 NextProtos: []string{"foo"},
6202 },
6203 flags: []string{
6204 "-false-start",
6205 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6206 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6207 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6208 },
6209 shimWritesFirst: true,
6210 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6211
6212 // Client-side renegotiation controls.
6213 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6214 name: "Renegotiate-Client-Forbidden-1",
6215 config: Config{
6216 MaxVersion: VersionTLS12,
6217 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6218 renegotiate: 1,
6219 shouldFail: true,
6220 expectedError: ":NO_RENEGOTIATION:",
6221 expectedLocalError: "remote error: no renegotiation",
6222 })
6223 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6224 name: "Renegotiate-Client-Once-1",
6225 config: Config{
6226 MaxVersion: VersionTLS12,
6227 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6228 renegotiate: 1,
6229 flags: []string{
6230 "-renegotiate-once",
6231 "-expect-total-renegotiations", "1",
6232 },
6233 })
6234 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6235 name: "Renegotiate-Client-Freely-1",
6236 config: Config{
6237 MaxVersion: VersionTLS12,
6238 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6239 renegotiate: 1,
6240 flags: []string{
6241 "-renegotiate-freely",
6242 "-expect-total-renegotiations", "1",
6243 },
6244 })
6245 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6246 name: "Renegotiate-Client-Once-2",
6247 config: Config{
6248 MaxVersion: VersionTLS12,
6249 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6250 renegotiate: 2,
6251 flags: []string{"-renegotiate-once"},
6252 shouldFail: true,
6253 expectedError: ":NO_RENEGOTIATION:",
6254 expectedLocalError: "remote error: no renegotiation",
6255 })
6256 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6257 name: "Renegotiate-Client-Freely-2",
6258 config: Config{
6259 MaxVersion: VersionTLS12,
6260 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6261 renegotiate: 2,
6262 flags: []string{
6263 "-renegotiate-freely",
6264 "-expect-total-renegotiations", "2",
6265 },
6266 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6267 testCases = append(testCases, testCase{
6268 name: "Renegotiate-Client-NoIgnore",
6269 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6270 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6271 Bugs: ProtocolBugs{
6272 SendHelloRequestBeforeEveryAppDataRecord: true,
6273 },
6274 },
6275 shouldFail: true,
6276 expectedError: ":NO_RENEGOTIATION:",
6277 })
6278 testCases = append(testCases, testCase{
6279 name: "Renegotiate-Client-Ignore",
6280 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6281 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6282 Bugs: ProtocolBugs{
6283 SendHelloRequestBeforeEveryAppDataRecord: true,
6284 },
6285 },
6286 flags: []string{
6287 "-renegotiate-ignore",
6288 "-expect-total-renegotiations", "0",
6289 },
6290 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6291
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6292 // Renegotiation is not allowed at SSL 3.0.
6293 testCases = append(testCases, testCase{
6294 name: "Renegotiate-Client-SSL3",
6295 config: Config{
6296 MaxVersion: VersionSSL30,
6297 },
6298 renegotiate: 1,
6299 flags: []string{
6300 "-renegotiate-freely",
6301 "-expect-total-renegotiations", "1",
6302 },
6303 shouldFail: true,
6304 expectedError: ":NO_RENEGOTIATION:",
6305 expectedLocalError: "remote error: no renegotiation",
6306 })
6307
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6308 // Renegotiation is not allowed when there is an unfinished write.
6309 testCases = append(testCases, testCase{
6310 name: "Renegotiate-Client-UnfinishedWrite",
6311 config: Config{
6312 MaxVersion: VersionTLS12,
6313 },
6314 renegotiate: 1,
6315 flags: []string{
6316 "-async",
6317 "-renegotiate-freely",
6318 "-read-with-unfinished-write",
6319 },
6320 shouldFail: true,
6321 expectedError: ":NO_RENEGOTIATION:",
6322 // We do not successfully send the no_renegotiation alert in
6323 // this case. https://crbug.com/boringssl/130
6324 })
6325
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6326 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6327 testCases = append(testCases, testCase{
6328 name: "StrayHelloRequest",
6329 config: Config{
6330 MaxVersion: VersionTLS12,
6331 Bugs: ProtocolBugs{
6332 SendHelloRequestBeforeEveryHandshakeMessage: true,
6333 },
6334 },
6335 })
6336 testCases = append(testCases, testCase{
6337 name: "StrayHelloRequest-Packed",
6338 config: Config{
6339 MaxVersion: VersionTLS12,
6340 Bugs: ProtocolBugs{
6341 PackHandshakeFlight: true,
6342 SendHelloRequestBeforeEveryHandshakeMessage: true,
6343 },
6344 },
6345 })
6346
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6347 // Test renegotiation works if HelloRequest and server Finished come in
6348 // the same record.
6349 testCases = append(testCases, testCase{
6350 name: "Renegotiate-Client-Packed",
6351 config: Config{
6352 MaxVersion: VersionTLS12,
6353 Bugs: ProtocolBugs{
6354 PackHandshakeFlight: true,
6355 PackHelloRequestWithFinished: true,
6356 },
6357 },
6358 renegotiate: 1,
6359 flags: []string{
6360 "-renegotiate-freely",
6361 "-expect-total-renegotiations", "1",
6362 },
6363 })
6364
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6365 // Renegotiation is forbidden in TLS 1.3.
6366 testCases = append(testCases, testCase{
6367 name: "Renegotiate-Client-TLS13",
6368 config: Config{
6369 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6370 Bugs: ProtocolBugs{
6371 SendHelloRequestBeforeEveryAppDataRecord: true,
6372 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6373 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6374 flags: []string{
6375 "-renegotiate-freely",
6376 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6377 shouldFail: true,
6378 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6379 })
6380
6381 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6382 testCases = append(testCases, testCase{
6383 name: "StrayHelloRequest-TLS13",
6384 config: Config{
6385 MaxVersion: VersionTLS13,
6386 Bugs: ProtocolBugs{
6387 SendHelloRequestBeforeEveryHandshakeMessage: true,
6388 },
6389 },
6390 shouldFail: true,
6391 expectedError: ":UNEXPECTED_MESSAGE:",
6392 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6393
6394 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6395 // always reads as supporting it, regardless of whether it was
6396 // negotiated.
6397 testCases = append(testCases, testCase{
6398 name: "AlwaysReportRenegotiationInfo-TLS13",
6399 config: Config{
6400 MaxVersion: VersionTLS13,
6401 Bugs: ProtocolBugs{
6402 NoRenegotiationInfo: true,
6403 },
6404 },
6405 flags: []string{
6406 "-expect-secure-renegotiation",
6407 },
6408 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6409}
6410
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6411func addDTLSReplayTests() {
6412 // Test that sequence number replays are detected.
6413 testCases = append(testCases, testCase{
6414 protocol: dtls,
6415 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6416 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6417 replayWrites: true,
6418 })
6419
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6420 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6421 // than the retransmit window.
6422 testCases = append(testCases, testCase{
6423 protocol: dtls,
6424 name: "DTLS-Replay-LargeGaps",
6425 config: Config{
6426 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6427 SequenceNumberMapping: func(in uint64) uint64 {
6428 return in * 127
6429 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6430 },
6431 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6432 messageCount: 200,
6433 replayWrites: true,
6434 })
6435
6436 // Test the incoming sequence number changing non-monotonically.
6437 testCases = append(testCases, testCase{
6438 protocol: dtls,
6439 name: "DTLS-Replay-NonMonotonic",
6440 config: Config{
6441 Bugs: ProtocolBugs{
6442 SequenceNumberMapping: func(in uint64) uint64 {
6443 return in ^ 31
6444 },
6445 },
6446 },
6447 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6448 replayWrites: true,
6449 })
6450}
6451
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6452var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6453 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6454 id signatureAlgorithm
6455 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6456}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6457 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6458 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6459 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6460 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6461 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6462 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6463 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6464 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6465 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6466 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6467 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6468 // Tests for key types prior to TLS 1.2.
6469 {"RSA", 0, testCertRSA},
6470 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6471}
6472
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6473const fakeSigAlg1 signatureAlgorithm = 0x2a01
6474const fakeSigAlg2 signatureAlgorithm = 0xff01
6475
6476func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6477 // Not all ciphers involve a signature. Advertise a list which gives all
6478 // versions a signing cipher.
6479 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6480 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6481 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6482 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6483 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6484 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
6485 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
6486 }
6487
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6488 var allAlgorithms []signatureAlgorithm
6489 for _, alg := range testSignatureAlgorithms {
6490 if alg.id != 0 {
6491 allAlgorithms = append(allAlgorithms, alg.id)
6492 }
6493 }
6494
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6495 // Make sure each signature algorithm works. Include some fake values in
6496 // the list and ensure they're ignored.
6497 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6498 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6499 if (ver.version < VersionTLS12) != (alg.id == 0) {
6500 continue
6501 }
6502
6503 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6504 // or remove it in C.
6505 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6506 continue
6507 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6508
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6509 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6510 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6511 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6512 shouldSignFail = true
6513 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6514 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6515 // RSA-PKCS1 does not exist in TLS 1.3.
6516 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6517 shouldSignFail = true
6518 shouldVerifyFail = true
6519 }
6520
6521 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6522 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6523 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6524 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6525
6526 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6527 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6528 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6529 }
6530 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6531 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6532 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6533
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6534 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6535
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6536 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6537 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6538 config: Config{
6539 MaxVersion: ver.version,
6540 ClientAuth: RequireAnyClientCert,
6541 VerifySignatureAlgorithms: []signatureAlgorithm{
6542 fakeSigAlg1,
6543 alg.id,
6544 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6545 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6546 },
6547 flags: []string{
6548 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6549 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6550 "-enable-all-curves",
6551 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6552 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6553 expectedError: signError,
6554 expectedPeerSignatureAlgorithm: alg.id,
6555 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6556
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6557 testCases = append(testCases, testCase{
6558 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6559 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6560 config: Config{
6561 MaxVersion: ver.version,
6562 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6563 SignSignatureAlgorithms: []signatureAlgorithm{
6564 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6565 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6566 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6567 SkipECDSACurveCheck: shouldVerifyFail,
6568 IgnoreSignatureVersionChecks: shouldVerifyFail,
6569 // Some signature algorithms may not be advertised.
6570 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6571 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6572 },
6573 flags: []string{
6574 "-require-any-client-certificate",
6575 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6576 "-enable-all-curves",
6577 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6578 // Resume the session to assert the peer signature
6579 // algorithm is reported on both handshakes.
6580 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6581 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6582 expectedError: verifyError,
6583 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6584
6585 testCases = append(testCases, testCase{
6586 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6587 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6588 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6589 MaxVersion: ver.version,
6590 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6591 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6592 fakeSigAlg1,
6593 alg.id,
6594 fakeSigAlg2,
6595 },
6596 },
6597 flags: []string{
6598 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6599 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6600 "-enable-all-curves",
6601 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6602 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6603 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6604 expectedPeerSignatureAlgorithm: alg.id,
6605 })
6606
6607 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6608 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6609 config: Config{
6610 MaxVersion: ver.version,
6611 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6612 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6613 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6614 alg.id,
6615 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6616 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6617 SkipECDSACurveCheck: shouldVerifyFail,
6618 IgnoreSignatureVersionChecks: shouldVerifyFail,
6619 // Some signature algorithms may not be advertised.
6620 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6621 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6622 },
6623 flags: []string{
6624 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6625 "-enable-all-curves",
6626 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6627 // Resume the session to assert the peer signature
6628 // algorithm is reported on both handshakes.
6629 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6630 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6631 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6632 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6633
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6634 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6635 testCases = append(testCases, testCase{
6636 testType: serverTest,
6637 name: "ClientAuth-InvalidSignature" + suffix,
6638 config: Config{
6639 MaxVersion: ver.version,
6640 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6641 SignSignatureAlgorithms: []signatureAlgorithm{
6642 alg.id,
6643 },
6644 Bugs: ProtocolBugs{
6645 InvalidSignature: true,
6646 },
6647 },
6648 flags: []string{
6649 "-require-any-client-certificate",
6650 "-enable-all-curves",
6651 },
6652 shouldFail: true,
6653 expectedError: ":BAD_SIGNATURE:",
6654 })
6655
6656 testCases = append(testCases, testCase{
6657 name: "ServerAuth-InvalidSignature" + suffix,
6658 config: Config{
6659 MaxVersion: ver.version,
6660 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6661 CipherSuites: signingCiphers,
6662 SignSignatureAlgorithms: []signatureAlgorithm{
6663 alg.id,
6664 },
6665 Bugs: ProtocolBugs{
6666 InvalidSignature: true,
6667 },
6668 },
6669 flags: []string{"-enable-all-curves"},
6670 shouldFail: true,
6671 expectedError: ":BAD_SIGNATURE:",
6672 })
6673 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6674
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6675 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6676 testCases = append(testCases, testCase{
6677 name: "ClientAuth-Sign-Negotiate" + suffix,
6678 config: Config{
6679 MaxVersion: ver.version,
6680 ClientAuth: RequireAnyClientCert,
6681 VerifySignatureAlgorithms: allAlgorithms,
6682 },
6683 flags: []string{
6684 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6685 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6686 "-enable-all-curves",
6687 "-signing-prefs", strconv.Itoa(int(alg.id)),
6688 },
6689 expectedPeerSignatureAlgorithm: alg.id,
6690 })
6691
6692 testCases = append(testCases, testCase{
6693 testType: serverTest,
6694 name: "ServerAuth-Sign-Negotiate" + suffix,
6695 config: Config{
6696 MaxVersion: ver.version,
6697 CipherSuites: signingCiphers,
6698 VerifySignatureAlgorithms: allAlgorithms,
6699 },
6700 flags: []string{
6701 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6702 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6703 "-enable-all-curves",
6704 "-signing-prefs", strconv.Itoa(int(alg.id)),
6705 },
6706 expectedPeerSignatureAlgorithm: alg.id,
6707 })
6708 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6709 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6710 }
6711
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6712 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6713 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6714 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6715 config: Config{
6716 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6717 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6718 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6719 signatureECDSAWithP521AndSHA512,
6720 signatureRSAPKCS1WithSHA384,
6721 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6722 },
6723 },
6724 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6725 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6726 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6727 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6728 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6729 })
6730
6731 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6732 name: "ClientAuth-SignatureType-TLS13",
6733 config: Config{
6734 ClientAuth: RequireAnyClientCert,
6735 MaxVersion: VersionTLS13,
6736 VerifySignatureAlgorithms: []signatureAlgorithm{
6737 signatureECDSAWithP521AndSHA512,
6738 signatureRSAPKCS1WithSHA384,
6739 signatureRSAPSSWithSHA384,
6740 signatureECDSAWithSHA1,
6741 },
6742 },
6743 flags: []string{
6744 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6745 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6746 },
6747 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6748 })
6749
6750 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6751 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6752 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6753 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6754 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6755 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6756 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6757 signatureECDSAWithP521AndSHA512,
6758 signatureRSAPKCS1WithSHA384,
6759 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6760 },
6761 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6762 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6763 })
6764
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6765 testCases = append(testCases, testCase{
6766 testType: serverTest,
6767 name: "ServerAuth-SignatureType-TLS13",
6768 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6769 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6770 VerifySignatureAlgorithms: []signatureAlgorithm{
6771 signatureECDSAWithP521AndSHA512,
6772 signatureRSAPKCS1WithSHA384,
6773 signatureRSAPSSWithSHA384,
6774 signatureECDSAWithSHA1,
6775 },
6776 },
6777 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6778 })
6779
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6780 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6781 testCases = append(testCases, testCase{
6782 testType: serverTest,
6783 name: "Verify-ClientAuth-SignatureType",
6784 config: Config{
6785 MaxVersion: VersionTLS12,
6786 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6787 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6788 signatureRSAPKCS1WithSHA256,
6789 },
6790 Bugs: ProtocolBugs{
6791 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6792 },
6793 },
6794 flags: []string{
6795 "-require-any-client-certificate",
6796 },
6797 shouldFail: true,
6798 expectedError: ":WRONG_SIGNATURE_TYPE:",
6799 })
6800
6801 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6802 testType: serverTest,
6803 name: "Verify-ClientAuth-SignatureType-TLS13",
6804 config: Config{
6805 MaxVersion: VersionTLS13,
6806 Certificates: []Certificate{rsaCertificate},
6807 SignSignatureAlgorithms: []signatureAlgorithm{
6808 signatureRSAPSSWithSHA256,
6809 },
6810 Bugs: ProtocolBugs{
6811 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6812 },
6813 },
6814 flags: []string{
6815 "-require-any-client-certificate",
6816 },
6817 shouldFail: true,
6818 expectedError: ":WRONG_SIGNATURE_TYPE:",
6819 })
6820
6821 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6822 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6823 config: Config{
6824 MaxVersion: VersionTLS12,
6825 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6826 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6827 signatureRSAPKCS1WithSHA256,
6828 },
6829 Bugs: ProtocolBugs{
6830 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6831 },
6832 },
6833 shouldFail: true,
6834 expectedError: ":WRONG_SIGNATURE_TYPE:",
6835 })
6836
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6837 testCases = append(testCases, testCase{
6838 name: "Verify-ServerAuth-SignatureType-TLS13",
6839 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6840 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6841 SignSignatureAlgorithms: []signatureAlgorithm{
6842 signatureRSAPSSWithSHA256,
6843 },
6844 Bugs: ProtocolBugs{
6845 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6846 },
6847 },
6848 shouldFail: true,
6849 expectedError: ":WRONG_SIGNATURE_TYPE:",
6850 })
6851
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6852 // Test that, if the list is missing, the peer falls back to SHA-1 in
6853 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6854 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6855 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6856 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6857 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6858 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6859 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6860 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6861 },
6862 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6863 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6864 },
6865 },
6866 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6867 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6868 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6869 },
6870 })
6871
6872 testCases = append(testCases, testCase{
6873 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6874 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6875 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6876 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6877 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6878 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6879 },
6880 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6881 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6882 },
6883 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6884 flags: []string{
6885 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6886 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6887 },
6888 })
6889
6890 testCases = append(testCases, testCase{
6891 name: "ClientAuth-SHA1-Fallback-ECDSA",
6892 config: Config{
6893 MaxVersion: VersionTLS12,
6894 ClientAuth: RequireAnyClientCert,
6895 VerifySignatureAlgorithms: []signatureAlgorithm{
6896 signatureECDSAWithSHA1,
6897 },
6898 Bugs: ProtocolBugs{
6899 NoSignatureAlgorithms: true,
6900 },
6901 },
6902 flags: []string{
6903 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6904 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6905 },
6906 })
6907
6908 testCases = append(testCases, testCase{
6909 testType: serverTest,
6910 name: "ServerAuth-SHA1-Fallback-ECDSA",
6911 config: Config{
6912 MaxVersion: VersionTLS12,
6913 VerifySignatureAlgorithms: []signatureAlgorithm{
6914 signatureECDSAWithSHA1,
6915 },
6916 Bugs: ProtocolBugs{
6917 NoSignatureAlgorithms: true,
6918 },
6919 },
6920 flags: []string{
6921 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6922 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6923 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6924 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6925
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6926 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6927 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6928 config: Config{
6929 MaxVersion: VersionTLS13,
6930 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6931 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6932 signatureRSAPKCS1WithSHA1,
6933 },
6934 Bugs: ProtocolBugs{
6935 NoSignatureAlgorithms: true,
6936 },
6937 },
6938 flags: []string{
6939 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6940 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6941 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]6942 shouldFail: true,
6943 // An empty CertificateRequest signature algorithm list is a
6944 // syntax error in TLS 1.3.
6945 expectedError: ":DECODE_ERROR:",
6946 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6947 })
6948
6949 testCases = append(testCases, testCase{
6950 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6951 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6952 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6953 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6954 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6955 signatureRSAPKCS1WithSHA1,
6956 },
6957 Bugs: ProtocolBugs{
6958 NoSignatureAlgorithms: true,
6959 },
6960 },
6961 shouldFail: true,
6962 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6963 })
6964
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6965 // Test that hash preferences are enforced. BoringSSL does not implement
6966 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6967 testCases = append(testCases, testCase{
6968 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6969 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6970 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6971 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6972 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6973 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6974 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6975 },
6976 Bugs: ProtocolBugs{
6977 IgnorePeerSignatureAlgorithmPreferences: true,
6978 },
6979 },
6980 flags: []string{"-require-any-client-certificate"},
6981 shouldFail: true,
6982 expectedError: ":WRONG_SIGNATURE_TYPE:",
6983 })
6984
6985 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6986 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6987 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6988 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6989 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6990 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6991 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6992 },
6993 Bugs: ProtocolBugs{
6994 IgnorePeerSignatureAlgorithmPreferences: true,
6995 },
6996 },
6997 shouldFail: true,
6998 expectedError: ":WRONG_SIGNATURE_TYPE:",
6999 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7000 testCases = append(testCases, testCase{
7001 testType: serverTest,
7002 name: "ClientAuth-Enforced-TLS13",
7003 config: Config{
7004 MaxVersion: VersionTLS13,
7005 Certificates: []Certificate{rsaCertificate},
7006 SignSignatureAlgorithms: []signatureAlgorithm{
7007 signatureRSAPKCS1WithMD5,
7008 },
7009 Bugs: ProtocolBugs{
7010 IgnorePeerSignatureAlgorithmPreferences: true,
7011 IgnoreSignatureVersionChecks: true,
7012 },
7013 },
7014 flags: []string{"-require-any-client-certificate"},
7015 shouldFail: true,
7016 expectedError: ":WRONG_SIGNATURE_TYPE:",
7017 })
7018
7019 testCases = append(testCases, testCase{
7020 name: "ServerAuth-Enforced-TLS13",
7021 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7022 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7023 SignSignatureAlgorithms: []signatureAlgorithm{
7024 signatureRSAPKCS1WithMD5,
7025 },
7026 Bugs: ProtocolBugs{
7027 IgnorePeerSignatureAlgorithmPreferences: true,
7028 IgnoreSignatureVersionChecks: true,
7029 },
7030 },
7031 shouldFail: true,
7032 expectedError: ":WRONG_SIGNATURE_TYPE:",
7033 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7034
7035 // Test that the agreed upon digest respects the client preferences and
7036 // the server digests.
7037 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7038 name: "NoCommonAlgorithms-Digests",
7039 config: Config{
7040 MaxVersion: VersionTLS12,
7041 ClientAuth: RequireAnyClientCert,
7042 VerifySignatureAlgorithms: []signatureAlgorithm{
7043 signatureRSAPKCS1WithSHA512,
7044 signatureRSAPKCS1WithSHA1,
7045 },
7046 },
7047 flags: []string{
7048 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7049 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7050 "-digest-prefs", "SHA256",
7051 },
7052 shouldFail: true,
7053 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7054 })
7055 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7056 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7057 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7058 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7059 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7060 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7061 signatureRSAPKCS1WithSHA512,
7062 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7063 },
7064 },
7065 flags: []string{
7066 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7067 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7068 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7069 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7070 shouldFail: true,
7071 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7072 })
7073 testCases = append(testCases, testCase{
7074 name: "NoCommonAlgorithms-TLS13",
7075 config: Config{
7076 MaxVersion: VersionTLS13,
7077 ClientAuth: RequireAnyClientCert,
7078 VerifySignatureAlgorithms: []signatureAlgorithm{
7079 signatureRSAPSSWithSHA512,
7080 signatureRSAPSSWithSHA384,
7081 },
7082 },
7083 flags: []string{
7084 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7085 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7086 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7087 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7088 shouldFail: true,
7089 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7090 })
7091 testCases = append(testCases, testCase{
7092 name: "Agree-Digest-SHA256",
7093 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7094 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7095 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7096 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7097 signatureRSAPKCS1WithSHA1,
7098 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7099 },
7100 },
7101 flags: []string{
7102 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7103 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7104 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7105 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7106 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7107 })
7108 testCases = append(testCases, testCase{
7109 name: "Agree-Digest-SHA1",
7110 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7111 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7112 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7113 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7114 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7115 },
7116 },
7117 flags: []string{
7118 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7119 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7120 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7121 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7122 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7123 })
7124 testCases = append(testCases, testCase{
7125 name: "Agree-Digest-Default",
7126 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7127 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7128 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7129 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7130 signatureRSAPKCS1WithSHA256,
7131 signatureECDSAWithP256AndSHA256,
7132 signatureRSAPKCS1WithSHA1,
7133 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7134 },
7135 },
7136 flags: []string{
7137 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7138 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7139 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7140 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7141 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7142
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7143 // Test that the signing preference list may include extra algorithms
7144 // without negotiation problems.
7145 testCases = append(testCases, testCase{
7146 testType: serverTest,
7147 name: "FilterExtraAlgorithms",
7148 config: Config{
7149 MaxVersion: VersionTLS12,
7150 VerifySignatureAlgorithms: []signatureAlgorithm{
7151 signatureRSAPKCS1WithSHA256,
7152 },
7153 },
7154 flags: []string{
7155 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7156 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7157 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7158 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7159 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7160 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7161 },
7162 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7163 })
7164
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7165 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7166 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7167 testCases = append(testCases, testCase{
7168 name: "CheckLeafCurve",
7169 config: Config{
7170 MaxVersion: VersionTLS12,
7171 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7172 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7173 },
7174 flags: []string{"-p384-only"},
7175 shouldFail: true,
7176 expectedError: ":BAD_ECC_CERT:",
7177 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7178
7179 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7180 testCases = append(testCases, testCase{
7181 name: "CheckLeafCurve-TLS13",
7182 config: Config{
7183 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7184 Certificates: []Certificate{ecdsaP256Certificate},
7185 },
7186 flags: []string{"-p384-only"},
7187 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7188
7189 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7190 testCases = append(testCases, testCase{
7191 name: "ECDSACurveMismatch-Verify-TLS12",
7192 config: Config{
7193 MaxVersion: VersionTLS12,
7194 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7195 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7196 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7197 signatureECDSAWithP384AndSHA384,
7198 },
7199 },
7200 })
7201
7202 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7203 testCases = append(testCases, testCase{
7204 name: "ECDSACurveMismatch-Verify-TLS13",
7205 config: Config{
7206 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7207 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7208 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7209 signatureECDSAWithP384AndSHA384,
7210 },
7211 Bugs: ProtocolBugs{
7212 SkipECDSACurveCheck: true,
7213 },
7214 },
7215 shouldFail: true,
7216 expectedError: ":WRONG_SIGNATURE_TYPE:",
7217 })
7218
7219 // Signature algorithm selection in TLS 1.3 should take the curve into
7220 // account.
7221 testCases = append(testCases, testCase{
7222 testType: serverTest,
7223 name: "ECDSACurveMismatch-Sign-TLS13",
7224 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7225 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7226 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7227 signatureECDSAWithP384AndSHA384,
7228 signatureECDSAWithP256AndSHA256,
7229 },
7230 },
7231 flags: []string{
7232 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7233 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7234 },
7235 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7236 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7237
7238 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7239 // server does not attempt to sign in that case.
7240 testCases = append(testCases, testCase{
7241 testType: serverTest,
7242 name: "RSA-PSS-Large",
7243 config: Config{
7244 MaxVersion: VersionTLS13,
7245 VerifySignatureAlgorithms: []signatureAlgorithm{
7246 signatureRSAPSSWithSHA512,
7247 },
7248 },
7249 flags: []string{
7250 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7251 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7252 },
7253 shouldFail: true,
7254 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7255 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7256
7257 // Test that RSA-PSS is enabled by default for TLS 1.2.
7258 testCases = append(testCases, testCase{
7259 testType: clientTest,
7260 name: "RSA-PSS-Default-Verify",
7261 config: Config{
7262 MaxVersion: VersionTLS12,
7263 SignSignatureAlgorithms: []signatureAlgorithm{
7264 signatureRSAPSSWithSHA256,
7265 },
7266 },
7267 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7268 })
7269
7270 testCases = append(testCases, testCase{
7271 testType: serverTest,
7272 name: "RSA-PSS-Default-Sign",
7273 config: Config{
7274 MaxVersion: VersionTLS12,
7275 VerifySignatureAlgorithms: []signatureAlgorithm{
7276 signatureRSAPSSWithSHA256,
7277 },
7278 },
7279 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7280 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7281}
7282
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7283// timeouts is the retransmit schedule for BoringSSL. It doubles and
7284// caps at 60 seconds. On the 13th timeout, it gives up.
7285var timeouts = []time.Duration{
7286 1 * time.Second,
7287 2 * time.Second,
7288 4 * time.Second,
7289 8 * time.Second,
7290 16 * time.Second,
7291 32 * time.Second,
7292 60 * time.Second,
7293 60 * time.Second,
7294 60 * time.Second,
7295 60 * time.Second,
7296 60 * time.Second,
7297 60 * time.Second,
7298 60 * time.Second,
7299}
7300
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7301// shortTimeouts is an alternate set of timeouts which would occur if the
7302// initial timeout duration was set to 250ms.
7303var shortTimeouts = []time.Duration{
7304 250 * time.Millisecond,
7305 500 * time.Millisecond,
7306 1 * time.Second,
7307 2 * time.Second,
7308 4 * time.Second,
7309 8 * time.Second,
7310 16 * time.Second,
7311 32 * time.Second,
7312 60 * time.Second,
7313 60 * time.Second,
7314 60 * time.Second,
7315 60 * time.Second,
7316 60 * time.Second,
7317}
7318
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7319func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7320 // These tests work by coordinating some behavior on both the shim and
7321 // the runner.
7322 //
7323 // TimeoutSchedule configures the runner to send a series of timeout
7324 // opcodes to the shim (see packetAdaptor) immediately before reading
7325 // each peer handshake flight N. The timeout opcode both simulates a
7326 // timeout in the shim and acts as a synchronization point to help the
7327 // runner bracket each handshake flight.
7328 //
7329 // We assume the shim does not read from the channel eagerly. It must
7330 // first wait until it has sent flight N and is ready to receive
7331 // handshake flight N+1. At this point, it will process the timeout
7332 // opcode. It must then immediately respond with a timeout ACK and act
7333 // as if the shim was idle for the specified amount of time.
7334 //
7335 // The runner then drops all packets received before the ACK and
7336 // continues waiting for flight N. This ordering results in one attempt
7337 // at sending flight N to be dropped. For the test to complete, the
7338 // shim must send flight N again, testing that the shim implements DTLS
7339 // retransmit on a timeout.
7340
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7341 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7342 // likely be more epochs to cross and the final message's retransmit may
7343 // be more complex.
7344
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7345 for _, async := range []bool{true, false} {
7346 var tests []testCase
7347
7348 // Test that this is indeed the timeout schedule. Stress all
7349 // four patterns of handshake.
7350 for i := 1; i < len(timeouts); i++ {
7351 number := strconv.Itoa(i)
7352 tests = append(tests, testCase{
7353 protocol: dtls,
7354 name: "DTLS-Retransmit-Client-" + number,
7355 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7356 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7357 Bugs: ProtocolBugs{
7358 TimeoutSchedule: timeouts[:i],
7359 },
7360 },
7361 resumeSession: true,
7362 })
7363 tests = append(tests, testCase{
7364 protocol: dtls,
7365 testType: serverTest,
7366 name: "DTLS-Retransmit-Server-" + number,
7367 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7368 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7369 Bugs: ProtocolBugs{
7370 TimeoutSchedule: timeouts[:i],
7371 },
7372 },
7373 resumeSession: true,
7374 })
7375 }
7376
7377 // Test that exceeding the timeout schedule hits a read
7378 // timeout.
7379 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7380 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7381 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7382 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7383 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7384 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7385 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7386 },
7387 },
7388 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7389 shouldFail: true,
7390 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7391 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7392
7393 if async {
7394 // Test that timeout handling has a fudge factor, due to API
7395 // problems.
7396 tests = append(tests, testCase{
7397 protocol: dtls,
7398 name: "DTLS-Retransmit-Fudge",
7399 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7400 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7401 Bugs: ProtocolBugs{
7402 TimeoutSchedule: []time.Duration{
7403 timeouts[0] - 10*time.Millisecond,
7404 },
7405 },
7406 },
7407 resumeSession: true,
7408 })
7409 }
7410
7411 // Test that the final Finished retransmitting isn't
7412 // duplicated if the peer badly fragments everything.
7413 tests = append(tests, testCase{
7414 testType: serverTest,
7415 protocol: dtls,
7416 name: "DTLS-Retransmit-Fragmented",
7417 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7418 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7419 Bugs: ProtocolBugs{
7420 TimeoutSchedule: []time.Duration{timeouts[0]},
7421 MaxHandshakeRecordLength: 2,
7422 },
7423 },
7424 })
7425
7426 // Test the timeout schedule when a shorter initial timeout duration is set.
7427 tests = append(tests, testCase{
7428 protocol: dtls,
7429 name: "DTLS-Retransmit-Short-Client",
7430 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7431 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7432 Bugs: ProtocolBugs{
7433 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7434 },
7435 },
7436 resumeSession: true,
7437 flags: []string{"-initial-timeout-duration-ms", "250"},
7438 })
7439 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7440 protocol: dtls,
7441 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7442 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7443 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7444 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7445 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7446 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7447 },
7448 },
7449 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7450 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7451 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7452
7453 for _, test := range tests {
7454 if async {
7455 test.name += "-Async"
7456 test.flags = append(test.flags, "-async")
7457 }
7458
7459 testCases = append(testCases, test)
7460 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7461 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7462}
7463
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7464func addExportKeyingMaterialTests() {
7465 for _, vers := range tlsVersions {
7466 if vers.version == VersionSSL30 {
7467 continue
7468 }
7469 testCases = append(testCases, testCase{
7470 name: "ExportKeyingMaterial-" + vers.name,
7471 config: Config{
7472 MaxVersion: vers.version,
7473 },
7474 exportKeyingMaterial: 1024,
7475 exportLabel: "label",
7476 exportContext: "context",
7477 useExportContext: true,
7478 })
7479 testCases = append(testCases, testCase{
7480 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7481 config: Config{
7482 MaxVersion: vers.version,
7483 },
7484 exportKeyingMaterial: 1024,
7485 })
7486 testCases = append(testCases, testCase{
7487 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7488 config: Config{
7489 MaxVersion: vers.version,
7490 },
7491 exportKeyingMaterial: 1024,
7492 useExportContext: true,
7493 })
7494 testCases = append(testCases, testCase{
7495 name: "ExportKeyingMaterial-Small-" + vers.name,
7496 config: Config{
7497 MaxVersion: vers.version,
7498 },
7499 exportKeyingMaterial: 1,
7500 exportLabel: "label",
7501 exportContext: "context",
7502 useExportContext: true,
7503 })
7504 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7505
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7506 testCases = append(testCases, testCase{
7507 name: "ExportKeyingMaterial-SSL3",
7508 config: Config{
7509 MaxVersion: VersionSSL30,
7510 },
7511 exportKeyingMaterial: 1024,
7512 exportLabel: "label",
7513 exportContext: "context",
7514 useExportContext: true,
7515 shouldFail: true,
7516 expectedError: "failed to export keying material",
7517 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7518
7519 // Exporters work during a False Start.
7520 testCases = append(testCases, testCase{
7521 name: "ExportKeyingMaterial-FalseStart",
7522 config: Config{
7523 MaxVersion: VersionTLS12,
7524 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7525 NextProtos: []string{"foo"},
7526 Bugs: ProtocolBugs{
7527 ExpectFalseStart: true,
7528 },
7529 },
7530 flags: []string{
7531 "-false-start",
7532 "-advertise-alpn", "\x03foo",
7533 },
7534 shimWritesFirst: true,
7535 exportKeyingMaterial: 1024,
7536 exportLabel: "label",
7537 exportContext: "context",
7538 useExportContext: true,
7539 })
7540
7541 // Exporters do not work in the middle of a renegotiation. Test this by
7542 // triggering the exporter after every SSL_read call and configuring the
7543 // shim to run asynchronously.
7544 testCases = append(testCases, testCase{
7545 name: "ExportKeyingMaterial-Renegotiate",
7546 config: Config{
7547 MaxVersion: VersionTLS12,
7548 },
7549 renegotiate: 1,
7550 flags: []string{
7551 "-async",
7552 "-use-exporter-between-reads",
7553 "-renegotiate-freely",
7554 "-expect-total-renegotiations", "1",
7555 },
7556 shouldFail: true,
7557 expectedError: "failed to export keying material",
7558 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7559}
7560
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7561func addTLSUniqueTests() {
7562 for _, isClient := range []bool{false, true} {
7563 for _, isResumption := range []bool{false, true} {
7564 for _, hasEMS := range []bool{false, true} {
7565 var suffix string
7566 if isResumption {
7567 suffix = "Resume-"
7568 } else {
7569 suffix = "Full-"
7570 }
7571
7572 if hasEMS {
7573 suffix += "EMS-"
7574 } else {
7575 suffix += "NoEMS-"
7576 }
7577
7578 if isClient {
7579 suffix += "Client"
7580 } else {
7581 suffix += "Server"
7582 }
7583
7584 test := testCase{
7585 name: "TLSUnique-" + suffix,
7586 testTLSUnique: true,
7587 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7588 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7589 Bugs: ProtocolBugs{
7590 NoExtendedMasterSecret: !hasEMS,
7591 },
7592 },
7593 }
7594
7595 if isResumption {
7596 test.resumeSession = true
7597 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7598 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7599 Bugs: ProtocolBugs{
7600 NoExtendedMasterSecret: !hasEMS,
7601 },
7602 }
7603 }
7604
7605 if isResumption && !hasEMS {
7606 test.shouldFail = true
7607 test.expectedError = "failed to get tls-unique"
7608 }
7609
7610 testCases = append(testCases, test)
7611 }
7612 }
7613 }
7614}
7615
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7616func addCustomExtensionTests() {
7617 expectedContents := "custom extension"
7618 emptyString := ""
7619
7620 for _, isClient := range []bool{false, true} {
7621 suffix := "Server"
7622 flag := "-enable-server-custom-extension"
7623 testType := serverTest
7624 if isClient {
7625 suffix = "Client"
7626 flag = "-enable-client-custom-extension"
7627 testType = clientTest
7628 }
7629
7630 testCases = append(testCases, testCase{
7631 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7632 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7633 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7634 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7635 Bugs: ProtocolBugs{
7636 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7637 ExpectedCustomExtension: &expectedContents,
7638 },
7639 },
7640 flags: []string{flag},
7641 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7642 testCases = append(testCases, testCase{
7643 testType: testType,
7644 name: "CustomExtensions-" + suffix + "-TLS13",
7645 config: Config{
7646 MaxVersion: VersionTLS13,
7647 Bugs: ProtocolBugs{
7648 CustomExtension: expectedContents,
7649 ExpectedCustomExtension: &expectedContents,
7650 },
7651 },
7652 flags: []string{flag},
7653 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7654
7655 // If the parse callback fails, the handshake should also fail.
7656 testCases = append(testCases, testCase{
7657 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7658 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7659 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7660 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7661 Bugs: ProtocolBugs{
7662 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7663 ExpectedCustomExtension: &expectedContents,
7664 },
7665 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7666 flags: []string{flag},
7667 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7668 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7669 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7670 testCases = append(testCases, testCase{
7671 testType: testType,
7672 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7673 config: Config{
7674 MaxVersion: VersionTLS13,
7675 Bugs: ProtocolBugs{
7676 CustomExtension: expectedContents + "foo",
7677 ExpectedCustomExtension: &expectedContents,
7678 },
7679 },
7680 flags: []string{flag},
7681 shouldFail: true,
7682 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7683 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7684
7685 // If the add callback fails, the handshake should also fail.
7686 testCases = append(testCases, testCase{
7687 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7688 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7689 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7690 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7691 Bugs: ProtocolBugs{
7692 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7693 ExpectedCustomExtension: &expectedContents,
7694 },
7695 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7696 flags: []string{flag, "-custom-extension-fail-add"},
7697 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7698 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7699 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7700 testCases = append(testCases, testCase{
7701 testType: testType,
7702 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7703 config: Config{
7704 MaxVersion: VersionTLS13,
7705 Bugs: ProtocolBugs{
7706 CustomExtension: expectedContents,
7707 ExpectedCustomExtension: &expectedContents,
7708 },
7709 },
7710 flags: []string{flag, "-custom-extension-fail-add"},
7711 shouldFail: true,
7712 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7713 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7714
7715 // If the add callback returns zero, no extension should be
7716 // added.
7717 skipCustomExtension := expectedContents
7718 if isClient {
7719 // For the case where the client skips sending the
7720 // custom extension, the server must not “echo” it.
7721 skipCustomExtension = ""
7722 }
7723 testCases = append(testCases, testCase{
7724 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7725 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7726 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7727 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7728 Bugs: ProtocolBugs{
7729 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7730 ExpectedCustomExtension: &emptyString,
7731 },
7732 },
7733 flags: []string{flag, "-custom-extension-skip"},
7734 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7735 testCases = append(testCases, testCase{
7736 testType: testType,
7737 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7738 config: Config{
7739 MaxVersion: VersionTLS13,
7740 Bugs: ProtocolBugs{
7741 CustomExtension: skipCustomExtension,
7742 ExpectedCustomExtension: &emptyString,
7743 },
7744 },
7745 flags: []string{flag, "-custom-extension-skip"},
7746 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7747 }
7748
7749 // The custom extension add callback should not be called if the client
7750 // doesn't send the extension.
7751 testCases = append(testCases, testCase{
7752 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7753 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7754 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7755 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7756 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7757 ExpectedCustomExtension: &emptyString,
7758 },
7759 },
7760 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7761 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7762
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7763 testCases = append(testCases, testCase{
7764 testType: serverTest,
7765 name: "CustomExtensions-NotCalled-Server-TLS13",
7766 config: Config{
7767 MaxVersion: VersionTLS13,
7768 Bugs: ProtocolBugs{
7769 ExpectedCustomExtension: &emptyString,
7770 },
7771 },
7772 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7773 })
7774
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7775 // Test an unknown extension from the server.
7776 testCases = append(testCases, testCase{
7777 testType: clientTest,
7778 name: "UnknownExtension-Client",
7779 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7780 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7781 Bugs: ProtocolBugs{
7782 CustomExtension: expectedContents,
7783 },
7784 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7785 shouldFail: true,
7786 expectedError: ":UNEXPECTED_EXTENSION:",
7787 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7788 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7789 testCases = append(testCases, testCase{
7790 testType: clientTest,
7791 name: "UnknownExtension-Client-TLS13",
7792 config: Config{
7793 MaxVersion: VersionTLS13,
7794 Bugs: ProtocolBugs{
7795 CustomExtension: expectedContents,
7796 },
7797 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7798 shouldFail: true,
7799 expectedError: ":UNEXPECTED_EXTENSION:",
7800 expectedLocalError: "remote error: unsupported extension",
7801 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]7802 testCases = append(testCases, testCase{
7803 testType: clientTest,
7804 name: "UnknownUnencryptedExtension-Client-TLS13",
7805 config: Config{
7806 MaxVersion: VersionTLS13,
7807 Bugs: ProtocolBugs{
7808 CustomUnencryptedExtension: expectedContents,
7809 },
7810 },
7811 shouldFail: true,
7812 expectedError: ":UNEXPECTED_EXTENSION:",
7813 // The shim must send an alert, but alerts at this point do not
7814 // get successfully decrypted by the runner.
7815 expectedLocalError: "local error: bad record MAC",
7816 })
7817 testCases = append(testCases, testCase{
7818 testType: clientTest,
7819 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7820 config: Config{
7821 MaxVersion: VersionTLS13,
7822 Bugs: ProtocolBugs{
7823 SendUnencryptedALPN: "foo",
7824 },
7825 },
7826 flags: []string{
7827 "-advertise-alpn", "\x03foo\x03bar",
7828 },
7829 shouldFail: true,
7830 expectedError: ":UNEXPECTED_EXTENSION:",
7831 // The shim must send an alert, but alerts at this point do not
7832 // get successfully decrypted by the runner.
7833 expectedLocalError: "local error: bad record MAC",
7834 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7835
7836 // Test a known but unoffered extension from the server.
7837 testCases = append(testCases, testCase{
7838 testType: clientTest,
7839 name: "UnofferedExtension-Client",
7840 config: Config{
7841 MaxVersion: VersionTLS12,
7842 Bugs: ProtocolBugs{
7843 SendALPN: "alpn",
7844 },
7845 },
7846 shouldFail: true,
7847 expectedError: ":UNEXPECTED_EXTENSION:",
7848 expectedLocalError: "remote error: unsupported extension",
7849 })
7850 testCases = append(testCases, testCase{
7851 testType: clientTest,
7852 name: "UnofferedExtension-Client-TLS13",
7853 config: Config{
7854 MaxVersion: VersionTLS13,
7855 Bugs: ProtocolBugs{
7856 SendALPN: "alpn",
7857 },
7858 },
7859 shouldFail: true,
7860 expectedError: ":UNEXPECTED_EXTENSION:",
7861 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7862 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7863}
7864
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7865func addRSAClientKeyExchangeTests() {
7866 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7867 testCases = append(testCases, testCase{
7868 testType: serverTest,
7869 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7870 config: Config{
7871 // Ensure the ClientHello version and final
7872 // version are different, to detect if the
7873 // server uses the wrong one.
7874 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]7875 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7876 Bugs: ProtocolBugs{
7877 BadRSAClientKeyExchange: bad,
7878 },
7879 },
7880 shouldFail: true,
7881 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7882 })
7883 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]7884
7885 // The server must compare whatever was in ClientHello.version for the
7886 // RSA premaster.
7887 testCases = append(testCases, testCase{
7888 testType: serverTest,
7889 name: "SendClientVersion-RSA",
7890 config: Config{
7891 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7892 Bugs: ProtocolBugs{
7893 SendClientVersion: 0x1234,
7894 },
7895 },
7896 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7897 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7898}
7899
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7900var testCurves = []struct {
7901 name string
7902 id CurveID
7903}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7904 {"P-256", CurveP256},
7905 {"P-384", CurveP384},
7906 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]7907 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7908}
7909
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7910const bogusCurve = 0x1234
7911
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7912func addCurveTests() {
7913 for _, curve := range testCurves {
7914 testCases = append(testCases, testCase{
7915 name: "CurveTest-Client-" + curve.name,
7916 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7917 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7918 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7919 CurvePreferences: []CurveID{curve.id},
7920 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7921 flags: []string{
7922 "-enable-all-curves",
7923 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7924 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7925 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7926 })
7927 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7928 name: "CurveTest-Client-" + curve.name + "-TLS13",
7929 config: Config{
7930 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7931 CurvePreferences: []CurveID{curve.id},
7932 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7933 flags: []string{
7934 "-enable-all-curves",
7935 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7936 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7937 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7938 })
7939 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7940 testType: serverTest,
7941 name: "CurveTest-Server-" + curve.name,
7942 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7943 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7944 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7945 CurvePreferences: []CurveID{curve.id},
7946 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7947 flags: []string{
7948 "-enable-all-curves",
7949 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7950 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7951 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7952 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7953 testCases = append(testCases, testCase{
7954 testType: serverTest,
7955 name: "CurveTest-Server-" + curve.name + "-TLS13",
7956 config: Config{
7957 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7958 CurvePreferences: []CurveID{curve.id},
7959 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7960 flags: []string{
7961 "-enable-all-curves",
7962 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7963 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7964 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7965 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7966 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7967
7968 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7969 testCases = append(testCases, testCase{
7970 testType: serverTest,
7971 name: "UnknownCurve",
7972 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7973 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7974 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7975 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7976 },
7977 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7978
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7979 // The server must be tolerant to bogus curves.
7980 testCases = append(testCases, testCase{
7981 testType: serverTest,
7982 name: "UnknownCurve-TLS13",
7983 config: Config{
7984 MaxVersion: VersionTLS13,
7985 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7986 },
7987 })
7988
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7989 // The server must not consider ECDHE ciphers when there are no
7990 // supported curves.
7991 testCases = append(testCases, testCase{
7992 testType: serverTest,
7993 name: "NoSupportedCurves",
7994 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7995 MaxVersion: VersionTLS12,
7996 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7997 Bugs: ProtocolBugs{
7998 NoSupportedCurves: true,
7999 },
8000 },
8001 shouldFail: true,
8002 expectedError: ":NO_SHARED_CIPHER:",
8003 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8004 testCases = append(testCases, testCase{
8005 testType: serverTest,
8006 name: "NoSupportedCurves-TLS13",
8007 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8008 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8009 Bugs: ProtocolBugs{
8010 NoSupportedCurves: true,
8011 },
8012 },
8013 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8014 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8015 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8016
8017 // The server must fall back to another cipher when there are no
8018 // supported curves.
8019 testCases = append(testCases, testCase{
8020 testType: serverTest,
8021 name: "NoCommonCurves",
8022 config: Config{
8023 MaxVersion: VersionTLS12,
8024 CipherSuites: []uint16{
8025 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8026 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8027 },
8028 CurvePreferences: []CurveID{CurveP224},
8029 },
8030 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8031 })
8032
8033 // The client must reject bogus curves and disabled curves.
8034 testCases = append(testCases, testCase{
8035 name: "BadECDHECurve",
8036 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8037 MaxVersion: VersionTLS12,
8038 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8039 Bugs: ProtocolBugs{
8040 SendCurve: bogusCurve,
8041 },
8042 },
8043 shouldFail: true,
8044 expectedError: ":WRONG_CURVE:",
8045 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8046 testCases = append(testCases, testCase{
8047 name: "BadECDHECurve-TLS13",
8048 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8049 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8050 Bugs: ProtocolBugs{
8051 SendCurve: bogusCurve,
8052 },
8053 },
8054 shouldFail: true,
8055 expectedError: ":WRONG_CURVE:",
8056 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8057
8058 testCases = append(testCases, testCase{
8059 name: "UnsupportedCurve",
8060 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8061 MaxVersion: VersionTLS12,
8062 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8063 CurvePreferences: []CurveID{CurveP256},
8064 Bugs: ProtocolBugs{
8065 IgnorePeerCurvePreferences: true,
8066 },
8067 },
8068 flags: []string{"-p384-only"},
8069 shouldFail: true,
8070 expectedError: ":WRONG_CURVE:",
8071 })
8072
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8073 testCases = append(testCases, testCase{
8074 // TODO(davidben): Add a TLS 1.3 version where
8075 // HelloRetryRequest requests an unsupported curve.
8076 name: "UnsupportedCurve-ServerHello-TLS13",
8077 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8078 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8079 CurvePreferences: []CurveID{CurveP384},
8080 Bugs: ProtocolBugs{
8081 SendCurve: CurveP256,
8082 },
8083 },
8084 flags: []string{"-p384-only"},
8085 shouldFail: true,
8086 expectedError: ":WRONG_CURVE:",
8087 })
8088
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8089 // Test invalid curve points.
8090 testCases = append(testCases, testCase{
8091 name: "InvalidECDHPoint-Client",
8092 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8093 MaxVersion: VersionTLS12,
8094 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8095 CurvePreferences: []CurveID{CurveP256},
8096 Bugs: ProtocolBugs{
8097 InvalidECDHPoint: true,
8098 },
8099 },
8100 shouldFail: true,
8101 expectedError: ":INVALID_ENCODING:",
8102 })
8103 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8104 name: "InvalidECDHPoint-Client-TLS13",
8105 config: Config{
8106 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8107 CurvePreferences: []CurveID{CurveP256},
8108 Bugs: ProtocolBugs{
8109 InvalidECDHPoint: true,
8110 },
8111 },
8112 shouldFail: true,
8113 expectedError: ":INVALID_ENCODING:",
8114 })
8115 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8116 testType: serverTest,
8117 name: "InvalidECDHPoint-Server",
8118 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8119 MaxVersion: VersionTLS12,
8120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8121 CurvePreferences: []CurveID{CurveP256},
8122 Bugs: ProtocolBugs{
8123 InvalidECDHPoint: true,
8124 },
8125 },
8126 shouldFail: true,
8127 expectedError: ":INVALID_ENCODING:",
8128 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8129 testCases = append(testCases, testCase{
8130 testType: serverTest,
8131 name: "InvalidECDHPoint-Server-TLS13",
8132 config: Config{
8133 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8134 CurvePreferences: []CurveID{CurveP256},
8135 Bugs: ProtocolBugs{
8136 InvalidECDHPoint: true,
8137 },
8138 },
8139 shouldFail: true,
8140 expectedError: ":INVALID_ENCODING:",
8141 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8142
8143 // The previous curve ID should be reported on TLS 1.2 resumption.
8144 testCases = append(testCases, testCase{
8145 name: "CurveID-Resume-Client",
8146 config: Config{
8147 MaxVersion: VersionTLS12,
8148 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8149 CurvePreferences: []CurveID{CurveX25519},
8150 },
8151 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8152 resumeSession: true,
8153 })
8154 testCases = append(testCases, testCase{
8155 testType: serverTest,
8156 name: "CurveID-Resume-Server",
8157 config: Config{
8158 MaxVersion: VersionTLS12,
8159 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8160 CurvePreferences: []CurveID{CurveX25519},
8161 },
8162 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8163 resumeSession: true,
8164 })
8165
8166 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8167 // one should be reported.
8168 testCases = append(testCases, testCase{
8169 name: "CurveID-Resume-Client-TLS13",
8170 config: Config{
8171 MaxVersion: VersionTLS13,
8172 CurvePreferences: []CurveID{CurveX25519},
8173 },
8174 resumeConfig: &Config{
8175 MaxVersion: VersionTLS13,
8176 CurvePreferences: []CurveID{CurveP256},
8177 },
8178 flags: []string{
8179 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8180 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8181 },
8182 resumeSession: true,
8183 })
8184 testCases = append(testCases, testCase{
8185 testType: serverTest,
8186 name: "CurveID-Resume-Server-TLS13",
8187 config: Config{
8188 MaxVersion: VersionTLS13,
8189 CurvePreferences: []CurveID{CurveX25519},
8190 },
8191 resumeConfig: &Config{
8192 MaxVersion: VersionTLS13,
8193 CurvePreferences: []CurveID{CurveP256},
8194 },
8195 flags: []string{
8196 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8197 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8198 },
8199 resumeSession: true,
8200 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8201
8202 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8203 testCases = append(testCases, testCase{
8204 name: "PointFormat-ServerHello-TLS12",
8205 config: Config{
8206 MaxVersion: VersionTLS12,
8207 Bugs: ProtocolBugs{
8208 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8209 },
8210 },
8211 })
8212 testCases = append(testCases, testCase{
8213 name: "PointFormat-EncryptedExtensions-TLS13",
8214 config: Config{
8215 MaxVersion: VersionTLS13,
8216 Bugs: ProtocolBugs{
8217 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8218 },
8219 },
8220 shouldFail: true,
8221 expectedError: ":ERROR_PARSING_EXTENSION:",
8222 })
8223
8224 // Test that we tolerate unknown point formats, as long as
8225 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8226 // check they are still functional.
8227 testCases = append(testCases, testCase{
8228 name: "PointFormat-Client-Tolerance",
8229 config: Config{
8230 MaxVersion: VersionTLS12,
8231 Bugs: ProtocolBugs{
8232 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8233 },
8234 },
8235 })
8236 testCases = append(testCases, testCase{
8237 testType: serverTest,
8238 name: "PointFormat-Server-Tolerance",
8239 config: Config{
8240 MaxVersion: VersionTLS12,
8241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8242 Bugs: ProtocolBugs{
8243 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8244 },
8245 },
8246 })
8247
8248 // Test TLS 1.2 does not require the point format extension to be
8249 // present.
8250 testCases = append(testCases, testCase{
8251 name: "PointFormat-Client-Missing",
8252 config: Config{
8253 MaxVersion: VersionTLS12,
8254 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8255 Bugs: ProtocolBugs{
8256 SendSupportedPointFormats: []byte{},
8257 },
8258 },
8259 })
8260 testCases = append(testCases, testCase{
8261 testType: serverTest,
8262 name: "PointFormat-Server-Missing",
8263 config: Config{
8264 MaxVersion: VersionTLS12,
8265 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8266 Bugs: ProtocolBugs{
8267 SendSupportedPointFormats: []byte{},
8268 },
8269 },
8270 })
8271
8272 // If the point format extension is present, uncompressed points must be
8273 // offered. BoringSSL requires this whether or not ECDHE is used.
8274 testCases = append(testCases, testCase{
8275 name: "PointFormat-Client-MissingUncompressed",
8276 config: Config{
8277 MaxVersion: VersionTLS12,
8278 Bugs: ProtocolBugs{
8279 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8280 },
8281 },
8282 shouldFail: true,
8283 expectedError: ":ERROR_PARSING_EXTENSION:",
8284 })
8285 testCases = append(testCases, testCase{
8286 testType: serverTest,
8287 name: "PointFormat-Server-MissingUncompressed",
8288 config: Config{
8289 MaxVersion: VersionTLS12,
8290 Bugs: ProtocolBugs{
8291 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8292 },
8293 },
8294 shouldFail: true,
8295 expectedError: ":ERROR_PARSING_EXTENSION:",
8296 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8297}
8298
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8299func addTLS13RecordTests() {
8300 testCases = append(testCases, testCase{
8301 name: "TLS13-RecordPadding",
8302 config: Config{
8303 MaxVersion: VersionTLS13,
8304 MinVersion: VersionTLS13,
8305 Bugs: ProtocolBugs{
8306 RecordPadding: 10,
8307 },
8308 },
8309 })
8310
8311 testCases = append(testCases, testCase{
8312 name: "TLS13-EmptyRecords",
8313 config: Config{
8314 MaxVersion: VersionTLS13,
8315 MinVersion: VersionTLS13,
8316 Bugs: ProtocolBugs{
8317 OmitRecordContents: true,
8318 },
8319 },
8320 shouldFail: true,
8321 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8322 })
8323
8324 testCases = append(testCases, testCase{
8325 name: "TLS13-OnlyPadding",
8326 config: Config{
8327 MaxVersion: VersionTLS13,
8328 MinVersion: VersionTLS13,
8329 Bugs: ProtocolBugs{
8330 OmitRecordContents: true,
8331 RecordPadding: 10,
8332 },
8333 },
8334 shouldFail: true,
8335 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8336 })
8337
8338 testCases = append(testCases, testCase{
8339 name: "TLS13-WrongOuterRecord",
8340 config: Config{
8341 MaxVersion: VersionTLS13,
8342 MinVersion: VersionTLS13,
8343 Bugs: ProtocolBugs{
8344 OuterRecordType: recordTypeHandshake,
8345 },
8346 },
8347 shouldFail: true,
8348 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8349 })
8350}
8351
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8352func addSessionTicketTests() {
8353 testCases = append(testCases, testCase{
8354 // In TLS 1.2 and below, empty NewSessionTicket messages
8355 // mean the server changed its mind on sending a ticket.
8356 name: "SendEmptySessionTicket",
8357 config: Config{
8358 MaxVersion: VersionTLS12,
8359 Bugs: ProtocolBugs{
8360 SendEmptySessionTicket: true,
8361 },
8362 },
8363 flags: []string{"-expect-no-session"},
8364 })
8365
8366 // Test that the server ignores unknown PSK modes.
8367 testCases = append(testCases, testCase{
8368 testType: serverTest,
8369 name: "TLS13-SendUnknownModeSessionTicket-Server",
8370 config: Config{
8371 MaxVersion: VersionTLS13,
8372 Bugs: ProtocolBugs{
8373 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8374 },
8375 },
8376 resumeSession: true,
8377 expectedResumeVersion: VersionTLS13,
8378 })
8379
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8380 // Test that the server does not send session tickets with no matching key exchange mode.
8381 testCases = append(testCases, testCase{
8382 testType: serverTest,
8383 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8384 config: Config{
8385 MaxVersion: VersionTLS13,
8386 Bugs: ProtocolBugs{
8387 SendPSKKeyExchangeModes: []byte{0x1a},
8388 ExpectNoNewSessionTicket: true,
8389 },
8390 },
8391 })
8392
8393 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8394 testCases = append(testCases, testCase{
8395 testType: serverTest,
8396 name: "TLS13-SendBadKEModeSessionTicket-Server",
8397 config: Config{
8398 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8399 },
8400 resumeConfig: &Config{
8401 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8402 Bugs: ProtocolBugs{
8403 SendPSKKeyExchangeModes: []byte{0x1a},
8404 },
8405 },
8406 resumeSession: true,
8407 expectResumeRejected: true,
8408 })
8409
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8410 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8411 testCases = append(testCases, testCase{
8412 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8413 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8414 config: Config{
8415 MaxVersion: VersionTLS13,
8416 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8417 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8418 },
8419 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8420 resumeSession: true,
8421 flags: []string{
8422 "-resumption-delay", "10",
8423 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8424 })
8425
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8426 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8427 testCases = append(testCases, testCase{
8428 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8429 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8430 config: Config{
8431 MaxVersion: VersionTLS13,
8432 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8433 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8434 },
8435 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8436 resumeSession: true,
8437 shouldFail: true,
8438 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8439 })
8440
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8441 testCases = append(testCases, testCase{
8442 testType: clientTest,
8443 name: "TLS13-SendTicketEarlyDataInfo",
8444 config: Config{
8445 MaxVersion: VersionTLS13,
8446 Bugs: ProtocolBugs{
8447 SendTicketEarlyDataInfo: 16384,
8448 },
8449 },
8450 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8451 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8452 "-expect-early-data-info",
8453 },
8454 })
8455
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8456 // Test that 0-RTT tickets are ignored in clients unless opted in.
8457 testCases = append(testCases, testCase{
8458 testType: clientTest,
8459 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8460 config: Config{
8461 MaxVersion: VersionTLS13,
8462 Bugs: ProtocolBugs{
8463 SendTicketEarlyDataInfo: 16384,
8464 },
8465 },
8466 })
8467
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8468 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8469 testType: clientTest,
8470 name: "TLS13-DuplicateTicketEarlyDataInfo",
8471 config: Config{
8472 MaxVersion: VersionTLS13,
8473 Bugs: ProtocolBugs{
8474 SendTicketEarlyDataInfo: 16384,
8475 DuplicateTicketEarlyDataInfo: true,
8476 },
8477 },
8478 shouldFail: true,
8479 expectedError: ":DUPLICATE_EXTENSION:",
8480 expectedLocalError: "remote error: illegal parameter",
8481 })
8482
8483 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8484 testType: serverTest,
8485 name: "TLS13-ExpectTicketEarlyDataInfo",
8486 config: Config{
8487 MaxVersion: VersionTLS13,
8488 Bugs: ProtocolBugs{
8489 ExpectTicketEarlyDataInfo: true,
8490 },
8491 },
8492 flags: []string{
8493 "-enable-early-data",
8494 },
8495 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8496}
8497
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8498func addChangeCipherSpecTests() {
8499 // Test missing ChangeCipherSpecs.
8500 testCases = append(testCases, testCase{
8501 name: "SkipChangeCipherSpec-Client",
8502 config: Config{
8503 MaxVersion: VersionTLS12,
8504 Bugs: ProtocolBugs{
8505 SkipChangeCipherSpec: true,
8506 },
8507 },
8508 shouldFail: true,
8509 expectedError: ":UNEXPECTED_RECORD:",
8510 })
8511 testCases = append(testCases, testCase{
8512 testType: serverTest,
8513 name: "SkipChangeCipherSpec-Server",
8514 config: Config{
8515 MaxVersion: VersionTLS12,
8516 Bugs: ProtocolBugs{
8517 SkipChangeCipherSpec: true,
8518 },
8519 },
8520 shouldFail: true,
8521 expectedError: ":UNEXPECTED_RECORD:",
8522 })
8523 testCases = append(testCases, testCase{
8524 testType: serverTest,
8525 name: "SkipChangeCipherSpec-Server-NPN",
8526 config: Config{
8527 MaxVersion: VersionTLS12,
8528 NextProtos: []string{"bar"},
8529 Bugs: ProtocolBugs{
8530 SkipChangeCipherSpec: true,
8531 },
8532 },
8533 flags: []string{
8534 "-advertise-npn", "\x03foo\x03bar\x03baz",
8535 },
8536 shouldFail: true,
8537 expectedError: ":UNEXPECTED_RECORD:",
8538 })
8539
8540 // Test synchronization between the handshake and ChangeCipherSpec.
8541 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8542 // rejected. Test both with and without handshake packing to handle both
8543 // when the partial post-CCS message is in its own record and when it is
8544 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8545 for _, packed := range []bool{false, true} {
8546 var suffix string
8547 if packed {
8548 suffix = "-Packed"
8549 }
8550
8551 testCases = append(testCases, testCase{
8552 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8553 config: Config{
8554 MaxVersion: VersionTLS12,
8555 Bugs: ProtocolBugs{
8556 FragmentAcrossChangeCipherSpec: true,
8557 PackHandshakeFlight: packed,
8558 },
8559 },
8560 shouldFail: true,
8561 expectedError: ":UNEXPECTED_RECORD:",
8562 })
8563 testCases = append(testCases, testCase{
8564 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8565 config: Config{
8566 MaxVersion: VersionTLS12,
8567 },
8568 resumeSession: true,
8569 resumeConfig: &Config{
8570 MaxVersion: VersionTLS12,
8571 Bugs: ProtocolBugs{
8572 FragmentAcrossChangeCipherSpec: true,
8573 PackHandshakeFlight: packed,
8574 },
8575 },
8576 shouldFail: true,
8577 expectedError: ":UNEXPECTED_RECORD:",
8578 })
8579 testCases = append(testCases, testCase{
8580 testType: serverTest,
8581 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8582 config: Config{
8583 MaxVersion: VersionTLS12,
8584 Bugs: ProtocolBugs{
8585 FragmentAcrossChangeCipherSpec: true,
8586 PackHandshakeFlight: packed,
8587 },
8588 },
8589 shouldFail: true,
8590 expectedError: ":UNEXPECTED_RECORD:",
8591 })
8592 testCases = append(testCases, testCase{
8593 testType: serverTest,
8594 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8595 config: Config{
8596 MaxVersion: VersionTLS12,
8597 },
8598 resumeSession: true,
8599 resumeConfig: &Config{
8600 MaxVersion: VersionTLS12,
8601 Bugs: ProtocolBugs{
8602 FragmentAcrossChangeCipherSpec: true,
8603 PackHandshakeFlight: packed,
8604 },
8605 },
8606 shouldFail: true,
8607 expectedError: ":UNEXPECTED_RECORD:",
8608 })
8609 testCases = append(testCases, testCase{
8610 testType: serverTest,
8611 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8612 config: Config{
8613 MaxVersion: VersionTLS12,
8614 NextProtos: []string{"bar"},
8615 Bugs: ProtocolBugs{
8616 FragmentAcrossChangeCipherSpec: true,
8617 PackHandshakeFlight: packed,
8618 },
8619 },
8620 flags: []string{
8621 "-advertise-npn", "\x03foo\x03bar\x03baz",
8622 },
8623 shouldFail: true,
8624 expectedError: ":UNEXPECTED_RECORD:",
8625 })
8626 }
8627
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8628 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8629 // messages in the handshake queue. Do this by testing the server
8630 // reading the client Finished, reversing the flight so Finished comes
8631 // first.
8632 testCases = append(testCases, testCase{
8633 protocol: dtls,
8634 testType: serverTest,
8635 name: "SendUnencryptedFinished-DTLS",
8636 config: Config{
8637 MaxVersion: VersionTLS12,
8638 Bugs: ProtocolBugs{
8639 SendUnencryptedFinished: true,
8640 ReverseHandshakeFragments: true,
8641 },
8642 },
8643 shouldFail: true,
8644 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8645 })
8646
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8647 // Test synchronization between encryption changes and the handshake in
8648 // TLS 1.3, where ChangeCipherSpec is implicit.
8649 testCases = append(testCases, testCase{
8650 name: "PartialEncryptedExtensionsWithServerHello",
8651 config: Config{
8652 MaxVersion: VersionTLS13,
8653 Bugs: ProtocolBugs{
8654 PartialEncryptedExtensionsWithServerHello: true,
8655 },
8656 },
8657 shouldFail: true,
8658 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8659 })
8660 testCases = append(testCases, testCase{
8661 testType: serverTest,
8662 name: "PartialClientFinishedWithClientHello",
8663 config: Config{
8664 MaxVersion: VersionTLS13,
8665 Bugs: ProtocolBugs{
8666 PartialClientFinishedWithClientHello: true,
8667 },
8668 },
8669 shouldFail: true,
8670 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8671 })
8672
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8673 // Test that early ChangeCipherSpecs are handled correctly.
8674 testCases = append(testCases, testCase{
8675 testType: serverTest,
8676 name: "EarlyChangeCipherSpec-server-1",
8677 config: Config{
8678 MaxVersion: VersionTLS12,
8679 Bugs: ProtocolBugs{
8680 EarlyChangeCipherSpec: 1,
8681 },
8682 },
8683 shouldFail: true,
8684 expectedError: ":UNEXPECTED_RECORD:",
8685 })
8686 testCases = append(testCases, testCase{
8687 testType: serverTest,
8688 name: "EarlyChangeCipherSpec-server-2",
8689 config: Config{
8690 MaxVersion: VersionTLS12,
8691 Bugs: ProtocolBugs{
8692 EarlyChangeCipherSpec: 2,
8693 },
8694 },
8695 shouldFail: true,
8696 expectedError: ":UNEXPECTED_RECORD:",
8697 })
8698 testCases = append(testCases, testCase{
8699 protocol: dtls,
8700 name: "StrayChangeCipherSpec",
8701 config: Config{
8702 // TODO(davidben): Once DTLS 1.3 exists, test
8703 // that stray ChangeCipherSpec messages are
8704 // rejected.
8705 MaxVersion: VersionTLS12,
8706 Bugs: ProtocolBugs{
8707 StrayChangeCipherSpec: true,
8708 },
8709 },
8710 })
8711
8712 // Test that the contents of ChangeCipherSpec are checked.
8713 testCases = append(testCases, testCase{
8714 name: "BadChangeCipherSpec-1",
8715 config: Config{
8716 MaxVersion: VersionTLS12,
8717 Bugs: ProtocolBugs{
8718 BadChangeCipherSpec: []byte{2},
8719 },
8720 },
8721 shouldFail: true,
8722 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8723 })
8724 testCases = append(testCases, testCase{
8725 name: "BadChangeCipherSpec-2",
8726 config: Config{
8727 MaxVersion: VersionTLS12,
8728 Bugs: ProtocolBugs{
8729 BadChangeCipherSpec: []byte{1, 1},
8730 },
8731 },
8732 shouldFail: true,
8733 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8734 })
8735 testCases = append(testCases, testCase{
8736 protocol: dtls,
8737 name: "BadChangeCipherSpec-DTLS-1",
8738 config: Config{
8739 MaxVersion: VersionTLS12,
8740 Bugs: ProtocolBugs{
8741 BadChangeCipherSpec: []byte{2},
8742 },
8743 },
8744 shouldFail: true,
8745 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8746 })
8747 testCases = append(testCases, testCase{
8748 protocol: dtls,
8749 name: "BadChangeCipherSpec-DTLS-2",
8750 config: Config{
8751 MaxVersion: VersionTLS12,
8752 Bugs: ProtocolBugs{
8753 BadChangeCipherSpec: []byte{1, 1},
8754 },
8755 },
8756 shouldFail: true,
8757 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8758 })
8759}
8760
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8761type perMessageTest struct {
8762 messageType uint8
8763 test testCase
8764}
8765
8766// makePerMessageTests returns a series of test templates which cover each
8767// message in the TLS handshake. These may be used with bugs like
8768// WrongMessageType to fully test a per-message bug.
8769func makePerMessageTests() []perMessageTest {
8770 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8771 for _, protocol := range []protocol{tls, dtls} {
8772 var suffix string
8773 if protocol == dtls {
8774 suffix = "-DTLS"
8775 }
8776
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8777 ret = append(ret, perMessageTest{
8778 messageType: typeClientHello,
8779 test: testCase{
8780 protocol: protocol,
8781 testType: serverTest,
8782 name: "ClientHello" + suffix,
8783 config: Config{
8784 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8785 },
8786 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8787 })
8788
8789 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8790 ret = append(ret, perMessageTest{
8791 messageType: typeHelloVerifyRequest,
8792 test: testCase{
8793 protocol: protocol,
8794 name: "HelloVerifyRequest" + suffix,
8795 config: Config{
8796 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8797 },
8798 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8799 })
8800 }
8801
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8802 ret = append(ret, perMessageTest{
8803 messageType: typeServerHello,
8804 test: testCase{
8805 protocol: protocol,
8806 name: "ServerHello" + suffix,
8807 config: Config{
8808 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8809 },
8810 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8811 })
8812
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8813 ret = append(ret, perMessageTest{
8814 messageType: typeCertificate,
8815 test: testCase{
8816 protocol: protocol,
8817 name: "ServerCertificate" + suffix,
8818 config: Config{
8819 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8820 },
8821 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8822 })
8823
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8824 ret = append(ret, perMessageTest{
8825 messageType: typeCertificateStatus,
8826 test: testCase{
8827 protocol: protocol,
8828 name: "CertificateStatus" + suffix,
8829 config: Config{
8830 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8831 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8832 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8833 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8834 })
8835
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8836 ret = append(ret, perMessageTest{
8837 messageType: typeServerKeyExchange,
8838 test: testCase{
8839 protocol: protocol,
8840 name: "ServerKeyExchange" + suffix,
8841 config: Config{
8842 MaxVersion: VersionTLS12,
8843 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8844 },
8845 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8846 })
8847
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8848 ret = append(ret, perMessageTest{
8849 messageType: typeCertificateRequest,
8850 test: testCase{
8851 protocol: protocol,
8852 name: "CertificateRequest" + suffix,
8853 config: Config{
8854 MaxVersion: VersionTLS12,
8855 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8856 },
8857 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8858 })
8859
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8860 ret = append(ret, perMessageTest{
8861 messageType: typeServerHelloDone,
8862 test: testCase{
8863 protocol: protocol,
8864 name: "ServerHelloDone" + suffix,
8865 config: Config{
8866 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8867 },
8868 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8869 })
8870
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8871 ret = append(ret, perMessageTest{
8872 messageType: typeCertificate,
8873 test: testCase{
8874 testType: serverTest,
8875 protocol: protocol,
8876 name: "ClientCertificate" + suffix,
8877 config: Config{
8878 Certificates: []Certificate{rsaCertificate},
8879 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8880 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8881 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8882 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8883 })
8884
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8885 ret = append(ret, perMessageTest{
8886 messageType: typeCertificateVerify,
8887 test: testCase{
8888 testType: serverTest,
8889 protocol: protocol,
8890 name: "CertificateVerify" + suffix,
8891 config: Config{
8892 Certificates: []Certificate{rsaCertificate},
8893 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8894 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8895 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8896 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8897 })
8898
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8899 ret = append(ret, perMessageTest{
8900 messageType: typeClientKeyExchange,
8901 test: testCase{
8902 testType: serverTest,
8903 protocol: protocol,
8904 name: "ClientKeyExchange" + suffix,
8905 config: Config{
8906 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8907 },
8908 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8909 })
8910
8911 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8912 ret = append(ret, perMessageTest{
8913 messageType: typeNextProtocol,
8914 test: testCase{
8915 testType: serverTest,
8916 protocol: protocol,
8917 name: "NextProtocol" + suffix,
8918 config: Config{
8919 MaxVersion: VersionTLS12,
8920 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8921 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8922 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8923 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8924 })
8925
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8926 ret = append(ret, perMessageTest{
8927 messageType: typeChannelID,
8928 test: testCase{
8929 testType: serverTest,
8930 protocol: protocol,
8931 name: "ChannelID" + suffix,
8932 config: Config{
8933 MaxVersion: VersionTLS12,
8934 ChannelID: channelIDKey,
8935 },
8936 flags: []string{
8937 "-expect-channel-id",
8938 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8939 },
8940 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8941 })
8942 }
8943
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8944 ret = append(ret, perMessageTest{
8945 messageType: typeFinished,
8946 test: testCase{
8947 testType: serverTest,
8948 protocol: protocol,
8949 name: "ClientFinished" + suffix,
8950 config: Config{
8951 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8952 },
8953 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8954 })
8955
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8956 ret = append(ret, perMessageTest{
8957 messageType: typeNewSessionTicket,
8958 test: testCase{
8959 protocol: protocol,
8960 name: "NewSessionTicket" + suffix,
8961 config: Config{
8962 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8963 },
8964 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8965 })
8966
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8967 ret = append(ret, perMessageTest{
8968 messageType: typeFinished,
8969 test: testCase{
8970 protocol: protocol,
8971 name: "ServerFinished" + suffix,
8972 config: Config{
8973 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8974 },
8975 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8976 })
8977
8978 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8979
8980 ret = append(ret, perMessageTest{
8981 messageType: typeClientHello,
8982 test: testCase{
8983 testType: serverTest,
8984 name: "TLS13-ClientHello",
8985 config: Config{
8986 MaxVersion: VersionTLS13,
8987 },
8988 },
8989 })
8990
8991 ret = append(ret, perMessageTest{
8992 messageType: typeServerHello,
8993 test: testCase{
8994 name: "TLS13-ServerHello",
8995 config: Config{
8996 MaxVersion: VersionTLS13,
8997 },
8998 },
8999 })
9000
9001 ret = append(ret, perMessageTest{
9002 messageType: typeEncryptedExtensions,
9003 test: testCase{
9004 name: "TLS13-EncryptedExtensions",
9005 config: Config{
9006 MaxVersion: VersionTLS13,
9007 },
9008 },
9009 })
9010
9011 ret = append(ret, perMessageTest{
9012 messageType: typeCertificateRequest,
9013 test: testCase{
9014 name: "TLS13-CertificateRequest",
9015 config: Config{
9016 MaxVersion: VersionTLS13,
9017 ClientAuth: RequireAnyClientCert,
9018 },
9019 },
9020 })
9021
9022 ret = append(ret, perMessageTest{
9023 messageType: typeCertificate,
9024 test: testCase{
9025 name: "TLS13-ServerCertificate",
9026 config: Config{
9027 MaxVersion: VersionTLS13,
9028 },
9029 },
9030 })
9031
9032 ret = append(ret, perMessageTest{
9033 messageType: typeCertificateVerify,
9034 test: testCase{
9035 name: "TLS13-ServerCertificateVerify",
9036 config: Config{
9037 MaxVersion: VersionTLS13,
9038 },
9039 },
9040 })
9041
9042 ret = append(ret, perMessageTest{
9043 messageType: typeFinished,
9044 test: testCase{
9045 name: "TLS13-ServerFinished",
9046 config: Config{
9047 MaxVersion: VersionTLS13,
9048 },
9049 },
9050 })
9051
9052 ret = append(ret, perMessageTest{
9053 messageType: typeCertificate,
9054 test: testCase{
9055 testType: serverTest,
9056 name: "TLS13-ClientCertificate",
9057 config: Config{
9058 Certificates: []Certificate{rsaCertificate},
9059 MaxVersion: VersionTLS13,
9060 },
9061 flags: []string{"-require-any-client-certificate"},
9062 },
9063 })
9064
9065 ret = append(ret, perMessageTest{
9066 messageType: typeCertificateVerify,
9067 test: testCase{
9068 testType: serverTest,
9069 name: "TLS13-ClientCertificateVerify",
9070 config: Config{
9071 Certificates: []Certificate{rsaCertificate},
9072 MaxVersion: VersionTLS13,
9073 },
9074 flags: []string{"-require-any-client-certificate"},
9075 },
9076 })
9077
9078 ret = append(ret, perMessageTest{
9079 messageType: typeFinished,
9080 test: testCase{
9081 testType: serverTest,
9082 name: "TLS13-ClientFinished",
9083 config: Config{
9084 MaxVersion: VersionTLS13,
9085 },
9086 },
9087 })
9088
9089 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9090}
9091
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9092func addWrongMessageTypeTests() {
9093 for _, t := range makePerMessageTests() {
9094 t.test.name = "WrongMessageType-" + t.test.name
9095 t.test.config.Bugs.SendWrongMessageType = t.messageType
9096 t.test.shouldFail = true
9097 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9098 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9099
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9100 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9101 // In TLS 1.3, a bad ServerHello means the client sends
9102 // an unencrypted alert while the server expects
9103 // encryption, so the alert is not readable by runner.
9104 t.test.expectedLocalError = "local error: bad record MAC"
9105 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9106
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9107 testCases = append(testCases, t.test)
9108 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9109}
9110
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9111func addTrailingMessageDataTests() {
9112 for _, t := range makePerMessageTests() {
9113 t.test.name = "TrailingMessageData-" + t.test.name
9114 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9115 t.test.shouldFail = true
9116 t.test.expectedError = ":DECODE_ERROR:"
9117 t.test.expectedLocalError = "remote error: error decoding message"
9118
9119 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9120 // In TLS 1.3, a bad ServerHello means the client sends
9121 // an unencrypted alert while the server expects
9122 // encryption, so the alert is not readable by runner.
9123 t.test.expectedLocalError = "local error: bad record MAC"
9124 }
9125
9126 if t.messageType == typeFinished {
9127 // Bad Finished messages read as the verify data having
9128 // the wrong length.
9129 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9130 t.test.expectedLocalError = "remote error: error decrypting message"
9131 }
9132
9133 testCases = append(testCases, t.test)
9134 }
9135}
9136
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9137func addTLS13HandshakeTests() {
9138 testCases = append(testCases, testCase{
9139 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9140 name: "NegotiatePSKResumption-TLS13",
9141 config: Config{
9142 MaxVersion: VersionTLS13,
9143 Bugs: ProtocolBugs{
9144 NegotiatePSKResumption: true,
9145 },
9146 },
9147 resumeSession: true,
9148 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9149 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9150 })
9151
9152 testCases = append(testCases, testCase{
9153 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9154 name: "MissingKeyShare-Client",
9155 config: Config{
9156 MaxVersion: VersionTLS13,
9157 Bugs: ProtocolBugs{
9158 MissingKeyShare: true,
9159 },
9160 },
9161 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9162 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9163 })
9164
9165 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9166 testType: serverTest,
9167 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9168 config: Config{
9169 MaxVersion: VersionTLS13,
9170 Bugs: ProtocolBugs{
9171 MissingKeyShare: true,
9172 },
9173 },
9174 shouldFail: true,
9175 expectedError: ":MISSING_KEY_SHARE:",
9176 })
9177
9178 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9179 testType: serverTest,
9180 name: "DuplicateKeyShares",
9181 config: Config{
9182 MaxVersion: VersionTLS13,
9183 Bugs: ProtocolBugs{
9184 DuplicateKeyShares: true,
9185 },
9186 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9187 shouldFail: true,
9188 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9189 })
9190
9191 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9192 testType: serverTest,
9193 name: "SkipEarlyData",
9194 config: Config{
9195 MaxVersion: VersionTLS13,
9196 Bugs: ProtocolBugs{
9197 SendEarlyDataLength: 4,
9198 },
9199 },
9200 })
9201
9202 testCases = append(testCases, testCase{
9203 testType: serverTest,
9204 name: "SkipEarlyData-OmitEarlyDataExtension",
9205 config: Config{
9206 MaxVersion: VersionTLS13,
9207 Bugs: ProtocolBugs{
9208 SendEarlyDataLength: 4,
9209 OmitEarlyDataExtension: true,
9210 },
9211 },
9212 shouldFail: true,
9213 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9214 })
9215
9216 testCases = append(testCases, testCase{
9217 testType: serverTest,
9218 name: "SkipEarlyData-TooMuchData",
9219 config: Config{
9220 MaxVersion: VersionTLS13,
9221 Bugs: ProtocolBugs{
9222 SendEarlyDataLength: 16384 + 1,
9223 },
9224 },
9225 shouldFail: true,
9226 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9227 })
9228
9229 testCases = append(testCases, testCase{
9230 testType: serverTest,
9231 name: "SkipEarlyData-Interleaved",
9232 config: Config{
9233 MaxVersion: VersionTLS13,
9234 Bugs: ProtocolBugs{
9235 SendEarlyDataLength: 4,
9236 InterleaveEarlyData: true,
9237 },
9238 },
9239 shouldFail: true,
9240 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9241 })
9242
9243 testCases = append(testCases, testCase{
9244 testType: serverTest,
9245 name: "SkipEarlyData-EarlyDataInTLS12",
9246 config: Config{
9247 MaxVersion: VersionTLS13,
9248 Bugs: ProtocolBugs{
9249 SendEarlyDataLength: 4,
9250 },
9251 },
9252 shouldFail: true,
9253 expectedError: ":UNEXPECTED_RECORD:",
9254 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9255 })
9256
9257 testCases = append(testCases, testCase{
9258 testType: serverTest,
9259 name: "SkipEarlyData-HRR",
9260 config: Config{
9261 MaxVersion: VersionTLS13,
9262 Bugs: ProtocolBugs{
9263 SendEarlyDataLength: 4,
9264 },
9265 DefaultCurves: []CurveID{},
9266 },
9267 })
9268
9269 testCases = append(testCases, testCase{
9270 testType: serverTest,
9271 name: "SkipEarlyData-HRR-Interleaved",
9272 config: Config{
9273 MaxVersion: VersionTLS13,
9274 Bugs: ProtocolBugs{
9275 SendEarlyDataLength: 4,
9276 InterleaveEarlyData: true,
9277 },
9278 DefaultCurves: []CurveID{},
9279 },
9280 shouldFail: true,
9281 expectedError: ":UNEXPECTED_RECORD:",
9282 })
9283
9284 testCases = append(testCases, testCase{
9285 testType: serverTest,
9286 name: "SkipEarlyData-HRR-TooMuchData",
9287 config: Config{
9288 MaxVersion: VersionTLS13,
9289 Bugs: ProtocolBugs{
9290 SendEarlyDataLength: 16384 + 1,
9291 },
9292 DefaultCurves: []CurveID{},
9293 },
9294 shouldFail: true,
9295 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9296 })
9297
9298 // Test that skipping early data looking for cleartext correctly
9299 // processes an alert record.
9300 testCases = append(testCases, testCase{
9301 testType: serverTest,
9302 name: "SkipEarlyData-HRR-FatalAlert",
9303 config: Config{
9304 MaxVersion: VersionTLS13,
9305 Bugs: ProtocolBugs{
9306 SendEarlyAlert: true,
9307 SendEarlyDataLength: 4,
9308 },
9309 DefaultCurves: []CurveID{},
9310 },
9311 shouldFail: true,
9312 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9313 })
9314
9315 testCases = append(testCases, testCase{
9316 testType: serverTest,
9317 name: "SkipEarlyData-SecondClientHelloEarlyData",
9318 config: Config{
9319 MaxVersion: VersionTLS13,
9320 Bugs: ProtocolBugs{
9321 SendEarlyDataOnSecondClientHello: true,
9322 },
9323 DefaultCurves: []CurveID{},
9324 },
9325 shouldFail: true,
9326 expectedLocalError: "remote error: bad record MAC",
9327 })
9328
9329 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9330 testType: clientTest,
9331 name: "EmptyEncryptedExtensions",
9332 config: Config{
9333 MaxVersion: VersionTLS13,
9334 Bugs: ProtocolBugs{
9335 EmptyEncryptedExtensions: true,
9336 },
9337 },
9338 shouldFail: true,
9339 expectedLocalError: "remote error: error decoding message",
9340 })
9341
9342 testCases = append(testCases, testCase{
9343 testType: clientTest,
9344 name: "EncryptedExtensionsWithKeyShare",
9345 config: Config{
9346 MaxVersion: VersionTLS13,
9347 Bugs: ProtocolBugs{
9348 EncryptedExtensionsWithKeyShare: true,
9349 },
9350 },
9351 shouldFail: true,
9352 expectedLocalError: "remote error: unsupported extension",
9353 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9354
9355 testCases = append(testCases, testCase{
9356 testType: serverTest,
9357 name: "SendHelloRetryRequest",
9358 config: Config{
9359 MaxVersion: VersionTLS13,
9360 // Require a HelloRetryRequest for every curve.
9361 DefaultCurves: []CurveID{},
9362 },
9363 expectedCurveID: CurveX25519,
9364 })
9365
9366 testCases = append(testCases, testCase{
9367 testType: serverTest,
9368 name: "SendHelloRetryRequest-2",
9369 config: Config{
9370 MaxVersion: VersionTLS13,
9371 DefaultCurves: []CurveID{CurveP384},
9372 },
9373 // Although the ClientHello did not predict our preferred curve,
9374 // we always select it whether it is predicted or not.
9375 expectedCurveID: CurveX25519,
9376 })
9377
9378 testCases = append(testCases, testCase{
9379 name: "UnknownCurve-HelloRetryRequest",
9380 config: Config{
9381 MaxVersion: VersionTLS13,
9382 // P-384 requires HelloRetryRequest in BoringSSL.
9383 CurvePreferences: []CurveID{CurveP384},
9384 Bugs: ProtocolBugs{
9385 SendHelloRetryRequestCurve: bogusCurve,
9386 },
9387 },
9388 shouldFail: true,
9389 expectedError: ":WRONG_CURVE:",
9390 })
9391
9392 testCases = append(testCases, testCase{
9393 name: "DisabledCurve-HelloRetryRequest",
9394 config: Config{
9395 MaxVersion: VersionTLS13,
9396 CurvePreferences: []CurveID{CurveP256},
9397 Bugs: ProtocolBugs{
9398 IgnorePeerCurvePreferences: true,
9399 },
9400 },
9401 flags: []string{"-p384-only"},
9402 shouldFail: true,
9403 expectedError: ":WRONG_CURVE:",
9404 })
9405
9406 testCases = append(testCases, testCase{
9407 name: "UnnecessaryHelloRetryRequest",
9408 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9409 MaxVersion: VersionTLS13,
9410 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9411 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9412 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9413 },
9414 },
9415 shouldFail: true,
9416 expectedError: ":WRONG_CURVE:",
9417 })
9418
9419 testCases = append(testCases, testCase{
9420 name: "SecondHelloRetryRequest",
9421 config: Config{
9422 MaxVersion: VersionTLS13,
9423 // P-384 requires HelloRetryRequest in BoringSSL.
9424 CurvePreferences: []CurveID{CurveP384},
9425 Bugs: ProtocolBugs{
9426 SecondHelloRetryRequest: true,
9427 },
9428 },
9429 shouldFail: true,
9430 expectedError: ":UNEXPECTED_MESSAGE:",
9431 })
9432
9433 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9434 name: "HelloRetryRequest-Empty",
9435 config: Config{
9436 MaxVersion: VersionTLS13,
9437 Bugs: ProtocolBugs{
9438 AlwaysSendHelloRetryRequest: true,
9439 },
9440 },
9441 shouldFail: true,
9442 expectedError: ":DECODE_ERROR:",
9443 })
9444
9445 testCases = append(testCases, testCase{
9446 name: "HelloRetryRequest-DuplicateCurve",
9447 config: Config{
9448 MaxVersion: VersionTLS13,
9449 // P-384 requires a HelloRetryRequest against BoringSSL's default
9450 // configuration. Assert this ExpectMissingKeyShare.
9451 CurvePreferences: []CurveID{CurveP384},
9452 Bugs: ProtocolBugs{
9453 ExpectMissingKeyShare: true,
9454 DuplicateHelloRetryRequestExtensions: true,
9455 },
9456 },
9457 shouldFail: true,
9458 expectedError: ":DUPLICATE_EXTENSION:",
9459 expectedLocalError: "remote error: illegal parameter",
9460 })
9461
9462 testCases = append(testCases, testCase{
9463 name: "HelloRetryRequest-Cookie",
9464 config: Config{
9465 MaxVersion: VersionTLS13,
9466 Bugs: ProtocolBugs{
9467 SendHelloRetryRequestCookie: []byte("cookie"),
9468 },
9469 },
9470 })
9471
9472 testCases = append(testCases, testCase{
9473 name: "HelloRetryRequest-DuplicateCookie",
9474 config: Config{
9475 MaxVersion: VersionTLS13,
9476 Bugs: ProtocolBugs{
9477 SendHelloRetryRequestCookie: []byte("cookie"),
9478 DuplicateHelloRetryRequestExtensions: true,
9479 },
9480 },
9481 shouldFail: true,
9482 expectedError: ":DUPLICATE_EXTENSION:",
9483 expectedLocalError: "remote error: illegal parameter",
9484 })
9485
9486 testCases = append(testCases, testCase{
9487 name: "HelloRetryRequest-EmptyCookie",
9488 config: Config{
9489 MaxVersion: VersionTLS13,
9490 Bugs: ProtocolBugs{
9491 SendHelloRetryRequestCookie: []byte{},
9492 },
9493 },
9494 shouldFail: true,
9495 expectedError: ":DECODE_ERROR:",
9496 })
9497
9498 testCases = append(testCases, testCase{
9499 name: "HelloRetryRequest-Cookie-Curve",
9500 config: Config{
9501 MaxVersion: VersionTLS13,
9502 // P-384 requires HelloRetryRequest in BoringSSL.
9503 CurvePreferences: []CurveID{CurveP384},
9504 Bugs: ProtocolBugs{
9505 SendHelloRetryRequestCookie: []byte("cookie"),
9506 ExpectMissingKeyShare: true,
9507 },
9508 },
9509 })
9510
9511 testCases = append(testCases, testCase{
9512 name: "HelloRetryRequest-Unknown",
9513 config: Config{
9514 MaxVersion: VersionTLS13,
9515 Bugs: ProtocolBugs{
9516 CustomHelloRetryRequestExtension: "extension",
9517 },
9518 },
9519 shouldFail: true,
9520 expectedError: ":UNEXPECTED_EXTENSION:",
9521 expectedLocalError: "remote error: unsupported extension",
9522 })
9523
9524 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9525 testType: serverTest,
9526 name: "SecondClientHelloMissingKeyShare",
9527 config: Config{
9528 MaxVersion: VersionTLS13,
9529 DefaultCurves: []CurveID{},
9530 Bugs: ProtocolBugs{
9531 SecondClientHelloMissingKeyShare: true,
9532 },
9533 },
9534 shouldFail: true,
9535 expectedError: ":MISSING_KEY_SHARE:",
9536 })
9537
9538 testCases = append(testCases, testCase{
9539 testType: serverTest,
9540 name: "SecondClientHelloWrongCurve",
9541 config: Config{
9542 MaxVersion: VersionTLS13,
9543 DefaultCurves: []CurveID{},
9544 Bugs: ProtocolBugs{
9545 MisinterpretHelloRetryRequestCurve: CurveP521,
9546 },
9547 },
9548 shouldFail: true,
9549 expectedError: ":WRONG_CURVE:",
9550 })
9551
9552 testCases = append(testCases, testCase{
9553 name: "HelloRetryRequestVersionMismatch",
9554 config: Config{
9555 MaxVersion: VersionTLS13,
9556 // P-384 requires HelloRetryRequest in BoringSSL.
9557 CurvePreferences: []CurveID{CurveP384},
9558 Bugs: ProtocolBugs{
9559 SendServerHelloVersion: 0x0305,
9560 },
9561 },
9562 shouldFail: true,
9563 expectedError: ":WRONG_VERSION_NUMBER:",
9564 })
9565
9566 testCases = append(testCases, testCase{
9567 name: "HelloRetryRequestCurveMismatch",
9568 config: Config{
9569 MaxVersion: VersionTLS13,
9570 // P-384 requires HelloRetryRequest in BoringSSL.
9571 CurvePreferences: []CurveID{CurveP384},
9572 Bugs: ProtocolBugs{
9573 // Send P-384 (correct) in the HelloRetryRequest.
9574 SendHelloRetryRequestCurve: CurveP384,
9575 // But send P-256 in the ServerHello.
9576 SendCurve: CurveP256,
9577 },
9578 },
9579 shouldFail: true,
9580 expectedError: ":WRONG_CURVE:",
9581 })
9582
9583 // Test the server selecting a curve that requires a HelloRetryRequest
9584 // without sending it.
9585 testCases = append(testCases, testCase{
9586 name: "SkipHelloRetryRequest",
9587 config: Config{
9588 MaxVersion: VersionTLS13,
9589 // P-384 requires HelloRetryRequest in BoringSSL.
9590 CurvePreferences: []CurveID{CurveP384},
9591 Bugs: ProtocolBugs{
9592 SkipHelloRetryRequest: true,
9593 },
9594 },
9595 shouldFail: true,
9596 expectedError: ":WRONG_CURVE:",
9597 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9598
9599 testCases = append(testCases, testCase{
9600 name: "TLS13-RequestContextInHandshake",
9601 config: Config{
9602 MaxVersion: VersionTLS13,
9603 MinVersion: VersionTLS13,
9604 ClientAuth: RequireAnyClientCert,
9605 Bugs: ProtocolBugs{
9606 SendRequestContext: []byte("request context"),
9607 },
9608 },
9609 flags: []string{
9610 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9611 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9612 },
9613 shouldFail: true,
9614 expectedError: ":DECODE_ERROR:",
9615 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9616
9617 testCases = append(testCases, testCase{
9618 testType: serverTest,
9619 name: "TLS13-TrailingKeyShareData",
9620 config: Config{
9621 MaxVersion: VersionTLS13,
9622 Bugs: ProtocolBugs{
9623 TrailingKeyShareData: true,
9624 },
9625 },
9626 shouldFail: true,
9627 expectedError: ":DECODE_ERROR:",
9628 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9629
9630 testCases = append(testCases, testCase{
9631 name: "TLS13-AlwaysSelectPSKIdentity",
9632 config: Config{
9633 MaxVersion: VersionTLS13,
9634 Bugs: ProtocolBugs{
9635 AlwaysSelectPSKIdentity: true,
9636 },
9637 },
9638 shouldFail: true,
9639 expectedError: ":UNEXPECTED_EXTENSION:",
9640 })
9641
9642 testCases = append(testCases, testCase{
9643 name: "TLS13-InvalidPSKIdentity",
9644 config: Config{
9645 MaxVersion: VersionTLS13,
9646 Bugs: ProtocolBugs{
9647 SelectPSKIdentityOnResume: 1,
9648 },
9649 },
9650 resumeSession: true,
9651 shouldFail: true,
9652 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9653 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9654
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9655 testCases = append(testCases, testCase{
9656 testType: serverTest,
9657 name: "TLS13-ExtraPSKIdentity",
9658 config: Config{
9659 MaxVersion: VersionTLS13,
9660 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9661 ExtraPSKIdentity: true,
9662 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9663 },
9664 },
9665 resumeSession: true,
9666 })
9667
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9668 // Test that unknown NewSessionTicket extensions are tolerated.
9669 testCases = append(testCases, testCase{
9670 name: "TLS13-CustomTicketExtension",
9671 config: Config{
9672 MaxVersion: VersionTLS13,
9673 Bugs: ProtocolBugs{
9674 CustomTicketExtension: "1234",
9675 },
9676 },
9677 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9678}
9679
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]9680func addTLS13CipherPreferenceTests() {
9681 // Test that client preference is honored if the shim has AES hardware
9682 // and ChaCha20-Poly1305 is preferred otherwise.
9683 testCases = append(testCases, testCase{
9684 testType: serverTest,
9685 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
9686 config: Config{
9687 MaxVersion: VersionTLS13,
9688 CipherSuites: []uint16{
9689 TLS_CHACHA20_POLY1305_SHA256,
9690 TLS_AES_128_GCM_SHA256,
9691 },
9692 },
9693 flags: []string{
9694 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9695 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9696 },
9697 })
9698
9699 testCases = append(testCases, testCase{
9700 testType: serverTest,
9701 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
9702 config: Config{
9703 MaxVersion: VersionTLS13,
9704 CipherSuites: []uint16{
9705 TLS_AES_128_GCM_SHA256,
9706 TLS_CHACHA20_POLY1305_SHA256,
9707 },
9708 },
9709 flags: []string{
9710 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9711 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9712 },
9713 })
9714
9715 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
9716 // whether it has AES hardware.
9717 testCases = append(testCases, testCase{
9718 name: "TLS13-CipherPreference-Client",
9719 config: Config{
9720 MaxVersion: VersionTLS13,
9721 // Use the client cipher order. (This is the default but
9722 // is listed to be explicit.)
9723 PreferServerCipherSuites: false,
9724 },
9725 flags: []string{
9726 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9727 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9728 },
9729 })
9730}
9731
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9732func addPeekTests() {
9733 // Test SSL_peek works, including on empty records.
9734 testCases = append(testCases, testCase{
9735 name: "Peek-Basic",
9736 sendEmptyRecords: 1,
9737 flags: []string{"-peek-then-read"},
9738 })
9739
9740 // Test SSL_peek can drive the initial handshake.
9741 testCases = append(testCases, testCase{
9742 name: "Peek-ImplicitHandshake",
9743 flags: []string{
9744 "-peek-then-read",
9745 "-implicit-handshake",
9746 },
9747 })
9748
9749 // Test SSL_peek can discover and drive a renegotiation.
9750 testCases = append(testCases, testCase{
9751 name: "Peek-Renegotiate",
9752 config: Config{
9753 MaxVersion: VersionTLS12,
9754 },
9755 renegotiate: 1,
9756 flags: []string{
9757 "-peek-then-read",
9758 "-renegotiate-freely",
9759 "-expect-total-renegotiations", "1",
9760 },
9761 })
9762
9763 // Test SSL_peek can discover a close_notify.
9764 testCases = append(testCases, testCase{
9765 name: "Peek-Shutdown",
9766 config: Config{
9767 Bugs: ProtocolBugs{
9768 ExpectCloseNotify: true,
9769 },
9770 },
9771 flags: []string{
9772 "-peek-then-read",
9773 "-check-close-notify",
9774 },
9775 })
9776
9777 // Test SSL_peek can discover an alert.
9778 testCases = append(testCases, testCase{
9779 name: "Peek-Alert",
9780 config: Config{
9781 Bugs: ProtocolBugs{
9782 SendSpuriousAlert: alertRecordOverflow,
9783 },
9784 },
9785 flags: []string{"-peek-then-read"},
9786 shouldFail: true,
9787 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
9788 })
9789
9790 // Test SSL_peek can handle KeyUpdate.
9791 testCases = append(testCases, testCase{
9792 name: "Peek-KeyUpdate",
9793 config: Config{
9794 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9795 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]9796 sendKeyUpdates: 1,
9797 keyUpdateRequest: keyUpdateNotRequested,
9798 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9799 })
9800}
9801
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]9802func addRecordVersionTests() {
9803 for _, ver := range tlsVersions {
9804 // Test that the record version is enforced.
9805 testCases = append(testCases, testCase{
9806 name: "CheckRecordVersion-" + ver.name,
9807 config: Config{
9808 MinVersion: ver.version,
9809 MaxVersion: ver.version,
9810 Bugs: ProtocolBugs{
9811 SendRecordVersion: 0x03ff,
9812 },
9813 },
9814 shouldFail: true,
9815 expectedError: ":WRONG_VERSION_NUMBER:",
9816 })
9817
9818 // Test that the ClientHello may use any record version, for
9819 // compatibility reasons.
9820 testCases = append(testCases, testCase{
9821 testType: serverTest,
9822 name: "LooseInitialRecordVersion-" + ver.name,
9823 config: Config{
9824 MinVersion: ver.version,
9825 MaxVersion: ver.version,
9826 Bugs: ProtocolBugs{
9827 SendInitialRecordVersion: 0x03ff,
9828 },
9829 },
9830 })
9831
9832 // Test that garbage ClientHello record versions are rejected.
9833 testCases = append(testCases, testCase{
9834 testType: serverTest,
9835 name: "GarbageInitialRecordVersion-" + ver.name,
9836 config: Config{
9837 MinVersion: ver.version,
9838 MaxVersion: ver.version,
9839 Bugs: ProtocolBugs{
9840 SendInitialRecordVersion: 0xffff,
9841 },
9842 },
9843 shouldFail: true,
9844 expectedError: ":WRONG_VERSION_NUMBER:",
9845 })
9846 }
9847}
9848
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9849func addCertificateTests() {
9850 // Test that a certificate chain with intermediate may be sent and
9851 // received as both client and server.
9852 for _, ver := range tlsVersions {
9853 testCases = append(testCases, testCase{
9854 testType: clientTest,
9855 name: "SendReceiveIntermediate-Client-" + ver.name,
9856 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9857 MinVersion: ver.version,
9858 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9859 Certificates: []Certificate{rsaChainCertificate},
9860 ClientAuth: RequireAnyClientCert,
9861 },
9862 expectPeerCertificate: &rsaChainCertificate,
9863 flags: []string{
9864 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9865 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9866 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9867 },
9868 })
9869
9870 testCases = append(testCases, testCase{
9871 testType: serverTest,
9872 name: "SendReceiveIntermediate-Server-" + ver.name,
9873 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9874 MinVersion: ver.version,
9875 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9876 Certificates: []Certificate{rsaChainCertificate},
9877 },
9878 expectPeerCertificate: &rsaChainCertificate,
9879 flags: []string{
9880 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9881 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9882 "-require-any-client-certificate",
9883 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9884 },
9885 })
9886 }
9887}
9888
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]9889func addRetainOnlySHA256ClientCertTests() {
9890 for _, ver := range tlsVersions {
9891 // Test that enabling
9892 // SSL_CTX_set_retain_only_sha256_of_client_certs without
9893 // actually requesting a client certificate is a no-op.
9894 testCases = append(testCases, testCase{
9895 testType: serverTest,
9896 name: "RetainOnlySHA256-NoCert-" + ver.name,
9897 config: Config{
9898 MinVersion: ver.version,
9899 MaxVersion: ver.version,
9900 },
9901 flags: []string{
9902 "-retain-only-sha256-client-cert-initial",
9903 "-retain-only-sha256-client-cert-resume",
9904 },
9905 resumeSession: true,
9906 })
9907
9908 // Test that when retaining only a SHA-256 certificate is
9909 // enabled, the hash appears as expected.
9910 testCases = append(testCases, testCase{
9911 testType: serverTest,
9912 name: "RetainOnlySHA256-Cert-" + ver.name,
9913 config: Config{
9914 MinVersion: ver.version,
9915 MaxVersion: ver.version,
9916 Certificates: []Certificate{rsaCertificate},
9917 },
9918 flags: []string{
9919 "-verify-peer",
9920 "-retain-only-sha256-client-cert-initial",
9921 "-retain-only-sha256-client-cert-resume",
9922 "-expect-sha256-client-cert-initial",
9923 "-expect-sha256-client-cert-resume",
9924 },
9925 resumeSession: true,
9926 })
9927
9928 // Test that when the config changes from on to off, a
9929 // resumption is rejected because the server now wants the full
9930 // certificate chain.
9931 testCases = append(testCases, testCase{
9932 testType: serverTest,
9933 name: "RetainOnlySHA256-OnOff-" + ver.name,
9934 config: Config{
9935 MinVersion: ver.version,
9936 MaxVersion: ver.version,
9937 Certificates: []Certificate{rsaCertificate},
9938 },
9939 flags: []string{
9940 "-verify-peer",
9941 "-retain-only-sha256-client-cert-initial",
9942 "-expect-sha256-client-cert-initial",
9943 },
9944 resumeSession: true,
9945 expectResumeRejected: true,
9946 })
9947
9948 // Test that when the config changes from off to on, a
9949 // resumption is rejected because the server now wants just the
9950 // hash.
9951 testCases = append(testCases, testCase{
9952 testType: serverTest,
9953 name: "RetainOnlySHA256-OffOn-" + ver.name,
9954 config: Config{
9955 MinVersion: ver.version,
9956 MaxVersion: ver.version,
9957 Certificates: []Certificate{rsaCertificate},
9958 },
9959 flags: []string{
9960 "-verify-peer",
9961 "-retain-only-sha256-client-cert-resume",
9962 "-expect-sha256-client-cert-resume",
9963 },
9964 resumeSession: true,
9965 expectResumeRejected: true,
9966 })
9967 }
9968}
9969
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]9970func addECDSAKeyUsageTests() {
9971 p256 := elliptic.P256()
9972 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
9973 if err != nil {
9974 panic(err)
9975 }
9976
9977 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
9978 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
9979 if err != nil {
9980 panic(err)
9981 }
9982
9983 template := x509.Certificate{
9984 SerialNumber: serialNumber,
9985 Subject: pkix.Name{
9986 Organization: []string{"Acme Co"},
9987 },
9988 NotBefore: time.Now(),
9989 NotAfter: time.Now(),
9990
9991 // An ECC certificate with only the keyAgreement key usgae may
9992 // be used with ECDH, but not ECDSA.
9993 KeyUsage: x509.KeyUsageKeyAgreement,
9994 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
9995 BasicConstraintsValid: true,
9996 }
9997
9998 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
9999 if err != nil {
10000 panic(err)
10001 }
10002
10003 cert := Certificate{
10004 Certificate: [][]byte{derBytes},
10005 PrivateKey: priv,
10006 }
10007
10008 for _, ver := range tlsVersions {
10009 if ver.version < VersionTLS12 {
10010 continue
10011 }
10012
10013 testCases = append(testCases, testCase{
10014 testType: clientTest,
10015 name: "ECDSAKeyUsage-" + ver.name,
10016 config: Config{
10017 MinVersion: ver.version,
10018 MaxVersion: ver.version,
10019 Certificates: []Certificate{cert},
10020 },
10021 shouldFail: true,
10022 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10023 })
10024 }
10025}
10026
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10027func addShortHeaderTests() {
10028 // The short header extension may be negotiated as either client or
10029 // server.
10030 testCases = append(testCases, testCase{
10031 name: "ShortHeader-Client",
10032 config: Config{
10033 MaxVersion: VersionTLS13,
10034 Bugs: ProtocolBugs{
10035 EnableShortHeader: true,
10036 },
10037 },
10038 flags: []string{"-enable-short-header"},
10039 expectShortHeader: true,
10040 })
10041 testCases = append(testCases, testCase{
10042 testType: serverTest,
10043 name: "ShortHeader-Server",
10044 config: Config{
10045 MaxVersion: VersionTLS13,
10046 Bugs: ProtocolBugs{
10047 EnableShortHeader: true,
10048 },
10049 },
10050 flags: []string{"-enable-short-header"},
10051 expectShortHeader: true,
10052 })
10053
10054 // If the peer doesn't support it, it will not be negotiated.
10055 testCases = append(testCases, testCase{
10056 name: "ShortHeader-No-Yes-Client",
10057 config: Config{
10058 MaxVersion: VersionTLS13,
10059 },
10060 flags: []string{"-enable-short-header"},
10061 })
10062 testCases = append(testCases, testCase{
10063 testType: serverTest,
10064 name: "ShortHeader-No-Yes-Server",
10065 config: Config{
10066 MaxVersion: VersionTLS13,
10067 },
10068 flags: []string{"-enable-short-header"},
10069 })
10070
10071 // If we don't support it, it will not be negotiated.
10072 testCases = append(testCases, testCase{
10073 name: "ShortHeader-Yes-No-Client",
10074 config: Config{
10075 MaxVersion: VersionTLS13,
10076 Bugs: ProtocolBugs{
10077 EnableShortHeader: true,
10078 },
10079 },
10080 })
10081 testCases = append(testCases, testCase{
10082 testType: serverTest,
10083 name: "ShortHeader-Yes-No-Server",
10084 config: Config{
10085 MaxVersion: VersionTLS13,
10086 Bugs: ProtocolBugs{
10087 EnableShortHeader: true,
10088 },
10089 },
10090 })
10091
10092 // It will not be negotiated at TLS 1.2.
10093 testCases = append(testCases, testCase{
10094 name: "ShortHeader-TLS12-Client",
10095 config: Config{
10096 MaxVersion: VersionTLS12,
10097 Bugs: ProtocolBugs{
10098 EnableShortHeader: true,
10099 },
10100 },
10101 flags: []string{"-enable-short-header"},
10102 })
10103 testCases = append(testCases, testCase{
10104 testType: serverTest,
10105 name: "ShortHeader-TLS12-Server",
10106 config: Config{
10107 MaxVersion: VersionTLS12,
10108 Bugs: ProtocolBugs{
10109 EnableShortHeader: true,
10110 },
10111 },
10112 flags: []string{"-enable-short-header"},
10113 })
10114
10115 // Servers reject early data and short header sent together.
10116 testCases = append(testCases, testCase{
10117 testType: serverTest,
10118 name: "ShortHeader-EarlyData",
10119 config: Config{
10120 MaxVersion: VersionTLS13,
10121 Bugs: ProtocolBugs{
10122 EnableShortHeader: true,
10123 SendEarlyDataLength: 1,
10124 },
10125 },
10126 flags: []string{"-enable-short-header"},
10127 shouldFail: true,
10128 expectedError: ":UNEXPECTED_EXTENSION:",
10129 })
10130
10131 // Clients reject unsolicited short header extensions.
10132 testCases = append(testCases, testCase{
10133 name: "ShortHeader-Unsolicited",
10134 config: Config{
10135 MaxVersion: VersionTLS13,
10136 Bugs: ProtocolBugs{
10137 AlwaysNegotiateShortHeader: true,
10138 },
10139 },
10140 shouldFail: true,
10141 expectedError: ":UNEXPECTED_EXTENSION:",
10142 })
10143 testCases = append(testCases, testCase{
10144 name: "ShortHeader-Unsolicited-TLS12",
10145 config: Config{
10146 MaxVersion: VersionTLS12,
10147 Bugs: ProtocolBugs{
10148 AlwaysNegotiateShortHeader: true,
10149 },
10150 },
10151 shouldFail: true,
10152 expectedError: ":UNEXPECTED_EXTENSION:",
10153 })
10154
10155 // The high bit must be checked in short headers.
10156 testCases = append(testCases, testCase{
10157 name: "ShortHeader-ClearShortHeaderBit",
10158 config: Config{
10159 Bugs: ProtocolBugs{
10160 EnableShortHeader: true,
10161 ClearShortHeaderBit: true,
10162 },
10163 },
10164 flags: []string{"-enable-short-header"},
10165 shouldFail: true,
10166 expectedError: ":DECODE_ERROR:",
10167 expectedLocalError: "remote error: error decoding message",
10168 })
10169}
10170
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10171func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10172 defer wg.Done()
10173
10174 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10175 var err error
10176
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10177 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10178 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10179 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10180 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10181 if err != nil {
10182 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10183 }
10184 break
10185 }
10186 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10187 } else if *repeatUntilFailure {
10188 for err == nil {
10189 statusChan <- statusMsg{test: test, started: true}
10190 err = runTest(test, shimPath, -1)
10191 }
10192 } else {
10193 statusChan <- statusMsg{test: test, started: true}
10194 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10195 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10196 statusChan <- statusMsg{test: test, err: err}
10197 }
10198}
10199
10200type statusMsg struct {
10201 test *testCase
10202 started bool
10203 err error
10204}
10205
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10206func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10207 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10208
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10209 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10210 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10211 if !*pipe {
10212 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10213 var erase string
10214 for i := 0; i < lineLen; i++ {
10215 erase += "\b \b"
10216 }
10217 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10218 }
10219
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10220 if msg.started {
10221 started++
10222 } else {
10223 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10224
10225 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10226 if msg.err == errUnimplemented {
10227 if *pipe {
10228 // Print each test instead of a status line.
10229 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10230 }
10231 unimplemented++
10232 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10233 } else {
10234 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10235 failed++
10236 testOutput.addResult(msg.test.name, "FAIL")
10237 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10238 } else {
10239 if *pipe {
10240 // Print each test instead of a status line.
10241 fmt.Printf("PASSED (%s)\n", msg.test.name)
10242 }
10243 testOutput.addResult(msg.test.name, "PASS")
10244 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10245 }
10246
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10247 if !*pipe {
10248 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10249 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10250 lineLen = len(line)
10251 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10252 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10253 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10254
10255 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10256}
10257
10258func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10259 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10260 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10261 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10262
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10263 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10264 addCipherSuiteTests()
10265 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10266 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10267 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10268 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10269 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10270 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10271 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10272 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10273 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10274 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10275 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10276 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10277 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10278 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10279 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10280 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10281 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10282 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10283 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10284 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10285 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10286 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10287 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10288 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10289 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10290 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10291 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10292 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10293 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10294 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10295 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10296 addECDSAKeyUsageTests()
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10297 addShortHeaderTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10298
10299 var wg sync.WaitGroup
10300
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10301 statusChan := make(chan statusMsg, *numWorkers)
10302 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10303 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10304
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10305 if len(*shimConfigFile) != 0 {
10306 encoded, err := ioutil.ReadFile(*shimConfigFile)
10307 if err != nil {
10308 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10309 os.Exit(1)
10310 }
10311
10312 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10313 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10314 os.Exit(1)
10315 }
10316 }
10317
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10318 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10319
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10320 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10321 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10322 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10323 }
10324
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10325 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10326 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10327 matched := true
10328 if len(*testToRun) != 0 {
10329 var err error
10330 matched, err = filepath.Match(*testToRun, testCases[i].name)
10331 if err != nil {
10332 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10333 os.Exit(1)
10334 }
10335 }
10336
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10337 if !*includeDisabled {
10338 for pattern := range shimConfig.DisabledTests {
10339 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10340 if err != nil {
10341 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10342 os.Exit(1)
10343 }
10344
10345 if isDisabled {
10346 matched = false
10347 break
10348 }
10349 }
10350 }
10351
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10352 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10353 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10354 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10355
10356 // Only run one test if repeating until failure.
10357 if *repeatUntilFailure {
10358 break
10359 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10360 }
10361 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10362
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10363 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10364 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10365 os.Exit(1)
10366 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10367
10368 close(testChan)
10369 wg.Wait()
10370 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10371 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10372
10373 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10374
10375 if *jsonOutput != "" {
10376 if err := testOutput.writeTo(*jsonOutput); err != nil {
10377 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10378 }
10379 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10380
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10381 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10382 os.Exit(1)
10383 }
10384
10385 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10386 os.Exit(1)
10387 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10388}