Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5e578c9dba73460c3eb17f771c77fc8e36f7812e / . / ssl / test / runner / runner.go
blob: 10e728eb65d0bd728bf082ae42d97a34add09829 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431}
432
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]433var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]508
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]510
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]511 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 }
515
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]520 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 }()
535 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]544 }
545
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]546 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]556 }
557
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]558 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]559 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]565 } else {
566 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]572 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]573 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]574
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]578
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]589 }
590
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]597
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]598 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]599 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]634 }
635
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]642 }
643
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
646 }
647
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]689 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]723 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]738 }
739
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]740 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]743 }
744
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]773 // The shim will not respond.
774 continue
775 }
776
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
808 }
809
810 return nil
811}
812
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]821 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822}
823
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]829 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830}
831
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]844
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]847func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]854 listener.SetDeadline(time.Now().Add(*idleTimeout))
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]855 conn, err := listener.Accept()
856 connChan <- connOrError{conn, err}
857 close(connChan)
858 }()
859 select {
860 case result := <-connChan:
861 return result.conn, result.err
862 case childErr := <-waitChan:
863 waitChan <- childErr
864 return nil, fmt.Errorf("child exited early: %s", childErr)
865 }
866}
867
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]868func translateExpectedError(errorStr string) string {
869 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
870 return translated
871 }
872
873 if *looseErrors {
874 return ""
875 }
876
877 return errorStr
878}
879
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]880func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]881 // Help debugging panics on the Go side.
882 defer func() {
883 if r := recover(); r != nil {
884 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
885 panic(r)
886 }
887 }()
888
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]889 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
890 panic("Error expected without shouldFail in " + test.name)
891 }
892
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]893 if test.expectResumeRejected && !test.resumeSession {
894 panic("expectResumeRejected without resumeSession in " + test.name)
895 }
896
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]897 for _, ver := range tlsVersions {
898 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
899 continue
900 }
901
902 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
903 continue
904 }
905
906 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
907 }
908
Matthew Braithwaite2d04cf02017-05-19 18:13:25 -0700[diff] [blame]909 listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv6loopback})
910 if err != nil {
911 listener, err = net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
912 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]913 if err != nil {
914 panic(err)
915 }
916 defer func() {
917 if listener != nil {
918 listener.Close()
919 }
920 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]921
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]922 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]923 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]924 flags = append(flags, "-server")
925
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]926 flags = append(flags, "-key-file")
927 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]928 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]929 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]930 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]931 }
932
933 flags = append(flags, "-cert-file")
934 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]935 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
939 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]940
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]941 if test.protocol == dtls {
942 flags = append(flags, "-dtls")
943 }
944
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]945 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]946 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]947 resumeCount++
948 if test.resumeRenewedSession {
949 resumeCount++
950 }
951 }
952
953 if resumeCount > 0 {
954 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]955 }
956
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]957 if test.shimWritesFirst {
958 flags = append(flags, "-shim-writes-first")
959 }
960
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]961 if test.readWithUnfinishedWrite {
962 flags = append(flags, "-read-with-unfinished-write")
963 }
964
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]965 if test.shimShutsDown {
966 flags = append(flags, "-shim-shuts-down")
967 }
968
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]969 if test.exportKeyingMaterial > 0 {
970 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
971 flags = append(flags, "-export-label", test.exportLabel)
972 flags = append(flags, "-export-context", test.exportContext)
973 if test.useExportContext {
974 flags = append(flags, "-use-export-context")
975 }
976 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]977 if test.expectResumeRejected {
978 flags = append(flags, "-expect-session-miss")
979 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]980
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]981 if test.testTLSUnique {
982 flags = append(flags, "-tls-unique")
983 }
984
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]985 flags = append(flags, test.flags...)
986
987 var shim *exec.Cmd
988 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]989 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]990 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]991 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]992 } else if *useLLDB {
993 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]994 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]995 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]996 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]997 shim.Stdin = os.Stdin
998 var stdoutBuf, stderrBuf bytes.Buffer
999 shim.Stdout = &stdoutBuf
1000 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]1002 shim.Env = os.Environ()
1003 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1004 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1005 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1006 }
1007 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1008 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1009
1010 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1011 panic(err)
1012 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1013 waitChan := make(chan error, 1)
1014 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1015
1016 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1017
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1018 if *deterministic {
1019 config.Rand = &deterministicRand{}
1020 }
1021
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1022 conn, err := acceptOrWait(listener, waitChan)
1023 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1024 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1025 conn.Close()
1026 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1027
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1028 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1029 var resumeConfig Config
1030 if test.resumeConfig != nil {
1031 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1032 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1033 resumeConfig.SessionTicketKey = config.SessionTicketKey
1034 resumeConfig.ClientSessionCache = config.ClientSessionCache
1035 resumeConfig.ServerSessionCache = config.ServerSessionCache
1036 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1037 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1038 } else {
1039 resumeConfig = config
1040 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1041 var connResume net.Conn
1042 connResume, err = acceptOrWait(listener, waitChan)
1043 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1044 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1045 connResume.Close()
1046 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1047 }
1048
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1049 // Close the listener now. This is to avoid hangs should the shim try to
1050 // open more connections than expected.
1051 listener.Close()
1052 listener = nil
1053
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1054 var shimKilledLock sync.Mutex
1055 var shimKilled bool
1056 waitTimeout := time.AfterFunc(*idleTimeout, func() {
1057 shimKilledLock.Lock()
1058 shimKilled = true
1059 shimKilledLock.Unlock()
1060 shim.Process.Kill()
1061 })
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1062 childErr := <-waitChan
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1063 waitTimeout.Stop()
1064 shimKilledLock.Lock()
1065 if shimKilled && err == nil {
1066 err = errors.New("timeout waiting for the shim to exit.")
1067 }
1068 shimKilledLock.Unlock()
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1069 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1070 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1071 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1072 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1073 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1074 case 89:
1075 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1076 case 99:
1077 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1078 }
1079 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1080
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1081 // Account for Windows line endings.
1082 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1083 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1084
1085 // Separate the errors from the shim and those from tools like
1086 // AddressSanitizer.
1087 var extraStderr string
1088 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1089 stderr = stderrParts[0]
1090 extraStderr = stderrParts[1]
1091 }
1092
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1093 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1094 expectedError := translateExpectedError(test.expectedError)
1095 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1096
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1097 localError := "none"
1098 if err != nil {
1099 localError = err.Error()
1100 }
1101 if len(test.expectedLocalError) != 0 {
1102 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1103 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104
1105 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 if childErr != nil {
1108 childError = childErr.Error()
1109 }
1110
1111 var msg string
1112 switch {
1113 case failed && !test.shouldFail:
1114 msg = "unexpected failure"
1115 case !failed && test.shouldFail:
1116 msg = "unexpected success"
1117 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1118 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1119 default:
1120 panic("internal error")
1121 }
1122
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1123 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124 }
1125
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1126 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Adam Langleyc88f2452017-04-27 14:15:37 -0700[diff] [blame]1127 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1128 }
1129
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1130 if *useValgrind && isValgrindError {
1131 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1132 }
1133
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1134 return nil
1135}
1136
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1137type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1138 name string
1139 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1140 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1141 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1142}
1143
1144var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1145 {"SSL3", VersionSSL30, "-no-ssl3", false},
1146 {"TLS1", VersionTLS10, "-no-tls1", true},
1147 {"TLS11", VersionTLS11, "-no-tls11", false},
1148 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1149 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1150}
1151
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1152type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1153 name string
1154 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1155}
1156
1157var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1158 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1159 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1160 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1161 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1162 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1163 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1164 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1165 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1166 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1167 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1168 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1169 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1170 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1171 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1172 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1173 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1174 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1175 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1176 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1177 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1178 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1179 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1180 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1181 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1182 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1183 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1184 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1185 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1186 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1187 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1188}
1189
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1190func hasComponent(suiteName, component string) bool {
1191 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1192}
1193
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1194func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1195 return hasComponent(suiteName, "GCM") ||
1196 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1197 hasComponent(suiteName, "SHA384") ||
1198 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1199}
1200
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1201func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1202 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1203}
1204
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1205func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1206 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1207}
1208
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1209func bigFromHex(hex string) *big.Int {
1210 ret, ok := new(big.Int).SetString(hex, 16)
1211 if !ok {
1212 panic("failed to parse hex number 0x" + hex)
1213 }
1214 return ret
1215}
1216
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1217func addBasicTests() {
1218 basicTests := []testCase{
1219 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1220 name: "NoFallbackSCSV",
1221 config: Config{
1222 Bugs: ProtocolBugs{
1223 FailIfNotFallbackSCSV: true,
1224 },
1225 },
1226 shouldFail: true,
1227 expectedLocalError: "no fallback SCSV found",
1228 },
1229 {
1230 name: "SendFallbackSCSV",
1231 config: Config{
1232 Bugs: ProtocolBugs{
1233 FailIfNotFallbackSCSV: true,
1234 },
1235 },
1236 flags: []string{"-fallback-scsv"},
1237 },
1238 {
1239 name: "ClientCertificateTypes",
1240 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1241 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1242 ClientAuth: RequestClientCert,
1243 ClientCertificateTypes: []byte{
1244 CertTypeDSSSign,
1245 CertTypeRSASign,
1246 CertTypeECDSASign,
1247 },
1248 },
1249 flags: []string{
1250 "-expect-certificate-types",
1251 base64.StdEncoding.EncodeToString([]byte{
1252 CertTypeDSSSign,
1253 CertTypeRSASign,
1254 CertTypeECDSASign,
1255 }),
1256 },
1257 },
1258 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1259 name: "UnauthenticatedECDH",
1260 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1261 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1262 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1263 Bugs: ProtocolBugs{
1264 UnauthenticatedECDH: true,
1265 },
1266 },
1267 shouldFail: true,
1268 expectedError: ":UNEXPECTED_MESSAGE:",
1269 },
1270 {
1271 name: "SkipCertificateStatus",
1272 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1273 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1274 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1275 Bugs: ProtocolBugs{
1276 SkipCertificateStatus: true,
1277 },
1278 },
1279 flags: []string{
1280 "-enable-ocsp-stapling",
1281 },
1282 },
1283 {
1284 name: "SkipServerKeyExchange",
1285 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1286 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1287 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1288 Bugs: ProtocolBugs{
1289 SkipServerKeyExchange: true,
1290 },
1291 },
1292 shouldFail: true,
1293 expectedError: ":UNEXPECTED_MESSAGE:",
1294 },
1295 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1296 testType: serverTest,
1297 name: "Alert",
1298 config: Config{
1299 Bugs: ProtocolBugs{
1300 SendSpuriousAlert: alertRecordOverflow,
1301 },
1302 },
1303 shouldFail: true,
1304 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1305 },
1306 {
1307 protocol: dtls,
1308 testType: serverTest,
1309 name: "Alert-DTLS",
1310 config: Config{
1311 Bugs: ProtocolBugs{
1312 SendSpuriousAlert: alertRecordOverflow,
1313 },
1314 },
1315 shouldFail: true,
1316 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1317 },
1318 {
1319 testType: serverTest,
1320 name: "FragmentAlert",
1321 config: Config{
1322 Bugs: ProtocolBugs{
1323 FragmentAlert: true,
1324 SendSpuriousAlert: alertRecordOverflow,
1325 },
1326 },
1327 shouldFail: true,
1328 expectedError: ":BAD_ALERT:",
1329 },
1330 {
1331 protocol: dtls,
1332 testType: serverTest,
1333 name: "FragmentAlert-DTLS",
1334 config: Config{
1335 Bugs: ProtocolBugs{
1336 FragmentAlert: true,
1337 SendSpuriousAlert: alertRecordOverflow,
1338 },
1339 },
1340 shouldFail: true,
1341 expectedError: ":BAD_ALERT:",
1342 },
1343 {
1344 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1345 name: "DoubleAlert",
1346 config: Config{
1347 Bugs: ProtocolBugs{
1348 DoubleAlert: true,
1349 SendSpuriousAlert: alertRecordOverflow,
1350 },
1351 },
1352 shouldFail: true,
1353 expectedError: ":BAD_ALERT:",
1354 },
1355 {
1356 protocol: dtls,
1357 testType: serverTest,
1358 name: "DoubleAlert-DTLS",
1359 config: Config{
1360 Bugs: ProtocolBugs{
1361 DoubleAlert: true,
1362 SendSpuriousAlert: alertRecordOverflow,
1363 },
1364 },
1365 shouldFail: true,
1366 expectedError: ":BAD_ALERT:",
1367 },
1368 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1369 name: "SkipNewSessionTicket",
1370 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1371 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1372 Bugs: ProtocolBugs{
1373 SkipNewSessionTicket: true,
1374 },
1375 },
1376 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1377 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1378 },
1379 {
1380 testType: serverTest,
1381 name: "FallbackSCSV",
1382 config: Config{
1383 MaxVersion: VersionTLS11,
1384 Bugs: ProtocolBugs{
1385 SendFallbackSCSV: true,
1386 },
1387 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1388 shouldFail: true,
1389 expectedError: ":INAPPROPRIATE_FALLBACK:",
1390 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1391 },
1392 {
1393 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1394 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1395 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1396 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1397 Bugs: ProtocolBugs{
1398 SendFallbackSCSV: true,
1399 },
1400 },
1401 },
1402 {
1403 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1404 name: "FallbackSCSV-VersionMatch-TLS12",
1405 config: Config{
1406 MaxVersion: VersionTLS12,
1407 Bugs: ProtocolBugs{
1408 SendFallbackSCSV: true,
1409 },
1410 },
1411 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1412 },
1413 {
1414 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1415 name: "FragmentedClientVersion",
1416 config: Config{
1417 Bugs: ProtocolBugs{
1418 MaxHandshakeRecordLength: 1,
1419 FragmentClientVersion: true,
1420 },
1421 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1422 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1423 },
1424 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1425 testType: serverTest,
1426 name: "HttpGET",
1427 sendPrefix: "GET / HTTP/1.0\n",
1428 shouldFail: true,
1429 expectedError: ":HTTP_REQUEST:",
1430 },
1431 {
1432 testType: serverTest,
1433 name: "HttpPOST",
1434 sendPrefix: "POST / HTTP/1.0\n",
1435 shouldFail: true,
1436 expectedError: ":HTTP_REQUEST:",
1437 },
1438 {
1439 testType: serverTest,
1440 name: "HttpHEAD",
1441 sendPrefix: "HEAD / HTTP/1.0\n",
1442 shouldFail: true,
1443 expectedError: ":HTTP_REQUEST:",
1444 },
1445 {
1446 testType: serverTest,
1447 name: "HttpPUT",
1448 sendPrefix: "PUT / HTTP/1.0\n",
1449 shouldFail: true,
1450 expectedError: ":HTTP_REQUEST:",
1451 },
1452 {
1453 testType: serverTest,
1454 name: "HttpCONNECT",
1455 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1456 shouldFail: true,
1457 expectedError: ":HTTPS_PROXY_REQUEST:",
1458 },
1459 {
1460 testType: serverTest,
1461 name: "Garbage",
1462 sendPrefix: "blah",
1463 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1464 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1465 },
1466 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1467 name: "RSAEphemeralKey",
1468 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1469 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1470 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1471 Bugs: ProtocolBugs{
1472 RSAEphemeralKey: true,
1473 },
1474 },
1475 shouldFail: true,
1476 expectedError: ":UNEXPECTED_MESSAGE:",
1477 },
1478 {
1479 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1480 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1481 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1482 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1483 },
1484 {
1485 protocol: dtls,
1486 name: "DisableEverything-DTLS",
1487 flags: []string{"-no-tls12", "-no-tls1"},
1488 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1489 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1490 },
1491 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1492 protocol: dtls,
1493 testType: serverTest,
1494 name: "MTU",
1495 config: Config{
1496 Bugs: ProtocolBugs{
1497 MaxPacketLength: 256,
1498 },
1499 },
1500 flags: []string{"-mtu", "256"},
1501 },
1502 {
1503 protocol: dtls,
1504 testType: serverTest,
1505 name: "MTUExceeded",
1506 config: Config{
1507 Bugs: ProtocolBugs{
1508 MaxPacketLength: 255,
1509 },
1510 },
1511 flags: []string{"-mtu", "256"},
1512 shouldFail: true,
1513 expectedLocalError: "dtls: exceeded maximum packet length",
1514 },
1515 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1516 name: "EmptyCertificateList",
1517 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1518 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1519 Bugs: ProtocolBugs{
1520 EmptyCertificateList: true,
1521 },
1522 },
1523 shouldFail: true,
1524 expectedError: ":DECODE_ERROR:",
1525 },
1526 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1527 name: "EmptyCertificateList-TLS13",
1528 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1529 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1530 Bugs: ProtocolBugs{
1531 EmptyCertificateList: true,
1532 },
1533 },
1534 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1535 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1536 },
1537 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1538 name: "TLSFatalBadPackets",
1539 damageFirstWrite: true,
1540 shouldFail: true,
1541 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1542 },
1543 {
1544 protocol: dtls,
1545 name: "DTLSIgnoreBadPackets",
1546 damageFirstWrite: true,
1547 },
1548 {
1549 protocol: dtls,
1550 name: "DTLSIgnoreBadPackets-Async",
1551 damageFirstWrite: true,
1552 flags: []string{"-async"},
1553 },
1554 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1555 name: "AppDataBeforeHandshake",
1556 config: Config{
1557 Bugs: ProtocolBugs{
1558 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1559 },
1560 },
1561 shouldFail: true,
1562 expectedError: ":UNEXPECTED_RECORD:",
1563 },
1564 {
1565 name: "AppDataBeforeHandshake-Empty",
1566 config: Config{
1567 Bugs: ProtocolBugs{
1568 AppDataBeforeHandshake: []byte{},
1569 },
1570 },
1571 shouldFail: true,
1572 expectedError: ":UNEXPECTED_RECORD:",
1573 },
1574 {
1575 protocol: dtls,
1576 name: "AppDataBeforeHandshake-DTLS",
1577 config: Config{
1578 Bugs: ProtocolBugs{
1579 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1580 },
1581 },
1582 shouldFail: true,
1583 expectedError: ":UNEXPECTED_RECORD:",
1584 },
1585 {
1586 protocol: dtls,
1587 name: "AppDataBeforeHandshake-DTLS-Empty",
1588 config: Config{
1589 Bugs: ProtocolBugs{
1590 AppDataBeforeHandshake: []byte{},
1591 },
1592 },
1593 shouldFail: true,
1594 expectedError: ":UNEXPECTED_RECORD:",
1595 },
1596 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1597 name: "AppDataAfterChangeCipherSpec",
1598 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1599 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1600 Bugs: ProtocolBugs{
1601 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1602 },
1603 },
1604 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1605 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1606 },
1607 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1608 name: "AppDataAfterChangeCipherSpec-Empty",
1609 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1610 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1611 Bugs: ProtocolBugs{
1612 AppDataAfterChangeCipherSpec: []byte{},
1613 },
1614 },
1615 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1616 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1617 },
1618 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1619 protocol: dtls,
1620 name: "AppDataAfterChangeCipherSpec-DTLS",
1621 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1622 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1623 Bugs: ProtocolBugs{
1624 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1625 },
1626 },
1627 // BoringSSL's DTLS implementation will drop the out-of-order
1628 // application data.
1629 },
1630 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1631 protocol: dtls,
1632 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1633 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1634 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1635 Bugs: ProtocolBugs{
1636 AppDataAfterChangeCipherSpec: []byte{},
1637 },
1638 },
1639 // BoringSSL's DTLS implementation will drop the out-of-order
1640 // application data.
1641 },
1642 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1643 name: "AlertAfterChangeCipherSpec",
1644 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1645 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1646 Bugs: ProtocolBugs{
1647 AlertAfterChangeCipherSpec: alertRecordOverflow,
1648 },
1649 },
1650 shouldFail: true,
1651 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1652 },
1653 {
1654 protocol: dtls,
1655 name: "AlertAfterChangeCipherSpec-DTLS",
1656 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1657 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1658 Bugs: ProtocolBugs{
1659 AlertAfterChangeCipherSpec: alertRecordOverflow,
1660 },
1661 },
1662 shouldFail: true,
1663 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1664 },
1665 {
1666 protocol: dtls,
1667 name: "ReorderHandshakeFragments-Small-DTLS",
1668 config: Config{
1669 Bugs: ProtocolBugs{
1670 ReorderHandshakeFragments: true,
1671 // Small enough that every handshake message is
1672 // fragmented.
1673 MaxHandshakeRecordLength: 2,
1674 },
1675 },
1676 },
1677 {
1678 protocol: dtls,
1679 name: "ReorderHandshakeFragments-Large-DTLS",
1680 config: Config{
1681 Bugs: ProtocolBugs{
1682 ReorderHandshakeFragments: true,
1683 // Large enough that no handshake message is
1684 // fragmented.
1685 MaxHandshakeRecordLength: 2048,
1686 },
1687 },
1688 },
1689 {
1690 protocol: dtls,
1691 name: "MixCompleteMessageWithFragments-DTLS",
1692 config: Config{
1693 Bugs: ProtocolBugs{
1694 ReorderHandshakeFragments: true,
1695 MixCompleteMessageWithFragments: true,
1696 MaxHandshakeRecordLength: 2,
1697 },
1698 },
1699 },
1700 {
1701 name: "SendInvalidRecordType",
1702 config: Config{
1703 Bugs: ProtocolBugs{
1704 SendInvalidRecordType: true,
1705 },
1706 },
1707 shouldFail: true,
1708 expectedError: ":UNEXPECTED_RECORD:",
1709 },
1710 {
1711 protocol: dtls,
1712 name: "SendInvalidRecordType-DTLS",
1713 config: Config{
1714 Bugs: ProtocolBugs{
1715 SendInvalidRecordType: true,
1716 },
1717 },
1718 shouldFail: true,
1719 expectedError: ":UNEXPECTED_RECORD:",
1720 },
1721 {
1722 name: "FalseStart-SkipServerSecondLeg",
1723 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1724 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1725 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1726 NextProtos: []string{"foo"},
1727 Bugs: ProtocolBugs{
1728 SkipNewSessionTicket: true,
1729 SkipChangeCipherSpec: true,
1730 SkipFinished: true,
1731 ExpectFalseStart: true,
1732 },
1733 },
1734 flags: []string{
1735 "-false-start",
1736 "-handshake-never-done",
1737 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1738 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1739 },
1740 shimWritesFirst: true,
1741 shouldFail: true,
1742 expectedError: ":UNEXPECTED_RECORD:",
1743 },
1744 {
1745 name: "FalseStart-SkipServerSecondLeg-Implicit",
1746 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1747 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1748 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1749 NextProtos: []string{"foo"},
1750 Bugs: ProtocolBugs{
1751 SkipNewSessionTicket: true,
1752 SkipChangeCipherSpec: true,
1753 SkipFinished: true,
1754 },
1755 },
1756 flags: []string{
1757 "-implicit-handshake",
1758 "-false-start",
1759 "-handshake-never-done",
1760 "-advertise-alpn", "\x03foo",
1761 },
1762 shouldFail: true,
1763 expectedError: ":UNEXPECTED_RECORD:",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailEarlyCallback",
1768 flags: []string{"-fail-early-callback"},
1769 shouldFail: true,
1770 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1771 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1772 },
1773 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1774 name: "FailCertCallback-Client-TLS12",
1775 config: Config{
1776 MaxVersion: VersionTLS12,
1777 ClientAuth: RequestClientCert,
1778 },
1779 flags: []string{"-fail-cert-callback"},
1780 shouldFail: true,
1781 expectedError: ":CERT_CB_ERROR:",
1782 expectedLocalError: "remote error: internal error",
1783 },
1784 {
1785 testType: serverTest,
1786 name: "FailCertCallback-Server-TLS12",
1787 config: Config{
1788 MaxVersion: VersionTLS12,
1789 },
1790 flags: []string{"-fail-cert-callback"},
1791 shouldFail: true,
1792 expectedError: ":CERT_CB_ERROR:",
1793 expectedLocalError: "remote error: internal error",
1794 },
1795 {
1796 name: "FailCertCallback-Client-TLS13",
1797 config: Config{
1798 MaxVersion: VersionTLS13,
1799 ClientAuth: RequestClientCert,
1800 },
1801 flags: []string{"-fail-cert-callback"},
1802 shouldFail: true,
1803 expectedError: ":CERT_CB_ERROR:",
1804 expectedLocalError: "remote error: internal error",
1805 },
1806 {
1807 testType: serverTest,
1808 name: "FailCertCallback-Server-TLS13",
1809 config: Config{
1810 MaxVersion: VersionTLS13,
1811 },
1812 flags: []string{"-fail-cert-callback"},
1813 shouldFail: true,
1814 expectedError: ":CERT_CB_ERROR:",
1815 expectedLocalError: "remote error: internal error",
1816 },
1817 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1818 protocol: dtls,
1819 name: "FragmentMessageTypeMismatch-DTLS",
1820 config: Config{
1821 Bugs: ProtocolBugs{
1822 MaxHandshakeRecordLength: 2,
1823 FragmentMessageTypeMismatch: true,
1824 },
1825 },
1826 shouldFail: true,
1827 expectedError: ":FRAGMENT_MISMATCH:",
1828 },
1829 {
1830 protocol: dtls,
1831 name: "FragmentMessageLengthMismatch-DTLS",
1832 config: Config{
1833 Bugs: ProtocolBugs{
1834 MaxHandshakeRecordLength: 2,
1835 FragmentMessageLengthMismatch: true,
1836 },
1837 },
1838 shouldFail: true,
1839 expectedError: ":FRAGMENT_MISMATCH:",
1840 },
1841 {
1842 protocol: dtls,
1843 name: "SplitFragments-Header-DTLS",
1844 config: Config{
1845 Bugs: ProtocolBugs{
1846 SplitFragments: 2,
1847 },
1848 },
1849 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1850 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1851 },
1852 {
1853 protocol: dtls,
1854 name: "SplitFragments-Boundary-DTLS",
1855 config: Config{
1856 Bugs: ProtocolBugs{
1857 SplitFragments: dtlsRecordHeaderLen,
1858 },
1859 },
1860 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1861 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1862 },
1863 {
1864 protocol: dtls,
1865 name: "SplitFragments-Body-DTLS",
1866 config: Config{
1867 Bugs: ProtocolBugs{
1868 SplitFragments: dtlsRecordHeaderLen + 1,
1869 },
1870 },
1871 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1872 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1873 },
1874 {
1875 protocol: dtls,
1876 name: "SendEmptyFragments-DTLS",
1877 config: Config{
1878 Bugs: ProtocolBugs{
1879 SendEmptyFragments: true,
1880 },
1881 },
1882 },
1883 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1884 name: "BadFinished-Client",
1885 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1886 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1887 Bugs: ProtocolBugs{
1888 BadFinished: true,
1889 },
1890 },
1891 shouldFail: true,
1892 expectedError: ":DIGEST_CHECK_FAILED:",
1893 },
1894 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1895 name: "BadFinished-Client-TLS13",
1896 config: Config{
1897 MaxVersion: VersionTLS13,
1898 Bugs: ProtocolBugs{
1899 BadFinished: true,
1900 },
1901 },
1902 shouldFail: true,
1903 expectedError: ":DIGEST_CHECK_FAILED:",
1904 },
1905 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1906 testType: serverTest,
1907 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1908 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1909 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1910 Bugs: ProtocolBugs{
1911 BadFinished: true,
1912 },
1913 },
1914 shouldFail: true,
1915 expectedError: ":DIGEST_CHECK_FAILED:",
1916 },
1917 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1918 testType: serverTest,
1919 name: "BadFinished-Server-TLS13",
1920 config: Config{
1921 MaxVersion: VersionTLS13,
1922 Bugs: ProtocolBugs{
1923 BadFinished: true,
1924 },
1925 },
1926 shouldFail: true,
1927 expectedError: ":DIGEST_CHECK_FAILED:",
1928 },
1929 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1930 name: "FalseStart-BadFinished",
1931 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1932 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1933 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1934 NextProtos: []string{"foo"},
1935 Bugs: ProtocolBugs{
1936 BadFinished: true,
1937 ExpectFalseStart: true,
1938 },
1939 },
1940 flags: []string{
1941 "-false-start",
1942 "-handshake-never-done",
1943 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1944 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1945 },
1946 shimWritesFirst: true,
1947 shouldFail: true,
1948 expectedError: ":DIGEST_CHECK_FAILED:",
1949 },
1950 {
1951 name: "NoFalseStart-NoALPN",
1952 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1953 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1954 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1955 Bugs: ProtocolBugs{
1956 ExpectFalseStart: true,
1957 AlertBeforeFalseStartTest: alertAccessDenied,
1958 },
1959 },
1960 flags: []string{
1961 "-false-start",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-NoAEAD",
1970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1971 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1972 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
1989 name: "NoFalseStart-RSA",
1990 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1991 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1992 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1993 NextProtos: []string{"foo"},
1994 Bugs: ProtocolBugs{
1995 ExpectFalseStart: true,
1996 AlertBeforeFalseStartTest: alertAccessDenied,
1997 },
1998 },
1999 flags: []string{
2000 "-false-start",
2001 "-advertise-alpn", "\x03foo",
2002 },
2003 shimWritesFirst: true,
2004 shouldFail: true,
2005 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2006 expectedLocalError: "tls: peer did not false start: EOF",
2007 },
2008 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2009 protocol: dtls,
2010 name: "SendSplitAlert-Sync",
2011 config: Config{
2012 Bugs: ProtocolBugs{
2013 SendSplitAlert: true,
2014 },
2015 },
2016 },
2017 {
2018 protocol: dtls,
2019 name: "SendSplitAlert-Async",
2020 config: Config{
2021 Bugs: ProtocolBugs{
2022 SendSplitAlert: true,
2023 },
2024 },
2025 flags: []string{"-async"},
2026 },
2027 {
2028 protocol: dtls,
2029 name: "PackDTLSHandshake",
2030 config: Config{
2031 Bugs: ProtocolBugs{
2032 MaxHandshakeRecordLength: 2,
2033 PackHandshakeFragments: 20,
2034 PackHandshakeRecords: 200,
2035 },
2036 },
2037 },
2038 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2039 name: "SendEmptyRecords-Pass",
2040 sendEmptyRecords: 32,
2041 },
2042 {
2043 name: "SendEmptyRecords",
2044 sendEmptyRecords: 33,
2045 shouldFail: true,
2046 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2047 },
2048 {
2049 name: "SendEmptyRecords-Async",
2050 sendEmptyRecords: 33,
2051 flags: []string{"-async"},
2052 shouldFail: true,
2053 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2054 },
2055 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2056 name: "SendWarningAlerts-Pass",
2057 config: Config{
2058 MaxVersion: VersionTLS12,
2059 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2060 sendWarningAlerts: 4,
2061 },
2062 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2063 protocol: dtls,
2064 name: "SendWarningAlerts-DTLS-Pass",
2065 config: Config{
2066 MaxVersion: VersionTLS12,
2067 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2068 sendWarningAlerts: 4,
2069 },
2070 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2071 name: "SendWarningAlerts-TLS13",
2072 config: Config{
2073 MaxVersion: VersionTLS13,
2074 },
2075 sendWarningAlerts: 4,
2076 shouldFail: true,
2077 expectedError: ":BAD_ALERT:",
2078 expectedLocalError: "remote error: error decoding message",
2079 },
2080 {
2081 name: "SendWarningAlerts",
2082 config: Config{
2083 MaxVersion: VersionTLS12,
2084 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2085 sendWarningAlerts: 5,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2088 },
2089 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2090 name: "SendWarningAlerts-Async",
2091 config: Config{
2092 MaxVersion: VersionTLS12,
2093 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2094 sendWarningAlerts: 5,
2095 flags: []string{"-async"},
2096 shouldFail: true,
2097 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2098 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2099 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2100 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2101 config: Config{
2102 MaxVersion: VersionTLS13,
2103 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2104 sendKeyUpdates: 33,
2105 keyUpdateRequest: keyUpdateNotRequested,
2106 shouldFail: true,
2107 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2108 },
2109 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2110 name: "EmptySessionID",
2111 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2112 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2113 SessionTicketsDisabled: true,
2114 },
2115 noSessionCache: true,
2116 flags: []string{"-expect-no-session"},
2117 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2118 {
2119 name: "Unclean-Shutdown",
2120 config: Config{
2121 Bugs: ProtocolBugs{
2122 NoCloseNotify: true,
2123 ExpectCloseNotify: true,
2124 },
2125 },
2126 shimShutsDown: true,
2127 flags: []string{"-check-close-notify"},
2128 shouldFail: true,
2129 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2130 },
2131 {
2132 name: "Unclean-Shutdown-Ignored",
2133 config: Config{
2134 Bugs: ProtocolBugs{
2135 NoCloseNotify: true,
2136 },
2137 },
2138 shimShutsDown: true,
2139 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2140 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2141 name: "Unclean-Shutdown-Alert",
2142 config: Config{
2143 Bugs: ProtocolBugs{
2144 SendAlertOnShutdown: alertDecompressionFailure,
2145 ExpectCloseNotify: true,
2146 },
2147 },
2148 shimShutsDown: true,
2149 flags: []string{"-check-close-notify"},
2150 shouldFail: true,
2151 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2152 },
2153 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2154 name: "LargePlaintext",
2155 config: Config{
2156 Bugs: ProtocolBugs{
2157 SendLargeRecords: true,
2158 },
2159 },
2160 messageLen: maxPlaintext + 1,
2161 shouldFail: true,
2162 expectedError: ":DATA_LENGTH_TOO_LONG:",
2163 },
2164 {
2165 protocol: dtls,
2166 name: "LargePlaintext-DTLS",
2167 config: Config{
2168 Bugs: ProtocolBugs{
2169 SendLargeRecords: true,
2170 },
2171 },
2172 messageLen: maxPlaintext + 1,
2173 shouldFail: true,
2174 expectedError: ":DATA_LENGTH_TOO_LONG:",
2175 },
2176 {
2177 name: "LargeCiphertext",
2178 config: Config{
2179 Bugs: ProtocolBugs{
2180 SendLargeRecords: true,
2181 },
2182 },
2183 messageLen: maxPlaintext * 2,
2184 shouldFail: true,
2185 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2186 },
2187 {
2188 protocol: dtls,
2189 name: "LargeCiphertext-DTLS",
2190 config: Config{
2191 Bugs: ProtocolBugs{
2192 SendLargeRecords: true,
2193 },
2194 },
2195 messageLen: maxPlaintext * 2,
2196 // Unlike the other four cases, DTLS drops records which
2197 // are invalid before authentication, so the connection
2198 // does not fail.
2199 expectMessageDropped: true,
2200 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2201 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2202 name: "BadHelloRequest-1",
2203 renegotiate: 1,
2204 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2205 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2206 Bugs: ProtocolBugs{
2207 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2208 },
2209 },
2210 flags: []string{
2211 "-renegotiate-freely",
2212 "-expect-total-renegotiations", "1",
2213 },
2214 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2215 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2216 },
2217 {
2218 name: "BadHelloRequest-2",
2219 renegotiate: 1,
2220 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2221 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2222 Bugs: ProtocolBugs{
2223 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2224 },
2225 },
2226 flags: []string{
2227 "-renegotiate-freely",
2228 "-expect-total-renegotiations", "1",
2229 },
2230 shouldFail: true,
2231 expectedError: ":BAD_HELLO_REQUEST:",
2232 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2233 {
2234 testType: serverTest,
2235 name: "SupportTicketsWithSessionID",
2236 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2237 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2238 SessionTicketsDisabled: true,
2239 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2240 resumeConfig: &Config{
2241 MaxVersion: VersionTLS12,
2242 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2243 resumeSession: true,
2244 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2245 {
2246 protocol: dtls,
2247 name: "DTLS-SendExtraFinished",
2248 config: Config{
2249 Bugs: ProtocolBugs{
2250 SendExtraFinished: true,
2251 },
2252 },
2253 shouldFail: true,
2254 expectedError: ":UNEXPECTED_RECORD:",
2255 },
2256 {
2257 protocol: dtls,
2258 name: "DTLS-SendExtraFinished-Reordered",
2259 config: Config{
2260 Bugs: ProtocolBugs{
2261 MaxHandshakeRecordLength: 2,
2262 ReorderHandshakeFragments: true,
2263 SendExtraFinished: true,
2264 },
2265 },
2266 shouldFail: true,
2267 expectedError: ":UNEXPECTED_RECORD:",
2268 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2269 {
2270 testType: serverTest,
2271 name: "V2ClientHello-EmptyRecordPrefix",
2272 config: Config{
2273 // Choose a cipher suite that does not involve
2274 // elliptic curves, so no extensions are
2275 // involved.
2276 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2277 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2278 Bugs: ProtocolBugs{
2279 SendV2ClientHello: true,
2280 },
2281 },
2282 sendPrefix: string([]byte{
2283 byte(recordTypeHandshake),
2284 3, 1, // version
2285 0, 0, // length
2286 }),
2287 // A no-op empty record may not be sent before V2ClientHello.
2288 shouldFail: true,
2289 expectedError: ":WRONG_VERSION_NUMBER:",
2290 },
2291 {
2292 testType: serverTest,
2293 name: "V2ClientHello-WarningAlertPrefix",
2294 config: Config{
2295 // Choose a cipher suite that does not involve
2296 // elliptic curves, so no extensions are
2297 // involved.
2298 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2299 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2300 Bugs: ProtocolBugs{
2301 SendV2ClientHello: true,
2302 },
2303 },
2304 sendPrefix: string([]byte{
2305 byte(recordTypeAlert),
2306 3, 1, // version
2307 0, 2, // length
2308 alertLevelWarning, byte(alertDecompressionFailure),
2309 }),
2310 // A no-op warning alert may not be sent before V2ClientHello.
2311 shouldFail: true,
2312 expectedError: ":WRONG_VERSION_NUMBER:",
2313 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2314 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2315 name: "KeyUpdate-Client",
2316 config: Config{
2317 MaxVersion: VersionTLS13,
2318 },
2319 sendKeyUpdates: 1,
2320 keyUpdateRequest: keyUpdateNotRequested,
2321 },
2322 {
2323 testType: serverTest,
2324 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2325 config: Config{
2326 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2327 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2328 sendKeyUpdates: 1,
2329 keyUpdateRequest: keyUpdateNotRequested,
2330 },
2331 {
2332 name: "KeyUpdate-InvalidRequestMode",
2333 config: Config{
2334 MaxVersion: VersionTLS13,
2335 },
2336 sendKeyUpdates: 1,
2337 keyUpdateRequest: 42,
2338 shouldFail: true,
2339 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2340 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2341 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2342 // Test that KeyUpdates are acknowledged properly.
2343 name: "KeyUpdate-RequestACK",
2344 config: Config{
2345 MaxVersion: VersionTLS13,
2346 Bugs: ProtocolBugs{
2347 RejectUnsolicitedKeyUpdate: true,
2348 },
2349 },
2350 // Test the shim receiving many KeyUpdates in a row.
2351 sendKeyUpdates: 5,
2352 messageCount: 5,
2353 keyUpdateRequest: keyUpdateRequested,
2354 },
2355 {
2356 // Test that KeyUpdates are acknowledged properly if the
2357 // peer's KeyUpdate is discovered while a write is
2358 // pending.
2359 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2360 config: Config{
2361 MaxVersion: VersionTLS13,
2362 Bugs: ProtocolBugs{
2363 RejectUnsolicitedKeyUpdate: true,
2364 },
2365 },
2366 // Test the shim receiving many KeyUpdates in a row.
2367 sendKeyUpdates: 5,
2368 messageCount: 5,
2369 keyUpdateRequest: keyUpdateRequested,
2370 readWithUnfinishedWrite: true,
2371 flags: []string{"-async"},
2372 },
2373 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2374 name: "SendSNIWarningAlert",
2375 config: Config{
2376 MaxVersion: VersionTLS12,
2377 Bugs: ProtocolBugs{
2378 SendSNIWarningAlert: true,
2379 },
2380 },
2381 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2382 {
2383 testType: serverTest,
2384 name: "ExtraCompressionMethods-TLS12",
2385 config: Config{
2386 MaxVersion: VersionTLS12,
2387 Bugs: ProtocolBugs{
2388 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2389 },
2390 },
2391 },
2392 {
2393 testType: serverTest,
2394 name: "ExtraCompressionMethods-TLS13",
2395 config: Config{
2396 MaxVersion: VersionTLS13,
2397 Bugs: ProtocolBugs{
2398 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2399 },
2400 },
2401 shouldFail: true,
2402 expectedError: ":INVALID_COMPRESSION_LIST:",
2403 expectedLocalError: "remote error: illegal parameter",
2404 },
2405 {
2406 testType: serverTest,
2407 name: "NoNullCompression-TLS12",
2408 config: Config{
2409 MaxVersion: VersionTLS12,
2410 Bugs: ProtocolBugs{
2411 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2412 },
2413 },
2414 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2415 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2416 expectedLocalError: "remote error: illegal parameter",
2417 },
2418 {
2419 testType: serverTest,
2420 name: "NoNullCompression-TLS13",
2421 config: Config{
2422 MaxVersion: VersionTLS13,
2423 Bugs: ProtocolBugs{
2424 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2425 },
2426 },
2427 shouldFail: true,
2428 expectedError: ":INVALID_COMPRESSION_LIST:",
2429 expectedLocalError: "remote error: illegal parameter",
2430 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2431 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2432 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2433 config: Config{
2434 MaxVersion: VersionTLS12,
2435 Bugs: ProtocolBugs{
2436 ExpectGREASE: true,
2437 },
2438 },
2439 flags: []string{"-enable-grease"},
2440 },
2441 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2442 name: "GREASE-Client-TLS13",
2443 config: Config{
2444 MaxVersion: VersionTLS13,
2445 Bugs: ProtocolBugs{
2446 ExpectGREASE: true,
2447 },
2448 },
2449 flags: []string{"-enable-grease"},
2450 },
2451 {
2452 testType: serverTest,
2453 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2454 config: Config{
2455 MaxVersion: VersionTLS13,
2456 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2457 // TLS 1.3 servers are expected to
2458 // always enable GREASE. TLS 1.3 is new,
2459 // so there is no existing ecosystem to
2460 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2461 ExpectGREASE: true,
2462 },
2463 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2464 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2465 {
2466 // Test the server so there is a large certificate as
2467 // well as application data.
2468 testType: serverTest,
2469 name: "MaxSendFragment",
2470 config: Config{
2471 Bugs: ProtocolBugs{
2472 MaxReceivePlaintext: 512,
2473 },
2474 },
2475 messageLen: 1024,
2476 flags: []string{
2477 "-max-send-fragment", "512",
2478 "-read-size", "1024",
2479 },
2480 },
2481 {
2482 // Test the server so there is a large certificate as
2483 // well as application data.
2484 testType: serverTest,
2485 name: "MaxSendFragment-TooLarge",
2486 config: Config{
2487 Bugs: ProtocolBugs{
2488 // Ensure that some of the records are
2489 // 512.
2490 MaxReceivePlaintext: 511,
2491 },
2492 },
2493 messageLen: 1024,
2494 flags: []string{
2495 "-max-send-fragment", "512",
2496 "-read-size", "1024",
2497 },
2498 shouldFail: true,
2499 expectedLocalError: "local error: record overflow",
2500 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2501 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2502 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2503
2504 // Test that very large messages can be received.
2505 cert := rsaCertificate
2506 for i := 0; i < 50; i++ {
2507 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2508 }
2509 testCases = append(testCases, testCase{
2510 name: "LargeMessage",
2511 config: Config{
2512 Certificates: []Certificate{cert},
2513 },
2514 })
2515 testCases = append(testCases, testCase{
2516 protocol: dtls,
2517 name: "LargeMessage-DTLS",
2518 config: Config{
2519 Certificates: []Certificate{cert},
2520 },
2521 })
2522
2523 // They are rejected if the maximum certificate chain length is capped.
2524 testCases = append(testCases, testCase{
2525 name: "LargeMessage-Reject",
2526 config: Config{
2527 Certificates: []Certificate{cert},
2528 },
2529 flags: []string{"-max-cert-list", "16384"},
2530 shouldFail: true,
2531 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2532 })
2533 testCases = append(testCases, testCase{
2534 protocol: dtls,
2535 name: "LargeMessage-Reject-DTLS",
2536 config: Config{
2537 Certificates: []Certificate{cert},
2538 },
2539 flags: []string{"-max-cert-list", "16384"},
2540 shouldFail: true,
2541 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2542 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2543}
2544
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2545func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2546 const psk = "12345"
2547 const pskIdentity = "luggage combo"
2548
2549 var prefix string
2550 if protocol == dtls {
2551 if !ver.hasDTLS {
2552 return
2553 }
2554 prefix = "D"
2555 }
2556
2557 var cert Certificate
2558 var certFile string
2559 var keyFile string
2560 if hasComponent(suite.name, "ECDSA") {
2561 cert = ecdsaP256Certificate
2562 certFile = ecdsaP256CertificateFile
2563 keyFile = ecdsaP256KeyFile
2564 } else {
2565 cert = rsaCertificate
2566 certFile = rsaCertificateFile
2567 keyFile = rsaKeyFile
2568 }
2569
2570 var flags []string
2571 if hasComponent(suite.name, "PSK") {
2572 flags = append(flags,
2573 "-psk", psk,
2574 "-psk-identity", pskIdentity)
2575 }
2576 if hasComponent(suite.name, "NULL") {
2577 // NULL ciphers must be explicitly enabled.
2578 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2579 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2580
2581 var shouldServerFail, shouldClientFail bool
2582 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2583 // BoringSSL clients accept ECDHE on SSLv3, but
2584 // a BoringSSL server will never select it
2585 // because the extension is missing.
2586 shouldServerFail = true
2587 }
2588 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2589 shouldClientFail = true
2590 shouldServerFail = true
2591 }
2592 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2593 shouldClientFail = true
2594 shouldServerFail = true
2595 }
2596 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2597 shouldClientFail = true
2598 shouldServerFail = true
2599 }
2600 if !isDTLSCipher(suite.name) && protocol == dtls {
2601 shouldClientFail = true
2602 shouldServerFail = true
2603 }
2604
2605 var sendCipherSuite uint16
2606 var expectedServerError, expectedClientError string
2607 serverCipherSuites := []uint16{suite.id}
2608 if shouldServerFail {
2609 expectedServerError = ":NO_SHARED_CIPHER:"
2610 }
2611 if shouldClientFail {
2612 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2613 // Configure the server to select ciphers as normal but
2614 // select an incompatible cipher in ServerHello.
2615 serverCipherSuites = nil
2616 sendCipherSuite = suite.id
2617 }
2618
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2619 // For cipher suites and versions where exporters are defined, verify
2620 // that they interoperate.
2621 var exportKeyingMaterial int
2622 if ver.version > VersionSSL30 {
2623 exportKeyingMaterial = 1024
2624 }
2625
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2626 testCases = append(testCases, testCase{
2627 testType: serverTest,
2628 protocol: protocol,
2629 name: prefix + ver.name + "-" + suite.name + "-server",
2630 config: Config{
2631 MinVersion: ver.version,
2632 MaxVersion: ver.version,
2633 CipherSuites: []uint16{suite.id},
2634 Certificates: []Certificate{cert},
2635 PreSharedKey: []byte(psk),
2636 PreSharedKeyIdentity: pskIdentity,
2637 Bugs: ProtocolBugs{
2638 AdvertiseAllConfiguredCiphers: true,
2639 },
2640 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2641 certFile: certFile,
2642 keyFile: keyFile,
2643 flags: flags,
2644 resumeSession: true,
2645 shouldFail: shouldServerFail,
2646 expectedError: expectedServerError,
2647 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2648 })
2649
2650 testCases = append(testCases, testCase{
2651 testType: clientTest,
2652 protocol: protocol,
2653 name: prefix + ver.name + "-" + suite.name + "-client",
2654 config: Config{
2655 MinVersion: ver.version,
2656 MaxVersion: ver.version,
2657 CipherSuites: serverCipherSuites,
2658 Certificates: []Certificate{cert},
2659 PreSharedKey: []byte(psk),
2660 PreSharedKeyIdentity: pskIdentity,
2661 Bugs: ProtocolBugs{
2662 IgnorePeerCipherPreferences: shouldClientFail,
2663 SendCipherSuite: sendCipherSuite,
2664 },
2665 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2666 flags: flags,
2667 resumeSession: true,
2668 shouldFail: shouldClientFail,
2669 expectedError: expectedClientError,
2670 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2671 })
2672
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2673 if shouldClientFail {
2674 return
2675 }
2676
2677 // Ensure the maximum record size is accepted.
2678 testCases = append(testCases, testCase{
2679 protocol: protocol,
2680 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2681 config: Config{
2682 MinVersion: ver.version,
2683 MaxVersion: ver.version,
2684 CipherSuites: []uint16{suite.id},
2685 Certificates: []Certificate{cert},
2686 PreSharedKey: []byte(psk),
2687 PreSharedKeyIdentity: pskIdentity,
2688 },
2689 flags: flags,
2690 messageLen: maxPlaintext,
2691 })
2692
2693 // Test bad records for all ciphers. Bad records are fatal in TLS
2694 // and ignored in DTLS.
2695 var shouldFail bool
2696 var expectedError string
2697 if protocol == tls {
2698 shouldFail = true
2699 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2700 }
2701
2702 testCases = append(testCases, testCase{
2703 protocol: protocol,
2704 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2705 config: Config{
2706 MinVersion: ver.version,
2707 MaxVersion: ver.version,
2708 CipherSuites: []uint16{suite.id},
2709 Certificates: []Certificate{cert},
2710 PreSharedKey: []byte(psk),
2711 PreSharedKeyIdentity: pskIdentity,
2712 },
2713 flags: flags,
2714 damageFirstWrite: true,
2715 messageLen: maxPlaintext,
2716 shouldFail: shouldFail,
2717 expectedError: expectedError,
2718 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2719}
2720
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2721func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2722 const bogusCipher = 0xfe00
2723
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2724 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2725 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2726 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2727 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2728 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2729 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2730 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2731
2732 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2733 name: "NoSharedCipher",
2734 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2735 MaxVersion: VersionTLS12,
2736 CipherSuites: []uint16{},
2737 },
2738 shouldFail: true,
2739 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2740 })
2741
2742 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2743 name: "NoSharedCipher-TLS13",
2744 config: Config{
2745 MaxVersion: VersionTLS13,
2746 CipherSuites: []uint16{},
2747 },
2748 shouldFail: true,
2749 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2750 })
2751
2752 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2753 name: "UnsupportedCipherSuite",
2754 config: Config{
2755 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2756 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2757 Bugs: ProtocolBugs{
2758 IgnorePeerCipherPreferences: true,
2759 },
2760 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2761 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2762 shouldFail: true,
2763 expectedError: ":WRONG_CIPHER_RETURNED:",
2764 })
2765
2766 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2767 name: "ServerHelloBogusCipher",
2768 config: Config{
2769 MaxVersion: VersionTLS12,
2770 Bugs: ProtocolBugs{
2771 SendCipherSuite: bogusCipher,
2772 },
2773 },
2774 shouldFail: true,
2775 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2776 })
2777 testCases = append(testCases, testCase{
2778 name: "ServerHelloBogusCipher-TLS13",
2779 config: Config{
2780 MaxVersion: VersionTLS13,
2781 Bugs: ProtocolBugs{
2782 SendCipherSuite: bogusCipher,
2783 },
2784 },
2785 shouldFail: true,
2786 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2787 })
2788
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2789 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2790 testCases = append(testCases, testCase{
2791 testType: serverTest,
2792 name: "UnknownCipher",
2793 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2794 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2795 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2796 Bugs: ProtocolBugs{
2797 AdvertiseAllConfiguredCiphers: true,
2798 },
2799 },
2800 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2801
2802 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2803 testCases = append(testCases, testCase{
2804 testType: serverTest,
2805 name: "UnknownCipher-TLS13",
2806 config: Config{
2807 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2808 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2809 Bugs: ProtocolBugs{
2810 AdvertiseAllConfiguredCiphers: true,
2811 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2812 },
2813 })
2814
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2815 // Test empty ECDHE_PSK identity hints work as expected.
2816 testCases = append(testCases, testCase{
2817 name: "EmptyECDHEPSKHint",
2818 config: Config{
2819 MaxVersion: VersionTLS12,
2820 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2821 PreSharedKey: []byte("secret"),
2822 },
2823 flags: []string{"-psk", "secret"},
2824 })
2825
2826 // Test empty PSK identity hints work as expected, even if an explicit
2827 // ServerKeyExchange is sent.
2828 testCases = append(testCases, testCase{
2829 name: "ExplicitEmptyPSKHint",
2830 config: Config{
2831 MaxVersion: VersionTLS12,
2832 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2833 PreSharedKey: []byte("secret"),
2834 Bugs: ProtocolBugs{
2835 AlwaysSendPreSharedKeyIdentityHint: true,
2836 },
2837 },
2838 flags: []string{"-psk", "secret"},
2839 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2840
2841 // Test that clients enforce that the server-sent certificate and cipher
2842 // suite match in TLS 1.2.
2843 testCases = append(testCases, testCase{
2844 name: "CertificateCipherMismatch-RSA",
2845 config: Config{
2846 MaxVersion: VersionTLS12,
2847 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2848 Certificates: []Certificate{rsaCertificate},
2849 Bugs: ProtocolBugs{
2850 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2851 },
2852 },
2853 shouldFail: true,
2854 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2855 })
2856 testCases = append(testCases, testCase{
2857 name: "CertificateCipherMismatch-ECDSA",
2858 config: Config{
2859 MaxVersion: VersionTLS12,
2860 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2861 Certificates: []Certificate{ecdsaP256Certificate},
2862 Bugs: ProtocolBugs{
2863 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2864 },
2865 },
2866 shouldFail: true,
2867 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2868 })
2869 testCases = append(testCases, testCase{
2870 name: "CertificateCipherMismatch-Ed25519",
2871 config: Config{
2872 MaxVersion: VersionTLS12,
2873 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2874 Certificates: []Certificate{ed25519Certificate},
2875 Bugs: ProtocolBugs{
2876 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2877 },
2878 },
2879 shouldFail: true,
2880 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2881 })
2882
2883 // Test that servers decline to select a cipher suite which is
2884 // inconsistent with their configured certificate.
2885 testCases = append(testCases, testCase{
2886 testType: serverTest,
2887 name: "ServerCipherFilter-RSA",
2888 config: Config{
2889 MaxVersion: VersionTLS12,
2890 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2891 },
2892 flags: []string{
2893 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2894 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2895 },
2896 shouldFail: true,
2897 expectedError: ":NO_SHARED_CIPHER:",
2898 })
2899 testCases = append(testCases, testCase{
2900 testType: serverTest,
2901 name: "ServerCipherFilter-ECDSA",
2902 config: Config{
2903 MaxVersion: VersionTLS12,
2904 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2905 },
2906 flags: []string{
2907 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2908 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2909 },
2910 shouldFail: true,
2911 expectedError: ":NO_SHARED_CIPHER:",
2912 })
2913 testCases = append(testCases, testCase{
2914 testType: serverTest,
2915 name: "ServerCipherFilter-Ed25519",
2916 config: Config{
2917 MaxVersion: VersionTLS12,
2918 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2919 },
2920 flags: []string{
2921 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2922 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2923 },
2924 shouldFail: true,
2925 expectedError: ":NO_SHARED_CIPHER:",
2926 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2927}
2928
2929func addBadECDSASignatureTests() {
2930 for badR := BadValue(1); badR < NumBadValues; badR++ {
2931 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2932 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2933 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2934 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2935 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2936 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2937 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2938 Bugs: ProtocolBugs{
2939 BadECDSAR: badR,
2940 BadECDSAS: badS,
2941 },
2942 },
2943 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2944 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2945 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2946 testCases = append(testCases, testCase{
2947 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2948 config: Config{
2949 MaxVersion: VersionTLS13,
2950 Certificates: []Certificate{ecdsaP256Certificate},
2951 Bugs: ProtocolBugs{
2952 BadECDSAR: badR,
2953 BadECDSAS: badS,
2954 },
2955 },
2956 shouldFail: true,
2957 expectedError: ":BAD_SIGNATURE:",
2958 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2959 }
2960 }
2961}
2962
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2963func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2964 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2965 name: "MaxCBCPadding",
2966 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2967 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2968 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2969 Bugs: ProtocolBugs{
2970 MaxPadding: true,
2971 },
2972 },
2973 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2974 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2975 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2976 name: "BadCBCPadding",
2977 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2978 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2979 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2980 Bugs: ProtocolBugs{
2981 PaddingFirstByteBad: true,
2982 },
2983 },
2984 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2985 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2986 })
2987 // OpenSSL previously had an issue where the first byte of padding in
2988 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2989 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2990 name: "BadCBCPadding255",
2991 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2992 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2993 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2994 Bugs: ProtocolBugs{
2995 MaxPadding: true,
2996 PaddingFirstByteBadIf255: true,
2997 },
2998 },
2999 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3000 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3001 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3002 })
3003}
3004
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3005func addCBCSplittingTests() {
3006 testCases = append(testCases, testCase{
3007 name: "CBCRecordSplitting",
3008 config: Config{
3009 MaxVersion: VersionTLS10,
3010 MinVersion: VersionTLS10,
3011 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3012 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3013 messageLen: -1, // read until EOF
3014 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3015 flags: []string{
3016 "-async",
3017 "-write-different-record-sizes",
3018 "-cbc-record-splitting",
3019 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3020 })
3021 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3022 name: "CBCRecordSplittingPartialWrite",
3023 config: Config{
3024 MaxVersion: VersionTLS10,
3025 MinVersion: VersionTLS10,
3026 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3027 },
3028 messageLen: -1, // read until EOF
3029 flags: []string{
3030 "-async",
3031 "-write-different-record-sizes",
3032 "-cbc-record-splitting",
3033 "-partial-write",
3034 },
3035 })
3036}
3037
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3038func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3039 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3040 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3041 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3042 cert, err := x509.ParseCertificate(cert.Certificate[0])
3043 if err != nil {
3044 panic(err)
3045 }
3046 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3047 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3048 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3049
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3050 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3051 testCases = append(testCases, testCase{
3052 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3053 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3054 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3055 MinVersion: ver.version,
3056 MaxVersion: ver.version,
3057 ClientAuth: RequireAnyClientCert,
3058 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3059 },
3060 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3061 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3062 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3063 },
3064 })
3065 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3066 testType: serverTest,
3067 name: ver.name + "-Server-ClientAuth-RSA",
3068 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3069 MinVersion: ver.version,
3070 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3071 Certificates: []Certificate{rsaCertificate},
3072 },
3073 flags: []string{"-require-any-client-certificate"},
3074 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3075 if ver.version != VersionSSL30 {
3076 testCases = append(testCases, testCase{
3077 testType: serverTest,
3078 name: ver.name + "-Server-ClientAuth-ECDSA",
3079 config: Config{
3080 MinVersion: ver.version,
3081 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3082 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3083 },
3084 flags: []string{"-require-any-client-certificate"},
3085 })
3086 testCases = append(testCases, testCase{
3087 testType: clientTest,
3088 name: ver.name + "-Client-ClientAuth-ECDSA",
3089 config: Config{
3090 MinVersion: ver.version,
3091 MaxVersion: ver.version,
3092 ClientAuth: RequireAnyClientCert,
3093 ClientCAs: certPool,
3094 },
3095 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3096 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3097 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3098 },
3099 })
3100 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3101
3102 testCases = append(testCases, testCase{
3103 name: "NoClientCertificate-" + ver.name,
3104 config: Config{
3105 MinVersion: ver.version,
3106 MaxVersion: ver.version,
3107 ClientAuth: RequireAnyClientCert,
3108 },
3109 shouldFail: true,
3110 expectedLocalError: "client didn't provide a certificate",
3111 })
3112
3113 testCases = append(testCases, testCase{
3114 // Even if not configured to expect a certificate, OpenSSL will
3115 // return X509_V_OK as the verify_result.
3116 testType: serverTest,
3117 name: "NoClientCertificateRequested-Server-" + ver.name,
3118 config: Config{
3119 MinVersion: ver.version,
3120 MaxVersion: ver.version,
3121 },
3122 flags: []string{
3123 "-expect-verify-result",
3124 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3125 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3126 })
3127
3128 testCases = append(testCases, testCase{
3129 // If a client certificate is not provided, OpenSSL will still
3130 // return X509_V_OK as the verify_result.
3131 testType: serverTest,
3132 name: "NoClientCertificate-Server-" + ver.name,
3133 config: Config{
3134 MinVersion: ver.version,
3135 MaxVersion: ver.version,
3136 },
3137 flags: []string{
3138 "-expect-verify-result",
3139 "-verify-peer",
3140 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3141 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3142 })
3143
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3144 certificateRequired := "remote error: certificate required"
3145 if ver.version < VersionTLS13 {
3146 // Prior to TLS 1.3, the generic handshake_failure alert
3147 // was used.
3148 certificateRequired = "remote error: handshake failure"
3149 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3150 testCases = append(testCases, testCase{
3151 testType: serverTest,
3152 name: "RequireAnyClientCertificate-" + ver.name,
3153 config: Config{
3154 MinVersion: ver.version,
3155 MaxVersion: ver.version,
3156 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3157 flags: []string{"-require-any-client-certificate"},
3158 shouldFail: true,
3159 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3160 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3161 })
3162
3163 if ver.version != VersionSSL30 {
3164 testCases = append(testCases, testCase{
3165 testType: serverTest,
3166 name: "SkipClientCertificate-" + ver.name,
3167 config: Config{
3168 MinVersion: ver.version,
3169 MaxVersion: ver.version,
3170 Bugs: ProtocolBugs{
3171 SkipClientCertificate: true,
3172 },
3173 },
3174 // Setting SSL_VERIFY_PEER allows anonymous clients.
3175 flags: []string{"-verify-peer"},
3176 shouldFail: true,
3177 expectedError: ":UNEXPECTED_MESSAGE:",
3178 })
3179 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3180
3181 testCases = append(testCases, testCase{
3182 testType: serverTest,
3183 name: ver.name + "-Server-CertReq-CA-List",
3184 config: Config{
3185 MinVersion: ver.version,
3186 MaxVersion: ver.version,
3187 Certificates: []Certificate{rsaCertificate},
3188 Bugs: ProtocolBugs{
3189 ExpectCertificateReqNames: caNames,
3190 },
3191 },
3192 flags: []string{
3193 "-require-any-client-certificate",
3194 "-use-client-ca-list", encodeDERValues(caNames),
3195 },
3196 })
3197
3198 testCases = append(testCases, testCase{
3199 testType: clientTest,
3200 name: ver.name + "-Client-CertReq-CA-List",
3201 config: Config{
3202 MinVersion: ver.version,
3203 MaxVersion: ver.version,
3204 Certificates: []Certificate{rsaCertificate},
3205 ClientAuth: RequireAnyClientCert,
3206 ClientCAs: certPool,
3207 },
3208 flags: []string{
3209 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3210 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3211 "-expect-client-ca-list", encodeDERValues(caNames),
3212 },
3213 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3214 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3215
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3216 // Client auth is only legal in certificate-based ciphers.
3217 testCases = append(testCases, testCase{
3218 testType: clientTest,
3219 name: "ClientAuth-PSK",
3220 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3221 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3222 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3223 PreSharedKey: []byte("secret"),
3224 ClientAuth: RequireAnyClientCert,
3225 },
3226 flags: []string{
3227 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3228 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3229 "-psk", "secret",
3230 },
3231 shouldFail: true,
3232 expectedError: ":UNEXPECTED_MESSAGE:",
3233 })
3234 testCases = append(testCases, testCase{
3235 testType: clientTest,
3236 name: "ClientAuth-ECDHE_PSK",
3237 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3238 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3239 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3240 PreSharedKey: []byte("secret"),
3241 ClientAuth: RequireAnyClientCert,
3242 },
3243 flags: []string{
3244 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3245 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3246 "-psk", "secret",
3247 },
3248 shouldFail: true,
3249 expectedError: ":UNEXPECTED_MESSAGE:",
3250 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3251
3252 // Regression test for a bug where the client CA list, if explicitly
3253 // set to NULL, was mis-encoded.
3254 testCases = append(testCases, testCase{
3255 testType: serverTest,
3256 name: "Null-Client-CA-List",
3257 config: Config{
3258 MaxVersion: VersionTLS12,
3259 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3260 Bugs: ProtocolBugs{
3261 ExpectCertificateReqNames: [][]byte{},
3262 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3263 },
3264 flags: []string{
3265 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3266 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3267 },
3268 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3269}
3270
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3271func addExtendedMasterSecretTests() {
3272 const expectEMSFlag = "-expect-extended-master-secret"
3273
3274 for _, with := range []bool{false, true} {
3275 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3276 if with {
3277 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3278 }
3279
3280 for _, isClient := range []bool{false, true} {
3281 suffix := "-Server"
3282 testType := serverTest
3283 if isClient {
3284 suffix = "-Client"
3285 testType = clientTest
3286 }
3287
3288 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3289 // In TLS 1.3, the extension is irrelevant and
3290 // always reports as enabled.
3291 var flags []string
3292 if with || ver.version >= VersionTLS13 {
3293 flags = []string{expectEMSFlag}
3294 }
3295
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3296 test := testCase{
3297 testType: testType,
3298 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3299 config: Config{
3300 MinVersion: ver.version,
3301 MaxVersion: ver.version,
3302 Bugs: ProtocolBugs{
3303 NoExtendedMasterSecret: !with,
3304 RequireExtendedMasterSecret: with,
3305 },
3306 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3307 flags: flags,
3308 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3309 }
3310 if test.shouldFail {
3311 test.expectedLocalError = "extended master secret required but not supported by peer"
3312 }
3313 testCases = append(testCases, test)
3314 }
3315 }
3316 }
3317
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3318 for _, isClient := range []bool{false, true} {
3319 for _, supportedInFirstConnection := range []bool{false, true} {
3320 for _, supportedInResumeConnection := range []bool{false, true} {
3321 boolToWord := func(b bool) string {
3322 if b {
3323 return "Yes"
3324 }
3325 return "No"
3326 }
3327 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3328 if isClient {
3329 suffix += "Client"
3330 } else {
3331 suffix += "Server"
3332 }
3333
3334 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3335 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3336 Bugs: ProtocolBugs{
3337 RequireExtendedMasterSecret: true,
3338 },
3339 }
3340
3341 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3342 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3343 Bugs: ProtocolBugs{
3344 NoExtendedMasterSecret: true,
3345 },
3346 }
3347
3348 test := testCase{
3349 name: "ExtendedMasterSecret-" + suffix,
3350 resumeSession: true,
3351 }
3352
3353 if !isClient {
3354 test.testType = serverTest
3355 }
3356
3357 if supportedInFirstConnection {
3358 test.config = supportedConfig
3359 } else {
3360 test.config = noSupportConfig
3361 }
3362
3363 if supportedInResumeConnection {
3364 test.resumeConfig = &supportedConfig
3365 } else {
3366 test.resumeConfig = &noSupportConfig
3367 }
3368
3369 switch suffix {
3370 case "YesToYes-Client", "YesToYes-Server":
3371 // When a session is resumed, it should
3372 // still be aware that its master
3373 // secret was generated via EMS and
3374 // thus it's safe to use tls-unique.
3375 test.flags = []string{expectEMSFlag}
3376 case "NoToYes-Server":
3377 // If an original connection did not
3378 // contain EMS, but a resumption
3379 // handshake does, then a server should
3380 // not resume the session.
3381 test.expectResumeRejected = true
3382 case "YesToNo-Server":
3383 // Resuming an EMS session without the
3384 // EMS extension should cause the
3385 // server to abort the connection.
3386 test.shouldFail = true
3387 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3388 case "NoToYes-Client":
3389 // A client should abort a connection
3390 // where the server resumed a non-EMS
3391 // session but echoed the EMS
3392 // extension.
3393 test.shouldFail = true
3394 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3395 case "YesToNo-Client":
3396 // A client should abort a connection
3397 // where the server didn't echo EMS
3398 // when the session used it.
3399 test.shouldFail = true
3400 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3401 }
3402
3403 testCases = append(testCases, test)
3404 }
3405 }
3406 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3407
3408 // Switching EMS on renegotiation is forbidden.
3409 testCases = append(testCases, testCase{
3410 name: "ExtendedMasterSecret-Renego-NoEMS",
3411 config: Config{
3412 MaxVersion: VersionTLS12,
3413 Bugs: ProtocolBugs{
3414 NoExtendedMasterSecret: true,
3415 NoExtendedMasterSecretOnRenegotiation: true,
3416 },
3417 },
3418 renegotiate: 1,
3419 flags: []string{
3420 "-renegotiate-freely",
3421 "-expect-total-renegotiations", "1",
3422 },
3423 })
3424
3425 testCases = append(testCases, testCase{
3426 name: "ExtendedMasterSecret-Renego-Upgrade",
3427 config: Config{
3428 MaxVersion: VersionTLS12,
3429 Bugs: ProtocolBugs{
3430 NoExtendedMasterSecret: true,
3431 },
3432 },
3433 renegotiate: 1,
3434 flags: []string{
3435 "-renegotiate-freely",
3436 "-expect-total-renegotiations", "1",
3437 },
3438 shouldFail: true,
3439 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3440 })
3441
3442 testCases = append(testCases, testCase{
3443 name: "ExtendedMasterSecret-Renego-Downgrade",
3444 config: Config{
3445 MaxVersion: VersionTLS12,
3446 Bugs: ProtocolBugs{
3447 NoExtendedMasterSecretOnRenegotiation: true,
3448 },
3449 },
3450 renegotiate: 1,
3451 flags: []string{
3452 "-renegotiate-freely",
3453 "-expect-total-renegotiations", "1",
3454 },
3455 shouldFail: true,
3456 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3457 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3458}
3459
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3460type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3461 protocol protocol
3462 async bool
3463 splitHandshake bool
3464 packHandshakeFlight bool
3465 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3466}
3467
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3468// Adds tests that try to cover the range of the handshake state machine, under
3469// various conditions. Some of these are redundant with other tests, but they
3470// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3471func addAllStateMachineCoverageTests() {
3472 for _, async := range []bool{false, true} {
3473 for _, protocol := range []protocol{tls, dtls} {
3474 addStateMachineCoverageTests(stateMachineTestConfig{
3475 protocol: protocol,
3476 async: async,
3477 })
3478 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3479 protocol: protocol,
3480 async: async,
3481 implicitHandshake: true,
3482 })
3483 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3484 protocol: protocol,
3485 async: async,
3486 splitHandshake: true,
3487 })
3488 if protocol == tls {
3489 addStateMachineCoverageTests(stateMachineTestConfig{
3490 protocol: protocol,
3491 async: async,
3492 packHandshakeFlight: true,
3493 })
3494 }
3495 }
3496 }
3497}
3498
3499func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3500 var tests []testCase
3501
3502 // Basic handshake, with resumption. Client and server,
3503 // session ID and session ticket.
3504 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3505 name: "Basic-Client",
3506 config: Config{
3507 MaxVersion: VersionTLS12,
3508 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3509 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3510 // Ensure session tickets are used, not session IDs.
3511 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3512 })
3513 tests = append(tests, testCase{
3514 name: "Basic-Client-RenewTicket",
3515 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3516 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3517 Bugs: ProtocolBugs{
3518 RenewTicketOnResume: true,
3519 },
3520 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3521 flags: []string{"-expect-ticket-renewal"},
3522 resumeSession: true,
3523 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3524 })
3525 tests = append(tests, testCase{
3526 name: "Basic-Client-NoTicket",
3527 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3528 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3529 SessionTicketsDisabled: true,
3530 },
3531 resumeSession: true,
3532 })
3533 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3534 testType: serverTest,
3535 name: "Basic-Server",
3536 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3537 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3538 Bugs: ProtocolBugs{
3539 RequireSessionTickets: true,
3540 },
3541 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3542 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3543 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3544 })
3545 tests = append(tests, testCase{
3546 testType: serverTest,
3547 name: "Basic-Server-NoTickets",
3548 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3549 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3550 SessionTicketsDisabled: true,
3551 },
3552 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3553 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3554 })
3555 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3556 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3557 name: "Basic-Server-EarlyCallback",
3558 config: Config{
3559 MaxVersion: VersionTLS12,
3560 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3561 flags: []string{"-use-early-callback"},
3562 resumeSession: true,
3563 })
3564
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3565 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3566 if config.protocol == tls {
3567 tests = append(tests, testCase{
3568 name: "TLS13-1RTT-Client",
3569 config: Config{
3570 MaxVersion: VersionTLS13,
3571 MinVersion: VersionTLS13,
3572 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3573 resumeSession: true,
3574 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3575 })
3576
3577 tests = append(tests, testCase{
3578 testType: serverTest,
3579 name: "TLS13-1RTT-Server",
3580 config: Config{
3581 MaxVersion: VersionTLS13,
3582 MinVersion: VersionTLS13,
3583 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3584 resumeSession: true,
3585 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3586 // TLS 1.3 uses tickets, so the session should not be
3587 // cached statefully.
3588 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3589 })
3590
3591 tests = append(tests, testCase{
3592 name: "TLS13-HelloRetryRequest-Client",
3593 config: Config{
3594 MaxVersion: VersionTLS13,
3595 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3596 // P-384 requires a HelloRetryRequest against BoringSSL's default
3597 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3598 CurvePreferences: []CurveID{CurveP384},
3599 Bugs: ProtocolBugs{
3600 ExpectMissingKeyShare: true,
3601 },
3602 },
3603 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3604 resumeSession: true,
3605 })
3606
3607 tests = append(tests, testCase{
3608 testType: serverTest,
3609 name: "TLS13-HelloRetryRequest-Server",
3610 config: Config{
3611 MaxVersion: VersionTLS13,
3612 MinVersion: VersionTLS13,
3613 // Require a HelloRetryRequest for every curve.
3614 DefaultCurves: []CurveID{},
3615 },
3616 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3617 resumeSession: true,
3618 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3619
3620 // TODO(svaldez): Send data on early data once implemented.
3621 tests = append(tests, testCase{
3622 testType: clientTest,
3623 name: "TLS13-EarlyData-Client",
3624 config: Config{
3625 MaxVersion: VersionTLS13,
3626 MinVersion: VersionTLS13,
3627 MaxEarlyDataSize: 16384,
3628 },
3629 resumeSession: true,
3630 flags: []string{
3631 "-enable-early-data",
3632 "-expect-early-data-info",
3633 "-expect-accept-early-data",
3634 },
3635 })
3636
3637 tests = append(tests, testCase{
3638 testType: serverTest,
3639 name: "TLS13-EarlyData-Server",
3640 config: Config{
3641 MaxVersion: VersionTLS13,
3642 MinVersion: VersionTLS13,
3643 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3644 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3645 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3646 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3647 },
3648 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3649 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3650 resumeSession: true,
3651 flags: []string{
3652 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3653 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3654 },
3655 })
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3656
3657 tests = append(tests, testCase{
3658 testType: serverTest,
3659 name: "TLS13-MaxEarlyData-Server",
3660 config: Config{
3661 MaxVersion: VersionTLS13,
3662 MinVersion: VersionTLS13,
3663 Bugs: ProtocolBugs{
David Benjamin29975892017-04-27 23:47:21 -0400[diff] [blame]3664 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3665 ExpectEarlyDataAccepted: true,
3666 },
3667 },
3668 messageCount: 2,
3669 resumeSession: true,
3670 flags: []string{
3671 "-enable-early-data",
3672 "-expect-accept-early-data",
3673 },
3674 shouldFail: true,
3675 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
3676 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3677 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3678
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3679 // TLS client auth.
3680 tests = append(tests, testCase{
3681 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3682 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3683 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3684 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3685 ClientAuth: RequestClientCert,
3686 },
3687 })
3688 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3689 testType: serverTest,
3690 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3691 config: Config{
3692 MaxVersion: VersionTLS12,
3693 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3694 // Setting SSL_VERIFY_PEER allows anonymous clients.
3695 flags: []string{"-verify-peer"},
3696 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3697 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3698 tests = append(tests, testCase{
3699 testType: clientTest,
3700 name: "ClientAuth-NoCertificate-Client-SSL3",
3701 config: Config{
3702 MaxVersion: VersionSSL30,
3703 ClientAuth: RequestClientCert,
3704 },
3705 })
3706 tests = append(tests, testCase{
3707 testType: serverTest,
3708 name: "ClientAuth-NoCertificate-Server-SSL3",
3709 config: Config{
3710 MaxVersion: VersionSSL30,
3711 },
3712 // Setting SSL_VERIFY_PEER allows anonymous clients.
3713 flags: []string{"-verify-peer"},
3714 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3715 tests = append(tests, testCase{
3716 testType: clientTest,
3717 name: "ClientAuth-NoCertificate-Client-TLS13",
3718 config: Config{
3719 MaxVersion: VersionTLS13,
3720 ClientAuth: RequestClientCert,
3721 },
3722 })
3723 tests = append(tests, testCase{
3724 testType: serverTest,
3725 name: "ClientAuth-NoCertificate-Server-TLS13",
3726 config: Config{
3727 MaxVersion: VersionTLS13,
3728 },
3729 // Setting SSL_VERIFY_PEER allows anonymous clients.
3730 flags: []string{"-verify-peer"},
3731 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3732 }
3733 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3734 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3735 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3736 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3737 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3738 ClientAuth: RequireAnyClientCert,
3739 },
3740 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3741 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3742 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3743 },
3744 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3745 tests = append(tests, testCase{
3746 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3747 name: "ClientAuth-RSA-Client-TLS13",
3748 config: Config{
3749 MaxVersion: VersionTLS13,
3750 ClientAuth: RequireAnyClientCert,
3751 },
3752 flags: []string{
3753 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3754 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3755 },
3756 })
3757 tests = append(tests, testCase{
3758 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3759 name: "ClientAuth-ECDSA-Client",
3760 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3761 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3762 ClientAuth: RequireAnyClientCert,
3763 },
3764 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3765 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3766 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3767 },
3768 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3769 tests = append(tests, testCase{
3770 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3771 name: "ClientAuth-ECDSA-Client-TLS13",
3772 config: Config{
3773 MaxVersion: VersionTLS13,
3774 ClientAuth: RequireAnyClientCert,
3775 },
3776 flags: []string{
3777 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3778 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3779 },
3780 })
3781 tests = append(tests, testCase{
3782 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3783 name: "ClientAuth-NoCertificate-OldCallback",
3784 config: Config{
3785 MaxVersion: VersionTLS12,
3786 ClientAuth: RequestClientCert,
3787 },
3788 flags: []string{"-use-old-client-cert-callback"},
3789 })
3790 tests = append(tests, testCase{
3791 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3792 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3793 config: Config{
3794 MaxVersion: VersionTLS13,
3795 ClientAuth: RequestClientCert,
3796 },
3797 flags: []string{"-use-old-client-cert-callback"},
3798 })
3799 tests = append(tests, testCase{
3800 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3801 name: "ClientAuth-OldCallback",
3802 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3803 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3804 ClientAuth: RequireAnyClientCert,
3805 },
3806 flags: []string{
3807 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3808 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3809 "-use-old-client-cert-callback",
3810 },
3811 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3812 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3813 testType: clientTest,
3814 name: "ClientAuth-OldCallback-TLS13",
3815 config: Config{
3816 MaxVersion: VersionTLS13,
3817 ClientAuth: RequireAnyClientCert,
3818 },
3819 flags: []string{
3820 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3821 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3822 "-use-old-client-cert-callback",
3823 },
3824 })
3825 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3826 testType: serverTest,
3827 name: "ClientAuth-Server",
3828 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3829 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3830 Certificates: []Certificate{rsaCertificate},
3831 },
3832 flags: []string{"-require-any-client-certificate"},
3833 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3834 tests = append(tests, testCase{
3835 testType: serverTest,
3836 name: "ClientAuth-Server-TLS13",
3837 config: Config{
3838 MaxVersion: VersionTLS13,
3839 Certificates: []Certificate{rsaCertificate},
3840 },
3841 flags: []string{"-require-any-client-certificate"},
3842 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3843
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3844 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3845 tests = append(tests, testCase{
3846 testType: serverTest,
3847 name: "Basic-Server-RSA",
3848 config: Config{
3849 MaxVersion: VersionTLS12,
3850 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3851 },
3852 flags: []string{
3853 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3854 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3855 },
3856 })
3857 tests = append(tests, testCase{
3858 testType: serverTest,
3859 name: "Basic-Server-ECDHE-RSA",
3860 config: Config{
3861 MaxVersion: VersionTLS12,
3862 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3863 },
3864 flags: []string{
3865 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3866 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3867 },
3868 })
3869 tests = append(tests, testCase{
3870 testType: serverTest,
3871 name: "Basic-Server-ECDHE-ECDSA",
3872 config: Config{
3873 MaxVersion: VersionTLS12,
3874 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3875 },
3876 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3877 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3878 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3879 },
3880 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3881 tests = append(tests, testCase{
3882 testType: serverTest,
3883 name: "Basic-Server-Ed25519",
3884 config: Config{
3885 MaxVersion: VersionTLS12,
3886 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3887 },
3888 flags: []string{
3889 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3890 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3891 "-enable-ed25519",
3892 },
3893 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3894
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3895 // No session ticket support; server doesn't send NewSessionTicket.
3896 tests = append(tests, testCase{
3897 name: "SessionTicketsDisabled-Client",
3898 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3899 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3900 SessionTicketsDisabled: true,
3901 },
3902 })
3903 tests = append(tests, testCase{
3904 testType: serverTest,
3905 name: "SessionTicketsDisabled-Server",
3906 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3907 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3908 SessionTicketsDisabled: true,
3909 },
3910 })
3911
3912 // Skip ServerKeyExchange in PSK key exchange if there's no
3913 // identity hint.
3914 tests = append(tests, testCase{
3915 name: "EmptyPSKHint-Client",
3916 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3917 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3918 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3919 PreSharedKey: []byte("secret"),
3920 },
3921 flags: []string{"-psk", "secret"},
3922 })
3923 tests = append(tests, testCase{
3924 testType: serverTest,
3925 name: "EmptyPSKHint-Server",
3926 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3927 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3928 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3929 PreSharedKey: []byte("secret"),
3930 },
3931 flags: []string{"-psk", "secret"},
3932 })
3933
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3934 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3935 tests = append(tests, testCase{
3936 testType: clientTest,
3937 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3938 config: Config{
3939 MaxVersion: VersionTLS12,
3940 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3941 flags: []string{
3942 "-enable-ocsp-stapling",
3943 "-expect-ocsp-response",
3944 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3945 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3946 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3947 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3948 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3949 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3950 testType: serverTest,
3951 name: "OCSPStapling-Server",
3952 config: Config{
3953 MaxVersion: VersionTLS12,
3954 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3955 expectedOCSPResponse: testOCSPResponse,
3956 flags: []string{
3957 "-ocsp-response",
3958 base64.StdEncoding.EncodeToString(testOCSPResponse),
3959 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3960 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3961 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3962 tests = append(tests, testCase{
3963 testType: clientTest,
3964 name: "OCSPStapling-Client-TLS13",
3965 config: Config{
3966 MaxVersion: VersionTLS13,
3967 },
3968 flags: []string{
3969 "-enable-ocsp-stapling",
3970 "-expect-ocsp-response",
3971 base64.StdEncoding.EncodeToString(testOCSPResponse),
3972 "-verify-peer",
3973 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3974 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3975 })
3976 tests = append(tests, testCase{
3977 testType: serverTest,
3978 name: "OCSPStapling-Server-TLS13",
3979 config: Config{
3980 MaxVersion: VersionTLS13,
3981 },
3982 expectedOCSPResponse: testOCSPResponse,
3983 flags: []string{
3984 "-ocsp-response",
3985 base64.StdEncoding.EncodeToString(testOCSPResponse),
3986 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3987 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3988 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3989
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3990 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3991 for _, vers := range tlsVersions {
3992 if config.protocol == dtls && !vers.hasDTLS {
3993 continue
3994 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3995 for _, testType := range []testType{clientTest, serverTest} {
3996 suffix := "-Client"
3997 if testType == serverTest {
3998 suffix = "-Server"
3999 }
4000 suffix += "-" + vers.name
4001
4002 flag := "-verify-peer"
4003 if testType == serverTest {
4004 flag = "-require-any-client-certificate"
4005 }
4006
4007 tests = append(tests, testCase{
4008 testType: testType,
4009 name: "CertificateVerificationSucceed" + suffix,
4010 config: Config{
4011 MaxVersion: vers.version,
4012 Certificates: []Certificate{rsaCertificate},
4013 },
4014 flags: []string{
4015 flag,
4016 "-expect-verify-result",
4017 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4018 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4019 })
4020 tests = append(tests, testCase{
4021 testType: testType,
4022 name: "CertificateVerificationFail" + suffix,
4023 config: Config{
4024 MaxVersion: vers.version,
4025 Certificates: []Certificate{rsaCertificate},
4026 },
4027 flags: []string{
4028 flag,
4029 "-verify-fail",
4030 },
4031 shouldFail: true,
4032 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4033 })
4034 }
4035
4036 // By default, the client is in a soft fail mode where the peer
4037 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4038 tests = append(tests, testCase{
4039 testType: clientTest,
4040 name: "CertificateVerificationSoftFail-" + vers.name,
4041 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4042 MaxVersion: vers.version,
4043 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4044 },
4045 flags: []string{
4046 "-verify-fail",
4047 "-expect-verify-result",
4048 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4049 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4050 })
4051 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4052
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4053 tests = append(tests, testCase{
4054 name: "ShimSendAlert",
4055 flags: []string{"-send-alert"},
4056 shimWritesFirst: true,
4057 shouldFail: true,
4058 expectedLocalError: "remote error: decompression failure",
4059 })
4060
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4061 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4062 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4063 name: "Renegotiate-Client",
4064 config: Config{
4065 MaxVersion: VersionTLS12,
4066 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4067 renegotiate: 1,
4068 flags: []string{
4069 "-renegotiate-freely",
4070 "-expect-total-renegotiations", "1",
4071 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4072 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4073
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4074 tests = append(tests, testCase{
4075 name: "SendHalfHelloRequest",
4076 config: Config{
4077 MaxVersion: VersionTLS12,
4078 Bugs: ProtocolBugs{
4079 PackHelloRequestWithFinished: config.packHandshakeFlight,
4080 },
4081 },
4082 sendHalfHelloRequest: true,
4083 flags: []string{"-renegotiate-ignore"},
4084 shouldFail: true,
4085 expectedError: ":UNEXPECTED_RECORD:",
4086 })
4087
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4088 // NPN on client and server; results in post-handshake message.
4089 tests = append(tests, testCase{
4090 name: "NPN-Client",
4091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4092 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4093 NextProtos: []string{"foo"},
4094 },
4095 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4096 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4097 expectedNextProto: "foo",
4098 expectedNextProtoType: npn,
4099 })
4100 tests = append(tests, testCase{
4101 testType: serverTest,
4102 name: "NPN-Server",
4103 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4104 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4105 NextProtos: []string{"bar"},
4106 },
4107 flags: []string{
4108 "-advertise-npn", "\x03foo\x03bar\x03baz",
4109 "-expect-next-proto", "bar",
4110 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4111 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4112 expectedNextProto: "bar",
4113 expectedNextProtoType: npn,
4114 })
4115
4116 // TODO(davidben): Add tests for when False Start doesn't trigger.
4117
4118 // Client does False Start and negotiates NPN.
4119 tests = append(tests, testCase{
4120 name: "FalseStart",
4121 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4122 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4123 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4124 NextProtos: []string{"foo"},
4125 Bugs: ProtocolBugs{
4126 ExpectFalseStart: true,
4127 },
4128 },
4129 flags: []string{
4130 "-false-start",
4131 "-select-next-proto", "foo",
4132 },
4133 shimWritesFirst: true,
4134 resumeSession: true,
4135 })
4136
4137 // Client does False Start and negotiates ALPN.
4138 tests = append(tests, testCase{
4139 name: "FalseStart-ALPN",
4140 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4141 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4142 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4143 NextProtos: []string{"foo"},
4144 Bugs: ProtocolBugs{
4145 ExpectFalseStart: true,
4146 },
4147 },
4148 flags: []string{
4149 "-false-start",
4150 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]4151 "-expect-alpn", "foo",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4152 },
4153 shimWritesFirst: true,
4154 resumeSession: true,
4155 })
4156
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4157 // False Start without session tickets.
4158 tests = append(tests, testCase{
4159 name: "FalseStart-SessionTicketsDisabled",
4160 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4161 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4162 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4163 NextProtos: []string{"foo"},
4164 SessionTicketsDisabled: true,
4165 Bugs: ProtocolBugs{
4166 ExpectFalseStart: true,
4167 },
4168 },
4169 flags: []string{
4170 "-false-start",
4171 "-select-next-proto", "foo",
4172 },
4173 shimWritesFirst: true,
4174 })
4175
4176 // Server parses a V2ClientHello.
4177 tests = append(tests, testCase{
4178 testType: serverTest,
4179 name: "SendV2ClientHello",
4180 config: Config{
4181 // Choose a cipher suite that does not involve
4182 // elliptic curves, so no extensions are
4183 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4184 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4185 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4186 Bugs: ProtocolBugs{
4187 SendV2ClientHello: true,
4188 },
4189 },
4190 })
4191
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4192 // Test Channel ID
4193 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4194 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4195 continue
4196 }
4197 // Client sends a Channel ID.
4198 tests = append(tests, testCase{
4199 name: "ChannelID-Client-" + ver.name,
4200 config: Config{
4201 MaxVersion: ver.version,
4202 RequestChannelID: true,
4203 },
4204 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4205 resumeSession: true,
4206 expectChannelID: true,
4207 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4208
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4209 // Server accepts a Channel ID.
4210 tests = append(tests, testCase{
4211 testType: serverTest,
4212 name: "ChannelID-Server-" + ver.name,
4213 config: Config{
4214 MaxVersion: ver.version,
4215 ChannelID: channelIDKey,
4216 },
4217 flags: []string{
4218 "-expect-channel-id",
4219 base64.StdEncoding.EncodeToString(channelIDBytes),
4220 },
4221 resumeSession: true,
4222 expectChannelID: true,
4223 })
4224
4225 tests = append(tests, testCase{
4226 testType: serverTest,
4227 name: "InvalidChannelIDSignature-" + ver.name,
4228 config: Config{
4229 MaxVersion: ver.version,
4230 ChannelID: channelIDKey,
4231 Bugs: ProtocolBugs{
4232 InvalidChannelIDSignature: true,
4233 },
4234 },
4235 flags: []string{"-enable-channel-id"},
4236 shouldFail: true,
4237 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4238 })
4239 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4240
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4241 // Channel ID and NPN at the same time, to ensure their relative
4242 // ordering is correct.
4243 tests = append(tests, testCase{
4244 name: "ChannelID-NPN-Client",
4245 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4246 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4247 RequestChannelID: true,
4248 NextProtos: []string{"foo"},
4249 },
4250 flags: []string{
4251 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4252 "-select-next-proto", "foo",
4253 },
4254 resumeSession: true,
4255 expectChannelID: true,
4256 expectedNextProto: "foo",
4257 expectedNextProtoType: npn,
4258 })
4259 tests = append(tests, testCase{
4260 testType: serverTest,
4261 name: "ChannelID-NPN-Server",
4262 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4263 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4264 ChannelID: channelIDKey,
4265 NextProtos: []string{"bar"},
4266 },
4267 flags: []string{
4268 "-expect-channel-id",
4269 base64.StdEncoding.EncodeToString(channelIDBytes),
4270 "-advertise-npn", "\x03foo\x03bar\x03baz",
4271 "-expect-next-proto", "bar",
4272 },
4273 resumeSession: true,
4274 expectChannelID: true,
4275 expectedNextProto: "bar",
4276 expectedNextProtoType: npn,
4277 })
4278
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4279 // Bidirectional shutdown with the runner initiating.
4280 tests = append(tests, testCase{
4281 name: "Shutdown-Runner",
4282 config: Config{
4283 Bugs: ProtocolBugs{
4284 ExpectCloseNotify: true,
4285 },
4286 },
4287 flags: []string{"-check-close-notify"},
4288 })
4289
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4290 if !config.implicitHandshake {
4291 // Bidirectional shutdown with the shim initiating. The runner,
4292 // in the meantime, sends garbage before the close_notify which
4293 // the shim must ignore. This test is disabled under implicit
4294 // handshake tests because the shim never reads or writes.
4295 tests = append(tests, testCase{
4296 name: "Shutdown-Shim",
4297 config: Config{
4298 MaxVersion: VersionTLS12,
4299 Bugs: ProtocolBugs{
4300 ExpectCloseNotify: true,
4301 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4302 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4303 shimShutsDown: true,
4304 sendEmptyRecords: 1,
4305 sendWarningAlerts: 1,
4306 flags: []string{"-check-close-notify"},
4307 })
4308 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4309 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4310 // TODO(davidben): DTLS 1.3 will want a similar thing for
4311 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4312 tests = append(tests, testCase{
4313 name: "SkipHelloVerifyRequest",
4314 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4315 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4316 Bugs: ProtocolBugs{
4317 SkipHelloVerifyRequest: true,
4318 },
4319 },
4320 })
4321 }
4322
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4323 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4324 test.protocol = config.protocol
4325 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4326 test.name += "-DTLS"
4327 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4328 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4329 test.name += "-Async"
4330 test.flags = append(test.flags, "-async")
4331 } else {
4332 test.name += "-Sync"
4333 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4334 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4335 test.name += "-SplitHandshakeRecords"
4336 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4337 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4338 test.config.Bugs.MaxPacketLength = 256
4339 test.flags = append(test.flags, "-mtu", "256")
4340 }
4341 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4342 if config.packHandshakeFlight {
4343 test.name += "-PackHandshakeFlight"
4344 test.config.Bugs.PackHandshakeFlight = true
4345 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4346 if config.implicitHandshake {
4347 test.name += "-ImplicitHandshake"
4348 test.flags = append(test.flags, "-implicit-handshake")
4349 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4350 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4351 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4352}
4353
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4354func addDDoSCallbackTests() {
4355 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4356 for _, resume := range []bool{false, true} {
4357 suffix := "Resume"
4358 if resume {
4359 suffix = "No" + suffix
4360 }
4361
4362 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4363 testType: serverTest,
4364 name: "Server-DDoS-OK-" + suffix,
4365 config: Config{
4366 MaxVersion: VersionTLS12,
4367 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4368 flags: []string{"-install-ddos-callback"},
4369 resumeSession: resume,
4370 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4371 testCases = append(testCases, testCase{
4372 testType: serverTest,
4373 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4374 config: Config{
4375 MaxVersion: VersionTLS13,
4376 },
4377 flags: []string{"-install-ddos-callback"},
4378 resumeSession: resume,
4379 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4380
4381 failFlag := "-fail-ddos-callback"
4382 if resume {
4383 failFlag = "-fail-second-ddos-callback"
4384 }
4385 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4386 testType: serverTest,
4387 name: "Server-DDoS-Reject-" + suffix,
4388 config: Config{
4389 MaxVersion: VersionTLS12,
4390 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4391 flags: []string{"-install-ddos-callback", failFlag},
4392 resumeSession: resume,
4393 shouldFail: true,
4394 expectedError: ":CONNECTION_REJECTED:",
4395 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4396 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4397 testCases = append(testCases, testCase{
4398 testType: serverTest,
4399 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4400 config: Config{
4401 MaxVersion: VersionTLS13,
4402 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4403 flags: []string{"-install-ddos-callback", failFlag},
4404 resumeSession: resume,
4405 shouldFail: true,
4406 expectedError: ":CONNECTION_REJECTED:",
4407 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4408 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4409 }
4410}
4411
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4412func addVersionNegotiationTests() {
4413 for i, shimVers := range tlsVersions {
4414 // Assemble flags to disable all newer versions on the shim.
4415 var flags []string
4416 for _, vers := range tlsVersions[i+1:] {
4417 flags = append(flags, vers.flag)
4418 }
4419
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4420 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4421 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4422 protocols := []protocol{tls}
4423 if runnerVers.hasDTLS && shimVers.hasDTLS {
4424 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4425 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4426 for _, protocol := range protocols {
4427 expectedVersion := shimVers.version
4428 if runnerVers.version < shimVers.version {
4429 expectedVersion = runnerVers.version
4430 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4431
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4432 suffix := shimVers.name + "-" + runnerVers.name
4433 if protocol == dtls {
4434 suffix += "-DTLS"
4435 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4436
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4437 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4438
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4439 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4440 clientVers := shimVers.version
4441 if clientVers > VersionTLS10 {
4442 clientVers = VersionTLS10
4443 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4444 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4445 serverVers := expectedVersion
4446 if expectedVersion >= VersionTLS13 {
4447 serverVers = VersionTLS10
4448 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4449 serverVers = versionToWire(serverVers, protocol == dtls)
4450
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4451 testCases = append(testCases, testCase{
4452 protocol: protocol,
4453 testType: clientTest,
4454 name: "VersionNegotiation-Client-" + suffix,
4455 config: Config{
4456 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4457 Bugs: ProtocolBugs{
4458 ExpectInitialRecordVersion: clientVers,
4459 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4460 },
4461 flags: flags,
4462 expectedVersion: expectedVersion,
4463 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4464 testCases = append(testCases, testCase{
4465 protocol: protocol,
4466 testType: clientTest,
4467 name: "VersionNegotiation-Client2-" + suffix,
4468 config: Config{
4469 MaxVersion: runnerVers.version,
4470 Bugs: ProtocolBugs{
4471 ExpectInitialRecordVersion: clientVers,
4472 },
4473 },
4474 flags: []string{"-max-version", shimVersFlag},
4475 expectedVersion: expectedVersion,
4476 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4477
4478 testCases = append(testCases, testCase{
4479 protocol: protocol,
4480 testType: serverTest,
4481 name: "VersionNegotiation-Server-" + suffix,
4482 config: Config{
4483 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4484 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4485 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4486 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4487 },
4488 flags: flags,
4489 expectedVersion: expectedVersion,
4490 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4491 testCases = append(testCases, testCase{
4492 protocol: protocol,
4493 testType: serverTest,
4494 name: "VersionNegotiation-Server2-" + suffix,
4495 config: Config{
4496 MaxVersion: runnerVers.version,
4497 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4498 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4499 },
4500 },
4501 flags: []string{"-max-version", shimVersFlag},
4502 expectedVersion: expectedVersion,
4503 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4504 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4505 }
4506 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4507
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4508 // Test the version extension at all versions.
4509 for _, vers := range tlsVersions {
4510 protocols := []protocol{tls}
4511 if vers.hasDTLS {
4512 protocols = append(protocols, dtls)
4513 }
4514 for _, protocol := range protocols {
4515 suffix := vers.name
4516 if protocol == dtls {
4517 suffix += "-DTLS"
4518 }
4519
4520 wireVersion := versionToWire(vers.version, protocol == dtls)
4521 testCases = append(testCases, testCase{
4522 protocol: protocol,
4523 testType: serverTest,
4524 name: "VersionNegotiationExtension-" + suffix,
4525 config: Config{
4526 Bugs: ProtocolBugs{
4527 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4528 },
4529 },
4530 expectedVersion: vers.version,
4531 })
4532 }
4533
4534 }
4535
4536 // If all versions are unknown, negotiation fails.
4537 testCases = append(testCases, testCase{
4538 testType: serverTest,
4539 name: "NoSupportedVersions",
4540 config: Config{
4541 Bugs: ProtocolBugs{
4542 SendSupportedVersions: []uint16{0x1111},
4543 },
4544 },
4545 shouldFail: true,
4546 expectedError: ":UNSUPPORTED_PROTOCOL:",
4547 })
4548 testCases = append(testCases, testCase{
4549 protocol: dtls,
4550 testType: serverTest,
4551 name: "NoSupportedVersions-DTLS",
4552 config: Config{
4553 Bugs: ProtocolBugs{
4554 SendSupportedVersions: []uint16{0x1111},
4555 },
4556 },
4557 shouldFail: true,
4558 expectedError: ":UNSUPPORTED_PROTOCOL:",
4559 })
4560
4561 testCases = append(testCases, testCase{
4562 testType: serverTest,
4563 name: "ClientHelloVersionTooHigh",
4564 config: Config{
4565 MaxVersion: VersionTLS13,
4566 Bugs: ProtocolBugs{
4567 SendClientVersion: 0x0304,
4568 OmitSupportedVersions: true,
4569 },
4570 },
4571 expectedVersion: VersionTLS12,
4572 })
4573
4574 testCases = append(testCases, testCase{
4575 testType: serverTest,
4576 name: "ConflictingVersionNegotiation",
4577 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4578 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4579 SendClientVersion: VersionTLS12,
4580 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4581 },
4582 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4583 // The extension takes precedence over the ClientHello version.
4584 expectedVersion: VersionTLS11,
4585 })
4586
4587 testCases = append(testCases, testCase{
4588 testType: serverTest,
4589 name: "ConflictingVersionNegotiation-2",
4590 config: Config{
4591 Bugs: ProtocolBugs{
4592 SendClientVersion: VersionTLS11,
4593 SendSupportedVersions: []uint16{VersionTLS12},
4594 },
4595 },
4596 // The extension takes precedence over the ClientHello version.
4597 expectedVersion: VersionTLS12,
4598 })
4599
4600 testCases = append(testCases, testCase{
4601 testType: serverTest,
4602 name: "RejectFinalTLS13",
4603 config: Config{
4604 Bugs: ProtocolBugs{
4605 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4606 },
4607 },
4608 // We currently implement a draft TLS 1.3 version. Ensure that
4609 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4610 expectedVersion: VersionTLS12,
4611 })
4612
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4613 // Test that the maximum version is selected regardless of the
4614 // client-sent order.
4615 testCases = append(testCases, testCase{
4616 testType: serverTest,
4617 name: "IgnoreClientVersionOrder",
4618 config: Config{
4619 Bugs: ProtocolBugs{
4620 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4621 },
4622 },
4623 expectedVersion: VersionTLS13,
4624 })
4625
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4626 // Test for version tolerance.
4627 testCases = append(testCases, testCase{
4628 testType: serverTest,
4629 name: "MinorVersionTolerance",
4630 config: Config{
4631 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4632 SendClientVersion: 0x03ff,
4633 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4634 },
4635 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4636 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4637 })
4638 testCases = append(testCases, testCase{
4639 testType: serverTest,
4640 name: "MajorVersionTolerance",
4641 config: Config{
4642 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4643 SendClientVersion: 0x0400,
4644 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4645 },
4646 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4647 // TLS 1.3 must be negotiated with the supported_versions
4648 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4649 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4650 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4651 testCases = append(testCases, testCase{
4652 testType: serverTest,
4653 name: "VersionTolerance-TLS13",
4654 config: Config{
4655 Bugs: ProtocolBugs{
4656 // Although TLS 1.3 does not use
4657 // ClientHello.version, it still tolerates high
4658 // values there.
4659 SendClientVersion: 0x0400,
4660 },
4661 },
4662 expectedVersion: VersionTLS13,
4663 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4664
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4665 testCases = append(testCases, testCase{
4666 protocol: dtls,
4667 testType: serverTest,
4668 name: "MinorVersionTolerance-DTLS",
4669 config: Config{
4670 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4671 SendClientVersion: 0xfe00,
4672 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4673 },
4674 },
4675 expectedVersion: VersionTLS12,
4676 })
4677 testCases = append(testCases, testCase{
4678 protocol: dtls,
4679 testType: serverTest,
4680 name: "MajorVersionTolerance-DTLS",
4681 config: Config{
4682 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4683 SendClientVersion: 0xfdff,
4684 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4685 },
4686 },
4687 expectedVersion: VersionTLS12,
4688 })
4689
4690 // Test that versions below 3.0 are rejected.
4691 testCases = append(testCases, testCase{
4692 testType: serverTest,
4693 name: "VersionTooLow",
4694 config: Config{
4695 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4696 SendClientVersion: 0x0200,
4697 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4698 },
4699 },
4700 shouldFail: true,
4701 expectedError: ":UNSUPPORTED_PROTOCOL:",
4702 })
4703 testCases = append(testCases, testCase{
4704 protocol: dtls,
4705 testType: serverTest,
4706 name: "VersionTooLow-DTLS",
4707 config: Config{
4708 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4709 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4710 },
4711 },
4712 shouldFail: true,
4713 expectedError: ":UNSUPPORTED_PROTOCOL:",
4714 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4715
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4716 testCases = append(testCases, testCase{
4717 name: "ServerBogusVersion",
4718 config: Config{
4719 Bugs: ProtocolBugs{
4720 SendServerHelloVersion: 0x1234,
4721 },
4722 },
4723 shouldFail: true,
4724 expectedError: ":UNSUPPORTED_PROTOCOL:",
4725 })
4726
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4727 // Test TLS 1.3's downgrade signal.
4728 testCases = append(testCases, testCase{
4729 name: "Downgrade-TLS12-Client",
4730 config: Config{
4731 Bugs: ProtocolBugs{
4732 NegotiateVersion: VersionTLS12,
4733 },
4734 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4735 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4736 // TODO(davidben): This test should fail once TLS 1.3 is final
4737 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4738 })
4739 testCases = append(testCases, testCase{
4740 testType: serverTest,
4741 name: "Downgrade-TLS12-Server",
4742 config: Config{
4743 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4744 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4745 },
4746 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4747 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4748 // TODO(davidben): This test should fail once TLS 1.3 is final
4749 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4750 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4751}
4752
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4753func addMinimumVersionTests() {
4754 for i, shimVers := range tlsVersions {
4755 // Assemble flags to disable all older versions on the shim.
4756 var flags []string
4757 for _, vers := range tlsVersions[:i] {
4758 flags = append(flags, vers.flag)
4759 }
4760
4761 for _, runnerVers := range tlsVersions {
4762 protocols := []protocol{tls}
4763 if runnerVers.hasDTLS && shimVers.hasDTLS {
4764 protocols = append(protocols, dtls)
4765 }
4766 for _, protocol := range protocols {
4767 suffix := shimVers.name + "-" + runnerVers.name
4768 if protocol == dtls {
4769 suffix += "-DTLS"
4770 }
4771 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4772
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4773 var expectedVersion uint16
4774 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4775 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4776 if runnerVers.version >= shimVers.version {
4777 expectedVersion = runnerVers.version
4778 } else {
4779 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4780 expectedError = ":UNSUPPORTED_PROTOCOL:"
4781 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4782 }
4783
4784 testCases = append(testCases, testCase{
4785 protocol: protocol,
4786 testType: clientTest,
4787 name: "MinimumVersion-Client-" + suffix,
4788 config: Config{
4789 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4790 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4791 // Ensure the server does not decline to
4792 // select a version (versions extension) or
4793 // cipher (some ciphers depend on versions).
4794 NegotiateVersion: runnerVers.version,
4795 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4796 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4797 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4798 flags: flags,
4799 expectedVersion: expectedVersion,
4800 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4801 expectedError: expectedError,
4802 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4803 })
4804 testCases = append(testCases, testCase{
4805 protocol: protocol,
4806 testType: clientTest,
4807 name: "MinimumVersion-Client2-" + suffix,
4808 config: Config{
4809 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4810 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4811 // Ensure the server does not decline to
4812 // select a version (versions extension) or
4813 // cipher (some ciphers depend on versions).
4814 NegotiateVersion: runnerVers.version,
4815 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4816 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4817 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4818 flags: []string{"-min-version", shimVersFlag},
4819 expectedVersion: expectedVersion,
4820 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4821 expectedError: expectedError,
4822 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4823 })
4824
4825 testCases = append(testCases, testCase{
4826 protocol: protocol,
4827 testType: serverTest,
4828 name: "MinimumVersion-Server-" + suffix,
4829 config: Config{
4830 MaxVersion: runnerVers.version,
4831 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4832 flags: flags,
4833 expectedVersion: expectedVersion,
4834 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4835 expectedError: expectedError,
4836 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4837 })
4838 testCases = append(testCases, testCase{
4839 protocol: protocol,
4840 testType: serverTest,
4841 name: "MinimumVersion-Server2-" + suffix,
4842 config: Config{
4843 MaxVersion: runnerVers.version,
4844 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4845 flags: []string{"-min-version", shimVersFlag},
4846 expectedVersion: expectedVersion,
4847 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4848 expectedError: expectedError,
4849 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4850 })
4851 }
4852 }
4853 }
4854}
4855
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4856func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4857 // TODO(davidben): Extensions, where applicable, all move their server
4858 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4859 // tests for both. Also test interaction with 0-RTT when implemented.
4860
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4861 // Repeat extensions tests all versions except SSL 3.0.
4862 for _, ver := range tlsVersions {
4863 if ver.version == VersionSSL30 {
4864 continue
4865 }
4866
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4867 // Test that duplicate extensions are rejected.
4868 testCases = append(testCases, testCase{
4869 testType: clientTest,
4870 name: "DuplicateExtensionClient-" + ver.name,
4871 config: Config{
4872 MaxVersion: ver.version,
4873 Bugs: ProtocolBugs{
4874 DuplicateExtension: true,
4875 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4876 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4877 shouldFail: true,
4878 expectedLocalError: "remote error: error decoding message",
4879 })
4880 testCases = append(testCases, testCase{
4881 testType: serverTest,
4882 name: "DuplicateExtensionServer-" + ver.name,
4883 config: Config{
4884 MaxVersion: ver.version,
4885 Bugs: ProtocolBugs{
4886 DuplicateExtension: true,
4887 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4888 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4889 shouldFail: true,
4890 expectedLocalError: "remote error: error decoding message",
4891 })
4892
4893 // Test SNI.
4894 testCases = append(testCases, testCase{
4895 testType: clientTest,
4896 name: "ServerNameExtensionClient-" + ver.name,
4897 config: Config{
4898 MaxVersion: ver.version,
4899 Bugs: ProtocolBugs{
4900 ExpectServerName: "example.com",
4901 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4902 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4903 flags: []string{"-host-name", "example.com"},
4904 })
4905 testCases = append(testCases, testCase{
4906 testType: clientTest,
4907 name: "ServerNameExtensionClientMismatch-" + ver.name,
4908 config: Config{
4909 MaxVersion: ver.version,
4910 Bugs: ProtocolBugs{
4911 ExpectServerName: "mismatch.com",
4912 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4913 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4914 flags: []string{"-host-name", "example.com"},
4915 shouldFail: true,
4916 expectedLocalError: "tls: unexpected server name",
4917 })
4918 testCases = append(testCases, testCase{
4919 testType: clientTest,
4920 name: "ServerNameExtensionClientMissing-" + ver.name,
4921 config: Config{
4922 MaxVersion: ver.version,
4923 Bugs: ProtocolBugs{
4924 ExpectServerName: "missing.com",
4925 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4926 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4927 shouldFail: true,
4928 expectedLocalError: "tls: unexpected server name",
4929 })
4930 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4931 testType: clientTest,
4932 name: "TolerateServerNameAck-" + ver.name,
4933 config: Config{
4934 MaxVersion: ver.version,
4935 Bugs: ProtocolBugs{
4936 SendServerNameAck: true,
4937 },
4938 },
4939 flags: []string{"-host-name", "example.com"},
4940 resumeSession: true,
4941 })
4942 testCases = append(testCases, testCase{
4943 testType: clientTest,
4944 name: "UnsolicitedServerNameAck-" + ver.name,
4945 config: Config{
4946 MaxVersion: ver.version,
4947 Bugs: ProtocolBugs{
4948 SendServerNameAck: true,
4949 },
4950 },
4951 shouldFail: true,
4952 expectedError: ":UNEXPECTED_EXTENSION:",
4953 expectedLocalError: "remote error: unsupported extension",
4954 })
4955 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4956 testType: serverTest,
4957 name: "ServerNameExtensionServer-" + ver.name,
4958 config: Config{
4959 MaxVersion: ver.version,
4960 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4961 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4962 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4963 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4964 })
4965
4966 // Test ALPN.
4967 testCases = append(testCases, testCase{
4968 testType: clientTest,
4969 name: "ALPNClient-" + ver.name,
4970 config: Config{
4971 MaxVersion: ver.version,
4972 NextProtos: []string{"foo"},
4973 },
4974 flags: []string{
4975 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4976 "-expect-alpn", "foo",
4977 },
4978 expectedNextProto: "foo",
4979 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4980 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4981 })
4982 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4983 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4984 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4985 config: Config{
4986 MaxVersion: ver.version,
4987 Bugs: ProtocolBugs{
4988 SendALPN: "baz",
4989 },
4990 },
4991 flags: []string{
4992 "-advertise-alpn", "\x03foo\x03bar",
4993 },
4994 shouldFail: true,
4995 expectedError: ":INVALID_ALPN_PROTOCOL:",
4996 expectedLocalError: "remote error: illegal parameter",
4997 })
4998 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4999 testType: clientTest,
5000 name: "ALPNClient-AllowUnknown-" + ver.name,
5001 config: Config{
5002 MaxVersion: ver.version,
5003 Bugs: ProtocolBugs{
5004 SendALPN: "baz",
5005 },
5006 },
5007 flags: []string{
5008 "-advertise-alpn", "\x03foo\x03bar",
5009 "-allow-unknown-alpn-protos",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]5010 "-expect-alpn", "baz",
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5011 },
5012 })
5013 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5014 testType: serverTest,
5015 name: "ALPNServer-" + ver.name,
5016 config: Config{
5017 MaxVersion: ver.version,
5018 NextProtos: []string{"foo", "bar", "baz"},
5019 },
5020 flags: []string{
5021 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5022 "-select-alpn", "foo",
5023 },
5024 expectedNextProto: "foo",
5025 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5026 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5027 })
5028 testCases = append(testCases, testCase{
5029 testType: serverTest,
5030 name: "ALPNServer-Decline-" + ver.name,
5031 config: Config{
5032 MaxVersion: ver.version,
5033 NextProtos: []string{"foo", "bar", "baz"},
5034 },
5035 flags: []string{"-decline-alpn"},
5036 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5037 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5038 })
5039
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5040 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5041 // called once.
5042 testCases = append(testCases, testCase{
5043 testType: serverTest,
5044 name: "ALPNServer-Async-" + ver.name,
5045 config: Config{
5046 MaxVersion: ver.version,
5047 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5048 // Prior to TLS 1.3, exercise the asynchronous session callback.
5049 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5050 },
5051 flags: []string{
5052 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5053 "-select-alpn", "foo",
5054 "-async",
5055 },
5056 expectedNextProto: "foo",
5057 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5058 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5059 })
5060
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5061 var emptyString string
5062 testCases = append(testCases, testCase{
5063 testType: clientTest,
5064 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5065 config: Config{
5066 MaxVersion: ver.version,
5067 NextProtos: []string{""},
5068 Bugs: ProtocolBugs{
5069 // A server returning an empty ALPN protocol
5070 // should be rejected.
5071 ALPNProtocol: &emptyString,
5072 },
5073 },
5074 flags: []string{
5075 "-advertise-alpn", "\x03foo",
5076 },
5077 shouldFail: true,
5078 expectedError: ":PARSE_TLSEXT:",
5079 })
5080 testCases = append(testCases, testCase{
5081 testType: serverTest,
5082 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5083 config: Config{
5084 MaxVersion: ver.version,
5085 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5086 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5087 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5088 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5089 flags: []string{
5090 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5091 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5092 shouldFail: true,
5093 expectedError: ":PARSE_TLSEXT:",
5094 })
5095
5096 // Test NPN and the interaction with ALPN.
5097 if ver.version < VersionTLS13 {
5098 // Test that the server prefers ALPN over NPN.
5099 testCases = append(testCases, testCase{
5100 testType: serverTest,
5101 name: "ALPNServer-Preferred-" + ver.name,
5102 config: Config{
5103 MaxVersion: ver.version,
5104 NextProtos: []string{"foo", "bar", "baz"},
5105 },
5106 flags: []string{
5107 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5108 "-select-alpn", "foo",
5109 "-advertise-npn", "\x03foo\x03bar\x03baz",
5110 },
5111 expectedNextProto: "foo",
5112 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5113 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5114 })
5115 testCases = append(testCases, testCase{
5116 testType: serverTest,
5117 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5118 config: Config{
5119 MaxVersion: ver.version,
5120 NextProtos: []string{"foo", "bar", "baz"},
5121 Bugs: ProtocolBugs{
5122 SwapNPNAndALPN: true,
5123 },
5124 },
5125 flags: []string{
5126 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5127 "-select-alpn", "foo",
5128 "-advertise-npn", "\x03foo\x03bar\x03baz",
5129 },
5130 expectedNextProto: "foo",
5131 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5132 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5133 })
5134
5135 // Test that negotiating both NPN and ALPN is forbidden.
5136 testCases = append(testCases, testCase{
5137 name: "NegotiateALPNAndNPN-" + ver.name,
5138 config: Config{
5139 MaxVersion: ver.version,
5140 NextProtos: []string{"foo", "bar", "baz"},
5141 Bugs: ProtocolBugs{
5142 NegotiateALPNAndNPN: true,
5143 },
5144 },
5145 flags: []string{
5146 "-advertise-alpn", "\x03foo",
5147 "-select-next-proto", "foo",
5148 },
5149 shouldFail: true,
5150 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5151 })
5152 testCases = append(testCases, testCase{
5153 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5154 config: Config{
5155 MaxVersion: ver.version,
5156 NextProtos: []string{"foo", "bar", "baz"},
5157 Bugs: ProtocolBugs{
5158 NegotiateALPNAndNPN: true,
5159 SwapNPNAndALPN: true,
5160 },
5161 },
5162 flags: []string{
5163 "-advertise-alpn", "\x03foo",
5164 "-select-next-proto", "foo",
5165 },
5166 shouldFail: true,
5167 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5168 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5169 }
5170
5171 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5172
5173 // Resume with a corrupt ticket.
5174 testCases = append(testCases, testCase{
5175 testType: serverTest,
5176 name: "CorruptTicket-" + ver.name,
5177 config: Config{
5178 MaxVersion: ver.version,
5179 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5180 FilterTicket: func(in []byte) ([]byte, error) {
5181 in[len(in)-1] ^= 1
5182 return in, nil
5183 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5184 },
5185 },
5186 resumeSession: true,
5187 expectResumeRejected: true,
5188 })
5189 // Test the ticket callback, with and without renewal.
5190 testCases = append(testCases, testCase{
5191 testType: serverTest,
5192 name: "TicketCallback-" + ver.name,
5193 config: Config{
5194 MaxVersion: ver.version,
5195 },
5196 resumeSession: true,
5197 flags: []string{"-use-ticket-callback"},
5198 })
5199 testCases = append(testCases, testCase{
5200 testType: serverTest,
5201 name: "TicketCallback-Renew-" + ver.name,
5202 config: Config{
5203 MaxVersion: ver.version,
5204 Bugs: ProtocolBugs{
5205 ExpectNewTicket: true,
5206 },
5207 },
5208 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5209 resumeSession: true,
5210 })
5211
5212 // Test that the ticket callback is only called once when everything before
5213 // it in the ClientHello is asynchronous. This corrupts the ticket so
5214 // certificate selection callbacks run.
5215 testCases = append(testCases, testCase{
5216 testType: serverTest,
5217 name: "TicketCallback-SingleCall-" + ver.name,
5218 config: Config{
5219 MaxVersion: ver.version,
5220 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5221 FilterTicket: func(in []byte) ([]byte, error) {
5222 in[len(in)-1] ^= 1
5223 return in, nil
5224 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5225 },
5226 },
5227 resumeSession: true,
5228 expectResumeRejected: true,
5229 flags: []string{
5230 "-use-ticket-callback",
5231 "-async",
5232 },
5233 })
5234
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5235 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5236 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5237 testCases = append(testCases, testCase{
5238 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5239 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5240 config: Config{
5241 MaxVersion: ver.version,
5242 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5243 EmptyTicketSessionID: true,
5244 },
5245 },
5246 resumeSession: true,
5247 })
5248 testCases = append(testCases, testCase{
5249 testType: serverTest,
5250 name: "TicketSessionIDLength-16-" + ver.name,
5251 config: Config{
5252 MaxVersion: ver.version,
5253 Bugs: ProtocolBugs{
5254 TicketSessionIDLength: 16,
5255 },
5256 },
5257 resumeSession: true,
5258 })
5259 testCases = append(testCases, testCase{
5260 testType: serverTest,
5261 name: "TicketSessionIDLength-32-" + ver.name,
5262 config: Config{
5263 MaxVersion: ver.version,
5264 Bugs: ProtocolBugs{
5265 TicketSessionIDLength: 32,
5266 },
5267 },
5268 resumeSession: true,
5269 })
5270 testCases = append(testCases, testCase{
5271 testType: serverTest,
5272 name: "TicketSessionIDLength-33-" + ver.name,
5273 config: Config{
5274 MaxVersion: ver.version,
5275 Bugs: ProtocolBugs{
5276 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5277 },
5278 },
5279 resumeSession: true,
5280 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5281 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5282 expectedError: ":DECODE_ERROR:",
5283 })
5284 }
5285
5286 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5287 // are ignored.
5288 if ver.hasDTLS {
5289 testCases = append(testCases, testCase{
5290 protocol: dtls,
5291 name: "SRTP-Client-" + ver.name,
5292 config: Config{
5293 MaxVersion: ver.version,
5294 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5295 },
5296 flags: []string{
5297 "-srtp-profiles",
5298 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5299 },
5300 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5301 })
5302 testCases = append(testCases, testCase{
5303 protocol: dtls,
5304 testType: serverTest,
5305 name: "SRTP-Server-" + ver.name,
5306 config: Config{
5307 MaxVersion: ver.version,
5308 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5309 },
5310 flags: []string{
5311 "-srtp-profiles",
5312 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5313 },
5314 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5315 })
5316 // Test that the MKI is ignored.
5317 testCases = append(testCases, testCase{
5318 protocol: dtls,
5319 testType: serverTest,
5320 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5321 config: Config{
5322 MaxVersion: ver.version,
5323 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5324 Bugs: ProtocolBugs{
5325 SRTPMasterKeyIdentifer: "bogus",
5326 },
5327 },
5328 flags: []string{
5329 "-srtp-profiles",
5330 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5331 },
5332 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5333 })
5334 // Test that SRTP isn't negotiated on the server if there were
5335 // no matching profiles.
5336 testCases = append(testCases, testCase{
5337 protocol: dtls,
5338 testType: serverTest,
5339 name: "SRTP-Server-NoMatch-" + ver.name,
5340 config: Config{
5341 MaxVersion: ver.version,
5342 SRTPProtectionProfiles: []uint16{100, 101, 102},
5343 },
5344 flags: []string{
5345 "-srtp-profiles",
5346 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5347 },
5348 expectedSRTPProtectionProfile: 0,
5349 })
5350 // Test that the server returning an invalid SRTP profile is
5351 // flagged as an error by the client.
5352 testCases = append(testCases, testCase{
5353 protocol: dtls,
5354 name: "SRTP-Client-NoMatch-" + ver.name,
5355 config: Config{
5356 MaxVersion: ver.version,
5357 Bugs: ProtocolBugs{
5358 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5359 },
5360 },
5361 flags: []string{
5362 "-srtp-profiles",
5363 "SRTP_AES128_CM_SHA1_80",
5364 },
5365 shouldFail: true,
5366 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5367 })
5368 }
5369
5370 // Test SCT list.
5371 testCases = append(testCases, testCase{
5372 name: "SignedCertificateTimestampList-Client-" + ver.name,
5373 testType: clientTest,
5374 config: Config{
5375 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5376 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5377 flags: []string{
5378 "-enable-signed-cert-timestamps",
5379 "-expect-signed-cert-timestamps",
5380 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5381 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5382 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5383 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5384
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5385 var differentSCTList []byte
5386 differentSCTList = append(differentSCTList, testSCTList...)
5387 differentSCTList[len(differentSCTList)-1] ^= 1
5388
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5389 // The SCT extension did not specify that it must only be sent on resumption as it
5390 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5391 testCases = append(testCases, testCase{
5392 name: "SendSCTListOnResume-" + ver.name,
5393 config: Config{
5394 MaxVersion: ver.version,
5395 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5396 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5397 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5398 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5399 flags: []string{
5400 "-enable-signed-cert-timestamps",
5401 "-expect-signed-cert-timestamps",
5402 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5403 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5404 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5405 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5406
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5407 testCases = append(testCases, testCase{
5408 name: "SignedCertificateTimestampList-Server-" + ver.name,
5409 testType: serverTest,
5410 config: Config{
5411 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5412 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5413 flags: []string{
5414 "-signed-cert-timestamps",
5415 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5416 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5417 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5418 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5419 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5420
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5421 emptySCTListCert := *testCerts[0].cert
5422 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5423
5424 // Test empty SCT list.
5425 testCases = append(testCases, testCase{
5426 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5427 testType: clientTest,
5428 config: Config{
5429 MaxVersion: ver.version,
5430 Certificates: []Certificate{emptySCTListCert},
5431 },
5432 flags: []string{
5433 "-enable-signed-cert-timestamps",
5434 },
5435 shouldFail: true,
5436 expectedError: ":ERROR_PARSING_EXTENSION:",
5437 })
5438
5439 emptySCTCert := *testCerts[0].cert
5440 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5441
5442 // Test empty SCT in non-empty list.
5443 testCases = append(testCases, testCase{
5444 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5445 testType: clientTest,
5446 config: Config{
5447 MaxVersion: ver.version,
5448 Certificates: []Certificate{emptySCTCert},
5449 },
5450 flags: []string{
5451 "-enable-signed-cert-timestamps",
5452 },
5453 shouldFail: true,
5454 expectedError: ":ERROR_PARSING_EXTENSION:",
5455 })
5456
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5457 // Test that certificate-related extensions are not sent unsolicited.
5458 testCases = append(testCases, testCase{
5459 testType: serverTest,
5460 name: "UnsolicitedCertificateExtensions-" + ver.name,
5461 config: Config{
5462 MaxVersion: ver.version,
5463 Bugs: ProtocolBugs{
5464 NoOCSPStapling: true,
5465 NoSignedCertificateTimestamps: true,
5466 },
5467 },
5468 flags: []string{
5469 "-ocsp-response",
5470 base64.StdEncoding.EncodeToString(testOCSPResponse),
5471 "-signed-cert-timestamps",
5472 base64.StdEncoding.EncodeToString(testSCTList),
5473 },
5474 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5475 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5476
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5477 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5478 testType: clientTest,
5479 name: "ClientHelloPadding",
5480 config: Config{
5481 Bugs: ProtocolBugs{
5482 RequireClientHelloSize: 512,
5483 },
5484 },
5485 // This hostname just needs to be long enough to push the
5486 // ClientHello into F5's danger zone between 256 and 511 bytes
5487 // long.
5488 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5489 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5490
5491 // Extensions should not function in SSL 3.0.
5492 testCases = append(testCases, testCase{
5493 testType: serverTest,
5494 name: "SSLv3Extensions-NoALPN",
5495 config: Config{
5496 MaxVersion: VersionSSL30,
5497 NextProtos: []string{"foo", "bar", "baz"},
5498 },
5499 flags: []string{
5500 "-select-alpn", "foo",
5501 },
5502 expectNoNextProto: true,
5503 })
5504
5505 // Test session tickets separately as they follow a different codepath.
5506 testCases = append(testCases, testCase{
5507 testType: serverTest,
5508 name: "SSLv3Extensions-NoTickets",
5509 config: Config{
5510 MaxVersion: VersionSSL30,
5511 Bugs: ProtocolBugs{
5512 // Historically, session tickets in SSL 3.0
5513 // failed in different ways depending on whether
5514 // the client supported renegotiation_info.
5515 NoRenegotiationInfo: true,
5516 },
5517 },
5518 resumeSession: true,
5519 })
5520 testCases = append(testCases, testCase{
5521 testType: serverTest,
5522 name: "SSLv3Extensions-NoTickets2",
5523 config: Config{
5524 MaxVersion: VersionSSL30,
5525 },
5526 resumeSession: true,
5527 })
5528
5529 // But SSL 3.0 does send and process renegotiation_info.
5530 testCases = append(testCases, testCase{
5531 testType: serverTest,
5532 name: "SSLv3Extensions-RenegotiationInfo",
5533 config: Config{
5534 MaxVersion: VersionSSL30,
5535 Bugs: ProtocolBugs{
5536 RequireRenegotiationInfo: true,
5537 },
5538 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5539 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5540 })
5541 testCases = append(testCases, testCase{
5542 testType: serverTest,
5543 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5544 config: Config{
5545 MaxVersion: VersionSSL30,
5546 Bugs: ProtocolBugs{
5547 NoRenegotiationInfo: true,
5548 SendRenegotiationSCSV: true,
5549 RequireRenegotiationInfo: true,
5550 },
5551 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5552 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5553 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5554
5555 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5556 // in ServerHello.
5557 testCases = append(testCases, testCase{
5558 name: "NPN-Forbidden-TLS13",
5559 config: Config{
5560 MaxVersion: VersionTLS13,
5561 NextProtos: []string{"foo"},
5562 Bugs: ProtocolBugs{
5563 NegotiateNPNAtAllVersions: true,
5564 },
5565 },
5566 flags: []string{"-select-next-proto", "foo"},
5567 shouldFail: true,
5568 expectedError: ":ERROR_PARSING_EXTENSION:",
5569 })
5570 testCases = append(testCases, testCase{
5571 name: "EMS-Forbidden-TLS13",
5572 config: Config{
5573 MaxVersion: VersionTLS13,
5574 Bugs: ProtocolBugs{
5575 NegotiateEMSAtAllVersions: true,
5576 },
5577 },
5578 shouldFail: true,
5579 expectedError: ":ERROR_PARSING_EXTENSION:",
5580 })
5581 testCases = append(testCases, testCase{
5582 name: "RenegotiationInfo-Forbidden-TLS13",
5583 config: Config{
5584 MaxVersion: VersionTLS13,
5585 Bugs: ProtocolBugs{
5586 NegotiateRenegotiationInfoAtAllVersions: true,
5587 },
5588 },
5589 shouldFail: true,
5590 expectedError: ":ERROR_PARSING_EXTENSION:",
5591 })
5592 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5593 name: "Ticket-Forbidden-TLS13",
5594 config: Config{
5595 MaxVersion: VersionTLS12,
5596 },
5597 resumeConfig: &Config{
5598 MaxVersion: VersionTLS13,
5599 Bugs: ProtocolBugs{
5600 AdvertiseTicketExtension: true,
5601 },
5602 },
5603 resumeSession: true,
5604 shouldFail: true,
5605 expectedError: ":ERROR_PARSING_EXTENSION:",
5606 })
5607
5608 // Test that illegal extensions in TLS 1.3 are declined by the server if
5609 // offered in ClientHello. The runner's server will fail if this occurs,
5610 // so we exercise the offering path. (EMS and Renegotiation Info are
5611 // implicit in every test.)
5612 testCases = append(testCases, testCase{
5613 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5614 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5615 config: Config{
5616 MaxVersion: VersionTLS13,
5617 NextProtos: []string{"bar"},
5618 },
5619 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5620 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5621
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5622 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5623 // tolerated.
5624 testCases = append(testCases, testCase{
5625 name: "SendOCSPResponseOnResume-TLS12",
5626 config: Config{
5627 MaxVersion: VersionTLS12,
5628 Bugs: ProtocolBugs{
5629 SendOCSPResponseOnResume: []byte("bogus"),
5630 },
5631 },
5632 flags: []string{
5633 "-enable-ocsp-stapling",
5634 "-expect-ocsp-response",
5635 base64.StdEncoding.EncodeToString(testOCSPResponse),
5636 },
5637 resumeSession: true,
5638 })
5639
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5640 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5641 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5642 config: Config{
5643 MaxVersion: VersionTLS13,
5644 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5645 SendExtensionOnCertificate: testOCSPExtension,
5646 },
5647 },
5648 shouldFail: true,
5649 expectedError: ":UNEXPECTED_EXTENSION:",
5650 })
5651
5652 testCases = append(testCases, testCase{
5653 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5654 config: Config{
5655 MaxVersion: VersionTLS13,
5656 Bugs: ProtocolBugs{
5657 SendExtensionOnCertificate: testSCTExtension,
5658 },
5659 },
5660 shouldFail: true,
5661 expectedError: ":UNEXPECTED_EXTENSION:",
5662 })
5663
5664 // Test that extensions on client certificates are never accepted.
5665 testCases = append(testCases, testCase{
5666 name: "SendExtensionOnClientCertificate-TLS13",
5667 testType: serverTest,
5668 config: Config{
5669 MaxVersion: VersionTLS13,
5670 Certificates: []Certificate{rsaCertificate},
5671 Bugs: ProtocolBugs{
5672 SendExtensionOnCertificate: testOCSPExtension,
5673 },
5674 },
5675 flags: []string{
5676 "-enable-ocsp-stapling",
5677 "-require-any-client-certificate",
5678 },
5679 shouldFail: true,
5680 expectedError: ":UNEXPECTED_EXTENSION:",
5681 })
5682
5683 testCases = append(testCases, testCase{
5684 name: "SendUnknownExtensionOnCertificate-TLS13",
5685 config: Config{
5686 MaxVersion: VersionTLS13,
5687 Bugs: ProtocolBugs{
5688 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5689 },
5690 },
5691 shouldFail: true,
5692 expectedError: ":UNEXPECTED_EXTENSION:",
5693 })
5694
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5695 var differentSCTList []byte
5696 differentSCTList = append(differentSCTList, testSCTList...)
5697 differentSCTList[len(differentSCTList)-1] ^= 1
5698
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5699 // Test that extensions on intermediates are allowed but ignored.
5700 testCases = append(testCases, testCase{
5701 name: "IgnoreExtensionsOnIntermediates-TLS13",
5702 config: Config{
5703 MaxVersion: VersionTLS13,
5704 Certificates: []Certificate{rsaChainCertificate},
5705 Bugs: ProtocolBugs{
5706 // Send different values on the intermediate. This tests
5707 // the intermediate's extensions do not override the
5708 // leaf's.
5709 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5710 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5711 },
5712 },
5713 flags: []string{
5714 "-enable-ocsp-stapling",
5715 "-expect-ocsp-response",
5716 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5717 "-enable-signed-cert-timestamps",
5718 "-expect-signed-cert-timestamps",
5719 base64.StdEncoding.EncodeToString(testSCTList),
5720 },
5721 resumeSession: true,
5722 })
5723
5724 // Test that extensions are not sent on intermediates when configured
5725 // only for a leaf.
5726 testCases = append(testCases, testCase{
5727 testType: serverTest,
5728 name: "SendNoExtensionsOnIntermediate-TLS13",
5729 config: Config{
5730 MaxVersion: VersionTLS13,
5731 Bugs: ProtocolBugs{
5732 ExpectNoExtensionsOnIntermediate: true,
5733 },
5734 },
5735 flags: []string{
5736 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5737 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5738 "-ocsp-response",
5739 base64.StdEncoding.EncodeToString(testOCSPResponse),
5740 "-signed-cert-timestamps",
5741 base64.StdEncoding.EncodeToString(testSCTList),
5742 },
5743 })
5744
5745 // Test that extensions are not sent on client certificates.
5746 testCases = append(testCases, testCase{
5747 name: "SendNoClientCertificateExtensions-TLS13",
5748 config: Config{
5749 MaxVersion: VersionTLS13,
5750 ClientAuth: RequireAnyClientCert,
5751 },
5752 flags: []string{
5753 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5754 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5755 "-ocsp-response",
5756 base64.StdEncoding.EncodeToString(testOCSPResponse),
5757 "-signed-cert-timestamps",
5758 base64.StdEncoding.EncodeToString(testSCTList),
5759 },
5760 })
5761
5762 testCases = append(testCases, testCase{
5763 name: "SendDuplicateExtensionsOnCerts-TLS13",
5764 config: Config{
5765 MaxVersion: VersionTLS13,
5766 Bugs: ProtocolBugs{
5767 SendDuplicateCertExtensions: true,
5768 },
5769 },
5770 flags: []string{
5771 "-enable-ocsp-stapling",
5772 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5773 },
5774 resumeSession: true,
5775 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5776 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5777 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5778
5779 testCases = append(testCases, testCase{
5780 name: "SignedCertificateTimestampListInvalid-Server",
5781 testType: serverTest,
5782 flags: []string{
5783 "-signed-cert-timestamps",
5784 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5785 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5786 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5787 expectedError: ":INVALID_SCT_LIST:",
5788 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5789}
5790
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5791func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5792 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5793 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5794 // SSL 3.0 does not have tickets and TLS 1.3 does not
5795 // have session IDs, so skip their cross-resumption
5796 // tests.
5797 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5798 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5799 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5800 }
5801
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5802 protocols := []protocol{tls}
5803 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5804 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5805 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5806 for _, protocol := range protocols {
5807 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5808 if protocol == dtls {
5809 suffix += "-DTLS"
5810 }
5811
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5812 if sessionVers.version == resumeVers.version {
5813 testCases = append(testCases, testCase{
5814 protocol: protocol,
5815 name: "Resume-Client" + suffix,
5816 resumeSession: true,
5817 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5818 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5819 Bugs: ProtocolBugs{
5820 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5821 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5822 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5823 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5824 expectedVersion: sessionVers.version,
5825 expectedResumeVersion: resumeVers.version,
5826 })
5827 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5828 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5829
5830 // Offering a TLS 1.3 session sends an empty session ID, so
5831 // there is no way to convince a non-lookahead client the
5832 // session was resumed. It will appear to the client that a
5833 // stray ChangeCipherSpec was sent.
5834 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5835 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5836 }
5837
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5838 testCases = append(testCases, testCase{
5839 protocol: protocol,
5840 name: "Resume-Client-Mismatch" + suffix,
5841 resumeSession: true,
5842 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5843 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5844 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5845 expectedVersion: sessionVers.version,
5846 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5847 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5848 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5849 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5850 },
5851 },
5852 expectedResumeVersion: resumeVers.version,
5853 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5854 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5855 })
5856 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5857
5858 testCases = append(testCases, testCase{
5859 protocol: protocol,
5860 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5861 resumeSession: true,
5862 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5863 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5864 },
5865 expectedVersion: sessionVers.version,
5866 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5867 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5868 },
5869 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5870 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5871 expectedResumeVersion: resumeVers.version,
5872 })
5873
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5874 testCases = append(testCases, testCase{
5875 protocol: protocol,
5876 testType: serverTest,
5877 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5878 resumeSession: true,
5879 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5880 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5881 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5882 expectedVersion: sessionVers.version,
5883 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5884 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5885 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5886 Bugs: ProtocolBugs{
5887 SendBothTickets: true,
5888 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5889 },
5890 expectedResumeVersion: resumeVers.version,
5891 })
5892 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5893 }
5894 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5895
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5896 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5897 testCases = append(testCases, testCase{
5898 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5899 name: "ShimTicketRewritable",
5900 resumeSession: true,
5901 config: Config{
5902 MaxVersion: VersionTLS12,
5903 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5904 Bugs: ProtocolBugs{
5905 FilterTicket: func(in []byte) ([]byte, error) {
5906 in, err := SetShimTicketVersion(in, VersionTLS12)
5907 if err != nil {
5908 return nil, err
5909 }
5910 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5911 },
5912 },
5913 },
5914 flags: []string{
5915 "-ticket-key",
5916 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5917 },
5918 })
5919
5920 // Resumptions are declined if the version does not match.
5921 testCases = append(testCases, testCase{
5922 testType: serverTest,
5923 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5924 resumeSession: true,
5925 config: Config{
5926 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5927 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5928 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5929 FilterTicket: func(in []byte) ([]byte, error) {
5930 return SetShimTicketVersion(in, VersionTLS13)
5931 },
5932 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5933 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5934 flags: []string{
5935 "-ticket-key",
5936 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5937 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5938 expectResumeRejected: true,
5939 })
5940
5941 testCases = append(testCases, testCase{
5942 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5943 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5944 resumeSession: true,
5945 config: Config{
5946 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5947 Bugs: ProtocolBugs{
5948 FilterTicket: func(in []byte) ([]byte, error) {
5949 return SetShimTicketVersion(in, VersionTLS12)
5950 },
5951 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5952 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5953 flags: []string{
5954 "-ticket-key",
5955 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5956 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5957 expectResumeRejected: true,
5958 })
5959
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5960 // Resumptions are declined if the cipher is invalid or disabled.
5961 testCases = append(testCases, testCase{
5962 testType: serverTest,
5963 name: "Resume-Server-DeclineBadCipher",
5964 resumeSession: true,
5965 config: Config{
5966 MaxVersion: VersionTLS12,
5967 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5968 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5969 FilterTicket: func(in []byte) ([]byte, error) {
5970 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5971 },
5972 },
5973 },
5974 flags: []string{
5975 "-ticket-key",
5976 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5977 },
5978 expectResumeRejected: true,
5979 })
5980
5981 testCases = append(testCases, testCase{
5982 testType: serverTest,
5983 name: "Resume-Server-DeclineBadCipher-2",
5984 resumeSession: true,
5985 config: Config{
5986 MaxVersion: VersionTLS12,
5987 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5988 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5989 FilterTicket: func(in []byte) ([]byte, error) {
5990 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5991 },
5992 },
5993 },
5994 flags: []string{
5995 "-cipher", "AES128",
5996 "-ticket-key",
5997 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5998 },
5999 expectResumeRejected: true,
6000 })
6001
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6002 // Sessions are not resumed if they do not use the preferred cipher.
6003 testCases = append(testCases, testCase{
6004 testType: serverTest,
6005 name: "Resume-Server-CipherNotPreferred",
6006 resumeSession: true,
6007 config: Config{
6008 MaxVersion: VersionTLS12,
6009 Bugs: ProtocolBugs{
6010 ExpectNewTicket: true,
6011 FilterTicket: func(in []byte) ([]byte, error) {
6012 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6013 },
6014 },
6015 },
6016 flags: []string{
6017 "-ticket-key",
6018 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6019 },
6020 shouldFail: false,
6021 expectResumeRejected: true,
6022 })
6023
6024 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6025 // PRF hashes match, but BoringSSL will always decline such resumptions.
6026 testCases = append(testCases, testCase{
6027 testType: serverTest,
6028 name: "Resume-Server-CipherNotPreferred-TLS13",
6029 resumeSession: true,
6030 config: Config{
6031 MaxVersion: VersionTLS13,
6032 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6033 Bugs: ProtocolBugs{
6034 FilterTicket: func(in []byte) ([]byte, error) {
6035 // If the client (runner) offers ChaCha20-Poly1305 first, the
6036 // server (shim) always prefers it. Switch it to AES-GCM.
6037 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6038 },
6039 },
6040 },
6041 flags: []string{
6042 "-ticket-key",
6043 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6044 },
6045 shouldFail: false,
6046 expectResumeRejected: true,
6047 })
6048
6049 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6050 testCases = append(testCases, testCase{
6051 testType: serverTest,
6052 name: "Resume-Server-DeclineBadCipher-TLS13",
6053 resumeSession: true,
6054 config: Config{
6055 MaxVersion: VersionTLS13,
6056 Bugs: ProtocolBugs{
6057 FilterTicket: func(in []byte) ([]byte, error) {
6058 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6059 },
6060 },
6061 },
6062 flags: []string{
6063 "-ticket-key",
6064 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6065 },
6066 expectResumeRejected: true,
6067 })
6068
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6069 // If the client does not offer the cipher from the session, decline to
6070 // resume. Clients are forbidden from doing this, but BoringSSL selects
6071 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6072 testCases = append(testCases, testCase{
6073 testType: serverTest,
6074 name: "Resume-Server-UnofferedCipher",
6075 resumeSession: true,
6076 config: Config{
6077 MaxVersion: VersionTLS12,
6078 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6079 },
6080 resumeConfig: &Config{
6081 MaxVersion: VersionTLS12,
6082 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6083 Bugs: ProtocolBugs{
6084 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6085 },
6086 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6087 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6088 })
6089
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6090 // In TLS 1.3, clients may advertise a cipher list which does not
6091 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6092 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6093 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6094 testCases = append(testCases, testCase{
6095 testType: serverTest,
6096 name: "Resume-Server-UnofferedCipher-TLS13",
6097 resumeSession: true,
6098 config: Config{
6099 MaxVersion: VersionTLS13,
6100 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6101 },
6102 resumeConfig: &Config{
6103 MaxVersion: VersionTLS13,
6104 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6105 Bugs: ProtocolBugs{
6106 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6107 },
6108 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6109 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6110 })
6111
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6112 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6113 testCases = append(testCases, testCase{
6114 name: "Resume-Client-CipherMismatch",
6115 resumeSession: true,
6116 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6117 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6118 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6119 },
6120 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6121 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6122 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6123 Bugs: ProtocolBugs{
6124 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6125 },
6126 },
6127 shouldFail: true,
6128 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6129 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6130
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6131 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6132 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6133 testCases = append(testCases, testCase{
6134 name: "Resume-Client-CipherMismatch-TLS13",
6135 resumeSession: true,
6136 config: Config{
6137 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6138 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6139 },
6140 resumeConfig: &Config{
6141 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6142 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6143 },
6144 })
6145
6146 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6147 testCases = append(testCases, testCase{
6148 name: "Resume-Client-PRFMismatch-TLS13",
6149 resumeSession: true,
6150 config: Config{
6151 MaxVersion: VersionTLS13,
6152 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6153 },
6154 resumeConfig: &Config{
6155 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6156 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6157 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6158 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6159 },
6160 },
6161 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6162 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6163 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6164
6165 testCases = append(testCases, testCase{
6166 testType: serverTest,
6167 name: "Resume-Server-BinderWrongLength",
6168 resumeSession: true,
6169 config: Config{
6170 MaxVersion: VersionTLS13,
6171 Bugs: ProtocolBugs{
6172 SendShortPSKBinder: true,
6173 },
6174 },
6175 shouldFail: true,
6176 expectedLocalError: "remote error: error decrypting message",
6177 expectedError: ":DIGEST_CHECK_FAILED:",
6178 })
6179
6180 testCases = append(testCases, testCase{
6181 testType: serverTest,
6182 name: "Resume-Server-NoPSKBinder",
6183 resumeSession: true,
6184 config: Config{
6185 MaxVersion: VersionTLS13,
6186 Bugs: ProtocolBugs{
6187 SendNoPSKBinder: true,
6188 },
6189 },
6190 shouldFail: true,
6191 expectedLocalError: "remote error: error decoding message",
6192 expectedError: ":DECODE_ERROR:",
6193 })
6194
6195 testCases = append(testCases, testCase{
6196 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6197 name: "Resume-Server-ExtraPSKBinder",
6198 resumeSession: true,
6199 config: Config{
6200 MaxVersion: VersionTLS13,
6201 Bugs: ProtocolBugs{
6202 SendExtraPSKBinder: true,
6203 },
6204 },
6205 shouldFail: true,
6206 expectedLocalError: "remote error: illegal parameter",
6207 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6208 })
6209
6210 testCases = append(testCases, testCase{
6211 testType: serverTest,
6212 name: "Resume-Server-ExtraIdentityNoBinder",
6213 resumeSession: true,
6214 config: Config{
6215 MaxVersion: VersionTLS13,
6216 Bugs: ProtocolBugs{
6217 ExtraPSKIdentity: true,
6218 },
6219 },
6220 shouldFail: true,
6221 expectedLocalError: "remote error: illegal parameter",
6222 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6223 })
6224
6225 testCases = append(testCases, testCase{
6226 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6227 name: "Resume-Server-InvalidPSKBinder",
6228 resumeSession: true,
6229 config: Config{
6230 MaxVersion: VersionTLS13,
6231 Bugs: ProtocolBugs{
6232 SendInvalidPSKBinder: true,
6233 },
6234 },
6235 shouldFail: true,
6236 expectedLocalError: "remote error: error decrypting message",
6237 expectedError: ":DIGEST_CHECK_FAILED:",
6238 })
6239
6240 testCases = append(testCases, testCase{
6241 testType: serverTest,
6242 name: "Resume-Server-PSKBinderFirstExtension",
6243 resumeSession: true,
6244 config: Config{
6245 MaxVersion: VersionTLS13,
6246 Bugs: ProtocolBugs{
6247 PSKBinderFirst: true,
6248 },
6249 },
6250 shouldFail: true,
6251 expectedLocalError: "remote error: illegal parameter",
6252 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6253 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6254}
6255
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6256func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6257 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6258 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6259 testType: serverTest,
6260 name: "Renegotiate-Server-Forbidden",
6261 config: Config{
6262 MaxVersion: VersionTLS12,
6263 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6264 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6265 shouldFail: true,
6266 expectedError: ":NO_RENEGOTIATION:",
6267 expectedLocalError: "remote error: no renegotiation",
6268 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6269 // The server shouldn't echo the renegotiation extension unless
6270 // requested by the client.
6271 testCases = append(testCases, testCase{
6272 testType: serverTest,
6273 name: "Renegotiate-Server-NoExt",
6274 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6275 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6276 Bugs: ProtocolBugs{
6277 NoRenegotiationInfo: true,
6278 RequireRenegotiationInfo: true,
6279 },
6280 },
6281 shouldFail: true,
6282 expectedLocalError: "renegotiation extension missing",
6283 })
6284 // The renegotiation SCSV should be sufficient for the server to echo
6285 // the extension.
6286 testCases = append(testCases, testCase{
6287 testType: serverTest,
6288 name: "Renegotiate-Server-NoExt-SCSV",
6289 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6290 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6291 Bugs: ProtocolBugs{
6292 NoRenegotiationInfo: true,
6293 SendRenegotiationSCSV: true,
6294 RequireRenegotiationInfo: true,
6295 },
6296 },
6297 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6298 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6299 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6300 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6301 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6302 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6303 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6304 },
6305 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6306 renegotiate: 1,
6307 flags: []string{
6308 "-renegotiate-freely",
6309 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6310 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6311 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6312 })
6313 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6314 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6315 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6316 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6317 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6318 Bugs: ProtocolBugs{
6319 EmptyRenegotiationInfo: true,
6320 },
6321 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6322 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6323 shouldFail: true,
6324 expectedError: ":RENEGOTIATION_MISMATCH:",
6325 })
6326 testCases = append(testCases, testCase{
6327 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6328 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6329 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6330 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6331 Bugs: ProtocolBugs{
6332 BadRenegotiationInfo: true,
6333 },
6334 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6335 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6336 shouldFail: true,
6337 expectedError: ":RENEGOTIATION_MISMATCH:",
6338 })
6339 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6340 name: "Renegotiate-Client-Downgrade",
6341 renegotiate: 1,
6342 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6343 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6344 Bugs: ProtocolBugs{
6345 NoRenegotiationInfoAfterInitial: true,
6346 },
6347 },
6348 flags: []string{"-renegotiate-freely"},
6349 shouldFail: true,
6350 expectedError: ":RENEGOTIATION_MISMATCH:",
6351 })
6352 testCases = append(testCases, testCase{
6353 name: "Renegotiate-Client-Upgrade",
6354 renegotiate: 1,
6355 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6356 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6357 Bugs: ProtocolBugs{
6358 NoRenegotiationInfoInInitial: true,
6359 },
6360 },
6361 flags: []string{"-renegotiate-freely"},
6362 shouldFail: true,
6363 expectedError: ":RENEGOTIATION_MISMATCH:",
6364 })
6365 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6366 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6367 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6368 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6369 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6370 Bugs: ProtocolBugs{
6371 NoRenegotiationInfo: true,
6372 },
6373 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6374 flags: []string{
6375 "-renegotiate-freely",
6376 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6377 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6378 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6379 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6380
6381 // Test that the server may switch ciphers on renegotiation without
6382 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6383 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6384 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6385 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6386 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6387 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6388 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6389 },
6390 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6391 flags: []string{
6392 "-renegotiate-freely",
6393 "-expect-total-renegotiations", "1",
6394 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6395 })
6396 testCases = append(testCases, testCase{
6397 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6398 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6399 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6400 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6401 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6402 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6403 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6404 flags: []string{
6405 "-renegotiate-freely",
6406 "-expect-total-renegotiations", "1",
6407 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6408 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6409
6410 // Test that the server may not switch versions on renegotiation.
6411 testCases = append(testCases, testCase{
6412 name: "Renegotiate-Client-SwitchVersion",
6413 config: Config{
6414 MaxVersion: VersionTLS12,
6415 // Pick a cipher which exists at both versions.
6416 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6417 Bugs: ProtocolBugs{
6418 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6419 // Avoid failing early at the record layer.
6420 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6421 },
6422 },
6423 renegotiate: 1,
6424 flags: []string{
6425 "-renegotiate-freely",
6426 "-expect-total-renegotiations", "1",
6427 },
6428 shouldFail: true,
6429 expectedError: ":WRONG_SSL_VERSION:",
6430 })
6431
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6432 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6433 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6434 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6435 config: Config{
6436 MaxVersion: VersionTLS10,
6437 Bugs: ProtocolBugs{
6438 RequireSameRenegoClientVersion: true,
6439 },
6440 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6441 flags: []string{
6442 "-renegotiate-freely",
6443 "-expect-total-renegotiations", "1",
6444 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6445 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6446 testCases = append(testCases, testCase{
6447 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6448 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6449 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6450 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6451 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6452 NextProtos: []string{"foo"},
6453 },
6454 flags: []string{
6455 "-false-start",
6456 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6457 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6458 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6459 },
6460 shimWritesFirst: true,
6461 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6462
6463 // Client-side renegotiation controls.
6464 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6465 name: "Renegotiate-Client-Forbidden-1",
6466 config: Config{
6467 MaxVersion: VersionTLS12,
6468 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6469 renegotiate: 1,
6470 shouldFail: true,
6471 expectedError: ":NO_RENEGOTIATION:",
6472 expectedLocalError: "remote error: no renegotiation",
6473 })
6474 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6475 name: "Renegotiate-Client-Once-1",
6476 config: Config{
6477 MaxVersion: VersionTLS12,
6478 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6479 renegotiate: 1,
6480 flags: []string{
6481 "-renegotiate-once",
6482 "-expect-total-renegotiations", "1",
6483 },
6484 })
6485 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6486 name: "Renegotiate-Client-Freely-1",
6487 config: Config{
6488 MaxVersion: VersionTLS12,
6489 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6490 renegotiate: 1,
6491 flags: []string{
6492 "-renegotiate-freely",
6493 "-expect-total-renegotiations", "1",
6494 },
6495 })
6496 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6497 name: "Renegotiate-Client-Once-2",
6498 config: Config{
6499 MaxVersion: VersionTLS12,
6500 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6501 renegotiate: 2,
6502 flags: []string{"-renegotiate-once"},
6503 shouldFail: true,
6504 expectedError: ":NO_RENEGOTIATION:",
6505 expectedLocalError: "remote error: no renegotiation",
6506 })
6507 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6508 name: "Renegotiate-Client-Freely-2",
6509 config: Config{
6510 MaxVersion: VersionTLS12,
6511 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6512 renegotiate: 2,
6513 flags: []string{
6514 "-renegotiate-freely",
6515 "-expect-total-renegotiations", "2",
6516 },
6517 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6518 testCases = append(testCases, testCase{
6519 name: "Renegotiate-Client-NoIgnore",
6520 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6521 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6522 Bugs: ProtocolBugs{
6523 SendHelloRequestBeforeEveryAppDataRecord: true,
6524 },
6525 },
6526 shouldFail: true,
6527 expectedError: ":NO_RENEGOTIATION:",
6528 })
6529 testCases = append(testCases, testCase{
6530 name: "Renegotiate-Client-Ignore",
6531 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6532 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6533 Bugs: ProtocolBugs{
6534 SendHelloRequestBeforeEveryAppDataRecord: true,
6535 },
6536 },
6537 flags: []string{
6538 "-renegotiate-ignore",
6539 "-expect-total-renegotiations", "0",
6540 },
6541 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6542
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6543 // Renegotiation is not allowed at SSL 3.0.
6544 testCases = append(testCases, testCase{
6545 name: "Renegotiate-Client-SSL3",
6546 config: Config{
6547 MaxVersion: VersionSSL30,
6548 },
6549 renegotiate: 1,
6550 flags: []string{
6551 "-renegotiate-freely",
6552 "-expect-total-renegotiations", "1",
6553 },
6554 shouldFail: true,
6555 expectedError: ":NO_RENEGOTIATION:",
6556 expectedLocalError: "remote error: no renegotiation",
6557 })
6558
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6559 // Renegotiation is not allowed when there is an unfinished write.
6560 testCases = append(testCases, testCase{
6561 name: "Renegotiate-Client-UnfinishedWrite",
6562 config: Config{
6563 MaxVersion: VersionTLS12,
6564 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6565 renegotiate: 1,
6566 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6567 flags: []string{
6568 "-async",
6569 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6570 },
6571 shouldFail: true,
6572 expectedError: ":NO_RENEGOTIATION:",
6573 // We do not successfully send the no_renegotiation alert in
6574 // this case. https://crbug.com/boringssl/130
6575 })
6576
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6577 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6578 testCases = append(testCases, testCase{
6579 name: "StrayHelloRequest",
6580 config: Config{
6581 MaxVersion: VersionTLS12,
6582 Bugs: ProtocolBugs{
6583 SendHelloRequestBeforeEveryHandshakeMessage: true,
6584 },
6585 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6586 shouldFail: true,
6587 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6588 })
6589 testCases = append(testCases, testCase{
6590 name: "StrayHelloRequest-Packed",
6591 config: Config{
6592 MaxVersion: VersionTLS12,
6593 Bugs: ProtocolBugs{
6594 PackHandshakeFlight: true,
6595 SendHelloRequestBeforeEveryHandshakeMessage: true,
6596 },
6597 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6598 shouldFail: true,
6599 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6600 })
6601
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6602 // Test renegotiation works if HelloRequest and server Finished come in
6603 // the same record.
6604 testCases = append(testCases, testCase{
6605 name: "Renegotiate-Client-Packed",
6606 config: Config{
6607 MaxVersion: VersionTLS12,
6608 Bugs: ProtocolBugs{
6609 PackHandshakeFlight: true,
6610 PackHelloRequestWithFinished: true,
6611 },
6612 },
6613 renegotiate: 1,
6614 flags: []string{
6615 "-renegotiate-freely",
6616 "-expect-total-renegotiations", "1",
6617 },
6618 })
6619
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6620 // Renegotiation is forbidden in TLS 1.3.
6621 testCases = append(testCases, testCase{
6622 name: "Renegotiate-Client-TLS13",
6623 config: Config{
6624 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6625 Bugs: ProtocolBugs{
6626 SendHelloRequestBeforeEveryAppDataRecord: true,
6627 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6628 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6629 flags: []string{
6630 "-renegotiate-freely",
6631 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6632 shouldFail: true,
6633 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6634 })
6635
6636 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6637 testCases = append(testCases, testCase{
6638 name: "StrayHelloRequest-TLS13",
6639 config: Config{
6640 MaxVersion: VersionTLS13,
6641 Bugs: ProtocolBugs{
6642 SendHelloRequestBeforeEveryHandshakeMessage: true,
6643 },
6644 },
6645 shouldFail: true,
6646 expectedError: ":UNEXPECTED_MESSAGE:",
6647 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6648
6649 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6650 // always reads as supporting it, regardless of whether it was
6651 // negotiated.
6652 testCases = append(testCases, testCase{
6653 name: "AlwaysReportRenegotiationInfo-TLS13",
6654 config: Config{
6655 MaxVersion: VersionTLS13,
6656 Bugs: ProtocolBugs{
6657 NoRenegotiationInfo: true,
6658 },
6659 },
6660 flags: []string{
6661 "-expect-secure-renegotiation",
6662 },
6663 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6664
6665 // Certificates may not change on renegotiation.
6666 testCases = append(testCases, testCase{
6667 name: "Renegotiation-CertificateChange",
6668 config: Config{
6669 MaxVersion: VersionTLS12,
6670 Certificates: []Certificate{rsaCertificate},
6671 Bugs: ProtocolBugs{
6672 RenegotiationCertificate: &rsaChainCertificate,
6673 },
6674 },
6675 renegotiate: 1,
6676 flags: []string{"-renegotiate-freely"},
6677 shouldFail: true,
6678 expectedError: ":SERVER_CERT_CHANGED:",
6679 })
6680 testCases = append(testCases, testCase{
6681 name: "Renegotiation-CertificateChange-2",
6682 config: Config{
6683 MaxVersion: VersionTLS12,
6684 Certificates: []Certificate{rsaCertificate},
6685 Bugs: ProtocolBugs{
6686 RenegotiationCertificate: &rsa1024Certificate,
6687 },
6688 },
6689 renegotiate: 1,
6690 flags: []string{"-renegotiate-freely"},
6691 shouldFail: true,
6692 expectedError: ":SERVER_CERT_CHANGED:",
6693 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6694
6695 // We do not negotiate ALPN after the initial handshake. This is
6696 // error-prone and only risks bugs in consumers.
6697 testCases = append(testCases, testCase{
6698 testType: clientTest,
6699 name: "Renegotiation-ForbidALPN",
6700 config: Config{
6701 MaxVersion: VersionTLS12,
6702 Bugs: ProtocolBugs{
6703 // Forcibly negotiate ALPN on both initial and
6704 // renegotiation handshakes. The test stack will
6705 // internally check the client does not offer
6706 // it.
6707 SendALPN: "foo",
6708 },
6709 },
6710 flags: []string{
6711 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6712 "-expect-alpn", "foo",
6713 "-renegotiate-freely",
6714 },
6715 renegotiate: 1,
6716 shouldFail: true,
6717 expectedError: ":UNEXPECTED_EXTENSION:",
6718 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6719}
6720
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6721func addDTLSReplayTests() {
6722 // Test that sequence number replays are detected.
6723 testCases = append(testCases, testCase{
6724 protocol: dtls,
6725 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6726 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6727 replayWrites: true,
6728 })
6729
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6730 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6731 // than the retransmit window.
6732 testCases = append(testCases, testCase{
6733 protocol: dtls,
6734 name: "DTLS-Replay-LargeGaps",
6735 config: Config{
6736 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6737 SequenceNumberMapping: func(in uint64) uint64 {
6738 return in * 127
6739 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6740 },
6741 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6742 messageCount: 200,
6743 replayWrites: true,
6744 })
6745
6746 // Test the incoming sequence number changing non-monotonically.
6747 testCases = append(testCases, testCase{
6748 protocol: dtls,
6749 name: "DTLS-Replay-NonMonotonic",
6750 config: Config{
6751 Bugs: ProtocolBugs{
6752 SequenceNumberMapping: func(in uint64) uint64 {
6753 return in ^ 31
6754 },
6755 },
6756 },
6757 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6758 replayWrites: true,
6759 })
6760}
6761
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6762var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6763 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6764 id signatureAlgorithm
6765 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6766}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6767 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6768 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6769 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6770 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6771 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6772 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6773 // hash function doesn't have to match the curve and so the same
6774 // signature algorithm works with P-224.
6775 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6776 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6777 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6778 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6779 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6780 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6781 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6782 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6783 // Tests for key types prior to TLS 1.2.
6784 {"RSA", 0, testCertRSA},
6785 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6786}
6787
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6788const fakeSigAlg1 signatureAlgorithm = 0x2a01
6789const fakeSigAlg2 signatureAlgorithm = 0xff01
6790
6791func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6792 // Not all ciphers involve a signature. Advertise a list which gives all
6793 // versions a signing cipher.
6794 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6795 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6796 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6797 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6798 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6799 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6800 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6801
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6802 var allAlgorithms []signatureAlgorithm
6803 for _, alg := range testSignatureAlgorithms {
6804 if alg.id != 0 {
6805 allAlgorithms = append(allAlgorithms, alg.id)
6806 }
6807 }
6808
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6809 // Make sure each signature algorithm works. Include some fake values in
6810 // the list and ensure they're ignored.
6811 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6812 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6813 if (ver.version < VersionTLS12) != (alg.id == 0) {
6814 continue
6815 }
6816
6817 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6818 // or remove it in C.
6819 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6820 continue
6821 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6822
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6823 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6824 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6825 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6826 shouldSignFail = true
6827 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6828 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6829 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6830 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6831 shouldSignFail = true
6832 shouldVerifyFail = true
6833 }
6834 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6835 // the curve has to match the hash size.
6836 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6837 shouldSignFail = true
6838 shouldVerifyFail = true
6839 }
6840
6841 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6842 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6843 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6844 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6845
6846 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6847 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6848 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6849 }
6850 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6851 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6852 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6853
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6854 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6855
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6856 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6857 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6858 config: Config{
6859 MaxVersion: ver.version,
6860 ClientAuth: RequireAnyClientCert,
6861 VerifySignatureAlgorithms: []signatureAlgorithm{
6862 fakeSigAlg1,
6863 alg.id,
6864 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6865 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6866 },
6867 flags: []string{
6868 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6869 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6870 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6871 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6872 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6873 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6874 expectedError: signError,
6875 expectedPeerSignatureAlgorithm: alg.id,
6876 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6877
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6878 testCases = append(testCases, testCase{
6879 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6880 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6881 config: Config{
6882 MaxVersion: ver.version,
6883 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6884 SignSignatureAlgorithms: []signatureAlgorithm{
6885 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6886 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6887 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6888 SkipECDSACurveCheck: shouldVerifyFail,
6889 IgnoreSignatureVersionChecks: shouldVerifyFail,
6890 // Some signature algorithms may not be advertised.
6891 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6892 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6893 },
6894 flags: []string{
6895 "-require-any-client-certificate",
6896 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6897 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6898 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6899 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6900 // Resume the session to assert the peer signature
6901 // algorithm is reported on both handshakes.
6902 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6903 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6904 expectedError: verifyError,
6905 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6906
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6907 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]6908 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6909 testCases = append(testCases, testCase{
6910 testType: serverTest,
6911 name: "ServerAuth-Sign" + suffix,
6912 config: Config{
6913 MaxVersion: ver.version,
6914 CipherSuites: signingCiphers,
6915 VerifySignatureAlgorithms: []signatureAlgorithm{
6916 fakeSigAlg1,
6917 alg.id,
6918 fakeSigAlg2,
6919 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6920 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6921 flags: []string{
6922 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6923 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6924 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6925 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6926 },
6927 shouldFail: shouldSignFail,
6928 expectedError: signError,
6929 expectedPeerSignatureAlgorithm: alg.id,
6930 })
6931 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6932
6933 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6934 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6935 config: Config{
6936 MaxVersion: ver.version,
6937 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6938 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6939 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6940 alg.id,
6941 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6942 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6943 SkipECDSACurveCheck: shouldVerifyFail,
6944 IgnoreSignatureVersionChecks: shouldVerifyFail,
6945 // Some signature algorithms may not be advertised.
6946 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6947 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6948 },
6949 flags: []string{
6950 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6951 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6952 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6953 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6954 // Resume the session to assert the peer signature
6955 // algorithm is reported on both handshakes.
6956 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6957 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6958 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6959 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6960
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6961 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6962 testCases = append(testCases, testCase{
6963 testType: serverTest,
6964 name: "ClientAuth-InvalidSignature" + suffix,
6965 config: Config{
6966 MaxVersion: ver.version,
6967 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6968 SignSignatureAlgorithms: []signatureAlgorithm{
6969 alg.id,
6970 },
6971 Bugs: ProtocolBugs{
6972 InvalidSignature: true,
6973 },
6974 },
6975 flags: []string{
6976 "-require-any-client-certificate",
6977 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6978 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6979 },
6980 shouldFail: true,
6981 expectedError: ":BAD_SIGNATURE:",
6982 })
6983
6984 testCases = append(testCases, testCase{
6985 name: "ServerAuth-InvalidSignature" + suffix,
6986 config: Config{
6987 MaxVersion: ver.version,
6988 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6989 CipherSuites: signingCiphers,
6990 SignSignatureAlgorithms: []signatureAlgorithm{
6991 alg.id,
6992 },
6993 Bugs: ProtocolBugs{
6994 InvalidSignature: true,
6995 },
6996 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6997 flags: []string{
6998 "-enable-all-curves",
6999 "-enable-ed25519",
7000 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7001 shouldFail: true,
7002 expectedError: ":BAD_SIGNATURE:",
7003 })
7004 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7005
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7006 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7007 testCases = append(testCases, testCase{
7008 name: "ClientAuth-Sign-Negotiate" + suffix,
7009 config: Config{
7010 MaxVersion: ver.version,
7011 ClientAuth: RequireAnyClientCert,
7012 VerifySignatureAlgorithms: allAlgorithms,
7013 },
7014 flags: []string{
7015 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7016 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7017 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7018 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7019 "-signing-prefs", strconv.Itoa(int(alg.id)),
7020 },
7021 expectedPeerSignatureAlgorithm: alg.id,
7022 })
7023
7024 testCases = append(testCases, testCase{
7025 testType: serverTest,
7026 name: "ServerAuth-Sign-Negotiate" + suffix,
7027 config: Config{
7028 MaxVersion: ver.version,
7029 CipherSuites: signingCiphers,
7030 VerifySignatureAlgorithms: allAlgorithms,
7031 },
7032 flags: []string{
7033 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7034 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7035 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7036 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7037 "-signing-prefs", strconv.Itoa(int(alg.id)),
7038 },
7039 expectedPeerSignatureAlgorithm: alg.id,
7040 })
7041 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7042 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7043 }
7044
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7045 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7046 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7047 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7048 config: Config{
7049 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7050 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7051 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7052 signatureECDSAWithP521AndSHA512,
7053 signatureRSAPKCS1WithSHA384,
7054 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7055 },
7056 },
7057 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7058 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7059 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7060 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7061 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7062 })
7063
7064 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7065 name: "ClientAuth-SignatureType-TLS13",
7066 config: Config{
7067 ClientAuth: RequireAnyClientCert,
7068 MaxVersion: VersionTLS13,
7069 VerifySignatureAlgorithms: []signatureAlgorithm{
7070 signatureECDSAWithP521AndSHA512,
7071 signatureRSAPKCS1WithSHA384,
7072 signatureRSAPSSWithSHA384,
7073 signatureECDSAWithSHA1,
7074 },
7075 },
7076 flags: []string{
7077 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7078 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7079 },
7080 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7081 })
7082
7083 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7084 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7085 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7086 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7087 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7088 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7089 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7090 signatureECDSAWithP521AndSHA512,
7091 signatureRSAPKCS1WithSHA384,
7092 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7093 },
7094 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7095 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7096 })
7097
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7098 testCases = append(testCases, testCase{
7099 testType: serverTest,
7100 name: "ServerAuth-SignatureType-TLS13",
7101 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7102 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7103 VerifySignatureAlgorithms: []signatureAlgorithm{
7104 signatureECDSAWithP521AndSHA512,
7105 signatureRSAPKCS1WithSHA384,
7106 signatureRSAPSSWithSHA384,
7107 signatureECDSAWithSHA1,
7108 },
7109 },
7110 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7111 })
7112
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7113 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7114 testCases = append(testCases, testCase{
7115 testType: serverTest,
7116 name: "Verify-ClientAuth-SignatureType",
7117 config: Config{
7118 MaxVersion: VersionTLS12,
7119 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7120 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7121 signatureRSAPKCS1WithSHA256,
7122 },
7123 Bugs: ProtocolBugs{
7124 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7125 },
7126 },
7127 flags: []string{
7128 "-require-any-client-certificate",
7129 },
7130 shouldFail: true,
7131 expectedError: ":WRONG_SIGNATURE_TYPE:",
7132 })
7133
7134 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7135 testType: serverTest,
7136 name: "Verify-ClientAuth-SignatureType-TLS13",
7137 config: Config{
7138 MaxVersion: VersionTLS13,
7139 Certificates: []Certificate{rsaCertificate},
7140 SignSignatureAlgorithms: []signatureAlgorithm{
7141 signatureRSAPSSWithSHA256,
7142 },
7143 Bugs: ProtocolBugs{
7144 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7145 },
7146 },
7147 flags: []string{
7148 "-require-any-client-certificate",
7149 },
7150 shouldFail: true,
7151 expectedError: ":WRONG_SIGNATURE_TYPE:",
7152 })
7153
7154 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7155 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7156 config: Config{
7157 MaxVersion: VersionTLS12,
7158 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7159 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7160 signatureRSAPKCS1WithSHA256,
7161 },
7162 Bugs: ProtocolBugs{
7163 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7164 },
7165 },
7166 shouldFail: true,
7167 expectedError: ":WRONG_SIGNATURE_TYPE:",
7168 })
7169
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7170 testCases = append(testCases, testCase{
7171 name: "Verify-ServerAuth-SignatureType-TLS13",
7172 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7173 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7174 SignSignatureAlgorithms: []signatureAlgorithm{
7175 signatureRSAPSSWithSHA256,
7176 },
7177 Bugs: ProtocolBugs{
7178 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7179 },
7180 },
7181 shouldFail: true,
7182 expectedError: ":WRONG_SIGNATURE_TYPE:",
7183 })
7184
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7185 // Test that, if the list is missing, the peer falls back to SHA-1 in
7186 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7187 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7188 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7189 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7190 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7191 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7192 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7193 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7194 },
7195 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7196 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7197 },
7198 },
7199 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7200 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7201 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7202 },
7203 })
7204
7205 testCases = append(testCases, testCase{
7206 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7207 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7208 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7209 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7210 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7211 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7212 },
7213 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7214 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7215 },
7216 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7217 flags: []string{
7218 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7219 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7220 },
7221 })
7222
7223 testCases = append(testCases, testCase{
7224 name: "ClientAuth-SHA1-Fallback-ECDSA",
7225 config: Config{
7226 MaxVersion: VersionTLS12,
7227 ClientAuth: RequireAnyClientCert,
7228 VerifySignatureAlgorithms: []signatureAlgorithm{
7229 signatureECDSAWithSHA1,
7230 },
7231 Bugs: ProtocolBugs{
7232 NoSignatureAlgorithms: true,
7233 },
7234 },
7235 flags: []string{
7236 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7237 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7238 },
7239 })
7240
7241 testCases = append(testCases, testCase{
7242 testType: serverTest,
7243 name: "ServerAuth-SHA1-Fallback-ECDSA",
7244 config: Config{
7245 MaxVersion: VersionTLS12,
7246 VerifySignatureAlgorithms: []signatureAlgorithm{
7247 signatureECDSAWithSHA1,
7248 },
7249 Bugs: ProtocolBugs{
7250 NoSignatureAlgorithms: true,
7251 },
7252 },
7253 flags: []string{
7254 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7255 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7256 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7257 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7258
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7259 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7260 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7261 config: Config{
7262 MaxVersion: VersionTLS13,
7263 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7264 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7265 signatureRSAPKCS1WithSHA1,
7266 },
7267 Bugs: ProtocolBugs{
7268 NoSignatureAlgorithms: true,
7269 },
7270 },
7271 flags: []string{
7272 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7273 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7274 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7275 shouldFail: true,
7276 // An empty CertificateRequest signature algorithm list is a
7277 // syntax error in TLS 1.3.
7278 expectedError: ":DECODE_ERROR:",
7279 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7280 })
7281
7282 testCases = append(testCases, testCase{
7283 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7284 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7285 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7286 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7287 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7288 signatureRSAPKCS1WithSHA1,
7289 },
7290 Bugs: ProtocolBugs{
7291 NoSignatureAlgorithms: true,
7292 },
7293 },
7294 shouldFail: true,
7295 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7296 })
7297
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7298 // Test that hash preferences are enforced. BoringSSL does not implement
7299 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7300 testCases = append(testCases, testCase{
7301 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7302 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7303 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7304 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7305 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7306 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7307 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7308 },
7309 Bugs: ProtocolBugs{
7310 IgnorePeerSignatureAlgorithmPreferences: true,
7311 },
7312 },
7313 flags: []string{"-require-any-client-certificate"},
7314 shouldFail: true,
7315 expectedError: ":WRONG_SIGNATURE_TYPE:",
7316 })
7317
7318 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7319 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7320 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7321 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7322 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7323 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7324 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7325 },
7326 Bugs: ProtocolBugs{
7327 IgnorePeerSignatureAlgorithmPreferences: true,
7328 },
7329 },
7330 shouldFail: true,
7331 expectedError: ":WRONG_SIGNATURE_TYPE:",
7332 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7333 testCases = append(testCases, testCase{
7334 testType: serverTest,
7335 name: "ClientAuth-Enforced-TLS13",
7336 config: Config{
7337 MaxVersion: VersionTLS13,
7338 Certificates: []Certificate{rsaCertificate},
7339 SignSignatureAlgorithms: []signatureAlgorithm{
7340 signatureRSAPKCS1WithMD5,
7341 },
7342 Bugs: ProtocolBugs{
7343 IgnorePeerSignatureAlgorithmPreferences: true,
7344 IgnoreSignatureVersionChecks: true,
7345 },
7346 },
7347 flags: []string{"-require-any-client-certificate"},
7348 shouldFail: true,
7349 expectedError: ":WRONG_SIGNATURE_TYPE:",
7350 })
7351
7352 testCases = append(testCases, testCase{
7353 name: "ServerAuth-Enforced-TLS13",
7354 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7355 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7356 SignSignatureAlgorithms: []signatureAlgorithm{
7357 signatureRSAPKCS1WithMD5,
7358 },
7359 Bugs: ProtocolBugs{
7360 IgnorePeerSignatureAlgorithmPreferences: true,
7361 IgnoreSignatureVersionChecks: true,
7362 },
7363 },
7364 shouldFail: true,
7365 expectedError: ":WRONG_SIGNATURE_TYPE:",
7366 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7367
7368 // Test that the agreed upon digest respects the client preferences and
7369 // the server digests.
7370 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7371 name: "NoCommonAlgorithms-Digests",
7372 config: Config{
7373 MaxVersion: VersionTLS12,
7374 ClientAuth: RequireAnyClientCert,
7375 VerifySignatureAlgorithms: []signatureAlgorithm{
7376 signatureRSAPKCS1WithSHA512,
7377 signatureRSAPKCS1WithSHA1,
7378 },
7379 },
7380 flags: []string{
7381 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7382 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7383 "-digest-prefs", "SHA256",
7384 },
7385 shouldFail: true,
7386 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7387 })
7388 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7389 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7390 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7391 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7392 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7393 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7394 signatureRSAPKCS1WithSHA512,
7395 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7396 },
7397 },
7398 flags: []string{
7399 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7400 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7401 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7402 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7403 shouldFail: true,
7404 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7405 })
7406 testCases = append(testCases, testCase{
7407 name: "NoCommonAlgorithms-TLS13",
7408 config: Config{
7409 MaxVersion: VersionTLS13,
7410 ClientAuth: RequireAnyClientCert,
7411 VerifySignatureAlgorithms: []signatureAlgorithm{
7412 signatureRSAPSSWithSHA512,
7413 signatureRSAPSSWithSHA384,
7414 },
7415 },
7416 flags: []string{
7417 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7418 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7419 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7420 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7421 shouldFail: true,
7422 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7423 })
7424 testCases = append(testCases, testCase{
7425 name: "Agree-Digest-SHA256",
7426 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7427 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7428 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7429 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7430 signatureRSAPKCS1WithSHA1,
7431 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7432 },
7433 },
7434 flags: []string{
7435 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7436 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7437 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7438 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7439 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7440 })
7441 testCases = append(testCases, testCase{
7442 name: "Agree-Digest-SHA1",
7443 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7444 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7445 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7446 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7447 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7448 },
7449 },
7450 flags: []string{
7451 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7452 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7453 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7454 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7455 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7456 })
7457 testCases = append(testCases, testCase{
7458 name: "Agree-Digest-Default",
7459 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7460 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7461 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7462 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7463 signatureRSAPKCS1WithSHA256,
7464 signatureECDSAWithP256AndSHA256,
7465 signatureRSAPKCS1WithSHA1,
7466 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7467 },
7468 },
7469 flags: []string{
7470 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7471 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7472 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7473 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7474 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7475
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7476 // Test that the signing preference list may include extra algorithms
7477 // without negotiation problems.
7478 testCases = append(testCases, testCase{
7479 testType: serverTest,
7480 name: "FilterExtraAlgorithms",
7481 config: Config{
7482 MaxVersion: VersionTLS12,
7483 VerifySignatureAlgorithms: []signatureAlgorithm{
7484 signatureRSAPKCS1WithSHA256,
7485 },
7486 },
7487 flags: []string{
7488 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7489 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7490 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7491 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7492 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7493 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7494 },
7495 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7496 })
7497
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7498 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7499 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7500 testCases = append(testCases, testCase{
7501 name: "CheckLeafCurve",
7502 config: Config{
7503 MaxVersion: VersionTLS12,
7504 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7505 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7506 },
7507 flags: []string{"-p384-only"},
7508 shouldFail: true,
7509 expectedError: ":BAD_ECC_CERT:",
7510 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7511
7512 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7513 testCases = append(testCases, testCase{
7514 name: "CheckLeafCurve-TLS13",
7515 config: Config{
7516 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7517 Certificates: []Certificate{ecdsaP256Certificate},
7518 },
7519 flags: []string{"-p384-only"},
7520 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7521
7522 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7523 testCases = append(testCases, testCase{
7524 name: "ECDSACurveMismatch-Verify-TLS12",
7525 config: Config{
7526 MaxVersion: VersionTLS12,
7527 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7528 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7529 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7530 signatureECDSAWithP384AndSHA384,
7531 },
7532 },
7533 })
7534
7535 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7536 testCases = append(testCases, testCase{
7537 name: "ECDSACurveMismatch-Verify-TLS13",
7538 config: Config{
7539 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7540 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7541 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7542 signatureECDSAWithP384AndSHA384,
7543 },
7544 Bugs: ProtocolBugs{
7545 SkipECDSACurveCheck: true,
7546 },
7547 },
7548 shouldFail: true,
7549 expectedError: ":WRONG_SIGNATURE_TYPE:",
7550 })
7551
7552 // Signature algorithm selection in TLS 1.3 should take the curve into
7553 // account.
7554 testCases = append(testCases, testCase{
7555 testType: serverTest,
7556 name: "ECDSACurveMismatch-Sign-TLS13",
7557 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7558 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7559 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7560 signatureECDSAWithP384AndSHA384,
7561 signatureECDSAWithP256AndSHA256,
7562 },
7563 },
7564 flags: []string{
7565 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7566 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7567 },
7568 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7569 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7570
7571 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7572 // server does not attempt to sign in that case.
7573 testCases = append(testCases, testCase{
7574 testType: serverTest,
7575 name: "RSA-PSS-Large",
7576 config: Config{
7577 MaxVersion: VersionTLS13,
7578 VerifySignatureAlgorithms: []signatureAlgorithm{
7579 signatureRSAPSSWithSHA512,
7580 },
7581 },
7582 flags: []string{
7583 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7584 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7585 },
7586 shouldFail: true,
7587 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7588 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7589
7590 // Test that RSA-PSS is enabled by default for TLS 1.2.
7591 testCases = append(testCases, testCase{
7592 testType: clientTest,
7593 name: "RSA-PSS-Default-Verify",
7594 config: Config{
7595 MaxVersion: VersionTLS12,
7596 SignSignatureAlgorithms: []signatureAlgorithm{
7597 signatureRSAPSSWithSHA256,
7598 },
7599 },
7600 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7601 })
7602
7603 testCases = append(testCases, testCase{
7604 testType: serverTest,
7605 name: "RSA-PSS-Default-Sign",
7606 config: Config{
7607 MaxVersion: VersionTLS12,
7608 VerifySignatureAlgorithms: []signatureAlgorithm{
7609 signatureRSAPSSWithSHA256,
7610 },
7611 },
7612 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7613 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7614
7615 // TLS 1.1 and below has no way to advertise support for or negotiate
7616 // Ed25519's signature algorithm.
7617 testCases = append(testCases, testCase{
7618 testType: clientTest,
7619 name: "NoEd25519-TLS11-ServerAuth-Verify",
7620 config: Config{
7621 MaxVersion: VersionTLS11,
7622 Certificates: []Certificate{ed25519Certificate},
7623 Bugs: ProtocolBugs{
7624 // Sign with Ed25519 even though it is TLS 1.1.
7625 UseLegacySigningAlgorithm: signatureEd25519,
7626 },
7627 },
7628 flags: []string{"-enable-ed25519"},
7629 shouldFail: true,
7630 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7631 })
7632 testCases = append(testCases, testCase{
7633 testType: serverTest,
7634 name: "NoEd25519-TLS11-ServerAuth-Sign",
7635 config: Config{
7636 MaxVersion: VersionTLS11,
7637 },
7638 flags: []string{
7639 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7640 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7641 },
7642 shouldFail: true,
7643 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7644 })
7645 testCases = append(testCases, testCase{
7646 testType: serverTest,
7647 name: "NoEd25519-TLS11-ClientAuth-Verify",
7648 config: Config{
7649 MaxVersion: VersionTLS11,
7650 Certificates: []Certificate{ed25519Certificate},
7651 Bugs: ProtocolBugs{
7652 // Sign with Ed25519 even though it is TLS 1.1.
7653 UseLegacySigningAlgorithm: signatureEd25519,
7654 },
7655 },
7656 flags: []string{
7657 "-enable-ed25519",
7658 "-require-any-client-certificate",
7659 },
7660 shouldFail: true,
7661 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7662 })
7663 testCases = append(testCases, testCase{
7664 testType: clientTest,
7665 name: "NoEd25519-TLS11-ClientAuth-Sign",
7666 config: Config{
7667 MaxVersion: VersionTLS11,
7668 ClientAuth: RequireAnyClientCert,
7669 },
7670 flags: []string{
7671 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7672 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7673 },
7674 shouldFail: true,
7675 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7676 })
7677
7678 // Test Ed25519 is not advertised by default.
7679 testCases = append(testCases, testCase{
7680 testType: clientTest,
7681 name: "Ed25519DefaultDisable-NoAdvertise",
7682 config: Config{
7683 Certificates: []Certificate{ed25519Certificate},
7684 },
7685 shouldFail: true,
7686 expectedLocalError: "tls: no common signature algorithms",
7687 })
7688
7689 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7690 // preferences.
7691 testCases = append(testCases, testCase{
7692 testType: clientTest,
7693 name: "Ed25519DefaultDisable-NoAccept",
7694 config: Config{
7695 Certificates: []Certificate{ed25519Certificate},
7696 Bugs: ProtocolBugs{
7697 IgnorePeerSignatureAlgorithmPreferences: true,
7698 },
7699 },
7700 shouldFail: true,
7701 expectedLocalError: "remote error: illegal parameter",
7702 expectedError: ":WRONG_SIGNATURE_TYPE:",
7703 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame]7704
7705 // Test that configuring verify preferences changes what the client
7706 // advertises.
7707 testCases = append(testCases, testCase{
7708 name: "VerifyPreferences-Advertised",
7709 config: Config{
7710 Certificates: []Certificate{rsaCertificate},
7711 SignSignatureAlgorithms: []signatureAlgorithm{
7712 signatureRSAPSSWithSHA256,
7713 signatureRSAPSSWithSHA384,
7714 signatureRSAPSSWithSHA512,
7715 },
7716 },
7717 flags: []string{
7718 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7719 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7720 },
7721 })
7722
7723 // Test that the client advertises a set which the runner can find
7724 // nothing in common with.
7725 testCases = append(testCases, testCase{
7726 name: "VerifyPreferences-NoCommonAlgorithms",
7727 config: Config{
7728 Certificates: []Certificate{rsaCertificate},
7729 SignSignatureAlgorithms: []signatureAlgorithm{
7730 signatureRSAPSSWithSHA256,
7731 signatureRSAPSSWithSHA512,
7732 },
7733 },
7734 flags: []string{
7735 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7736 },
7737 shouldFail: true,
7738 expectedLocalError: "tls: no common signature algorithms",
7739 })
7740
7741 // Test that the client enforces its preferences when configured.
7742 testCases = append(testCases, testCase{
7743 name: "VerifyPreferences-Enforced",
7744 config: Config{
7745 Certificates: []Certificate{rsaCertificate},
7746 SignSignatureAlgorithms: []signatureAlgorithm{
7747 signatureRSAPSSWithSHA256,
7748 signatureRSAPSSWithSHA512,
7749 },
7750 Bugs: ProtocolBugs{
7751 IgnorePeerSignatureAlgorithmPreferences: true,
7752 },
7753 },
7754 flags: []string{
7755 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7756 },
7757 shouldFail: true,
7758 expectedLocalError: "remote error: illegal parameter",
7759 expectedError: ":WRONG_SIGNATURE_TYPE:",
7760 })
7761
7762 // Test that explicitly configuring Ed25519 is as good as changing the
7763 // boolean toggle.
7764 testCases = append(testCases, testCase{
7765 name: "VerifyPreferences-Ed25519",
7766 config: Config{
7767 Certificates: []Certificate{ed25519Certificate},
7768 },
7769 flags: []string{
7770 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7771 },
7772 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7773}
7774
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7775// timeouts is the retransmit schedule for BoringSSL. It doubles and
7776// caps at 60 seconds. On the 13th timeout, it gives up.
7777var timeouts = []time.Duration{
7778 1 * time.Second,
7779 2 * time.Second,
7780 4 * time.Second,
7781 8 * time.Second,
7782 16 * time.Second,
7783 32 * time.Second,
7784 60 * time.Second,
7785 60 * time.Second,
7786 60 * time.Second,
7787 60 * time.Second,
7788 60 * time.Second,
7789 60 * time.Second,
7790 60 * time.Second,
7791}
7792
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7793// shortTimeouts is an alternate set of timeouts which would occur if the
7794// initial timeout duration was set to 250ms.
7795var shortTimeouts = []time.Duration{
7796 250 * time.Millisecond,
7797 500 * time.Millisecond,
7798 1 * time.Second,
7799 2 * time.Second,
7800 4 * time.Second,
7801 8 * time.Second,
7802 16 * time.Second,
7803 32 * time.Second,
7804 60 * time.Second,
7805 60 * time.Second,
7806 60 * time.Second,
7807 60 * time.Second,
7808 60 * time.Second,
7809}
7810
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7811func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7812 // These tests work by coordinating some behavior on both the shim and
7813 // the runner.
7814 //
7815 // TimeoutSchedule configures the runner to send a series of timeout
7816 // opcodes to the shim (see packetAdaptor) immediately before reading
7817 // each peer handshake flight N. The timeout opcode both simulates a
7818 // timeout in the shim and acts as a synchronization point to help the
7819 // runner bracket each handshake flight.
7820 //
7821 // We assume the shim does not read from the channel eagerly. It must
7822 // first wait until it has sent flight N and is ready to receive
7823 // handshake flight N+1. At this point, it will process the timeout
7824 // opcode. It must then immediately respond with a timeout ACK and act
7825 // as if the shim was idle for the specified amount of time.
7826 //
7827 // The runner then drops all packets received before the ACK and
7828 // continues waiting for flight N. This ordering results in one attempt
7829 // at sending flight N to be dropped. For the test to complete, the
7830 // shim must send flight N again, testing that the shim implements DTLS
7831 // retransmit on a timeout.
7832
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7833 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7834 // likely be more epochs to cross and the final message's retransmit may
7835 // be more complex.
7836
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7837 // Test that this is indeed the timeout schedule. Stress all
7838 // four patterns of handshake.
7839 for i := 1; i < len(timeouts); i++ {
7840 number := strconv.Itoa(i)
7841 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7842 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7843 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7844 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7845 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7846 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7847 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7848 },
7849 },
7850 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7851 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7852 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7853 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7854 protocol: dtls,
7855 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7856 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7857 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7858 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7859 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7860 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7861 },
7862 },
7863 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7864 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7865 })
7866 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7867
7868 // Test that exceeding the timeout schedule hits a read
7869 // timeout.
7870 testCases = append(testCases, testCase{
7871 protocol: dtls,
7872 name: "DTLS-Retransmit-Timeout",
7873 config: Config{
7874 MaxVersion: VersionTLS12,
7875 Bugs: ProtocolBugs{
7876 TimeoutSchedule: timeouts,
7877 },
7878 },
7879 resumeSession: true,
7880 flags: []string{"-async"},
7881 shouldFail: true,
7882 expectedError: ":READ_TIMEOUT_EXPIRED:",
7883 })
7884
7885 // Test that timeout handling has a fudge factor, due to API
7886 // problems.
7887 testCases = append(testCases, testCase{
7888 protocol: dtls,
7889 name: "DTLS-Retransmit-Fudge",
7890 config: Config{
7891 MaxVersion: VersionTLS12,
7892 Bugs: ProtocolBugs{
7893 TimeoutSchedule: []time.Duration{
7894 timeouts[0] - 10*time.Millisecond,
7895 },
7896 },
7897 },
7898 resumeSession: true,
7899 flags: []string{"-async"},
7900 })
7901
7902 // Test that the final Finished retransmitting isn't
7903 // duplicated if the peer badly fragments everything.
7904 testCases = append(testCases, testCase{
7905 testType: serverTest,
7906 protocol: dtls,
7907 name: "DTLS-Retransmit-Fragmented",
7908 config: Config{
7909 MaxVersion: VersionTLS12,
7910 Bugs: ProtocolBugs{
7911 TimeoutSchedule: []time.Duration{timeouts[0]},
7912 MaxHandshakeRecordLength: 2,
7913 },
7914 },
7915 flags: []string{"-async"},
7916 })
7917
7918 // Test the timeout schedule when a shorter initial timeout duration is set.
7919 testCases = append(testCases, testCase{
7920 protocol: dtls,
7921 name: "DTLS-Retransmit-Short-Client",
7922 config: Config{
7923 MaxVersion: VersionTLS12,
7924 Bugs: ProtocolBugs{
7925 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7926 },
7927 },
7928 resumeSession: true,
7929 flags: []string{
7930 "-async",
7931 "-initial-timeout-duration-ms", "250",
7932 },
7933 })
7934 testCases = append(testCases, testCase{
7935 protocol: dtls,
7936 testType: serverTest,
7937 name: "DTLS-Retransmit-Short-Server",
7938 config: Config{
7939 MaxVersion: VersionTLS12,
7940 Bugs: ProtocolBugs{
7941 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7942 },
7943 },
7944 resumeSession: true,
7945 flags: []string{
7946 "-async",
7947 "-initial-timeout-duration-ms", "250",
7948 },
7949 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7950}
7951
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7952func addExportKeyingMaterialTests() {
7953 for _, vers := range tlsVersions {
7954 if vers.version == VersionSSL30 {
7955 continue
7956 }
7957 testCases = append(testCases, testCase{
7958 name: "ExportKeyingMaterial-" + vers.name,
7959 config: Config{
7960 MaxVersion: vers.version,
7961 },
7962 exportKeyingMaterial: 1024,
7963 exportLabel: "label",
7964 exportContext: "context",
7965 useExportContext: true,
7966 })
7967 testCases = append(testCases, testCase{
7968 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7969 config: Config{
7970 MaxVersion: vers.version,
7971 },
7972 exportKeyingMaterial: 1024,
7973 })
7974 testCases = append(testCases, testCase{
7975 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7976 config: Config{
7977 MaxVersion: vers.version,
7978 },
7979 exportKeyingMaterial: 1024,
7980 useExportContext: true,
7981 })
7982 testCases = append(testCases, testCase{
7983 name: "ExportKeyingMaterial-Small-" + vers.name,
7984 config: Config{
7985 MaxVersion: vers.version,
7986 },
7987 exportKeyingMaterial: 1,
7988 exportLabel: "label",
7989 exportContext: "context",
7990 useExportContext: true,
7991 })
7992 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7993
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7994 testCases = append(testCases, testCase{
7995 name: "ExportKeyingMaterial-SSL3",
7996 config: Config{
7997 MaxVersion: VersionSSL30,
7998 },
7999 exportKeyingMaterial: 1024,
8000 exportLabel: "label",
8001 exportContext: "context",
8002 useExportContext: true,
8003 shouldFail: true,
8004 expectedError: "failed to export keying material",
8005 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8006
8007 // Exporters work during a False Start.
8008 testCases = append(testCases, testCase{
8009 name: "ExportKeyingMaterial-FalseStart",
8010 config: Config{
8011 MaxVersion: VersionTLS12,
8012 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8013 NextProtos: []string{"foo"},
8014 Bugs: ProtocolBugs{
8015 ExpectFalseStart: true,
8016 },
8017 },
8018 flags: []string{
8019 "-false-start",
8020 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8021 "-expect-alpn", "foo",
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8022 },
8023 shimWritesFirst: true,
8024 exportKeyingMaterial: 1024,
8025 exportLabel: "label",
8026 exportContext: "context",
8027 useExportContext: true,
8028 })
8029
8030 // Exporters do not work in the middle of a renegotiation. Test this by
8031 // triggering the exporter after every SSL_read call and configuring the
8032 // shim to run asynchronously.
8033 testCases = append(testCases, testCase{
8034 name: "ExportKeyingMaterial-Renegotiate",
8035 config: Config{
8036 MaxVersion: VersionTLS12,
8037 },
8038 renegotiate: 1,
8039 flags: []string{
8040 "-async",
8041 "-use-exporter-between-reads",
8042 "-renegotiate-freely",
8043 "-expect-total-renegotiations", "1",
8044 },
8045 shouldFail: true,
8046 expectedError: "failed to export keying material",
8047 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8048}
8049
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8050func addTLSUniqueTests() {
8051 for _, isClient := range []bool{false, true} {
8052 for _, isResumption := range []bool{false, true} {
8053 for _, hasEMS := range []bool{false, true} {
8054 var suffix string
8055 if isResumption {
8056 suffix = "Resume-"
8057 } else {
8058 suffix = "Full-"
8059 }
8060
8061 if hasEMS {
8062 suffix += "EMS-"
8063 } else {
8064 suffix += "NoEMS-"
8065 }
8066
8067 if isClient {
8068 suffix += "Client"
8069 } else {
8070 suffix += "Server"
8071 }
8072
8073 test := testCase{
8074 name: "TLSUnique-" + suffix,
8075 testTLSUnique: true,
8076 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8077 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8078 Bugs: ProtocolBugs{
8079 NoExtendedMasterSecret: !hasEMS,
8080 },
8081 },
8082 }
8083
8084 if isResumption {
8085 test.resumeSession = true
8086 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8087 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8088 Bugs: ProtocolBugs{
8089 NoExtendedMasterSecret: !hasEMS,
8090 },
8091 }
8092 }
8093
8094 if isResumption && !hasEMS {
8095 test.shouldFail = true
8096 test.expectedError = "failed to get tls-unique"
8097 }
8098
8099 testCases = append(testCases, test)
8100 }
8101 }
8102 }
8103}
8104
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8105func addCustomExtensionTests() {
8106 expectedContents := "custom extension"
8107 emptyString := ""
8108
8109 for _, isClient := range []bool{false, true} {
8110 suffix := "Server"
8111 flag := "-enable-server-custom-extension"
8112 testType := serverTest
8113 if isClient {
8114 suffix = "Client"
8115 flag = "-enable-client-custom-extension"
8116 testType = clientTest
8117 }
8118
8119 testCases = append(testCases, testCase{
8120 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8121 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8122 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8123 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8124 Bugs: ProtocolBugs{
8125 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8126 ExpectedCustomExtension: &expectedContents,
8127 },
8128 },
8129 flags: []string{flag},
8130 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8131 testCases = append(testCases, testCase{
8132 testType: testType,
8133 name: "CustomExtensions-" + suffix + "-TLS13",
8134 config: Config{
8135 MaxVersion: VersionTLS13,
8136 Bugs: ProtocolBugs{
8137 CustomExtension: expectedContents,
8138 ExpectedCustomExtension: &expectedContents,
8139 },
8140 },
8141 flags: []string{flag},
8142 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8143
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8144 // 0-RTT is not currently supported with Custom Extensions.
8145 testCases = append(testCases, testCase{
8146 testType: testType,
8147 name: "CustomExtensions-" + suffix + "-EarlyData",
8148 config: Config{
8149 MaxVersion: VersionTLS13,
8150 Bugs: ProtocolBugs{
8151 CustomExtension: expectedContents,
8152 ExpectedCustomExtension: &expectedContents,
8153 },
8154 },
8155 shouldFail: true,
8156 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8157 flags: []string{flag, "-enable-early-data"},
8158 })
8159
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8160 // If the parse callback fails, the handshake should also fail.
8161 testCases = append(testCases, testCase{
8162 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8163 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8164 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8165 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8166 Bugs: ProtocolBugs{
8167 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8168 ExpectedCustomExtension: &expectedContents,
8169 },
8170 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8171 flags: []string{flag},
8172 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8173 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8174 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8175 testCases = append(testCases, testCase{
8176 testType: testType,
8177 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8178 config: Config{
8179 MaxVersion: VersionTLS13,
8180 Bugs: ProtocolBugs{
8181 CustomExtension: expectedContents + "foo",
8182 ExpectedCustomExtension: &expectedContents,
8183 },
8184 },
8185 flags: []string{flag},
8186 shouldFail: true,
8187 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8188 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8189
8190 // If the add callback fails, the handshake should also fail.
8191 testCases = append(testCases, testCase{
8192 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8193 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8194 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8195 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8196 Bugs: ProtocolBugs{
8197 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8198 ExpectedCustomExtension: &expectedContents,
8199 },
8200 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8201 flags: []string{flag, "-custom-extension-fail-add"},
8202 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8203 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8204 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8205 testCases = append(testCases, testCase{
8206 testType: testType,
8207 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8208 config: Config{
8209 MaxVersion: VersionTLS13,
8210 Bugs: ProtocolBugs{
8211 CustomExtension: expectedContents,
8212 ExpectedCustomExtension: &expectedContents,
8213 },
8214 },
8215 flags: []string{flag, "-custom-extension-fail-add"},
8216 shouldFail: true,
8217 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8218 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8219
8220 // If the add callback returns zero, no extension should be
8221 // added.
8222 skipCustomExtension := expectedContents
8223 if isClient {
8224 // For the case where the client skips sending the
8225 // custom extension, the server must not “echo” it.
8226 skipCustomExtension = ""
8227 }
8228 testCases = append(testCases, testCase{
8229 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8230 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8231 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8232 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8233 Bugs: ProtocolBugs{
8234 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8235 ExpectedCustomExtension: &emptyString,
8236 },
8237 },
8238 flags: []string{flag, "-custom-extension-skip"},
8239 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8240 testCases = append(testCases, testCase{
8241 testType: testType,
8242 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8243 config: Config{
8244 MaxVersion: VersionTLS13,
8245 Bugs: ProtocolBugs{
8246 CustomExtension: skipCustomExtension,
8247 ExpectedCustomExtension: &emptyString,
8248 },
8249 },
8250 flags: []string{flag, "-custom-extension-skip"},
8251 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8252 }
8253
8254 // The custom extension add callback should not be called if the client
8255 // doesn't send the extension.
8256 testCases = append(testCases, testCase{
8257 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8258 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8259 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8260 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8261 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8262 ExpectedCustomExtension: &emptyString,
8263 },
8264 },
8265 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8266 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8267
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8268 testCases = append(testCases, testCase{
8269 testType: serverTest,
8270 name: "CustomExtensions-NotCalled-Server-TLS13",
8271 config: Config{
8272 MaxVersion: VersionTLS13,
8273 Bugs: ProtocolBugs{
8274 ExpectedCustomExtension: &emptyString,
8275 },
8276 },
8277 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8278 })
8279
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8280 // Test an unknown extension from the server.
8281 testCases = append(testCases, testCase{
8282 testType: clientTest,
8283 name: "UnknownExtension-Client",
8284 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8285 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8286 Bugs: ProtocolBugs{
8287 CustomExtension: expectedContents,
8288 },
8289 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8290 shouldFail: true,
8291 expectedError: ":UNEXPECTED_EXTENSION:",
8292 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8293 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8294 testCases = append(testCases, testCase{
8295 testType: clientTest,
8296 name: "UnknownExtension-Client-TLS13",
8297 config: Config{
8298 MaxVersion: VersionTLS13,
8299 Bugs: ProtocolBugs{
8300 CustomExtension: expectedContents,
8301 },
8302 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8303 shouldFail: true,
8304 expectedError: ":UNEXPECTED_EXTENSION:",
8305 expectedLocalError: "remote error: unsupported extension",
8306 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8307 testCases = append(testCases, testCase{
8308 testType: clientTest,
8309 name: "UnknownUnencryptedExtension-Client-TLS13",
8310 config: Config{
8311 MaxVersion: VersionTLS13,
8312 Bugs: ProtocolBugs{
8313 CustomUnencryptedExtension: expectedContents,
8314 },
8315 },
8316 shouldFail: true,
8317 expectedError: ":UNEXPECTED_EXTENSION:",
8318 // The shim must send an alert, but alerts at this point do not
8319 // get successfully decrypted by the runner.
8320 expectedLocalError: "local error: bad record MAC",
8321 })
8322 testCases = append(testCases, testCase{
8323 testType: clientTest,
8324 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8325 config: Config{
8326 MaxVersion: VersionTLS13,
8327 Bugs: ProtocolBugs{
8328 SendUnencryptedALPN: "foo",
8329 },
8330 },
8331 flags: []string{
8332 "-advertise-alpn", "\x03foo\x03bar",
8333 },
8334 shouldFail: true,
8335 expectedError: ":UNEXPECTED_EXTENSION:",
8336 // The shim must send an alert, but alerts at this point do not
8337 // get successfully decrypted by the runner.
8338 expectedLocalError: "local error: bad record MAC",
8339 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8340
8341 // Test a known but unoffered extension from the server.
8342 testCases = append(testCases, testCase{
8343 testType: clientTest,
8344 name: "UnofferedExtension-Client",
8345 config: Config{
8346 MaxVersion: VersionTLS12,
8347 Bugs: ProtocolBugs{
8348 SendALPN: "alpn",
8349 },
8350 },
8351 shouldFail: true,
8352 expectedError: ":UNEXPECTED_EXTENSION:",
8353 expectedLocalError: "remote error: unsupported extension",
8354 })
8355 testCases = append(testCases, testCase{
8356 testType: clientTest,
8357 name: "UnofferedExtension-Client-TLS13",
8358 config: Config{
8359 MaxVersion: VersionTLS13,
8360 Bugs: ProtocolBugs{
8361 SendALPN: "alpn",
8362 },
8363 },
8364 shouldFail: true,
8365 expectedError: ":UNEXPECTED_EXTENSION:",
8366 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8367 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8368}
8369
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8370func addRSAClientKeyExchangeTests() {
8371 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8372 testCases = append(testCases, testCase{
8373 testType: serverTest,
8374 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8375 config: Config{
8376 // Ensure the ClientHello version and final
8377 // version are different, to detect if the
8378 // server uses the wrong one.
8379 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8380 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8381 Bugs: ProtocolBugs{
8382 BadRSAClientKeyExchange: bad,
8383 },
8384 },
8385 shouldFail: true,
8386 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8387 })
8388 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8389
8390 // The server must compare whatever was in ClientHello.version for the
8391 // RSA premaster.
8392 testCases = append(testCases, testCase{
8393 testType: serverTest,
8394 name: "SendClientVersion-RSA",
8395 config: Config{
8396 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8397 Bugs: ProtocolBugs{
8398 SendClientVersion: 0x1234,
8399 },
8400 },
8401 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8402 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8403}
8404
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8405var testCurves = []struct {
8406 name string
8407 id CurveID
8408}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8409 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8410 {"P-256", CurveP256},
8411 {"P-384", CurveP384},
8412 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8413 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8414}
8415
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8416const bogusCurve = 0x1234
8417
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8418func addCurveTests() {
8419 for _, curve := range testCurves {
8420 testCases = append(testCases, testCase{
8421 name: "CurveTest-Client-" + curve.name,
8422 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8423 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8424 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8425 CurvePreferences: []CurveID{curve.id},
8426 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8427 flags: []string{
8428 "-enable-all-curves",
8429 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8430 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8431 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8432 })
8433 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8434 name: "CurveTest-Client-" + curve.name + "-TLS13",
8435 config: Config{
8436 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8437 CurvePreferences: []CurveID{curve.id},
8438 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8439 flags: []string{
8440 "-enable-all-curves",
8441 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8442 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8443 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8444 })
8445 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8446 testType: serverTest,
8447 name: "CurveTest-Server-" + curve.name,
8448 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8449 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8450 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8451 CurvePreferences: []CurveID{curve.id},
8452 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8453 flags: []string{
8454 "-enable-all-curves",
8455 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8456 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8457 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8458 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8459 testCases = append(testCases, testCase{
8460 testType: serverTest,
8461 name: "CurveTest-Server-" + curve.name + "-TLS13",
8462 config: Config{
8463 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8464 CurvePreferences: []CurveID{curve.id},
8465 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8466 flags: []string{
8467 "-enable-all-curves",
8468 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8469 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8470 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8471 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8472 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8473
8474 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8475 testCases = append(testCases, testCase{
8476 testType: serverTest,
8477 name: "UnknownCurve",
8478 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8479 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8480 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8481 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8482 },
8483 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8484
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8485 // The server must be tolerant to bogus curves.
8486 testCases = append(testCases, testCase{
8487 testType: serverTest,
8488 name: "UnknownCurve-TLS13",
8489 config: Config{
8490 MaxVersion: VersionTLS13,
8491 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8492 },
8493 })
8494
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8495 // The server must not consider ECDHE ciphers when there are no
8496 // supported curves.
8497 testCases = append(testCases, testCase{
8498 testType: serverTest,
8499 name: "NoSupportedCurves",
8500 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8501 MaxVersion: VersionTLS12,
8502 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8503 Bugs: ProtocolBugs{
8504 NoSupportedCurves: true,
8505 },
8506 },
8507 shouldFail: true,
8508 expectedError: ":NO_SHARED_CIPHER:",
8509 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8510 testCases = append(testCases, testCase{
8511 testType: serverTest,
8512 name: "NoSupportedCurves-TLS13",
8513 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8514 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8515 Bugs: ProtocolBugs{
8516 NoSupportedCurves: true,
8517 },
8518 },
8519 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8520 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8521 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8522
8523 // The server must fall back to another cipher when there are no
8524 // supported curves.
8525 testCases = append(testCases, testCase{
8526 testType: serverTest,
8527 name: "NoCommonCurves",
8528 config: Config{
8529 MaxVersion: VersionTLS12,
8530 CipherSuites: []uint16{
8531 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8532 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8533 },
8534 CurvePreferences: []CurveID{CurveP224},
8535 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8536 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8537 })
8538
8539 // The client must reject bogus curves and disabled curves.
8540 testCases = append(testCases, testCase{
8541 name: "BadECDHECurve",
8542 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8543 MaxVersion: VersionTLS12,
8544 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8545 Bugs: ProtocolBugs{
8546 SendCurve: bogusCurve,
8547 },
8548 },
8549 shouldFail: true,
8550 expectedError: ":WRONG_CURVE:",
8551 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8552 testCases = append(testCases, testCase{
8553 name: "BadECDHECurve-TLS13",
8554 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8555 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8556 Bugs: ProtocolBugs{
8557 SendCurve: bogusCurve,
8558 },
8559 },
8560 shouldFail: true,
8561 expectedError: ":WRONG_CURVE:",
8562 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8563
8564 testCases = append(testCases, testCase{
8565 name: "UnsupportedCurve",
8566 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8567 MaxVersion: VersionTLS12,
8568 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8569 CurvePreferences: []CurveID{CurveP256},
8570 Bugs: ProtocolBugs{
8571 IgnorePeerCurvePreferences: true,
8572 },
8573 },
8574 flags: []string{"-p384-only"},
8575 shouldFail: true,
8576 expectedError: ":WRONG_CURVE:",
8577 })
8578
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8579 testCases = append(testCases, testCase{
8580 // TODO(davidben): Add a TLS 1.3 version where
8581 // HelloRetryRequest requests an unsupported curve.
8582 name: "UnsupportedCurve-ServerHello-TLS13",
8583 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8584 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8585 CurvePreferences: []CurveID{CurveP384},
8586 Bugs: ProtocolBugs{
8587 SendCurve: CurveP256,
8588 },
8589 },
8590 flags: []string{"-p384-only"},
8591 shouldFail: true,
8592 expectedError: ":WRONG_CURVE:",
8593 })
8594
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8595 // Test invalid curve points.
8596 testCases = append(testCases, testCase{
8597 name: "InvalidECDHPoint-Client",
8598 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8599 MaxVersion: VersionTLS12,
8600 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8601 CurvePreferences: []CurveID{CurveP256},
8602 Bugs: ProtocolBugs{
8603 InvalidECDHPoint: true,
8604 },
8605 },
8606 shouldFail: true,
8607 expectedError: ":INVALID_ENCODING:",
8608 })
8609 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8610 name: "InvalidECDHPoint-Client-TLS13",
8611 config: Config{
8612 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8613 CurvePreferences: []CurveID{CurveP256},
8614 Bugs: ProtocolBugs{
8615 InvalidECDHPoint: true,
8616 },
8617 },
8618 shouldFail: true,
8619 expectedError: ":INVALID_ENCODING:",
8620 })
8621 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8622 testType: serverTest,
8623 name: "InvalidECDHPoint-Server",
8624 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8625 MaxVersion: VersionTLS12,
8626 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8627 CurvePreferences: []CurveID{CurveP256},
8628 Bugs: ProtocolBugs{
8629 InvalidECDHPoint: true,
8630 },
8631 },
8632 shouldFail: true,
8633 expectedError: ":INVALID_ENCODING:",
8634 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8635 testCases = append(testCases, testCase{
8636 testType: serverTest,
8637 name: "InvalidECDHPoint-Server-TLS13",
8638 config: Config{
8639 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8640 CurvePreferences: []CurveID{CurveP256},
8641 Bugs: ProtocolBugs{
8642 InvalidECDHPoint: true,
8643 },
8644 },
8645 shouldFail: true,
8646 expectedError: ":INVALID_ENCODING:",
8647 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8648
8649 // The previous curve ID should be reported on TLS 1.2 resumption.
8650 testCases = append(testCases, testCase{
8651 name: "CurveID-Resume-Client",
8652 config: Config{
8653 MaxVersion: VersionTLS12,
8654 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8655 CurvePreferences: []CurveID{CurveX25519},
8656 },
8657 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8658 resumeSession: true,
8659 })
8660 testCases = append(testCases, testCase{
8661 testType: serverTest,
8662 name: "CurveID-Resume-Server",
8663 config: Config{
8664 MaxVersion: VersionTLS12,
8665 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8666 CurvePreferences: []CurveID{CurveX25519},
8667 },
8668 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8669 resumeSession: true,
8670 })
8671
8672 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8673 // one should be reported.
8674 testCases = append(testCases, testCase{
8675 name: "CurveID-Resume-Client-TLS13",
8676 config: Config{
8677 MaxVersion: VersionTLS13,
8678 CurvePreferences: []CurveID{CurveX25519},
8679 },
8680 resumeConfig: &Config{
8681 MaxVersion: VersionTLS13,
8682 CurvePreferences: []CurveID{CurveP256},
8683 },
8684 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8685 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8686 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8687 },
8688 resumeSession: true,
8689 })
8690 testCases = append(testCases, testCase{
8691 testType: serverTest,
8692 name: "CurveID-Resume-Server-TLS13",
8693 config: Config{
8694 MaxVersion: VersionTLS13,
8695 CurvePreferences: []CurveID{CurveX25519},
8696 },
8697 resumeConfig: &Config{
8698 MaxVersion: VersionTLS13,
8699 CurvePreferences: []CurveID{CurveP256},
8700 },
8701 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8702 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8703 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8704 },
8705 resumeSession: true,
8706 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8707
8708 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8709 testCases = append(testCases, testCase{
8710 name: "PointFormat-ServerHello-TLS12",
8711 config: Config{
8712 MaxVersion: VersionTLS12,
8713 Bugs: ProtocolBugs{
8714 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8715 },
8716 },
8717 })
8718 testCases = append(testCases, testCase{
8719 name: "PointFormat-EncryptedExtensions-TLS13",
8720 config: Config{
8721 MaxVersion: VersionTLS13,
8722 Bugs: ProtocolBugs{
8723 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8724 },
8725 },
8726 shouldFail: true,
8727 expectedError: ":ERROR_PARSING_EXTENSION:",
8728 })
8729
8730 // Test that we tolerate unknown point formats, as long as
8731 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8732 // check they are still functional.
8733 testCases = append(testCases, testCase{
8734 name: "PointFormat-Client-Tolerance",
8735 config: Config{
8736 MaxVersion: VersionTLS12,
8737 Bugs: ProtocolBugs{
8738 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8739 },
8740 },
8741 })
8742 testCases = append(testCases, testCase{
8743 testType: serverTest,
8744 name: "PointFormat-Server-Tolerance",
8745 config: Config{
8746 MaxVersion: VersionTLS12,
8747 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8748 Bugs: ProtocolBugs{
8749 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8750 },
8751 },
8752 })
8753
8754 // Test TLS 1.2 does not require the point format extension to be
8755 // present.
8756 testCases = append(testCases, testCase{
8757 name: "PointFormat-Client-Missing",
8758 config: Config{
8759 MaxVersion: VersionTLS12,
8760 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8761 Bugs: ProtocolBugs{
8762 SendSupportedPointFormats: []byte{},
8763 },
8764 },
8765 })
8766 testCases = append(testCases, testCase{
8767 testType: serverTest,
8768 name: "PointFormat-Server-Missing",
8769 config: Config{
8770 MaxVersion: VersionTLS12,
8771 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8772 Bugs: ProtocolBugs{
8773 SendSupportedPointFormats: []byte{},
8774 },
8775 },
8776 })
8777
8778 // If the point format extension is present, uncompressed points must be
8779 // offered. BoringSSL requires this whether or not ECDHE is used.
8780 testCases = append(testCases, testCase{
8781 name: "PointFormat-Client-MissingUncompressed",
8782 config: Config{
8783 MaxVersion: VersionTLS12,
8784 Bugs: ProtocolBugs{
8785 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8786 },
8787 },
8788 shouldFail: true,
8789 expectedError: ":ERROR_PARSING_EXTENSION:",
8790 })
8791 testCases = append(testCases, testCase{
8792 testType: serverTest,
8793 name: "PointFormat-Server-MissingUncompressed",
8794 config: Config{
8795 MaxVersion: VersionTLS12,
8796 Bugs: ProtocolBugs{
8797 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8798 },
8799 },
8800 shouldFail: true,
8801 expectedError: ":ERROR_PARSING_EXTENSION:",
8802 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8803}
8804
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8805func addTLS13RecordTests() {
8806 testCases = append(testCases, testCase{
8807 name: "TLS13-RecordPadding",
8808 config: Config{
8809 MaxVersion: VersionTLS13,
8810 MinVersion: VersionTLS13,
8811 Bugs: ProtocolBugs{
8812 RecordPadding: 10,
8813 },
8814 },
8815 })
8816
8817 testCases = append(testCases, testCase{
8818 name: "TLS13-EmptyRecords",
8819 config: Config{
8820 MaxVersion: VersionTLS13,
8821 MinVersion: VersionTLS13,
8822 Bugs: ProtocolBugs{
8823 OmitRecordContents: true,
8824 },
8825 },
8826 shouldFail: true,
8827 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8828 })
8829
8830 testCases = append(testCases, testCase{
8831 name: "TLS13-OnlyPadding",
8832 config: Config{
8833 MaxVersion: VersionTLS13,
8834 MinVersion: VersionTLS13,
8835 Bugs: ProtocolBugs{
8836 OmitRecordContents: true,
8837 RecordPadding: 10,
8838 },
8839 },
8840 shouldFail: true,
8841 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8842 })
8843
8844 testCases = append(testCases, testCase{
8845 name: "TLS13-WrongOuterRecord",
8846 config: Config{
8847 MaxVersion: VersionTLS13,
8848 MinVersion: VersionTLS13,
8849 Bugs: ProtocolBugs{
8850 OuterRecordType: recordTypeHandshake,
8851 },
8852 },
8853 shouldFail: true,
8854 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8855 })
8856}
8857
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8858func addSessionTicketTests() {
8859 testCases = append(testCases, testCase{
8860 // In TLS 1.2 and below, empty NewSessionTicket messages
8861 // mean the server changed its mind on sending a ticket.
8862 name: "SendEmptySessionTicket",
8863 config: Config{
8864 MaxVersion: VersionTLS12,
8865 Bugs: ProtocolBugs{
8866 SendEmptySessionTicket: true,
8867 },
8868 },
8869 flags: []string{"-expect-no-session"},
8870 })
8871
8872 // Test that the server ignores unknown PSK modes.
8873 testCases = append(testCases, testCase{
8874 testType: serverTest,
8875 name: "TLS13-SendUnknownModeSessionTicket-Server",
8876 config: Config{
8877 MaxVersion: VersionTLS13,
8878 Bugs: ProtocolBugs{
8879 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8880 },
8881 },
8882 resumeSession: true,
8883 expectedResumeVersion: VersionTLS13,
8884 })
8885
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8886 // Test that the server does not send session tickets with no matching key exchange mode.
8887 testCases = append(testCases, testCase{
8888 testType: serverTest,
8889 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8890 config: Config{
8891 MaxVersion: VersionTLS13,
8892 Bugs: ProtocolBugs{
8893 SendPSKKeyExchangeModes: []byte{0x1a},
8894 ExpectNoNewSessionTicket: true,
8895 },
8896 },
8897 })
8898
8899 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8900 testCases = append(testCases, testCase{
8901 testType: serverTest,
8902 name: "TLS13-SendBadKEModeSessionTicket-Server",
8903 config: Config{
8904 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8905 },
8906 resumeConfig: &Config{
8907 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8908 Bugs: ProtocolBugs{
8909 SendPSKKeyExchangeModes: []byte{0x1a},
8910 },
8911 },
8912 resumeSession: true,
8913 expectResumeRejected: true,
8914 })
8915
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8916 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8917 testCases = append(testCases, testCase{
8918 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8919 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8920 config: Config{
8921 MaxVersion: VersionTLS13,
8922 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8923 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8924 },
8925 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8926 resumeSession: true,
8927 flags: []string{
8928 "-resumption-delay", "10",
8929 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8930 })
8931
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8932 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8933 testCases = append(testCases, testCase{
8934 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8935 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8936 config: Config{
8937 MaxVersion: VersionTLS13,
8938 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8939 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8940 },
8941 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8942 resumeSession: true,
8943 shouldFail: true,
8944 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8945 })
8946
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8947 // Test that the server's ticket age skew reporting works.
8948 testCases = append(testCases, testCase{
8949 testType: serverTest,
8950 name: "TLS13-TicketAgeSkew-Forward",
8951 config: Config{
8952 MaxVersion: VersionTLS13,
8953 Bugs: ProtocolBugs{
8954 SendTicketAge: 15 * time.Second,
8955 },
8956 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8957 resumeSession: true,
8958 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8959 flags: []string{
8960 "-resumption-delay", "10",
8961 "-expect-ticket-age-skew", "5",
8962 },
8963 })
8964 testCases = append(testCases, testCase{
8965 testType: serverTest,
8966 name: "TLS13-TicketAgeSkew-Backward",
8967 config: Config{
8968 MaxVersion: VersionTLS13,
8969 Bugs: ProtocolBugs{
8970 SendTicketAge: 5 * time.Second,
8971 },
8972 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8973 resumeSession: true,
8974 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8975 flags: []string{
8976 "-resumption-delay", "10",
8977 "-expect-ticket-age-skew", "-5",
8978 },
8979 })
8980
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8981 testCases = append(testCases, testCase{
8982 testType: clientTest,
8983 name: "TLS13-SendTicketEarlyDataInfo",
8984 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8985 MaxVersion: VersionTLS13,
8986 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8987 },
8988 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8989 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8990 "-expect-early-data-info",
8991 },
8992 })
8993
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8994 // Test that 0-RTT tickets are ignored in clients unless opted in.
8995 testCases = append(testCases, testCase{
8996 testType: clientTest,
8997 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8998 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8999 MaxVersion: VersionTLS13,
9000 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9001 },
9002 })
9003
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9004 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9005 testType: clientTest,
9006 name: "TLS13-DuplicateTicketEarlyDataInfo",
9007 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9008 MaxVersion: VersionTLS13,
9009 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9010 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9011 DuplicateTicketEarlyDataInfo: true,
9012 },
9013 },
9014 shouldFail: true,
9015 expectedError: ":DUPLICATE_EXTENSION:",
9016 expectedLocalError: "remote error: illegal parameter",
9017 })
9018
9019 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9020 testType: serverTest,
9021 name: "TLS13-ExpectTicketEarlyDataInfo",
9022 config: Config{
9023 MaxVersion: VersionTLS13,
9024 Bugs: ProtocolBugs{
9025 ExpectTicketEarlyDataInfo: true,
9026 },
9027 },
9028 flags: []string{
9029 "-enable-early-data",
9030 },
9031 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9032
9033 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9034 // is honored.
9035 testCases = append(testCases, testCase{
9036 testType: clientTest,
9037 name: "TLS13-HonorServerSessionTicketLifetime",
9038 config: Config{
9039 MaxVersion: VersionTLS13,
9040 Bugs: ProtocolBugs{
9041 SendTicketLifetime: 20 * time.Second,
9042 },
9043 },
9044 flags: []string{
9045 "-resumption-delay", "19",
9046 },
9047 resumeSession: true,
9048 })
9049 testCases = append(testCases, testCase{
9050 testType: clientTest,
9051 name: "TLS13-HonorServerSessionTicketLifetime-2",
9052 config: Config{
9053 MaxVersion: VersionTLS13,
9054 Bugs: ProtocolBugs{
9055 SendTicketLifetime: 20 * time.Second,
9056 // The client should not offer the expired session.
9057 ExpectNoTLS13PSK: true,
9058 },
9059 },
9060 flags: []string{
9061 "-resumption-delay", "21",
9062 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9063 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9064 expectResumeRejected: true,
9065 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9066}
9067
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9068func addChangeCipherSpecTests() {
9069 // Test missing ChangeCipherSpecs.
9070 testCases = append(testCases, testCase{
9071 name: "SkipChangeCipherSpec-Client",
9072 config: Config{
9073 MaxVersion: VersionTLS12,
9074 Bugs: ProtocolBugs{
9075 SkipChangeCipherSpec: true,
9076 },
9077 },
9078 shouldFail: true,
9079 expectedError: ":UNEXPECTED_RECORD:",
9080 })
9081 testCases = append(testCases, testCase{
9082 testType: serverTest,
9083 name: "SkipChangeCipherSpec-Server",
9084 config: Config{
9085 MaxVersion: VersionTLS12,
9086 Bugs: ProtocolBugs{
9087 SkipChangeCipherSpec: true,
9088 },
9089 },
9090 shouldFail: true,
9091 expectedError: ":UNEXPECTED_RECORD:",
9092 })
9093 testCases = append(testCases, testCase{
9094 testType: serverTest,
9095 name: "SkipChangeCipherSpec-Server-NPN",
9096 config: Config{
9097 MaxVersion: VersionTLS12,
9098 NextProtos: []string{"bar"},
9099 Bugs: ProtocolBugs{
9100 SkipChangeCipherSpec: true,
9101 },
9102 },
9103 flags: []string{
9104 "-advertise-npn", "\x03foo\x03bar\x03baz",
9105 },
9106 shouldFail: true,
9107 expectedError: ":UNEXPECTED_RECORD:",
9108 })
9109
9110 // Test synchronization between the handshake and ChangeCipherSpec.
9111 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9112 // rejected. Test both with and without handshake packing to handle both
9113 // when the partial post-CCS message is in its own record and when it is
9114 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9115 for _, packed := range []bool{false, true} {
9116 var suffix string
9117 if packed {
9118 suffix = "-Packed"
9119 }
9120
9121 testCases = append(testCases, testCase{
9122 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9123 config: Config{
9124 MaxVersion: VersionTLS12,
9125 Bugs: ProtocolBugs{
9126 FragmentAcrossChangeCipherSpec: true,
9127 PackHandshakeFlight: packed,
9128 },
9129 },
9130 shouldFail: true,
9131 expectedError: ":UNEXPECTED_RECORD:",
9132 })
9133 testCases = append(testCases, testCase{
9134 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9135 config: Config{
9136 MaxVersion: VersionTLS12,
9137 },
9138 resumeSession: true,
9139 resumeConfig: &Config{
9140 MaxVersion: VersionTLS12,
9141 Bugs: ProtocolBugs{
9142 FragmentAcrossChangeCipherSpec: true,
9143 PackHandshakeFlight: packed,
9144 },
9145 },
9146 shouldFail: true,
9147 expectedError: ":UNEXPECTED_RECORD:",
9148 })
9149 testCases = append(testCases, testCase{
9150 testType: serverTest,
9151 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9152 config: Config{
9153 MaxVersion: VersionTLS12,
9154 Bugs: ProtocolBugs{
9155 FragmentAcrossChangeCipherSpec: true,
9156 PackHandshakeFlight: packed,
9157 },
9158 },
9159 shouldFail: true,
9160 expectedError: ":UNEXPECTED_RECORD:",
9161 })
9162 testCases = append(testCases, testCase{
9163 testType: serverTest,
9164 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9165 config: Config{
9166 MaxVersion: VersionTLS12,
9167 },
9168 resumeSession: true,
9169 resumeConfig: &Config{
9170 MaxVersion: VersionTLS12,
9171 Bugs: ProtocolBugs{
9172 FragmentAcrossChangeCipherSpec: true,
9173 PackHandshakeFlight: packed,
9174 },
9175 },
9176 shouldFail: true,
9177 expectedError: ":UNEXPECTED_RECORD:",
9178 })
9179 testCases = append(testCases, testCase{
9180 testType: serverTest,
9181 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9182 config: Config{
9183 MaxVersion: VersionTLS12,
9184 NextProtos: []string{"bar"},
9185 Bugs: ProtocolBugs{
9186 FragmentAcrossChangeCipherSpec: true,
9187 PackHandshakeFlight: packed,
9188 },
9189 },
9190 flags: []string{
9191 "-advertise-npn", "\x03foo\x03bar\x03baz",
9192 },
9193 shouldFail: true,
9194 expectedError: ":UNEXPECTED_RECORD:",
9195 })
9196 }
9197
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9198 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9199 // messages in the handshake queue. Do this by testing the server
9200 // reading the client Finished, reversing the flight so Finished comes
9201 // first.
9202 testCases = append(testCases, testCase{
9203 protocol: dtls,
9204 testType: serverTest,
9205 name: "SendUnencryptedFinished-DTLS",
9206 config: Config{
9207 MaxVersion: VersionTLS12,
9208 Bugs: ProtocolBugs{
9209 SendUnencryptedFinished: true,
9210 ReverseHandshakeFragments: true,
9211 },
9212 },
9213 shouldFail: true,
9214 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9215 })
9216
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9217 // Test synchronization between encryption changes and the handshake in
9218 // TLS 1.3, where ChangeCipherSpec is implicit.
9219 testCases = append(testCases, testCase{
9220 name: "PartialEncryptedExtensionsWithServerHello",
9221 config: Config{
9222 MaxVersion: VersionTLS13,
9223 Bugs: ProtocolBugs{
9224 PartialEncryptedExtensionsWithServerHello: true,
9225 },
9226 },
9227 shouldFail: true,
9228 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9229 })
9230 testCases = append(testCases, testCase{
9231 testType: serverTest,
9232 name: "PartialClientFinishedWithClientHello",
9233 config: Config{
9234 MaxVersion: VersionTLS13,
9235 Bugs: ProtocolBugs{
9236 PartialClientFinishedWithClientHello: true,
9237 },
9238 },
9239 shouldFail: true,
9240 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9241 })
9242
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9243 // Test that early ChangeCipherSpecs are handled correctly.
9244 testCases = append(testCases, testCase{
9245 testType: serverTest,
9246 name: "EarlyChangeCipherSpec-server-1",
9247 config: Config{
9248 MaxVersion: VersionTLS12,
9249 Bugs: ProtocolBugs{
9250 EarlyChangeCipherSpec: 1,
9251 },
9252 },
9253 shouldFail: true,
9254 expectedError: ":UNEXPECTED_RECORD:",
9255 })
9256 testCases = append(testCases, testCase{
9257 testType: serverTest,
9258 name: "EarlyChangeCipherSpec-server-2",
9259 config: Config{
9260 MaxVersion: VersionTLS12,
9261 Bugs: ProtocolBugs{
9262 EarlyChangeCipherSpec: 2,
9263 },
9264 },
9265 shouldFail: true,
9266 expectedError: ":UNEXPECTED_RECORD:",
9267 })
9268 testCases = append(testCases, testCase{
9269 protocol: dtls,
9270 name: "StrayChangeCipherSpec",
9271 config: Config{
9272 // TODO(davidben): Once DTLS 1.3 exists, test
9273 // that stray ChangeCipherSpec messages are
9274 // rejected.
9275 MaxVersion: VersionTLS12,
9276 Bugs: ProtocolBugs{
9277 StrayChangeCipherSpec: true,
9278 },
9279 },
9280 })
9281
9282 // Test that the contents of ChangeCipherSpec are checked.
9283 testCases = append(testCases, testCase{
9284 name: "BadChangeCipherSpec-1",
9285 config: Config{
9286 MaxVersion: VersionTLS12,
9287 Bugs: ProtocolBugs{
9288 BadChangeCipherSpec: []byte{2},
9289 },
9290 },
9291 shouldFail: true,
9292 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9293 })
9294 testCases = append(testCases, testCase{
9295 name: "BadChangeCipherSpec-2",
9296 config: Config{
9297 MaxVersion: VersionTLS12,
9298 Bugs: ProtocolBugs{
9299 BadChangeCipherSpec: []byte{1, 1},
9300 },
9301 },
9302 shouldFail: true,
9303 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9304 })
9305 testCases = append(testCases, testCase{
9306 protocol: dtls,
9307 name: "BadChangeCipherSpec-DTLS-1",
9308 config: Config{
9309 MaxVersion: VersionTLS12,
9310 Bugs: ProtocolBugs{
9311 BadChangeCipherSpec: []byte{2},
9312 },
9313 },
9314 shouldFail: true,
9315 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9316 })
9317 testCases = append(testCases, testCase{
9318 protocol: dtls,
9319 name: "BadChangeCipherSpec-DTLS-2",
9320 config: Config{
9321 MaxVersion: VersionTLS12,
9322 Bugs: ProtocolBugs{
9323 BadChangeCipherSpec: []byte{1, 1},
9324 },
9325 },
9326 shouldFail: true,
9327 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9328 })
9329}
9330
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9331type perMessageTest struct {
9332 messageType uint8
9333 test testCase
9334}
9335
9336// makePerMessageTests returns a series of test templates which cover each
9337// message in the TLS handshake. These may be used with bugs like
9338// WrongMessageType to fully test a per-message bug.
9339func makePerMessageTests() []perMessageTest {
9340 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9341 for _, protocol := range []protocol{tls, dtls} {
9342 var suffix string
9343 if protocol == dtls {
9344 suffix = "-DTLS"
9345 }
9346
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9347 ret = append(ret, perMessageTest{
9348 messageType: typeClientHello,
9349 test: testCase{
9350 protocol: protocol,
9351 testType: serverTest,
9352 name: "ClientHello" + suffix,
9353 config: Config{
9354 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9355 },
9356 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9357 })
9358
9359 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9360 ret = append(ret, perMessageTest{
9361 messageType: typeHelloVerifyRequest,
9362 test: testCase{
9363 protocol: protocol,
9364 name: "HelloVerifyRequest" + suffix,
9365 config: Config{
9366 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9367 },
9368 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9369 })
9370 }
9371
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9372 ret = append(ret, perMessageTest{
9373 messageType: typeServerHello,
9374 test: testCase{
9375 protocol: protocol,
9376 name: "ServerHello" + suffix,
9377 config: Config{
9378 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9379 },
9380 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9381 })
9382
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9383 ret = append(ret, perMessageTest{
9384 messageType: typeCertificate,
9385 test: testCase{
9386 protocol: protocol,
9387 name: "ServerCertificate" + suffix,
9388 config: Config{
9389 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9390 },
9391 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9392 })
9393
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9394 ret = append(ret, perMessageTest{
9395 messageType: typeCertificateStatus,
9396 test: testCase{
9397 protocol: protocol,
9398 name: "CertificateStatus" + suffix,
9399 config: Config{
9400 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9401 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9402 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9403 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9404 })
9405
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9406 ret = append(ret, perMessageTest{
9407 messageType: typeServerKeyExchange,
9408 test: testCase{
9409 protocol: protocol,
9410 name: "ServerKeyExchange" + suffix,
9411 config: Config{
9412 MaxVersion: VersionTLS12,
9413 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9414 },
9415 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9416 })
9417
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9418 ret = append(ret, perMessageTest{
9419 messageType: typeCertificateRequest,
9420 test: testCase{
9421 protocol: protocol,
9422 name: "CertificateRequest" + suffix,
9423 config: Config{
9424 MaxVersion: VersionTLS12,
9425 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9426 },
9427 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9428 })
9429
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9430 ret = append(ret, perMessageTest{
9431 messageType: typeServerHelloDone,
9432 test: testCase{
9433 protocol: protocol,
9434 name: "ServerHelloDone" + suffix,
9435 config: Config{
9436 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9437 },
9438 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9439 })
9440
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9441 ret = append(ret, perMessageTest{
9442 messageType: typeCertificate,
9443 test: testCase{
9444 testType: serverTest,
9445 protocol: protocol,
9446 name: "ClientCertificate" + suffix,
9447 config: Config{
9448 Certificates: []Certificate{rsaCertificate},
9449 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9450 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9451 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9452 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9453 })
9454
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9455 ret = append(ret, perMessageTest{
9456 messageType: typeCertificateVerify,
9457 test: testCase{
9458 testType: serverTest,
9459 protocol: protocol,
9460 name: "CertificateVerify" + suffix,
9461 config: Config{
9462 Certificates: []Certificate{rsaCertificate},
9463 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9464 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9465 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9466 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9467 })
9468
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9469 ret = append(ret, perMessageTest{
9470 messageType: typeClientKeyExchange,
9471 test: testCase{
9472 testType: serverTest,
9473 protocol: protocol,
9474 name: "ClientKeyExchange" + suffix,
9475 config: Config{
9476 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9477 },
9478 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9479 })
9480
9481 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9482 ret = append(ret, perMessageTest{
9483 messageType: typeNextProtocol,
9484 test: testCase{
9485 testType: serverTest,
9486 protocol: protocol,
9487 name: "NextProtocol" + suffix,
9488 config: Config{
9489 MaxVersion: VersionTLS12,
9490 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9491 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9492 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9493 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9494 })
9495
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9496 ret = append(ret, perMessageTest{
9497 messageType: typeChannelID,
9498 test: testCase{
9499 testType: serverTest,
9500 protocol: protocol,
9501 name: "ChannelID" + suffix,
9502 config: Config{
9503 MaxVersion: VersionTLS12,
9504 ChannelID: channelIDKey,
9505 },
9506 flags: []string{
9507 "-expect-channel-id",
9508 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9509 },
9510 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9511 })
9512 }
9513
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9514 ret = append(ret, perMessageTest{
9515 messageType: typeFinished,
9516 test: testCase{
9517 testType: serverTest,
9518 protocol: protocol,
9519 name: "ClientFinished" + suffix,
9520 config: Config{
9521 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9522 },
9523 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9524 })
9525
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9526 ret = append(ret, perMessageTest{
9527 messageType: typeNewSessionTicket,
9528 test: testCase{
9529 protocol: protocol,
9530 name: "NewSessionTicket" + suffix,
9531 config: Config{
9532 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9533 },
9534 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9535 })
9536
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9537 ret = append(ret, perMessageTest{
9538 messageType: typeFinished,
9539 test: testCase{
9540 protocol: protocol,
9541 name: "ServerFinished" + suffix,
9542 config: Config{
9543 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9544 },
9545 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9546 })
9547
9548 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9549
9550 ret = append(ret, perMessageTest{
9551 messageType: typeClientHello,
9552 test: testCase{
9553 testType: serverTest,
9554 name: "TLS13-ClientHello",
9555 config: Config{
9556 MaxVersion: VersionTLS13,
9557 },
9558 },
9559 })
9560
9561 ret = append(ret, perMessageTest{
9562 messageType: typeServerHello,
9563 test: testCase{
9564 name: "TLS13-ServerHello",
9565 config: Config{
9566 MaxVersion: VersionTLS13,
9567 },
9568 },
9569 })
9570
9571 ret = append(ret, perMessageTest{
9572 messageType: typeEncryptedExtensions,
9573 test: testCase{
9574 name: "TLS13-EncryptedExtensions",
9575 config: Config{
9576 MaxVersion: VersionTLS13,
9577 },
9578 },
9579 })
9580
9581 ret = append(ret, perMessageTest{
9582 messageType: typeCertificateRequest,
9583 test: testCase{
9584 name: "TLS13-CertificateRequest",
9585 config: Config{
9586 MaxVersion: VersionTLS13,
9587 ClientAuth: RequireAnyClientCert,
9588 },
9589 },
9590 })
9591
9592 ret = append(ret, perMessageTest{
9593 messageType: typeCertificate,
9594 test: testCase{
9595 name: "TLS13-ServerCertificate",
9596 config: Config{
9597 MaxVersion: VersionTLS13,
9598 },
9599 },
9600 })
9601
9602 ret = append(ret, perMessageTest{
9603 messageType: typeCertificateVerify,
9604 test: testCase{
9605 name: "TLS13-ServerCertificateVerify",
9606 config: Config{
9607 MaxVersion: VersionTLS13,
9608 },
9609 },
9610 })
9611
9612 ret = append(ret, perMessageTest{
9613 messageType: typeFinished,
9614 test: testCase{
9615 name: "TLS13-ServerFinished",
9616 config: Config{
9617 MaxVersion: VersionTLS13,
9618 },
9619 },
9620 })
9621
9622 ret = append(ret, perMessageTest{
9623 messageType: typeCertificate,
9624 test: testCase{
9625 testType: serverTest,
9626 name: "TLS13-ClientCertificate",
9627 config: Config{
9628 Certificates: []Certificate{rsaCertificate},
9629 MaxVersion: VersionTLS13,
9630 },
9631 flags: []string{"-require-any-client-certificate"},
9632 },
9633 })
9634
9635 ret = append(ret, perMessageTest{
9636 messageType: typeCertificateVerify,
9637 test: testCase{
9638 testType: serverTest,
9639 name: "TLS13-ClientCertificateVerify",
9640 config: Config{
9641 Certificates: []Certificate{rsaCertificate},
9642 MaxVersion: VersionTLS13,
9643 },
9644 flags: []string{"-require-any-client-certificate"},
9645 },
9646 })
9647
9648 ret = append(ret, perMessageTest{
9649 messageType: typeFinished,
9650 test: testCase{
9651 testType: serverTest,
9652 name: "TLS13-ClientFinished",
9653 config: Config{
9654 MaxVersion: VersionTLS13,
9655 },
9656 },
9657 })
9658
9659 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9660}
9661
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9662func addWrongMessageTypeTests() {
9663 for _, t := range makePerMessageTests() {
9664 t.test.name = "WrongMessageType-" + t.test.name
9665 t.test.config.Bugs.SendWrongMessageType = t.messageType
9666 t.test.shouldFail = true
9667 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9668 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9669
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9670 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9671 // In TLS 1.3, a bad ServerHello means the client sends
9672 // an unencrypted alert while the server expects
9673 // encryption, so the alert is not readable by runner.
9674 t.test.expectedLocalError = "local error: bad record MAC"
9675 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9676
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9677 testCases = append(testCases, t.test)
9678 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9679
9680 // The processing order for TLS 1.3 version negotiation is such that one
9681 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9682 // TLS 1.2. Test that we do not do this.
9683 testCases = append(testCases, testCase{
9684 name: "SendServerHelloAsHelloRetryRequest",
9685 config: Config{
9686 MaxVersion: VersionTLS12,
9687 Bugs: ProtocolBugs{
9688 SendServerHelloAsHelloRetryRequest: true,
9689 },
9690 },
9691 shouldFail: true,
9692 expectedError: ":UNEXPECTED_MESSAGE:",
9693 expectedLocalError: "remote error: unexpected message",
9694 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9695}
9696
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9697func addTrailingMessageDataTests() {
9698 for _, t := range makePerMessageTests() {
9699 t.test.name = "TrailingMessageData-" + t.test.name
9700 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9701 t.test.shouldFail = true
9702 t.test.expectedError = ":DECODE_ERROR:"
9703 t.test.expectedLocalError = "remote error: error decoding message"
9704
9705 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9706 // In TLS 1.3, a bad ServerHello means the client sends
9707 // an unencrypted alert while the server expects
9708 // encryption, so the alert is not readable by runner.
9709 t.test.expectedLocalError = "local error: bad record MAC"
9710 }
9711
9712 if t.messageType == typeFinished {
9713 // Bad Finished messages read as the verify data having
9714 // the wrong length.
9715 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9716 t.test.expectedLocalError = "remote error: error decrypting message"
9717 }
9718
9719 testCases = append(testCases, t.test)
9720 }
9721}
9722
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9723func addTLS13HandshakeTests() {
9724 testCases = append(testCases, testCase{
9725 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9726 name: "NegotiatePSKResumption-TLS13",
9727 config: Config{
9728 MaxVersion: VersionTLS13,
9729 Bugs: ProtocolBugs{
9730 NegotiatePSKResumption: true,
9731 },
9732 },
9733 resumeSession: true,
9734 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9735 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9736 })
9737
9738 testCases = append(testCases, testCase{
9739 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9740 name: "MissingKeyShare-Client",
9741 config: Config{
9742 MaxVersion: VersionTLS13,
9743 Bugs: ProtocolBugs{
9744 MissingKeyShare: true,
9745 },
9746 },
9747 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9748 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9749 })
9750
9751 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9752 testType: serverTest,
9753 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9754 config: Config{
9755 MaxVersion: VersionTLS13,
9756 Bugs: ProtocolBugs{
9757 MissingKeyShare: true,
9758 },
9759 },
9760 shouldFail: true,
9761 expectedError: ":MISSING_KEY_SHARE:",
9762 })
9763
9764 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9765 testType: serverTest,
9766 name: "DuplicateKeyShares",
9767 config: Config{
9768 MaxVersion: VersionTLS13,
9769 Bugs: ProtocolBugs{
9770 DuplicateKeyShares: true,
9771 },
9772 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9773 shouldFail: true,
9774 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9775 })
9776
9777 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9778 testType: serverTest,
9779 name: "SkipEarlyData",
9780 config: Config{
9781 MaxVersion: VersionTLS13,
9782 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9783 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9784 },
9785 },
9786 })
9787
9788 testCases = append(testCases, testCase{
9789 testType: serverTest,
9790 name: "SkipEarlyData-OmitEarlyDataExtension",
9791 config: Config{
9792 MaxVersion: VersionTLS13,
9793 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9794 SendFakeEarlyDataLength: 4,
9795 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9796 },
9797 },
9798 shouldFail: true,
9799 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9800 })
9801
9802 testCases = append(testCases, testCase{
9803 testType: serverTest,
9804 name: "SkipEarlyData-TooMuchData",
9805 config: Config{
9806 MaxVersion: VersionTLS13,
9807 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9808 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9809 },
9810 },
9811 shouldFail: true,
9812 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9813 })
9814
9815 testCases = append(testCases, testCase{
9816 testType: serverTest,
9817 name: "SkipEarlyData-Interleaved",
9818 config: Config{
9819 MaxVersion: VersionTLS13,
9820 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9821 SendFakeEarlyDataLength: 4,
9822 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9823 },
9824 },
9825 shouldFail: true,
9826 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9827 })
9828
9829 testCases = append(testCases, testCase{
9830 testType: serverTest,
9831 name: "SkipEarlyData-EarlyDataInTLS12",
9832 config: Config{
9833 MaxVersion: VersionTLS13,
9834 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9835 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9836 },
9837 },
9838 shouldFail: true,
9839 expectedError: ":UNEXPECTED_RECORD:",
9840 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9841 })
9842
9843 testCases = append(testCases, testCase{
9844 testType: serverTest,
9845 name: "SkipEarlyData-HRR",
9846 config: Config{
9847 MaxVersion: VersionTLS13,
9848 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9849 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9850 },
9851 DefaultCurves: []CurveID{},
9852 },
9853 })
9854
9855 testCases = append(testCases, testCase{
9856 testType: serverTest,
9857 name: "SkipEarlyData-HRR-Interleaved",
9858 config: Config{
9859 MaxVersion: VersionTLS13,
9860 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9861 SendFakeEarlyDataLength: 4,
9862 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9863 },
9864 DefaultCurves: []CurveID{},
9865 },
9866 shouldFail: true,
9867 expectedError: ":UNEXPECTED_RECORD:",
9868 })
9869
9870 testCases = append(testCases, testCase{
9871 testType: serverTest,
9872 name: "SkipEarlyData-HRR-TooMuchData",
9873 config: Config{
9874 MaxVersion: VersionTLS13,
9875 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9876 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9877 },
9878 DefaultCurves: []CurveID{},
9879 },
9880 shouldFail: true,
9881 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9882 })
9883
9884 // Test that skipping early data looking for cleartext correctly
9885 // processes an alert record.
9886 testCases = append(testCases, testCase{
9887 testType: serverTest,
9888 name: "SkipEarlyData-HRR-FatalAlert",
9889 config: Config{
9890 MaxVersion: VersionTLS13,
9891 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9892 SendEarlyAlert: true,
9893 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9894 },
9895 DefaultCurves: []CurveID{},
9896 },
9897 shouldFail: true,
9898 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9899 })
9900
9901 testCases = append(testCases, testCase{
9902 testType: serverTest,
9903 name: "SkipEarlyData-SecondClientHelloEarlyData",
9904 config: Config{
9905 MaxVersion: VersionTLS13,
9906 Bugs: ProtocolBugs{
9907 SendEarlyDataOnSecondClientHello: true,
9908 },
9909 DefaultCurves: []CurveID{},
9910 },
9911 shouldFail: true,
9912 expectedLocalError: "remote error: bad record MAC",
9913 })
9914
9915 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9916 testType: clientTest,
9917 name: "EmptyEncryptedExtensions",
9918 config: Config{
9919 MaxVersion: VersionTLS13,
9920 Bugs: ProtocolBugs{
9921 EmptyEncryptedExtensions: true,
9922 },
9923 },
9924 shouldFail: true,
9925 expectedLocalError: "remote error: error decoding message",
9926 })
9927
9928 testCases = append(testCases, testCase{
9929 testType: clientTest,
9930 name: "EncryptedExtensionsWithKeyShare",
9931 config: Config{
9932 MaxVersion: VersionTLS13,
9933 Bugs: ProtocolBugs{
9934 EncryptedExtensionsWithKeyShare: true,
9935 },
9936 },
9937 shouldFail: true,
9938 expectedLocalError: "remote error: unsupported extension",
9939 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9940
9941 testCases = append(testCases, testCase{
9942 testType: serverTest,
9943 name: "SendHelloRetryRequest",
9944 config: Config{
9945 MaxVersion: VersionTLS13,
9946 // Require a HelloRetryRequest for every curve.
9947 DefaultCurves: []CurveID{},
9948 },
9949 expectedCurveID: CurveX25519,
9950 })
9951
9952 testCases = append(testCases, testCase{
9953 testType: serverTest,
9954 name: "SendHelloRetryRequest-2",
9955 config: Config{
9956 MaxVersion: VersionTLS13,
9957 DefaultCurves: []CurveID{CurveP384},
9958 },
9959 // Although the ClientHello did not predict our preferred curve,
9960 // we always select it whether it is predicted or not.
9961 expectedCurveID: CurveX25519,
9962 })
9963
9964 testCases = append(testCases, testCase{
9965 name: "UnknownCurve-HelloRetryRequest",
9966 config: Config{
9967 MaxVersion: VersionTLS13,
9968 // P-384 requires HelloRetryRequest in BoringSSL.
9969 CurvePreferences: []CurveID{CurveP384},
9970 Bugs: ProtocolBugs{
9971 SendHelloRetryRequestCurve: bogusCurve,
9972 },
9973 },
9974 shouldFail: true,
9975 expectedError: ":WRONG_CURVE:",
9976 })
9977
9978 testCases = append(testCases, testCase{
9979 name: "DisabledCurve-HelloRetryRequest",
9980 config: Config{
9981 MaxVersion: VersionTLS13,
9982 CurvePreferences: []CurveID{CurveP256},
9983 Bugs: ProtocolBugs{
9984 IgnorePeerCurvePreferences: true,
9985 },
9986 },
9987 flags: []string{"-p384-only"},
9988 shouldFail: true,
9989 expectedError: ":WRONG_CURVE:",
9990 })
9991
9992 testCases = append(testCases, testCase{
9993 name: "UnnecessaryHelloRetryRequest",
9994 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9995 MaxVersion: VersionTLS13,
9996 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9997 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9998 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9999 },
10000 },
10001 shouldFail: true,
10002 expectedError: ":WRONG_CURVE:",
10003 })
10004
10005 testCases = append(testCases, testCase{
10006 name: "SecondHelloRetryRequest",
10007 config: Config{
10008 MaxVersion: VersionTLS13,
10009 // P-384 requires HelloRetryRequest in BoringSSL.
10010 CurvePreferences: []CurveID{CurveP384},
10011 Bugs: ProtocolBugs{
10012 SecondHelloRetryRequest: true,
10013 },
10014 },
10015 shouldFail: true,
10016 expectedError: ":UNEXPECTED_MESSAGE:",
10017 })
10018
10019 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10020 name: "HelloRetryRequest-Empty",
10021 config: Config{
10022 MaxVersion: VersionTLS13,
10023 Bugs: ProtocolBugs{
10024 AlwaysSendHelloRetryRequest: true,
10025 },
10026 },
10027 shouldFail: true,
10028 expectedError: ":DECODE_ERROR:",
10029 })
10030
10031 testCases = append(testCases, testCase{
10032 name: "HelloRetryRequest-DuplicateCurve",
10033 config: Config{
10034 MaxVersion: VersionTLS13,
10035 // P-384 requires a HelloRetryRequest against BoringSSL's default
10036 // configuration. Assert this ExpectMissingKeyShare.
10037 CurvePreferences: []CurveID{CurveP384},
10038 Bugs: ProtocolBugs{
10039 ExpectMissingKeyShare: true,
10040 DuplicateHelloRetryRequestExtensions: true,
10041 },
10042 },
10043 shouldFail: true,
10044 expectedError: ":DUPLICATE_EXTENSION:",
10045 expectedLocalError: "remote error: illegal parameter",
10046 })
10047
10048 testCases = append(testCases, testCase{
10049 name: "HelloRetryRequest-Cookie",
10050 config: Config{
10051 MaxVersion: VersionTLS13,
10052 Bugs: ProtocolBugs{
10053 SendHelloRetryRequestCookie: []byte("cookie"),
10054 },
10055 },
10056 })
10057
10058 testCases = append(testCases, testCase{
10059 name: "HelloRetryRequest-DuplicateCookie",
10060 config: Config{
10061 MaxVersion: VersionTLS13,
10062 Bugs: ProtocolBugs{
10063 SendHelloRetryRequestCookie: []byte("cookie"),
10064 DuplicateHelloRetryRequestExtensions: true,
10065 },
10066 },
10067 shouldFail: true,
10068 expectedError: ":DUPLICATE_EXTENSION:",
10069 expectedLocalError: "remote error: illegal parameter",
10070 })
10071
10072 testCases = append(testCases, testCase{
10073 name: "HelloRetryRequest-EmptyCookie",
10074 config: Config{
10075 MaxVersion: VersionTLS13,
10076 Bugs: ProtocolBugs{
10077 SendHelloRetryRequestCookie: []byte{},
10078 },
10079 },
10080 shouldFail: true,
10081 expectedError: ":DECODE_ERROR:",
10082 })
10083
10084 testCases = append(testCases, testCase{
10085 name: "HelloRetryRequest-Cookie-Curve",
10086 config: Config{
10087 MaxVersion: VersionTLS13,
10088 // P-384 requires HelloRetryRequest in BoringSSL.
10089 CurvePreferences: []CurveID{CurveP384},
10090 Bugs: ProtocolBugs{
10091 SendHelloRetryRequestCookie: []byte("cookie"),
10092 ExpectMissingKeyShare: true,
10093 },
10094 },
10095 })
10096
10097 testCases = append(testCases, testCase{
10098 name: "HelloRetryRequest-Unknown",
10099 config: Config{
10100 MaxVersion: VersionTLS13,
10101 Bugs: ProtocolBugs{
10102 CustomHelloRetryRequestExtension: "extension",
10103 },
10104 },
10105 shouldFail: true,
10106 expectedError: ":UNEXPECTED_EXTENSION:",
10107 expectedLocalError: "remote error: unsupported extension",
10108 })
10109
10110 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10111 testType: serverTest,
10112 name: "SecondClientHelloMissingKeyShare",
10113 config: Config{
10114 MaxVersion: VersionTLS13,
10115 DefaultCurves: []CurveID{},
10116 Bugs: ProtocolBugs{
10117 SecondClientHelloMissingKeyShare: true,
10118 },
10119 },
10120 shouldFail: true,
10121 expectedError: ":MISSING_KEY_SHARE:",
10122 })
10123
10124 testCases = append(testCases, testCase{
10125 testType: serverTest,
10126 name: "SecondClientHelloWrongCurve",
10127 config: Config{
10128 MaxVersion: VersionTLS13,
10129 DefaultCurves: []CurveID{},
10130 Bugs: ProtocolBugs{
10131 MisinterpretHelloRetryRequestCurve: CurveP521,
10132 },
10133 },
10134 shouldFail: true,
10135 expectedError: ":WRONG_CURVE:",
10136 })
10137
10138 testCases = append(testCases, testCase{
10139 name: "HelloRetryRequestVersionMismatch",
10140 config: Config{
10141 MaxVersion: VersionTLS13,
10142 // P-384 requires HelloRetryRequest in BoringSSL.
10143 CurvePreferences: []CurveID{CurveP384},
10144 Bugs: ProtocolBugs{
10145 SendServerHelloVersion: 0x0305,
10146 },
10147 },
10148 shouldFail: true,
10149 expectedError: ":WRONG_VERSION_NUMBER:",
10150 })
10151
10152 testCases = append(testCases, testCase{
10153 name: "HelloRetryRequestCurveMismatch",
10154 config: Config{
10155 MaxVersion: VersionTLS13,
10156 // P-384 requires HelloRetryRequest in BoringSSL.
10157 CurvePreferences: []CurveID{CurveP384},
10158 Bugs: ProtocolBugs{
10159 // Send P-384 (correct) in the HelloRetryRequest.
10160 SendHelloRetryRequestCurve: CurveP384,
10161 // But send P-256 in the ServerHello.
10162 SendCurve: CurveP256,
10163 },
10164 },
10165 shouldFail: true,
10166 expectedError: ":WRONG_CURVE:",
10167 })
10168
10169 // Test the server selecting a curve that requires a HelloRetryRequest
10170 // without sending it.
10171 testCases = append(testCases, testCase{
10172 name: "SkipHelloRetryRequest",
10173 config: Config{
10174 MaxVersion: VersionTLS13,
10175 // P-384 requires HelloRetryRequest in BoringSSL.
10176 CurvePreferences: []CurveID{CurveP384},
10177 Bugs: ProtocolBugs{
10178 SkipHelloRetryRequest: true,
10179 },
10180 },
10181 shouldFail: true,
10182 expectedError: ":WRONG_CURVE:",
10183 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10184
10185 testCases = append(testCases, testCase{
10186 name: "TLS13-RequestContextInHandshake",
10187 config: Config{
10188 MaxVersion: VersionTLS13,
10189 MinVersion: VersionTLS13,
10190 ClientAuth: RequireAnyClientCert,
10191 Bugs: ProtocolBugs{
10192 SendRequestContext: []byte("request context"),
10193 },
10194 },
10195 flags: []string{
10196 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10197 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10198 },
10199 shouldFail: true,
10200 expectedError: ":DECODE_ERROR:",
10201 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10202
10203 testCases = append(testCases, testCase{
10204 testType: serverTest,
10205 name: "TLS13-TrailingKeyShareData",
10206 config: Config{
10207 MaxVersion: VersionTLS13,
10208 Bugs: ProtocolBugs{
10209 TrailingKeyShareData: true,
10210 },
10211 },
10212 shouldFail: true,
10213 expectedError: ":DECODE_ERROR:",
10214 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10215
10216 testCases = append(testCases, testCase{
10217 name: "TLS13-AlwaysSelectPSKIdentity",
10218 config: Config{
10219 MaxVersion: VersionTLS13,
10220 Bugs: ProtocolBugs{
10221 AlwaysSelectPSKIdentity: true,
10222 },
10223 },
10224 shouldFail: true,
10225 expectedError: ":UNEXPECTED_EXTENSION:",
10226 })
10227
10228 testCases = append(testCases, testCase{
10229 name: "TLS13-InvalidPSKIdentity",
10230 config: Config{
10231 MaxVersion: VersionTLS13,
10232 Bugs: ProtocolBugs{
10233 SelectPSKIdentityOnResume: 1,
10234 },
10235 },
10236 resumeSession: true,
10237 shouldFail: true,
10238 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10239 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10240
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10241 testCases = append(testCases, testCase{
10242 testType: serverTest,
10243 name: "TLS13-ExtraPSKIdentity",
10244 config: Config{
10245 MaxVersion: VersionTLS13,
10246 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10247 ExtraPSKIdentity: true,
10248 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10249 },
10250 },
10251 resumeSession: true,
10252 })
10253
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10254 // Test that unknown NewSessionTicket extensions are tolerated.
10255 testCases = append(testCases, testCase{
10256 name: "TLS13-CustomTicketExtension",
10257 config: Config{
10258 MaxVersion: VersionTLS13,
10259 Bugs: ProtocolBugs{
10260 CustomTicketExtension: "1234",
10261 },
10262 },
10263 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10264
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10265 testCases = append(testCases, testCase{
10266 testType: clientTest,
10267 name: "TLS13-DataLessEarlyData-Reject-Client",
10268 config: Config{
10269 MaxVersion: VersionTLS13,
10270 MaxEarlyDataSize: 16384,
10271 },
10272 resumeConfig: &Config{
10273 MaxVersion: VersionTLS13,
10274 MaxEarlyDataSize: 16384,
10275 Bugs: ProtocolBugs{
10276 AlwaysRejectEarlyData: true,
10277 },
10278 },
10279 resumeSession: true,
10280 flags: []string{
10281 "-enable-early-data",
10282 "-expect-early-data-info",
10283 "-expect-reject-early-data",
10284 },
10285 })
10286
10287 testCases = append(testCases, testCase{
10288 testType: clientTest,
10289 name: "TLS13-DataLessEarlyData-HRR-Client",
10290 config: Config{
10291 MaxVersion: VersionTLS13,
10292 MaxEarlyDataSize: 16384,
10293 },
10294 resumeConfig: &Config{
10295 MaxVersion: VersionTLS13,
10296 MaxEarlyDataSize: 16384,
10297 Bugs: ProtocolBugs{
10298 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10299 },
10300 },
10301 resumeSession: true,
10302 flags: []string{
10303 "-enable-early-data",
10304 "-expect-early-data-info",
10305 "-expect-reject-early-data",
10306 },
10307 })
10308
10309 // The client must check the server does not send the early_data
10310 // extension while rejecting the session.
10311 testCases = append(testCases, testCase{
10312 testType: clientTest,
10313 name: "TLS13-EarlyDataWithoutResume-Client",
10314 config: Config{
10315 MaxVersion: VersionTLS13,
10316 MaxEarlyDataSize: 16384,
10317 },
10318 resumeConfig: &Config{
10319 MaxVersion: VersionTLS13,
10320 SessionTicketsDisabled: true,
10321 Bugs: ProtocolBugs{
10322 SendEarlyDataExtension: true,
10323 },
10324 },
10325 resumeSession: true,
10326 flags: []string{
10327 "-enable-early-data",
10328 "-expect-early-data-info",
10329 },
10330 shouldFail: true,
10331 expectedError: ":UNEXPECTED_EXTENSION:",
10332 })
10333
10334 // The client must fail with a dedicated error code if the server
10335 // responds with TLS 1.2 when offering 0-RTT.
10336 testCases = append(testCases, testCase{
10337 testType: clientTest,
10338 name: "TLS13-EarlyDataVersionDowngrade-Client",
10339 config: Config{
10340 MaxVersion: VersionTLS13,
10341 MaxEarlyDataSize: 16384,
10342 },
10343 resumeConfig: &Config{
10344 MaxVersion: VersionTLS12,
10345 },
10346 resumeSession: true,
10347 flags: []string{
10348 "-enable-early-data",
10349 "-expect-early-data-info",
10350 },
10351 shouldFail: true,
10352 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10353 })
10354
10355 // Test that the client rejects an (unsolicited) early_data extension if
10356 // the server sent an HRR.
10357 testCases = append(testCases, testCase{
10358 testType: clientTest,
10359 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10360 config: Config{
10361 MaxVersion: VersionTLS13,
10362 MaxEarlyDataSize: 16384,
10363 },
10364 resumeConfig: &Config{
10365 MaxVersion: VersionTLS13,
10366 MaxEarlyDataSize: 16384,
10367 Bugs: ProtocolBugs{
10368 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10369 SendEarlyDataExtension: true,
10370 },
10371 },
10372 resumeSession: true,
10373 flags: []string{
10374 "-enable-early-data",
10375 "-expect-early-data-info",
10376 },
10377 shouldFail: true,
10378 expectedError: ":UNEXPECTED_EXTENSION:",
10379 })
10380
10381 fooString := "foo"
10382 barString := "bar"
10383
10384 // Test that the client reports the correct ALPN after a 0-RTT reject
10385 // that changed it.
10386 testCases = append(testCases, testCase{
10387 testType: clientTest,
10388 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10389 config: Config{
10390 MaxVersion: VersionTLS13,
10391 MaxEarlyDataSize: 16384,
10392 Bugs: ProtocolBugs{
10393 ALPNProtocol: &fooString,
10394 },
10395 },
10396 resumeConfig: &Config{
10397 MaxVersion: VersionTLS13,
10398 MaxEarlyDataSize: 16384,
10399 Bugs: ProtocolBugs{
10400 ALPNProtocol: &barString,
10401 },
10402 },
10403 resumeSession: true,
10404 flags: []string{
10405 "-advertise-alpn", "\x03foo\x03bar",
10406 "-enable-early-data",
10407 "-expect-early-data-info",
10408 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10409 "-on-initial-expect-alpn", "foo",
10410 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10411 },
10412 })
10413
10414 // Test that the client reports the correct ALPN after a 0-RTT reject if
10415 // ALPN was omitted from the first connection.
10416 testCases = append(testCases, testCase{
10417 testType: clientTest,
10418 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10419 config: Config{
10420 MaxVersion: VersionTLS13,
10421 MaxEarlyDataSize: 16384,
10422 },
10423 resumeConfig: &Config{
10424 MaxVersion: VersionTLS13,
10425 MaxEarlyDataSize: 16384,
10426 NextProtos: []string{"foo"},
10427 },
10428 resumeSession: true,
10429 flags: []string{
10430 "-advertise-alpn", "\x03foo\x03bar",
10431 "-enable-early-data",
10432 "-expect-early-data-info",
10433 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10434 "-on-initial-expect-alpn", "",
10435 "-on-resume-expect-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10436 },
10437 })
10438
10439 // Test that the client reports the correct ALPN after a 0-RTT reject if
10440 // ALPN was omitted from the second connection.
10441 testCases = append(testCases, testCase{
10442 testType: clientTest,
10443 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10444 config: Config{
10445 MaxVersion: VersionTLS13,
10446 MaxEarlyDataSize: 16384,
10447 NextProtos: []string{"foo"},
10448 },
10449 resumeConfig: &Config{
10450 MaxVersion: VersionTLS13,
10451 MaxEarlyDataSize: 16384,
10452 },
10453 resumeSession: true,
10454 flags: []string{
10455 "-advertise-alpn", "\x03foo\x03bar",
10456 "-enable-early-data",
10457 "-expect-early-data-info",
10458 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10459 "-on-initial-expect-alpn", "foo",
10460 "-on-resume-expect-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10461 },
10462 })
10463
10464 // Test that the client enforces ALPN match on 0-RTT accept.
10465 testCases = append(testCases, testCase{
10466 testType: clientTest,
10467 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10468 config: Config{
10469 MaxVersion: VersionTLS13,
10470 MaxEarlyDataSize: 16384,
10471 Bugs: ProtocolBugs{
10472 ALPNProtocol: &fooString,
10473 },
10474 },
10475 resumeConfig: &Config{
10476 MaxVersion: VersionTLS13,
10477 MaxEarlyDataSize: 16384,
10478 Bugs: ProtocolBugs{
10479 AlwaysAcceptEarlyData: true,
10480 ALPNProtocol: &barString,
10481 },
10482 },
10483 resumeSession: true,
10484 flags: []string{
10485 "-advertise-alpn", "\x03foo\x03bar",
10486 "-enable-early-data",
10487 "-expect-early-data-info",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10488 "-on-initial-expect-alpn", "foo",
10489 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10490 },
10491 shouldFail: true,
10492 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10493 })
10494
10495 // Test that the server correctly rejects 0-RTT when the previous
10496 // session did not allow early data on resumption.
10497 testCases = append(testCases, testCase{
10498 testType: serverTest,
10499 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10500 config: Config{
10501 MaxVersion: VersionTLS13,
10502 },
10503 resumeConfig: &Config{
10504 MaxVersion: VersionTLS13,
10505 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10506 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10507 ExpectEarlyDataAccepted: false,
10508 },
10509 },
10510 resumeSession: true,
10511 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10512 "-on-resume-enable-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10513 "-expect-reject-early-data",
10514 },
10515 })
10516
10517 // Test that we reject early data where ALPN is omitted from the first
10518 // connection.
10519 testCases = append(testCases, testCase{
10520 testType: serverTest,
10521 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10522 config: Config{
10523 MaxVersion: VersionTLS13,
10524 NextProtos: []string{},
10525 },
10526 resumeConfig: &Config{
10527 MaxVersion: VersionTLS13,
10528 NextProtos: []string{"foo"},
10529 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10530 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10531 ExpectEarlyDataAccepted: false,
10532 },
10533 },
10534 resumeSession: true,
10535 flags: []string{
10536 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10537 "-on-initial-select-alpn", "",
10538 "-on-resume-select-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10539 },
10540 })
10541
10542 // Test that we reject early data where ALPN is omitted from the second
10543 // connection.
10544 testCases = append(testCases, testCase{
10545 testType: serverTest,
10546 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10547 config: Config{
10548 MaxVersion: VersionTLS13,
10549 NextProtos: []string{"foo"},
10550 },
10551 resumeConfig: &Config{
10552 MaxVersion: VersionTLS13,
10553 NextProtos: []string{},
10554 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10555 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10556 ExpectEarlyDataAccepted: false,
10557 },
10558 },
10559 resumeSession: true,
10560 flags: []string{
10561 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10562 "-on-initial-select-alpn", "foo",
10563 "-on-resume-select-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10564 },
10565 })
10566
10567 // Test that we reject early data with mismatched ALPN.
10568 testCases = append(testCases, testCase{
10569 testType: serverTest,
10570 name: "TLS13-EarlyData-ALPNMismatch-Server",
10571 config: Config{
10572 MaxVersion: VersionTLS13,
10573 NextProtos: []string{"foo"},
10574 },
10575 resumeConfig: &Config{
10576 MaxVersion: VersionTLS13,
10577 NextProtos: []string{"bar"},
10578 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10579 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10580 ExpectEarlyDataAccepted: false,
10581 },
10582 },
10583 resumeSession: true,
10584 flags: []string{
10585 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10586 "-on-initial-select-alpn", "foo",
10587 "-on-resume-select-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10588 },
10589 })
10590
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10591 // Test that the client offering 0-RTT and Channel ID forbids the server
10592 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10593 testCases = append(testCases, testCase{
10594 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10595 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10596 config: Config{
10597 MaxVersion: VersionTLS13,
10598 MaxEarlyDataSize: 16384,
10599 RequestChannelID: true,
10600 },
10601 resumeSession: true,
10602 expectChannelID: true,
10603 shouldFail: true,
10604 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10605 flags: []string{
10606 "-enable-early-data",
10607 "-expect-early-data-info",
10608 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10609 },
10610 })
10611
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10612 // Test that the client offering Channel ID and 0-RTT allows the server
10613 // to decline 0-RTT.
10614 testCases = append(testCases, testCase{
10615 testType: clientTest,
10616 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10617 config: Config{
10618 MaxVersion: VersionTLS13,
10619 MaxEarlyDataSize: 16384,
10620 RequestChannelID: true,
10621 Bugs: ProtocolBugs{
10622 AlwaysRejectEarlyData: true,
10623 },
10624 },
10625 resumeSession: true,
10626 expectChannelID: true,
10627 flags: []string{
10628 "-enable-early-data",
10629 "-expect-early-data-info",
10630 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10631 "-expect-reject-early-data",
10632 },
10633 })
10634
10635 // Test that the client offering Channel ID and 0-RTT allows the server
10636 // to decline Channel ID.
10637 testCases = append(testCases, testCase{
10638 testType: clientTest,
10639 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10640 config: Config{
10641 MaxVersion: VersionTLS13,
10642 MaxEarlyDataSize: 16384,
10643 },
10644 resumeSession: true,
10645 flags: []string{
10646 "-enable-early-data",
10647 "-expect-early-data-info",
10648 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10649 "-expect-accept-early-data",
10650 },
10651 })
10652
10653 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10654 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10655 testCases = append(testCases, testCase{
10656 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10657 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10658 config: Config{
10659 MaxVersion: VersionTLS13,
10660 ChannelID: channelIDKey,
10661 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10662 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10663 ExpectEarlyDataAccepted: false,
10664 },
10665 },
10666 resumeSession: true,
10667 expectChannelID: true,
10668 flags: []string{
10669 "-enable-early-data",
10670 "-expect-reject-early-data",
10671 "-expect-channel-id",
10672 base64.StdEncoding.EncodeToString(channelIDBytes),
10673 },
10674 })
10675
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10676 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10677 // if not offered Channel ID.
10678 testCases = append(testCases, testCase{
10679 testType: serverTest,
10680 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10681 config: Config{
10682 MaxVersion: VersionTLS13,
10683 Bugs: ProtocolBugs{
10684 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10685 ExpectEarlyDataAccepted: true,
10686 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10687 },
10688 },
10689 resumeSession: true,
10690 expectChannelID: false,
10691 flags: []string{
10692 "-enable-early-data",
10693 "-expect-accept-early-data",
10694 "-enable-channel-id",
10695 },
10696 })
10697
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10698 // Test that the server rejects 0-RTT streams without end_of_early_data.
10699 // The subsequent records should fail to decrypt.
10700 testCases = append(testCases, testCase{
10701 testType: serverTest,
10702 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10703 config: Config{
10704 MaxVersion: VersionTLS13,
10705 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10706 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10707 ExpectEarlyDataAccepted: true,
10708 SkipEndOfEarlyData: true,
10709 },
10710 },
10711 resumeSession: true,
10712 flags: []string{"-enable-early-data"},
10713 shouldFail: true,
10714 expectedLocalError: "remote error: bad record MAC",
10715 expectedError: ":BAD_DECRYPT:",
10716 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10717
10718 testCases = append(testCases, testCase{
10719 testType: serverTest,
10720 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10721 config: Config{
10722 MaxVersion: VersionTLS13,
10723 },
10724 resumeConfig: &Config{
10725 MaxVersion: VersionTLS13,
10726 Bugs: ProtocolBugs{
10727 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10728 SendStrayEarlyHandshake: true,
10729 ExpectEarlyDataAccepted: true},
10730 },
10731 resumeSession: true,
10732 shouldFail: true,
10733 expectedError: ":UNEXPECTED_RECORD:",
10734 expectedLocalError: "remote error: unexpected message",
10735 flags: []string{
10736 "-enable-early-data",
10737 },
10738 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10739}
10740
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10741func addTLS13CipherPreferenceTests() {
10742 // Test that client preference is honored if the shim has AES hardware
10743 // and ChaCha20-Poly1305 is preferred otherwise.
10744 testCases = append(testCases, testCase{
10745 testType: serverTest,
10746 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10747 config: Config{
10748 MaxVersion: VersionTLS13,
10749 CipherSuites: []uint16{
10750 TLS_CHACHA20_POLY1305_SHA256,
10751 TLS_AES_128_GCM_SHA256,
10752 },
10753 },
10754 flags: []string{
10755 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10756 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10757 },
10758 })
10759
10760 testCases = append(testCases, testCase{
10761 testType: serverTest,
10762 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10763 config: Config{
10764 MaxVersion: VersionTLS13,
10765 CipherSuites: []uint16{
10766 TLS_AES_128_GCM_SHA256,
10767 TLS_CHACHA20_POLY1305_SHA256,
10768 },
10769 },
10770 flags: []string{
10771 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10772 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10773 },
10774 })
10775
10776 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10777 // whether it has AES hardware.
10778 testCases = append(testCases, testCase{
10779 name: "TLS13-CipherPreference-Client",
10780 config: Config{
10781 MaxVersion: VersionTLS13,
10782 // Use the client cipher order. (This is the default but
10783 // is listed to be explicit.)
10784 PreferServerCipherSuites: false,
10785 },
10786 flags: []string{
10787 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10788 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10789 },
10790 })
10791}
10792
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10793func addPeekTests() {
10794 // Test SSL_peek works, including on empty records.
10795 testCases = append(testCases, testCase{
10796 name: "Peek-Basic",
10797 sendEmptyRecords: 1,
10798 flags: []string{"-peek-then-read"},
10799 })
10800
10801 // Test SSL_peek can drive the initial handshake.
10802 testCases = append(testCases, testCase{
10803 name: "Peek-ImplicitHandshake",
10804 flags: []string{
10805 "-peek-then-read",
10806 "-implicit-handshake",
10807 },
10808 })
10809
10810 // Test SSL_peek can discover and drive a renegotiation.
10811 testCases = append(testCases, testCase{
10812 name: "Peek-Renegotiate",
10813 config: Config{
10814 MaxVersion: VersionTLS12,
10815 },
10816 renegotiate: 1,
10817 flags: []string{
10818 "-peek-then-read",
10819 "-renegotiate-freely",
10820 "-expect-total-renegotiations", "1",
10821 },
10822 })
10823
10824 // Test SSL_peek can discover a close_notify.
10825 testCases = append(testCases, testCase{
10826 name: "Peek-Shutdown",
10827 config: Config{
10828 Bugs: ProtocolBugs{
10829 ExpectCloseNotify: true,
10830 },
10831 },
10832 flags: []string{
10833 "-peek-then-read",
10834 "-check-close-notify",
10835 },
10836 })
10837
10838 // Test SSL_peek can discover an alert.
10839 testCases = append(testCases, testCase{
10840 name: "Peek-Alert",
10841 config: Config{
10842 Bugs: ProtocolBugs{
10843 SendSpuriousAlert: alertRecordOverflow,
10844 },
10845 },
10846 flags: []string{"-peek-then-read"},
10847 shouldFail: true,
10848 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10849 })
10850
10851 // Test SSL_peek can handle KeyUpdate.
10852 testCases = append(testCases, testCase{
10853 name: "Peek-KeyUpdate",
10854 config: Config{
10855 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10856 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10857 sendKeyUpdates: 1,
10858 keyUpdateRequest: keyUpdateNotRequested,
10859 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10860 })
10861}
10862
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10863func addRecordVersionTests() {
10864 for _, ver := range tlsVersions {
10865 // Test that the record version is enforced.
10866 testCases = append(testCases, testCase{
10867 name: "CheckRecordVersion-" + ver.name,
10868 config: Config{
10869 MinVersion: ver.version,
10870 MaxVersion: ver.version,
10871 Bugs: ProtocolBugs{
10872 SendRecordVersion: 0x03ff,
10873 },
10874 },
10875 shouldFail: true,
10876 expectedError: ":WRONG_VERSION_NUMBER:",
10877 })
10878
10879 // Test that the ClientHello may use any record version, for
10880 // compatibility reasons.
10881 testCases = append(testCases, testCase{
10882 testType: serverTest,
10883 name: "LooseInitialRecordVersion-" + ver.name,
10884 config: Config{
10885 MinVersion: ver.version,
10886 MaxVersion: ver.version,
10887 Bugs: ProtocolBugs{
10888 SendInitialRecordVersion: 0x03ff,
10889 },
10890 },
10891 })
10892
10893 // Test that garbage ClientHello record versions are rejected.
10894 testCases = append(testCases, testCase{
10895 testType: serverTest,
10896 name: "GarbageInitialRecordVersion-" + ver.name,
10897 config: Config{
10898 MinVersion: ver.version,
10899 MaxVersion: ver.version,
10900 Bugs: ProtocolBugs{
10901 SendInitialRecordVersion: 0xffff,
10902 },
10903 },
10904 shouldFail: true,
10905 expectedError: ":WRONG_VERSION_NUMBER:",
10906 })
10907 }
10908}
10909
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10910func addCertificateTests() {
10911 // Test that a certificate chain with intermediate may be sent and
10912 // received as both client and server.
10913 for _, ver := range tlsVersions {
10914 testCases = append(testCases, testCase{
10915 testType: clientTest,
10916 name: "SendReceiveIntermediate-Client-" + ver.name,
10917 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10918 MinVersion: ver.version,
10919 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10920 Certificates: []Certificate{rsaChainCertificate},
10921 ClientAuth: RequireAnyClientCert,
10922 },
10923 expectPeerCertificate: &rsaChainCertificate,
10924 flags: []string{
10925 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10926 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10927 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10928 },
10929 })
10930
10931 testCases = append(testCases, testCase{
10932 testType: serverTest,
10933 name: "SendReceiveIntermediate-Server-" + ver.name,
10934 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10935 MinVersion: ver.version,
10936 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10937 Certificates: []Certificate{rsaChainCertificate},
10938 },
10939 expectPeerCertificate: &rsaChainCertificate,
10940 flags: []string{
10941 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10942 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10943 "-require-any-client-certificate",
10944 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10945 },
10946 })
10947 }
10948}
10949
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10950func addRetainOnlySHA256ClientCertTests() {
10951 for _, ver := range tlsVersions {
10952 // Test that enabling
10953 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10954 // actually requesting a client certificate is a no-op.
10955 testCases = append(testCases, testCase{
10956 testType: serverTest,
10957 name: "RetainOnlySHA256-NoCert-" + ver.name,
10958 config: Config{
10959 MinVersion: ver.version,
10960 MaxVersion: ver.version,
10961 },
10962 flags: []string{
10963 "-retain-only-sha256-client-cert-initial",
10964 "-retain-only-sha256-client-cert-resume",
10965 },
10966 resumeSession: true,
10967 })
10968
10969 // Test that when retaining only a SHA-256 certificate is
10970 // enabled, the hash appears as expected.
10971 testCases = append(testCases, testCase{
10972 testType: serverTest,
10973 name: "RetainOnlySHA256-Cert-" + ver.name,
10974 config: Config{
10975 MinVersion: ver.version,
10976 MaxVersion: ver.version,
10977 Certificates: []Certificate{rsaCertificate},
10978 },
10979 flags: []string{
10980 "-verify-peer",
10981 "-retain-only-sha256-client-cert-initial",
10982 "-retain-only-sha256-client-cert-resume",
10983 "-expect-sha256-client-cert-initial",
10984 "-expect-sha256-client-cert-resume",
10985 },
10986 resumeSession: true,
10987 })
10988
10989 // Test that when the config changes from on to off, a
10990 // resumption is rejected because the server now wants the full
10991 // certificate chain.
10992 testCases = append(testCases, testCase{
10993 testType: serverTest,
10994 name: "RetainOnlySHA256-OnOff-" + ver.name,
10995 config: Config{
10996 MinVersion: ver.version,
10997 MaxVersion: ver.version,
10998 Certificates: []Certificate{rsaCertificate},
10999 },
11000 flags: []string{
11001 "-verify-peer",
11002 "-retain-only-sha256-client-cert-initial",
11003 "-expect-sha256-client-cert-initial",
11004 },
11005 resumeSession: true,
11006 expectResumeRejected: true,
11007 })
11008
11009 // Test that when the config changes from off to on, a
11010 // resumption is rejected because the server now wants just the
11011 // hash.
11012 testCases = append(testCases, testCase{
11013 testType: serverTest,
11014 name: "RetainOnlySHA256-OffOn-" + ver.name,
11015 config: Config{
11016 MinVersion: ver.version,
11017 MaxVersion: ver.version,
11018 Certificates: []Certificate{rsaCertificate},
11019 },
11020 flags: []string{
11021 "-verify-peer",
11022 "-retain-only-sha256-client-cert-resume",
11023 "-expect-sha256-client-cert-resume",
11024 },
11025 resumeSession: true,
11026 expectResumeRejected: true,
11027 })
11028 }
11029}
11030
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11031func addECDSAKeyUsageTests() {
11032 p256 := elliptic.P256()
11033 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11034 if err != nil {
11035 panic(err)
11036 }
11037
11038 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11039 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11040 if err != nil {
11041 panic(err)
11042 }
11043
11044 template := x509.Certificate{
11045 SerialNumber: serialNumber,
11046 Subject: pkix.Name{
11047 Organization: []string{"Acme Co"},
11048 },
11049 NotBefore: time.Now(),
11050 NotAfter: time.Now(),
11051
11052 // An ECC certificate with only the keyAgreement key usgae may
11053 // be used with ECDH, but not ECDSA.
11054 KeyUsage: x509.KeyUsageKeyAgreement,
11055 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11056 BasicConstraintsValid: true,
11057 }
11058
11059 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11060 if err != nil {
11061 panic(err)
11062 }
11063
11064 cert := Certificate{
11065 Certificate: [][]byte{derBytes},
11066 PrivateKey: priv,
11067 }
11068
11069 for _, ver := range tlsVersions {
11070 if ver.version < VersionTLS12 {
11071 continue
11072 }
11073
11074 testCases = append(testCases, testCase{
11075 testType: clientTest,
11076 name: "ECDSAKeyUsage-" + ver.name,
11077 config: Config{
11078 MinVersion: ver.version,
11079 MaxVersion: ver.version,
11080 Certificates: []Certificate{cert},
11081 },
11082 shouldFail: true,
11083 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11084 })
11085 }
11086}
11087
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11088func addExtraHandshakeTests() {
11089 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11090 // to ensure there is no transport I/O.
11091 testCases = append(testCases, testCase{
11092 testType: clientTest,
11093 name: "ExtraHandshake-Client-TLS12",
11094 config: Config{
11095 MinVersion: VersionTLS12,
11096 MaxVersion: VersionTLS12,
11097 },
11098 flags: []string{
11099 "-async",
11100 "-no-op-extra-handshake",
11101 },
11102 })
11103 testCases = append(testCases, testCase{
11104 testType: serverTest,
11105 name: "ExtraHandshake-Server-TLS12",
11106 config: Config{
11107 MinVersion: VersionTLS12,
11108 MaxVersion: VersionTLS12,
11109 },
11110 flags: []string{
11111 "-async",
11112 "-no-op-extra-handshake",
11113 },
11114 })
11115 testCases = append(testCases, testCase{
11116 testType: clientTest,
11117 name: "ExtraHandshake-Client-TLS13",
11118 config: Config{
11119 MinVersion: VersionTLS13,
11120 MaxVersion: VersionTLS13,
11121 },
11122 flags: []string{
11123 "-async",
11124 "-no-op-extra-handshake",
11125 },
11126 })
11127 testCases = append(testCases, testCase{
11128 testType: serverTest,
11129 name: "ExtraHandshake-Server-TLS13",
11130 config: Config{
11131 MinVersion: VersionTLS13,
11132 MaxVersion: VersionTLS13,
11133 },
11134 flags: []string{
11135 "-async",
11136 "-no-op-extra-handshake",
11137 },
11138 })
11139
11140 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11141 testCases = append(testCases, testCase{
11142 testType: serverTest,
11143 name: "ExtraHandshake-Server-EarlyData-TLS13",
11144 config: Config{
11145 MaxVersion: VersionTLS13,
11146 MinVersion: VersionTLS13,
11147 Bugs: ProtocolBugs{
11148 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11149 ExpectEarlyDataAccepted: true,
11150 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11151 },
11152 },
11153 messageCount: 2,
11154 resumeSession: true,
11155 flags: []string{
11156 "-async",
11157 "-enable-early-data",
11158 "-expect-accept-early-data",
11159 "-no-op-extra-handshake",
11160 },
11161 })
11162
11163 // An extra SSL_do_handshake drives the handshake to completion in False
11164 // Start. We test this by handshaking twice and asserting the False
11165 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11166 // how the test works.
11167 testCases = append(testCases, testCase{
11168 testType: clientTest,
11169 name: "ExtraHandshake-FalseStart",
11170 config: Config{
11171 MaxVersion: VersionTLS12,
11172 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11173 NextProtos: []string{"foo"},
11174 Bugs: ProtocolBugs{
11175 ExpectFalseStart: true,
11176 AlertBeforeFalseStartTest: alertAccessDenied,
11177 },
11178 },
11179 flags: []string{
11180 "-handshake-twice",
11181 "-false-start",
11182 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11183 "-expect-alpn", "foo",
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11184 },
11185 shimWritesFirst: true,
11186 shouldFail: true,
11187 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11188 expectedLocalError: "tls: peer did not false start: EOF",
11189 })
11190}
11191
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11192func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11193 defer wg.Done()
11194
11195 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11196 var err error
11197
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11198 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11199 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11200 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11201 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11202 if err != nil {
11203 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11204 }
11205 break
11206 }
11207 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11208 } else if *repeatUntilFailure {
11209 for err == nil {
11210 statusChan <- statusMsg{test: test, started: true}
11211 err = runTest(test, shimPath, -1)
11212 }
11213 } else {
11214 statusChan <- statusMsg{test: test, started: true}
11215 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11216 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11217 statusChan <- statusMsg{test: test, err: err}
11218 }
11219}
11220
11221type statusMsg struct {
11222 test *testCase
11223 started bool
11224 err error
11225}
11226
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11227func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11228 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11229
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11230 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11231 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11232 if !*pipe {
11233 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11234 var erase string
11235 for i := 0; i < lineLen; i++ {
11236 erase += "\b \b"
11237 }
11238 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11239 }
11240
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11241 if msg.started {
11242 started++
11243 } else {
11244 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11245
11246 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11247 if msg.err == errUnimplemented {
11248 if *pipe {
11249 // Print each test instead of a status line.
11250 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11251 }
11252 unimplemented++
11253 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11254 } else {
11255 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11256 failed++
11257 testOutput.addResult(msg.test.name, "FAIL")
11258 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11259 } else {
11260 if *pipe {
11261 // Print each test instead of a status line.
11262 fmt.Printf("PASSED (%s)\n", msg.test.name)
11263 }
11264 testOutput.addResult(msg.test.name, "PASS")
11265 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11266 }
11267
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11268 if !*pipe {
11269 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11270 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11271 lineLen = len(line)
11272 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11273 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11274 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11275
11276 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11277}
11278
11279func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11280 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11281 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11282 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11283
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11284 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11285 addCipherSuiteTests()
11286 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11287 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11288 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11289 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11290 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11291 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11292 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11293 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11294 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11295 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11296 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11297 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11298 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11299 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11300 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11301 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11302 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11303 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11304 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11305 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11306 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11307 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11308 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11309 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11310 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11311 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11312 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11313 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11314 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11315 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11316 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11317 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11318 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11319
11320 var wg sync.WaitGroup
11321
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11322 statusChan := make(chan statusMsg, *numWorkers)
11323 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11324 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11325
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11326 if len(*shimConfigFile) != 0 {
11327 encoded, err := ioutil.ReadFile(*shimConfigFile)
11328 if err != nil {
11329 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11330 os.Exit(1)
11331 }
11332
11333 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11334 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11335 os.Exit(1)
11336 }
11337 }
11338
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11339 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11340
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11341 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11342 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11343 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11344 }
11345
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11346 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11347 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11348 matched := true
11349 if len(*testToRun) != 0 {
11350 var err error
11351 matched, err = filepath.Match(*testToRun, testCases[i].name)
11352 if err != nil {
11353 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11354 os.Exit(1)
11355 }
11356 }
11357
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11358 if !*includeDisabled {
11359 for pattern := range shimConfig.DisabledTests {
11360 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11361 if err != nil {
11362 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11363 os.Exit(1)
11364 }
11365
11366 if isDisabled {
11367 matched = false
11368 break
11369 }
11370 }
11371 }
11372
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11373 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11374 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11375 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11376
11377 // Only run one test if repeating until failure.
11378 if *repeatUntilFailure {
11379 break
11380 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11381 }
11382 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11383
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11384 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11385 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11386 os.Exit(1)
11387 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11388
11389 close(testChan)
11390 wg.Wait()
11391 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11392 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11393
11394 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11395
11396 if *jsonOutput != "" {
11397 if err := testOutput.writeTo(*jsonOutput); err != nil {
11398 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11399 }
11400 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11401
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11402 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11403 os.Exit(1)
11404 }
11405
11406 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11407 os.Exit(1)
11408 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11409}