Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 24e5886c0edfc409c8083d10f9f1120111efd6f5 / . / ssl / test / runner / runner.go
blob: f714c77ddd1b978f5e9cd308e954509728af193d [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame^]415 // before each test message.
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame^]418 // before each test message.
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]419 sendWarningAlerts int
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame^]420 // sendBogusAlertType, if true, causes a bogus alert of invalid type to
421 // be sent before each test message.
422 sendBogusAlertType bool
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]423 // sendKeyUpdates is the number of consecutive key updates to send
424 // before and after the test message.
425 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]426 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
427 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]428 // expectMessageDropped, if true, means the test message is expected to
429 // be dropped by the client rather than echoed back.
430 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]431 // expectPeerCertificate, if not nil, is the certificate chain the peer
432 // is expected to send.
433 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434}
435
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]436var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]437
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]438func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]439 if len(data) == 0 {
440 return
441 }
442
443 protocol := "tls"
444 if test.protocol == dtls {
445 protocol = "dtls"
446 }
447
448 side := "client"
449 if test.testType == serverTest {
450 side = "server"
451 }
452
453 dir := path.Join(*transcriptDir, protocol, side)
454 if err := os.MkdirAll(dir, 0755); err != nil {
455 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
456 return
457 }
458
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]459 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]460 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
461 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
462 }
463}
464
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]465// A timeoutConn implements an idle timeout on each Read and Write operation.
466type timeoutConn struct {
467 net.Conn
468 timeout time.Duration
469}
470
471func (t *timeoutConn) Read(b []byte) (int, error) {
472 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
473 return 0, err
474 }
475 return t.Conn.Read(b)
476}
477
478func (t *timeoutConn) Write(b []byte) (int, error) {
479 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
480 return 0, err
481 }
482 return t.Conn.Write(b)
483}
484
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]485func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]486 if !test.noSessionCache {
487 if config.ClientSessionCache == nil {
488 config.ClientSessionCache = NewLRUClientSessionCache(1)
489 }
490 if config.ServerSessionCache == nil {
491 config.ServerSessionCache = NewLRUServerSessionCache(1)
492 }
493 }
494 if test.testType == clientTest {
495 if len(config.Certificates) == 0 {
496 config.Certificates = []Certificate{rsaCertificate}
497 }
498 } else {
499 // Supply a ServerName to ensure a constant session cache key,
500 // rather than falling back to net.Conn.RemoteAddr.
501 if len(config.ServerName) == 0 {
502 config.ServerName = "test"
503 }
504 }
505 if *fuzzer {
506 config.Bugs.NullAllCiphers = true
507 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]508 if *deterministic {
509 config.Time = func() time.Time { return time.Unix(1234, 1234) }
510 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]511
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]512 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]513
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]514 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]515 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
516 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 }
518
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]519 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]520 local, peer := "client", "server"
521 if test.testType == clientTest {
522 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]523 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]524 connDebug := &recordingConn{
525 Conn: conn,
526 isDatagram: test.protocol == dtls,
527 local: local,
528 peer: peer,
529 }
530 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]531 if *flagDebug {
532 defer connDebug.WriteTo(os.Stdout)
533 }
534 if len(*transcriptDir) != 0 {
535 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]536 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]537 }()
538 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]539
540 if config.Bugs.PacketAdaptor != nil {
541 config.Bugs.PacketAdaptor.debug = connDebug
542 }
543 }
544
545 if test.replayWrites {
546 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]547 }
548
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]549 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]550 if test.damageFirstWrite {
551 connDamage = newDamageAdaptor(conn)
552 conn = connDamage
553 }
554
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]555 if test.sendPrefix != "" {
556 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
557 return err
558 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]559 }
560
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]561 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]562 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]563 if test.protocol == dtls {
564 tlsConn = DTLSServer(conn, config)
565 } else {
566 tlsConn = Server(conn, config)
567 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]568 } else {
569 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]570 if test.protocol == dtls {
571 tlsConn = DTLSClient(conn, config)
572 } else {
573 tlsConn = Client(conn, config)
574 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]575 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]576 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]577
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]578 if err := tlsConn.Handshake(); err != nil {
579 return err
580 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]581
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]582 // TODO(davidben): move all per-connection expectations into a dedicated
583 // expectations struct that can be specified separately for the two
584 // legs.
585 expectedVersion := test.expectedVersion
586 if isResume && test.expectedResumeVersion != 0 {
587 expectedVersion = test.expectedResumeVersion
588 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]589 connState := tlsConn.ConnectionState()
590 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]591 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]592 }
593
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]595 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
596 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]597 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
598 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
599 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]600
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]601 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]602 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]603 if channelID == nil {
604 return fmt.Errorf("no channel ID negotiated")
605 }
606 if channelID.Curve != channelIDKey.Curve ||
607 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
608 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
609 return fmt.Errorf("incorrect channel ID")
610 }
611 }
612
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]613 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]614 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]615 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
616 }
617 }
618
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]619 if test.expectNoNextProto {
620 if actual := connState.NegotiatedProtocol; actual != "" {
621 return fmt.Errorf("got unexpected next proto %s", actual)
622 }
623 }
624
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]625 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]626 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]627 return fmt.Errorf("next proto type mismatch")
628 }
629 }
630
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]631 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]632 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
633 }
634
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]635 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]636 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]637 }
638
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]639 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
640 return fmt.Errorf("SCT list mismatch")
641 }
642
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]643 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
644 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]645 }
646
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]647 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
648 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
649 }
650
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]651 if test.expectPeerCertificate != nil {
652 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
653 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
654 }
655 for i, cert := range connState.PeerCertificates {
656 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
657 return fmt.Errorf("peer certificate %d did not match", i+1)
658 }
659 }
660 }
661
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]662 if test.exportKeyingMaterial > 0 {
663 actual := make([]byte, test.exportKeyingMaterial)
664 if _, err := io.ReadFull(tlsConn, actual); err != nil {
665 return err
666 }
667 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
668 if err != nil {
669 return err
670 }
671 if !bytes.Equal(actual, expected) {
672 return fmt.Errorf("keying material mismatch")
673 }
674 }
675
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]676 if test.testTLSUnique {
677 var peersValue [12]byte
678 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
679 return err
680 }
681 expected := tlsConn.ConnectionState().TLSUnique
682 if !bytes.Equal(peersValue[:], expected) {
683 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
684 }
685 }
686
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]687 if test.sendHalfHelloRequest {
688 tlsConn.SendHalfHelloRequest()
689 }
690
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]691 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]692 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]693 // If readWithUnfinishedWrite is set, the shim prefix will be
694 // available later.
695 if shimPrefixPending && !test.readWithUnfinishedWrite {
696 var buf [5]byte
697 _, err := io.ReadFull(tlsConn, buf[:])
698 if err != nil {
699 return err
700 }
701 if string(buf[:]) != "hello" {
702 return fmt.Errorf("bad initial message")
703 }
704 shimPrefixPending = false
705 }
706
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]707 if test.renegotiateCiphers != nil {
708 config.CipherSuites = test.renegotiateCiphers
709 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]710 for i := 0; i < test.renegotiate; i++ {
711 if err := tlsConn.Renegotiate(); err != nil {
712 return err
713 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]714 }
715 } else if test.renegotiateCiphers != nil {
716 panic("renegotiateCiphers without renegotiate")
717 }
718
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]719 if test.damageFirstWrite {
720 connDamage.setDamage(true)
721 tlsConn.Write([]byte("DAMAGED WRITE"))
722 connDamage.setDamage(false)
723 }
724
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]725 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]726 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]727 if test.protocol == dtls {
728 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
729 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]730 // Read until EOF.
731 _, err := io.Copy(ioutil.Discard, tlsConn)
732 return err
733 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]734 if messageLen == 0 {
735 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]736 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]737
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]738 messageCount := test.messageCount
739 if messageCount == 0 {
740 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]741 }
742
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]743 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]744 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]745 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]746 }
747
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]748 for i := 0; i < test.sendEmptyRecords; i++ {
749 tlsConn.Write(nil)
750 }
751
752 for i := 0; i < test.sendWarningAlerts; i++ {
753 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
754 }
755
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame^]756 if test.sendBogusAlertType {
757 tlsConn.SendAlert(0x42, alertUnexpectedMessage)
758 }
759
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]760 testMessage := make([]byte, messageLen)
761 for i := range testMessage {
762 testMessage[i] = 0x42 ^ byte(j)
763 }
764 tlsConn.Write(testMessage)
765
766 // Consume the shim prefix if needed.
767 if shimPrefixPending {
768 var buf [5]byte
769 _, err := io.ReadFull(tlsConn, buf[:])
770 if err != nil {
771 return err
772 }
773 if string(buf[:]) != "hello" {
774 return fmt.Errorf("bad initial message")
775 }
776 shimPrefixPending = false
777 }
778
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]779 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]780 // The shim will not respond.
781 continue
782 }
783
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]784 // Process the KeyUpdate ACK. However many KeyUpdates the runner
785 // sends, the shim should respond only once.
786 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
787 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
788 return err
789 }
790 }
791
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]792 buf := make([]byte, len(testMessage))
793 if test.protocol == dtls {
794 bufTmp := make([]byte, len(buf)+1)
795 n, err := tlsConn.Read(bufTmp)
796 if err != nil {
797 return err
798 }
799 if n != len(buf) {
800 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
801 }
802 copy(buf, bufTmp)
803 } else {
804 _, err := io.ReadFull(tlsConn, buf)
805 if err != nil {
806 return err
807 }
808 }
809
810 for i, v := range buf {
811 if v != testMessage[i]^0xff {
812 return fmt.Errorf("bad reply contents at byte %d", i)
813 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]814 }
815 }
816
817 return nil
818}
819
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]820func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]821 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]823 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]824 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]825 valgrindArgs = append(valgrindArgs, path)
826 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]827
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]828 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]829}
830
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]831func gdbOf(path string, args ...string) *exec.Cmd {
832 xtermArgs := []string{"-e", "gdb", "--args"}
833 xtermArgs = append(xtermArgs, path)
834 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]836 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]837}
838
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]839func lldbOf(path string, args ...string) *exec.Cmd {
840 xtermArgs := []string{"-e", "lldb", "--"}
841 xtermArgs = append(xtermArgs, path)
842 xtermArgs = append(xtermArgs, args...)
843
844 return exec.Command("xterm", xtermArgs...)
845}
846
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]847var (
848 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
849 errUnimplemented = errors.New("child process does not implement needed flags")
850)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]851
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]852// accept accepts a connection from listener, unless waitChan signals a process
853// exit first.
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]854func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]855 type connOrError struct {
856 conn net.Conn
857 err error
858 }
859 connChan := make(chan connOrError, 1)
860 go func() {
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]861 listener.SetDeadline(time.Now().Add(*idleTimeout))
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]862 conn, err := listener.Accept()
863 connChan <- connOrError{conn, err}
864 close(connChan)
865 }()
866 select {
867 case result := <-connChan:
868 return result.conn, result.err
869 case childErr := <-waitChan:
870 waitChan <- childErr
871 return nil, fmt.Errorf("child exited early: %s", childErr)
872 }
873}
874
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]875func translateExpectedError(errorStr string) string {
876 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
877 return translated
878 }
879
880 if *looseErrors {
881 return ""
882 }
883
884 return errorStr
885}
886
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]887func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]888 // Help debugging panics on the Go side.
889 defer func() {
890 if r := recover(); r != nil {
891 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
892 panic(r)
893 }
894 }()
895
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]896 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
897 panic("Error expected without shouldFail in " + test.name)
898 }
899
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]900 if test.expectResumeRejected && !test.resumeSession {
901 panic("expectResumeRejected without resumeSession in " + test.name)
902 }
903
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]904 for _, ver := range tlsVersions {
905 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
906 continue
907 }
908
909 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
910 continue
911 }
912
913 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
914 }
915
Matthew Braithwaite2d04cf02017-05-19 18:13:25 -0700[diff] [blame]916 listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv6loopback})
917 if err != nil {
918 listener, err = net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
919 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]920 if err != nil {
921 panic(err)
922 }
923 defer func() {
924 if listener != nil {
925 listener.Close()
926 }
927 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]928
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]929 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]930 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]931 flags = append(flags, "-server")
932
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]933 flags = append(flags, "-key-file")
934 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]935 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
939
940 flags = append(flags, "-cert-file")
941 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]942 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]943 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]944 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]945 }
946 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]947
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]948 if test.protocol == dtls {
949 flags = append(flags, "-dtls")
950 }
951
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]952 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]953 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]954 resumeCount++
955 if test.resumeRenewedSession {
956 resumeCount++
957 }
958 }
959
960 if resumeCount > 0 {
961 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]962 }
963
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]964 if test.shimWritesFirst {
965 flags = append(flags, "-shim-writes-first")
966 }
967
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]968 if test.readWithUnfinishedWrite {
969 flags = append(flags, "-read-with-unfinished-write")
970 }
971
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]972 if test.shimShutsDown {
973 flags = append(flags, "-shim-shuts-down")
974 }
975
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]976 if test.exportKeyingMaterial > 0 {
977 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
978 flags = append(flags, "-export-label", test.exportLabel)
979 flags = append(flags, "-export-context", test.exportContext)
980 if test.useExportContext {
981 flags = append(flags, "-use-export-context")
982 }
983 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]984 if test.expectResumeRejected {
985 flags = append(flags, "-expect-session-miss")
986 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]987
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]988 if test.testTLSUnique {
989 flags = append(flags, "-tls-unique")
990 }
991
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]992 flags = append(flags, test.flags...)
993
994 var shim *exec.Cmd
995 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]996 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]997 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]998 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]999 } else if *useLLDB {
1000 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1001 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1002 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1003 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1004 shim.Stdin = os.Stdin
1005 var stdoutBuf, stderrBuf bytes.Buffer
1006 shim.Stdout = &stdoutBuf
1007 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1008 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]1009 shim.Env = os.Environ()
1010 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1011 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1012 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1013 }
1014 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1015 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1016
1017 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1018 panic(err)
1019 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1020 waitChan := make(chan error, 1)
1021 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1022
1023 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1024
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1025 if *deterministic {
1026 config.Rand = &deterministicRand{}
1027 }
1028
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1029 conn, err := acceptOrWait(listener, waitChan)
1030 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1031 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1032 conn.Close()
1033 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1034
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1035 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1036 var resumeConfig Config
1037 if test.resumeConfig != nil {
1038 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1039 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1040 resumeConfig.SessionTicketKey = config.SessionTicketKey
1041 resumeConfig.ClientSessionCache = config.ClientSessionCache
1042 resumeConfig.ServerSessionCache = config.ServerSessionCache
1043 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1044 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1045 } else {
1046 resumeConfig = config
1047 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1048 var connResume net.Conn
1049 connResume, err = acceptOrWait(listener, waitChan)
1050 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1051 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1052 connResume.Close()
1053 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1054 }
1055
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1056 // Close the listener now. This is to avoid hangs should the shim try to
1057 // open more connections than expected.
1058 listener.Close()
1059 listener = nil
1060
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1061 var shimKilledLock sync.Mutex
1062 var shimKilled bool
1063 waitTimeout := time.AfterFunc(*idleTimeout, func() {
1064 shimKilledLock.Lock()
1065 shimKilled = true
1066 shimKilledLock.Unlock()
1067 shim.Process.Kill()
1068 })
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1069 childErr := <-waitChan
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1070 waitTimeout.Stop()
1071 shimKilledLock.Lock()
1072 if shimKilled && err == nil {
1073 err = errors.New("timeout waiting for the shim to exit.")
1074 }
1075 shimKilledLock.Unlock()
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1076 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1077 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1078 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1079 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1080 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1081 case 89:
1082 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1083 case 99:
1084 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1085 }
1086 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1087
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1088 // Account for Windows line endings.
1089 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1090 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1091
1092 // Separate the errors from the shim and those from tools like
1093 // AddressSanitizer.
1094 var extraStderr string
1095 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1096 stderr = stderrParts[0]
1097 extraStderr = stderrParts[1]
1098 }
1099
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1100 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1101 expectedError := translateExpectedError(test.expectedError)
1102 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1103
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1104 localError := "none"
1105 if err != nil {
1106 localError = err.Error()
1107 }
1108 if len(test.expectedLocalError) != 0 {
1109 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1110 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111
1112 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1113 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114 if childErr != nil {
1115 childError = childErr.Error()
1116 }
1117
1118 var msg string
1119 switch {
1120 case failed && !test.shouldFail:
1121 msg = "unexpected failure"
1122 case !failed && test.shouldFail:
1123 msg = "unexpected success"
1124 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1125 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1126 default:
1127 panic("internal error")
1128 }
1129
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1130 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1131 }
1132
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1133 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Adam Langleyc88f2452017-04-27 14:15:37 -0700[diff] [blame]1134 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 }
1136
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1137 if *useValgrind && isValgrindError {
1138 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1139 }
1140
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1141 return nil
1142}
1143
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1144type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1145 name string
1146 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1147 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1148 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1149}
1150
1151var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1152 {"SSL3", VersionSSL30, "-no-ssl3", false},
1153 {"TLS1", VersionTLS10, "-no-tls1", true},
1154 {"TLS11", VersionTLS11, "-no-tls11", false},
1155 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1156 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1157}
1158
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1159type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1160 name string
1161 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1162}
1163
1164var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1165 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1166 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1167 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1168 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1169 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1171 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1172 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1173 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1174 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1175 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1176 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1177 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1178 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1179 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1180 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1181 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1182 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1183 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1184 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1185 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1186 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1187 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1188 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1189 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1190 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1191 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1192 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1193 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1194 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1195}
1196
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1197func hasComponent(suiteName, component string) bool {
1198 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1199}
1200
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1201func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1202 return hasComponent(suiteName, "GCM") ||
1203 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1204 hasComponent(suiteName, "SHA384") ||
1205 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1206}
1207
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1208func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1209 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1210}
1211
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1212func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1213 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1214}
1215
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1216func bigFromHex(hex string) *big.Int {
1217 ret, ok := new(big.Int).SetString(hex, 16)
1218 if !ok {
1219 panic("failed to parse hex number 0x" + hex)
1220 }
1221 return ret
1222}
1223
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1224func addBasicTests() {
1225 basicTests := []testCase{
1226 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1227 name: "NoFallbackSCSV",
1228 config: Config{
1229 Bugs: ProtocolBugs{
1230 FailIfNotFallbackSCSV: true,
1231 },
1232 },
1233 shouldFail: true,
1234 expectedLocalError: "no fallback SCSV found",
1235 },
1236 {
1237 name: "SendFallbackSCSV",
1238 config: Config{
1239 Bugs: ProtocolBugs{
1240 FailIfNotFallbackSCSV: true,
1241 },
1242 },
1243 flags: []string{"-fallback-scsv"},
1244 },
1245 {
1246 name: "ClientCertificateTypes",
1247 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1248 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1249 ClientAuth: RequestClientCert,
1250 ClientCertificateTypes: []byte{
1251 CertTypeDSSSign,
1252 CertTypeRSASign,
1253 CertTypeECDSASign,
1254 },
1255 },
1256 flags: []string{
1257 "-expect-certificate-types",
1258 base64.StdEncoding.EncodeToString([]byte{
1259 CertTypeDSSSign,
1260 CertTypeRSASign,
1261 CertTypeECDSASign,
1262 }),
1263 },
1264 },
1265 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1266 name: "UnauthenticatedECDH",
1267 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1268 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1269 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1270 Bugs: ProtocolBugs{
1271 UnauthenticatedECDH: true,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":UNEXPECTED_MESSAGE:",
1276 },
1277 {
1278 name: "SkipCertificateStatus",
1279 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1280 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1281 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1282 Bugs: ProtocolBugs{
1283 SkipCertificateStatus: true,
1284 },
1285 },
1286 flags: []string{
1287 "-enable-ocsp-stapling",
1288 },
1289 },
1290 {
1291 name: "SkipServerKeyExchange",
1292 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1293 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1294 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1295 Bugs: ProtocolBugs{
1296 SkipServerKeyExchange: true,
1297 },
1298 },
1299 shouldFail: true,
1300 expectedError: ":UNEXPECTED_MESSAGE:",
1301 },
1302 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1303 testType: serverTest,
1304 name: "Alert",
1305 config: Config{
1306 Bugs: ProtocolBugs{
1307 SendSpuriousAlert: alertRecordOverflow,
1308 },
1309 },
1310 shouldFail: true,
1311 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1312 },
1313 {
1314 protocol: dtls,
1315 testType: serverTest,
1316 name: "Alert-DTLS",
1317 config: Config{
1318 Bugs: ProtocolBugs{
1319 SendSpuriousAlert: alertRecordOverflow,
1320 },
1321 },
1322 shouldFail: true,
1323 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1324 },
1325 {
1326 testType: serverTest,
1327 name: "FragmentAlert",
1328 config: Config{
1329 Bugs: ProtocolBugs{
1330 FragmentAlert: true,
1331 SendSpuriousAlert: alertRecordOverflow,
1332 },
1333 },
1334 shouldFail: true,
1335 expectedError: ":BAD_ALERT:",
1336 },
1337 {
1338 protocol: dtls,
1339 testType: serverTest,
1340 name: "FragmentAlert-DTLS",
1341 config: Config{
1342 Bugs: ProtocolBugs{
1343 FragmentAlert: true,
1344 SendSpuriousAlert: alertRecordOverflow,
1345 },
1346 },
1347 shouldFail: true,
1348 expectedError: ":BAD_ALERT:",
1349 },
1350 {
1351 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1352 name: "DoubleAlert",
1353 config: Config{
1354 Bugs: ProtocolBugs{
1355 DoubleAlert: true,
1356 SendSpuriousAlert: alertRecordOverflow,
1357 },
1358 },
1359 shouldFail: true,
1360 expectedError: ":BAD_ALERT:",
1361 },
1362 {
1363 protocol: dtls,
1364 testType: serverTest,
1365 name: "DoubleAlert-DTLS",
1366 config: Config{
1367 Bugs: ProtocolBugs{
1368 DoubleAlert: true,
1369 SendSpuriousAlert: alertRecordOverflow,
1370 },
1371 },
1372 shouldFail: true,
1373 expectedError: ":BAD_ALERT:",
1374 },
1375 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1376 name: "SkipNewSessionTicket",
1377 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1378 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1379 Bugs: ProtocolBugs{
1380 SkipNewSessionTicket: true,
1381 },
1382 },
1383 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1384 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1385 },
1386 {
1387 testType: serverTest,
1388 name: "FallbackSCSV",
1389 config: Config{
1390 MaxVersion: VersionTLS11,
1391 Bugs: ProtocolBugs{
1392 SendFallbackSCSV: true,
1393 },
1394 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1395 shouldFail: true,
1396 expectedError: ":INAPPROPRIATE_FALLBACK:",
1397 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1398 },
1399 {
1400 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1401 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1402 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1403 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1404 Bugs: ProtocolBugs{
1405 SendFallbackSCSV: true,
1406 },
1407 },
1408 },
1409 {
1410 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1411 name: "FallbackSCSV-VersionMatch-TLS12",
1412 config: Config{
1413 MaxVersion: VersionTLS12,
1414 Bugs: ProtocolBugs{
1415 SendFallbackSCSV: true,
1416 },
1417 },
1418 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1419 },
1420 {
1421 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1422 name: "FragmentedClientVersion",
1423 config: Config{
1424 Bugs: ProtocolBugs{
1425 MaxHandshakeRecordLength: 1,
1426 FragmentClientVersion: true,
1427 },
1428 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1429 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1430 },
1431 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1432 testType: serverTest,
1433 name: "HttpGET",
1434 sendPrefix: "GET / HTTP/1.0\n",
1435 shouldFail: true,
1436 expectedError: ":HTTP_REQUEST:",
1437 },
1438 {
1439 testType: serverTest,
1440 name: "HttpPOST",
1441 sendPrefix: "POST / HTTP/1.0\n",
1442 shouldFail: true,
1443 expectedError: ":HTTP_REQUEST:",
1444 },
1445 {
1446 testType: serverTest,
1447 name: "HttpHEAD",
1448 sendPrefix: "HEAD / HTTP/1.0\n",
1449 shouldFail: true,
1450 expectedError: ":HTTP_REQUEST:",
1451 },
1452 {
1453 testType: serverTest,
1454 name: "HttpPUT",
1455 sendPrefix: "PUT / HTTP/1.0\n",
1456 shouldFail: true,
1457 expectedError: ":HTTP_REQUEST:",
1458 },
1459 {
1460 testType: serverTest,
1461 name: "HttpCONNECT",
1462 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1463 shouldFail: true,
1464 expectedError: ":HTTPS_PROXY_REQUEST:",
1465 },
1466 {
1467 testType: serverTest,
1468 name: "Garbage",
1469 sendPrefix: "blah",
1470 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1471 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1472 },
1473 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1474 name: "RSAEphemeralKey",
1475 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1476 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1477 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1478 Bugs: ProtocolBugs{
1479 RSAEphemeralKey: true,
1480 },
1481 },
1482 shouldFail: true,
1483 expectedError: ":UNEXPECTED_MESSAGE:",
1484 },
1485 {
1486 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1487 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1488 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1489 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1490 },
1491 {
1492 protocol: dtls,
1493 name: "DisableEverything-DTLS",
1494 flags: []string{"-no-tls12", "-no-tls1"},
1495 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1496 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1497 },
1498 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1499 protocol: dtls,
1500 testType: serverTest,
1501 name: "MTU",
1502 config: Config{
1503 Bugs: ProtocolBugs{
1504 MaxPacketLength: 256,
1505 },
1506 },
1507 flags: []string{"-mtu", "256"},
1508 },
1509 {
1510 protocol: dtls,
1511 testType: serverTest,
1512 name: "MTUExceeded",
1513 config: Config{
1514 Bugs: ProtocolBugs{
1515 MaxPacketLength: 255,
1516 },
1517 },
1518 flags: []string{"-mtu", "256"},
1519 shouldFail: true,
1520 expectedLocalError: "dtls: exceeded maximum packet length",
1521 },
1522 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1523 name: "EmptyCertificateList",
1524 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1525 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1526 Bugs: ProtocolBugs{
1527 EmptyCertificateList: true,
1528 },
1529 },
1530 shouldFail: true,
1531 expectedError: ":DECODE_ERROR:",
1532 },
1533 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1534 name: "EmptyCertificateList-TLS13",
1535 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1536 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1537 Bugs: ProtocolBugs{
1538 EmptyCertificateList: true,
1539 },
1540 },
1541 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1542 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1543 },
1544 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1545 name: "TLSFatalBadPackets",
1546 damageFirstWrite: true,
1547 shouldFail: true,
1548 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1549 },
1550 {
1551 protocol: dtls,
1552 name: "DTLSIgnoreBadPackets",
1553 damageFirstWrite: true,
1554 },
1555 {
1556 protocol: dtls,
1557 name: "DTLSIgnoreBadPackets-Async",
1558 damageFirstWrite: true,
1559 flags: []string{"-async"},
1560 },
1561 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1562 name: "AppDataBeforeHandshake",
1563 config: Config{
1564 Bugs: ProtocolBugs{
1565 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1566 },
1567 },
1568 shouldFail: true,
1569 expectedError: ":UNEXPECTED_RECORD:",
1570 },
1571 {
1572 name: "AppDataBeforeHandshake-Empty",
1573 config: Config{
1574 Bugs: ProtocolBugs{
1575 AppDataBeforeHandshake: []byte{},
1576 },
1577 },
1578 shouldFail: true,
1579 expectedError: ":UNEXPECTED_RECORD:",
1580 },
1581 {
1582 protocol: dtls,
1583 name: "AppDataBeforeHandshake-DTLS",
1584 config: Config{
1585 Bugs: ProtocolBugs{
1586 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1587 },
1588 },
1589 shouldFail: true,
1590 expectedError: ":UNEXPECTED_RECORD:",
1591 },
1592 {
1593 protocol: dtls,
1594 name: "AppDataBeforeHandshake-DTLS-Empty",
1595 config: Config{
1596 Bugs: ProtocolBugs{
1597 AppDataBeforeHandshake: []byte{},
1598 },
1599 },
1600 shouldFail: true,
1601 expectedError: ":UNEXPECTED_RECORD:",
1602 },
1603 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1604 name: "AppDataAfterChangeCipherSpec",
1605 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1606 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1607 Bugs: ProtocolBugs{
1608 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1609 },
1610 },
1611 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1612 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1613 },
1614 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1615 name: "AppDataAfterChangeCipherSpec-Empty",
1616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1617 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1618 Bugs: ProtocolBugs{
1619 AppDataAfterChangeCipherSpec: []byte{},
1620 },
1621 },
1622 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1623 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1624 },
1625 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1626 protocol: dtls,
1627 name: "AppDataAfterChangeCipherSpec-DTLS",
1628 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1629 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1630 Bugs: ProtocolBugs{
1631 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1632 },
1633 },
1634 // BoringSSL's DTLS implementation will drop the out-of-order
1635 // application data.
1636 },
1637 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1638 protocol: dtls,
1639 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1640 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1641 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1642 Bugs: ProtocolBugs{
1643 AppDataAfterChangeCipherSpec: []byte{},
1644 },
1645 },
1646 // BoringSSL's DTLS implementation will drop the out-of-order
1647 // application data.
1648 },
1649 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1650 name: "AlertAfterChangeCipherSpec",
1651 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1652 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1653 Bugs: ProtocolBugs{
1654 AlertAfterChangeCipherSpec: alertRecordOverflow,
1655 },
1656 },
1657 shouldFail: true,
1658 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1659 },
1660 {
1661 protocol: dtls,
1662 name: "AlertAfterChangeCipherSpec-DTLS",
1663 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1664 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1665 Bugs: ProtocolBugs{
1666 AlertAfterChangeCipherSpec: alertRecordOverflow,
1667 },
1668 },
1669 shouldFail: true,
1670 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1671 },
1672 {
1673 protocol: dtls,
1674 name: "ReorderHandshakeFragments-Small-DTLS",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 ReorderHandshakeFragments: true,
1678 // Small enough that every handshake message is
1679 // fragmented.
1680 MaxHandshakeRecordLength: 2,
1681 },
1682 },
1683 },
1684 {
1685 protocol: dtls,
1686 name: "ReorderHandshakeFragments-Large-DTLS",
1687 config: Config{
1688 Bugs: ProtocolBugs{
1689 ReorderHandshakeFragments: true,
1690 // Large enough that no handshake message is
1691 // fragmented.
1692 MaxHandshakeRecordLength: 2048,
1693 },
1694 },
1695 },
1696 {
1697 protocol: dtls,
1698 name: "MixCompleteMessageWithFragments-DTLS",
1699 config: Config{
1700 Bugs: ProtocolBugs{
1701 ReorderHandshakeFragments: true,
1702 MixCompleteMessageWithFragments: true,
1703 MaxHandshakeRecordLength: 2,
1704 },
1705 },
1706 },
1707 {
1708 name: "SendInvalidRecordType",
1709 config: Config{
1710 Bugs: ProtocolBugs{
1711 SendInvalidRecordType: true,
1712 },
1713 },
1714 shouldFail: true,
1715 expectedError: ":UNEXPECTED_RECORD:",
1716 },
1717 {
1718 protocol: dtls,
1719 name: "SendInvalidRecordType-DTLS",
1720 config: Config{
1721 Bugs: ProtocolBugs{
1722 SendInvalidRecordType: true,
1723 },
1724 },
1725 shouldFail: true,
1726 expectedError: ":UNEXPECTED_RECORD:",
1727 },
1728 {
1729 name: "FalseStart-SkipServerSecondLeg",
1730 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1731 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1732 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1733 NextProtos: []string{"foo"},
1734 Bugs: ProtocolBugs{
1735 SkipNewSessionTicket: true,
1736 SkipChangeCipherSpec: true,
1737 SkipFinished: true,
1738 ExpectFalseStart: true,
1739 },
1740 },
1741 flags: []string{
1742 "-false-start",
1743 "-handshake-never-done",
1744 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1745 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1746 },
1747 shimWritesFirst: true,
1748 shouldFail: true,
1749 expectedError: ":UNEXPECTED_RECORD:",
1750 },
1751 {
1752 name: "FalseStart-SkipServerSecondLeg-Implicit",
1753 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1754 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1755 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1756 NextProtos: []string{"foo"},
1757 Bugs: ProtocolBugs{
1758 SkipNewSessionTicket: true,
1759 SkipChangeCipherSpec: true,
1760 SkipFinished: true,
1761 },
1762 },
1763 flags: []string{
1764 "-implicit-handshake",
1765 "-false-start",
1766 "-handshake-never-done",
1767 "-advertise-alpn", "\x03foo",
1768 },
1769 shouldFail: true,
1770 expectedError: ":UNEXPECTED_RECORD:",
1771 },
1772 {
1773 testType: serverTest,
1774 name: "FailEarlyCallback",
1775 flags: []string{"-fail-early-callback"},
1776 shouldFail: true,
1777 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1778 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1779 },
1780 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1781 name: "FailCertCallback-Client-TLS12",
1782 config: Config{
1783 MaxVersion: VersionTLS12,
1784 ClientAuth: RequestClientCert,
1785 },
1786 flags: []string{"-fail-cert-callback"},
1787 shouldFail: true,
1788 expectedError: ":CERT_CB_ERROR:",
1789 expectedLocalError: "remote error: internal error",
1790 },
1791 {
1792 testType: serverTest,
1793 name: "FailCertCallback-Server-TLS12",
1794 config: Config{
1795 MaxVersion: VersionTLS12,
1796 },
1797 flags: []string{"-fail-cert-callback"},
1798 shouldFail: true,
1799 expectedError: ":CERT_CB_ERROR:",
1800 expectedLocalError: "remote error: internal error",
1801 },
1802 {
1803 name: "FailCertCallback-Client-TLS13",
1804 config: Config{
1805 MaxVersion: VersionTLS13,
1806 ClientAuth: RequestClientCert,
1807 },
1808 flags: []string{"-fail-cert-callback"},
1809 shouldFail: true,
1810 expectedError: ":CERT_CB_ERROR:",
1811 expectedLocalError: "remote error: internal error",
1812 },
1813 {
1814 testType: serverTest,
1815 name: "FailCertCallback-Server-TLS13",
1816 config: Config{
1817 MaxVersion: VersionTLS13,
1818 },
1819 flags: []string{"-fail-cert-callback"},
1820 shouldFail: true,
1821 expectedError: ":CERT_CB_ERROR:",
1822 expectedLocalError: "remote error: internal error",
1823 },
1824 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1825 protocol: dtls,
1826 name: "FragmentMessageTypeMismatch-DTLS",
1827 config: Config{
1828 Bugs: ProtocolBugs{
1829 MaxHandshakeRecordLength: 2,
1830 FragmentMessageTypeMismatch: true,
1831 },
1832 },
1833 shouldFail: true,
1834 expectedError: ":FRAGMENT_MISMATCH:",
1835 },
1836 {
1837 protocol: dtls,
1838 name: "FragmentMessageLengthMismatch-DTLS",
1839 config: Config{
1840 Bugs: ProtocolBugs{
1841 MaxHandshakeRecordLength: 2,
1842 FragmentMessageLengthMismatch: true,
1843 },
1844 },
1845 shouldFail: true,
1846 expectedError: ":FRAGMENT_MISMATCH:",
1847 },
1848 {
1849 protocol: dtls,
1850 name: "SplitFragments-Header-DTLS",
1851 config: Config{
1852 Bugs: ProtocolBugs{
1853 SplitFragments: 2,
1854 },
1855 },
1856 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1857 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1858 },
1859 {
1860 protocol: dtls,
1861 name: "SplitFragments-Boundary-DTLS",
1862 config: Config{
1863 Bugs: ProtocolBugs{
1864 SplitFragments: dtlsRecordHeaderLen,
1865 },
1866 },
1867 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1868 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 },
1870 {
1871 protocol: dtls,
1872 name: "SplitFragments-Body-DTLS",
1873 config: Config{
1874 Bugs: ProtocolBugs{
1875 SplitFragments: dtlsRecordHeaderLen + 1,
1876 },
1877 },
1878 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1879 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1880 },
1881 {
1882 protocol: dtls,
1883 name: "SendEmptyFragments-DTLS",
1884 config: Config{
1885 Bugs: ProtocolBugs{
1886 SendEmptyFragments: true,
1887 },
1888 },
1889 },
1890 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1891 name: "BadFinished-Client",
1892 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1893 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 },
1897 },
1898 shouldFail: true,
1899 expectedError: ":DIGEST_CHECK_FAILED:",
1900 },
1901 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1902 name: "BadFinished-Client-TLS13",
1903 config: Config{
1904 MaxVersion: VersionTLS13,
1905 Bugs: ProtocolBugs{
1906 BadFinished: true,
1907 },
1908 },
1909 shouldFail: true,
1910 expectedError: ":DIGEST_CHECK_FAILED:",
1911 },
1912 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1913 testType: serverTest,
1914 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1915 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1916 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1917 Bugs: ProtocolBugs{
1918 BadFinished: true,
1919 },
1920 },
1921 shouldFail: true,
1922 expectedError: ":DIGEST_CHECK_FAILED:",
1923 },
1924 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1925 testType: serverTest,
1926 name: "BadFinished-Server-TLS13",
1927 config: Config{
1928 MaxVersion: VersionTLS13,
1929 Bugs: ProtocolBugs{
1930 BadFinished: true,
1931 },
1932 },
1933 shouldFail: true,
1934 expectedError: ":DIGEST_CHECK_FAILED:",
1935 },
1936 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1937 name: "FalseStart-BadFinished",
1938 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1939 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1940 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1941 NextProtos: []string{"foo"},
1942 Bugs: ProtocolBugs{
1943 BadFinished: true,
1944 ExpectFalseStart: true,
1945 },
1946 },
1947 flags: []string{
1948 "-false-start",
1949 "-handshake-never-done",
1950 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1951 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1952 },
1953 shimWritesFirst: true,
1954 shouldFail: true,
1955 expectedError: ":DIGEST_CHECK_FAILED:",
1956 },
1957 {
1958 name: "NoFalseStart-NoALPN",
1959 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1960 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1961 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1962 Bugs: ProtocolBugs{
1963 ExpectFalseStart: true,
1964 AlertBeforeFalseStartTest: alertAccessDenied,
1965 },
1966 },
1967 flags: []string{
1968 "-false-start",
1969 },
1970 shimWritesFirst: true,
1971 shouldFail: true,
1972 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1973 expectedLocalError: "tls: peer did not false start: EOF",
1974 },
1975 {
1976 name: "NoFalseStart-NoAEAD",
1977 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1978 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1979 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1980 NextProtos: []string{"foo"},
1981 Bugs: ProtocolBugs{
1982 ExpectFalseStart: true,
1983 AlertBeforeFalseStartTest: alertAccessDenied,
1984 },
1985 },
1986 flags: []string{
1987 "-false-start",
1988 "-advertise-alpn", "\x03foo",
1989 },
1990 shimWritesFirst: true,
1991 shouldFail: true,
1992 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1993 expectedLocalError: "tls: peer did not false start: EOF",
1994 },
1995 {
1996 name: "NoFalseStart-RSA",
1997 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1998 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1999 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
2000 NextProtos: []string{"foo"},
2001 Bugs: ProtocolBugs{
2002 ExpectFalseStart: true,
2003 AlertBeforeFalseStartTest: alertAccessDenied,
2004 },
2005 },
2006 flags: []string{
2007 "-false-start",
2008 "-advertise-alpn", "\x03foo",
2009 },
2010 shimWritesFirst: true,
2011 shouldFail: true,
2012 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2013 expectedLocalError: "tls: peer did not false start: EOF",
2014 },
2015 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2016 protocol: dtls,
2017 name: "SendSplitAlert-Sync",
2018 config: Config{
2019 Bugs: ProtocolBugs{
2020 SendSplitAlert: true,
2021 },
2022 },
2023 },
2024 {
2025 protocol: dtls,
2026 name: "SendSplitAlert-Async",
2027 config: Config{
2028 Bugs: ProtocolBugs{
2029 SendSplitAlert: true,
2030 },
2031 },
2032 flags: []string{"-async"},
2033 },
2034 {
2035 protocol: dtls,
2036 name: "PackDTLSHandshake",
2037 config: Config{
2038 Bugs: ProtocolBugs{
2039 MaxHandshakeRecordLength: 2,
2040 PackHandshakeFragments: 20,
2041 PackHandshakeRecords: 200,
2042 },
2043 },
2044 },
2045 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2046 name: "SendEmptyRecords-Pass",
2047 sendEmptyRecords: 32,
2048 },
2049 {
2050 name: "SendEmptyRecords",
2051 sendEmptyRecords: 33,
2052 shouldFail: true,
2053 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2054 },
2055 {
2056 name: "SendEmptyRecords-Async",
2057 sendEmptyRecords: 33,
2058 flags: []string{"-async"},
2059 shouldFail: true,
2060 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2061 },
2062 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2063 name: "SendWarningAlerts-Pass",
2064 config: Config{
2065 MaxVersion: VersionTLS12,
2066 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2067 sendWarningAlerts: 4,
2068 },
2069 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2070 protocol: dtls,
2071 name: "SendWarningAlerts-DTLS-Pass",
2072 config: Config{
2073 MaxVersion: VersionTLS12,
2074 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2075 sendWarningAlerts: 4,
2076 },
2077 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2078 name: "SendWarningAlerts-TLS13",
2079 config: Config{
2080 MaxVersion: VersionTLS13,
2081 },
2082 sendWarningAlerts: 4,
2083 shouldFail: true,
2084 expectedError: ":BAD_ALERT:",
2085 expectedLocalError: "remote error: error decoding message",
2086 },
2087 {
2088 name: "SendWarningAlerts",
2089 config: Config{
2090 MaxVersion: VersionTLS12,
2091 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2092 sendWarningAlerts: 5,
2093 shouldFail: true,
2094 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2095 },
2096 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2097 name: "SendWarningAlerts-Async",
2098 config: Config{
2099 MaxVersion: VersionTLS12,
2100 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2101 sendWarningAlerts: 5,
2102 flags: []string{"-async"},
2103 shouldFail: true,
2104 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2105 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2106 {
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame^]2107 name: "SendBogusAlertType",
2108 sendBogusAlertType: true,
2109 shouldFail: true,
2110 expectedError: ":UNKNOWN_ALERT_TYPE:",
2111 expectedLocalError: "remote error: illegal parameter",
2112 },
2113 {
2114 protocol: dtls,
2115 name: "SendBogusAlertType-DTLS",
2116 sendBogusAlertType: true,
2117 shouldFail: true,
2118 expectedError: ":UNKNOWN_ALERT_TYPE:",
2119 expectedLocalError: "remote error: illegal parameter",
2120 },
2121 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2122 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2123 config: Config{
2124 MaxVersion: VersionTLS13,
2125 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2126 sendKeyUpdates: 33,
2127 keyUpdateRequest: keyUpdateNotRequested,
2128 shouldFail: true,
2129 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2130 },
2131 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2132 name: "EmptySessionID",
2133 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2134 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2135 SessionTicketsDisabled: true,
2136 },
2137 noSessionCache: true,
2138 flags: []string{"-expect-no-session"},
2139 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2140 {
2141 name: "Unclean-Shutdown",
2142 config: Config{
2143 Bugs: ProtocolBugs{
2144 NoCloseNotify: true,
2145 ExpectCloseNotify: true,
2146 },
2147 },
2148 shimShutsDown: true,
2149 flags: []string{"-check-close-notify"},
2150 shouldFail: true,
2151 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2152 },
2153 {
2154 name: "Unclean-Shutdown-Ignored",
2155 config: Config{
2156 Bugs: ProtocolBugs{
2157 NoCloseNotify: true,
2158 },
2159 },
2160 shimShutsDown: true,
2161 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2162 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2163 name: "Unclean-Shutdown-Alert",
2164 config: Config{
2165 Bugs: ProtocolBugs{
2166 SendAlertOnShutdown: alertDecompressionFailure,
2167 ExpectCloseNotify: true,
2168 },
2169 },
2170 shimShutsDown: true,
2171 flags: []string{"-check-close-notify"},
2172 shouldFail: true,
2173 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2174 },
2175 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2176 name: "LargePlaintext",
2177 config: Config{
2178 Bugs: ProtocolBugs{
2179 SendLargeRecords: true,
2180 },
2181 },
2182 messageLen: maxPlaintext + 1,
2183 shouldFail: true,
2184 expectedError: ":DATA_LENGTH_TOO_LONG:",
2185 },
2186 {
2187 protocol: dtls,
2188 name: "LargePlaintext-DTLS",
2189 config: Config{
2190 Bugs: ProtocolBugs{
2191 SendLargeRecords: true,
2192 },
2193 },
2194 messageLen: maxPlaintext + 1,
2195 shouldFail: true,
2196 expectedError: ":DATA_LENGTH_TOO_LONG:",
2197 },
2198 {
2199 name: "LargeCiphertext",
2200 config: Config{
2201 Bugs: ProtocolBugs{
2202 SendLargeRecords: true,
2203 },
2204 },
2205 messageLen: maxPlaintext * 2,
2206 shouldFail: true,
2207 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2208 },
2209 {
2210 protocol: dtls,
2211 name: "LargeCiphertext-DTLS",
2212 config: Config{
2213 Bugs: ProtocolBugs{
2214 SendLargeRecords: true,
2215 },
2216 },
2217 messageLen: maxPlaintext * 2,
2218 // Unlike the other four cases, DTLS drops records which
2219 // are invalid before authentication, so the connection
2220 // does not fail.
2221 expectMessageDropped: true,
2222 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2223 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2224 name: "BadHelloRequest-1",
2225 renegotiate: 1,
2226 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2227 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2228 Bugs: ProtocolBugs{
2229 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2230 },
2231 },
2232 flags: []string{
2233 "-renegotiate-freely",
2234 "-expect-total-renegotiations", "1",
2235 },
2236 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2237 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2238 },
2239 {
2240 name: "BadHelloRequest-2",
2241 renegotiate: 1,
2242 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2243 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2244 Bugs: ProtocolBugs{
2245 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2246 },
2247 },
2248 flags: []string{
2249 "-renegotiate-freely",
2250 "-expect-total-renegotiations", "1",
2251 },
2252 shouldFail: true,
2253 expectedError: ":BAD_HELLO_REQUEST:",
2254 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2255 {
2256 testType: serverTest,
2257 name: "SupportTicketsWithSessionID",
2258 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2259 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2260 SessionTicketsDisabled: true,
2261 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2262 resumeConfig: &Config{
2263 MaxVersion: VersionTLS12,
2264 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2265 resumeSession: true,
2266 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2267 {
2268 protocol: dtls,
2269 name: "DTLS-SendExtraFinished",
2270 config: Config{
2271 Bugs: ProtocolBugs{
2272 SendExtraFinished: true,
2273 },
2274 },
2275 shouldFail: true,
2276 expectedError: ":UNEXPECTED_RECORD:",
2277 },
2278 {
2279 protocol: dtls,
2280 name: "DTLS-SendExtraFinished-Reordered",
2281 config: Config{
2282 Bugs: ProtocolBugs{
2283 MaxHandshakeRecordLength: 2,
2284 ReorderHandshakeFragments: true,
2285 SendExtraFinished: true,
2286 },
2287 },
2288 shouldFail: true,
2289 expectedError: ":UNEXPECTED_RECORD:",
2290 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2291 {
2292 testType: serverTest,
2293 name: "V2ClientHello-EmptyRecordPrefix",
2294 config: Config{
2295 // Choose a cipher suite that does not involve
2296 // elliptic curves, so no extensions are
2297 // involved.
2298 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2299 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2300 Bugs: ProtocolBugs{
2301 SendV2ClientHello: true,
2302 },
2303 },
2304 sendPrefix: string([]byte{
2305 byte(recordTypeHandshake),
2306 3, 1, // version
2307 0, 0, // length
2308 }),
2309 // A no-op empty record may not be sent before V2ClientHello.
2310 shouldFail: true,
2311 expectedError: ":WRONG_VERSION_NUMBER:",
2312 },
2313 {
2314 testType: serverTest,
2315 name: "V2ClientHello-WarningAlertPrefix",
2316 config: Config{
2317 // Choose a cipher suite that does not involve
2318 // elliptic curves, so no extensions are
2319 // involved.
2320 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2321 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2322 Bugs: ProtocolBugs{
2323 SendV2ClientHello: true,
2324 },
2325 },
2326 sendPrefix: string([]byte{
2327 byte(recordTypeAlert),
2328 3, 1, // version
2329 0, 2, // length
2330 alertLevelWarning, byte(alertDecompressionFailure),
2331 }),
2332 // A no-op warning alert may not be sent before V2ClientHello.
2333 shouldFail: true,
2334 expectedError: ":WRONG_VERSION_NUMBER:",
2335 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2336 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2337 name: "KeyUpdate-Client",
2338 config: Config{
2339 MaxVersion: VersionTLS13,
2340 },
2341 sendKeyUpdates: 1,
2342 keyUpdateRequest: keyUpdateNotRequested,
2343 },
2344 {
2345 testType: serverTest,
2346 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2347 config: Config{
2348 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2349 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2350 sendKeyUpdates: 1,
2351 keyUpdateRequest: keyUpdateNotRequested,
2352 },
2353 {
2354 name: "KeyUpdate-InvalidRequestMode",
2355 config: Config{
2356 MaxVersion: VersionTLS13,
2357 },
2358 sendKeyUpdates: 1,
2359 keyUpdateRequest: 42,
2360 shouldFail: true,
2361 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2362 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2363 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2364 // Test that KeyUpdates are acknowledged properly.
2365 name: "KeyUpdate-RequestACK",
2366 config: Config{
2367 MaxVersion: VersionTLS13,
2368 Bugs: ProtocolBugs{
2369 RejectUnsolicitedKeyUpdate: true,
2370 },
2371 },
2372 // Test the shim receiving many KeyUpdates in a row.
2373 sendKeyUpdates: 5,
2374 messageCount: 5,
2375 keyUpdateRequest: keyUpdateRequested,
2376 },
2377 {
2378 // Test that KeyUpdates are acknowledged properly if the
2379 // peer's KeyUpdate is discovered while a write is
2380 // pending.
2381 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2382 config: Config{
2383 MaxVersion: VersionTLS13,
2384 Bugs: ProtocolBugs{
2385 RejectUnsolicitedKeyUpdate: true,
2386 },
2387 },
2388 // Test the shim receiving many KeyUpdates in a row.
2389 sendKeyUpdates: 5,
2390 messageCount: 5,
2391 keyUpdateRequest: keyUpdateRequested,
2392 readWithUnfinishedWrite: true,
2393 flags: []string{"-async"},
2394 },
2395 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2396 name: "SendSNIWarningAlert",
2397 config: Config{
2398 MaxVersion: VersionTLS12,
2399 Bugs: ProtocolBugs{
2400 SendSNIWarningAlert: true,
2401 },
2402 },
2403 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2404 {
2405 testType: serverTest,
2406 name: "ExtraCompressionMethods-TLS12",
2407 config: Config{
2408 MaxVersion: VersionTLS12,
2409 Bugs: ProtocolBugs{
2410 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2411 },
2412 },
2413 },
2414 {
2415 testType: serverTest,
2416 name: "ExtraCompressionMethods-TLS13",
2417 config: Config{
2418 MaxVersion: VersionTLS13,
2419 Bugs: ProtocolBugs{
2420 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2421 },
2422 },
2423 shouldFail: true,
2424 expectedError: ":INVALID_COMPRESSION_LIST:",
2425 expectedLocalError: "remote error: illegal parameter",
2426 },
2427 {
2428 testType: serverTest,
2429 name: "NoNullCompression-TLS12",
2430 config: Config{
2431 MaxVersion: VersionTLS12,
2432 Bugs: ProtocolBugs{
2433 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2434 },
2435 },
2436 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2437 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2438 expectedLocalError: "remote error: illegal parameter",
2439 },
2440 {
2441 testType: serverTest,
2442 name: "NoNullCompression-TLS13",
2443 config: Config{
2444 MaxVersion: VersionTLS13,
2445 Bugs: ProtocolBugs{
2446 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2447 },
2448 },
2449 shouldFail: true,
2450 expectedError: ":INVALID_COMPRESSION_LIST:",
2451 expectedLocalError: "remote error: illegal parameter",
2452 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2453 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2454 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2455 config: Config{
2456 MaxVersion: VersionTLS12,
2457 Bugs: ProtocolBugs{
2458 ExpectGREASE: true,
2459 },
2460 },
2461 flags: []string{"-enable-grease"},
2462 },
2463 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2464 name: "GREASE-Client-TLS13",
2465 config: Config{
2466 MaxVersion: VersionTLS13,
2467 Bugs: ProtocolBugs{
2468 ExpectGREASE: true,
2469 },
2470 },
2471 flags: []string{"-enable-grease"},
2472 },
2473 {
2474 testType: serverTest,
2475 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2476 config: Config{
2477 MaxVersion: VersionTLS13,
2478 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2479 // TLS 1.3 servers are expected to
2480 // always enable GREASE. TLS 1.3 is new,
2481 // so there is no existing ecosystem to
2482 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2483 ExpectGREASE: true,
2484 },
2485 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2486 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2487 {
2488 // Test the server so there is a large certificate as
2489 // well as application data.
2490 testType: serverTest,
2491 name: "MaxSendFragment",
2492 config: Config{
2493 Bugs: ProtocolBugs{
2494 MaxReceivePlaintext: 512,
2495 },
2496 },
2497 messageLen: 1024,
2498 flags: []string{
2499 "-max-send-fragment", "512",
2500 "-read-size", "1024",
2501 },
2502 },
2503 {
2504 // Test the server so there is a large certificate as
2505 // well as application data.
2506 testType: serverTest,
2507 name: "MaxSendFragment-TooLarge",
2508 config: Config{
2509 Bugs: ProtocolBugs{
2510 // Ensure that some of the records are
2511 // 512.
2512 MaxReceivePlaintext: 511,
2513 },
2514 },
2515 messageLen: 1024,
2516 flags: []string{
2517 "-max-send-fragment", "512",
2518 "-read-size", "1024",
2519 },
2520 shouldFail: true,
2521 expectedLocalError: "local error: record overflow",
2522 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2523 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2524 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2525
2526 // Test that very large messages can be received.
2527 cert := rsaCertificate
2528 for i := 0; i < 50; i++ {
2529 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2530 }
2531 testCases = append(testCases, testCase{
2532 name: "LargeMessage",
2533 config: Config{
2534 Certificates: []Certificate{cert},
2535 },
2536 })
2537 testCases = append(testCases, testCase{
2538 protocol: dtls,
2539 name: "LargeMessage-DTLS",
2540 config: Config{
2541 Certificates: []Certificate{cert},
2542 },
2543 })
2544
2545 // They are rejected if the maximum certificate chain length is capped.
2546 testCases = append(testCases, testCase{
2547 name: "LargeMessage-Reject",
2548 config: Config{
2549 Certificates: []Certificate{cert},
2550 },
2551 flags: []string{"-max-cert-list", "16384"},
2552 shouldFail: true,
2553 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2554 })
2555 testCases = append(testCases, testCase{
2556 protocol: dtls,
2557 name: "LargeMessage-Reject-DTLS",
2558 config: Config{
2559 Certificates: []Certificate{cert},
2560 },
2561 flags: []string{"-max-cert-list", "16384"},
2562 shouldFail: true,
2563 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2564 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2565}
2566
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2567func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2568 const psk = "12345"
2569 const pskIdentity = "luggage combo"
2570
2571 var prefix string
2572 if protocol == dtls {
2573 if !ver.hasDTLS {
2574 return
2575 }
2576 prefix = "D"
2577 }
2578
2579 var cert Certificate
2580 var certFile string
2581 var keyFile string
2582 if hasComponent(suite.name, "ECDSA") {
2583 cert = ecdsaP256Certificate
2584 certFile = ecdsaP256CertificateFile
2585 keyFile = ecdsaP256KeyFile
2586 } else {
2587 cert = rsaCertificate
2588 certFile = rsaCertificateFile
2589 keyFile = rsaKeyFile
2590 }
2591
2592 var flags []string
2593 if hasComponent(suite.name, "PSK") {
2594 flags = append(flags,
2595 "-psk", psk,
2596 "-psk-identity", pskIdentity)
2597 }
2598 if hasComponent(suite.name, "NULL") {
2599 // NULL ciphers must be explicitly enabled.
2600 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2601 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2602
2603 var shouldServerFail, shouldClientFail bool
2604 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2605 // BoringSSL clients accept ECDHE on SSLv3, but
2606 // a BoringSSL server will never select it
2607 // because the extension is missing.
2608 shouldServerFail = true
2609 }
2610 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2611 shouldClientFail = true
2612 shouldServerFail = true
2613 }
2614 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2615 shouldClientFail = true
2616 shouldServerFail = true
2617 }
2618 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2619 shouldClientFail = true
2620 shouldServerFail = true
2621 }
2622 if !isDTLSCipher(suite.name) && protocol == dtls {
2623 shouldClientFail = true
2624 shouldServerFail = true
2625 }
2626
2627 var sendCipherSuite uint16
2628 var expectedServerError, expectedClientError string
2629 serverCipherSuites := []uint16{suite.id}
2630 if shouldServerFail {
2631 expectedServerError = ":NO_SHARED_CIPHER:"
2632 }
2633 if shouldClientFail {
2634 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2635 // Configure the server to select ciphers as normal but
2636 // select an incompatible cipher in ServerHello.
2637 serverCipherSuites = nil
2638 sendCipherSuite = suite.id
2639 }
2640
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2641 // For cipher suites and versions where exporters are defined, verify
2642 // that they interoperate.
2643 var exportKeyingMaterial int
2644 if ver.version > VersionSSL30 {
2645 exportKeyingMaterial = 1024
2646 }
2647
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2648 testCases = append(testCases, testCase{
2649 testType: serverTest,
2650 protocol: protocol,
2651 name: prefix + ver.name + "-" + suite.name + "-server",
2652 config: Config{
2653 MinVersion: ver.version,
2654 MaxVersion: ver.version,
2655 CipherSuites: []uint16{suite.id},
2656 Certificates: []Certificate{cert},
2657 PreSharedKey: []byte(psk),
2658 PreSharedKeyIdentity: pskIdentity,
2659 Bugs: ProtocolBugs{
2660 AdvertiseAllConfiguredCiphers: true,
2661 },
2662 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2663 certFile: certFile,
2664 keyFile: keyFile,
2665 flags: flags,
2666 resumeSession: true,
2667 shouldFail: shouldServerFail,
2668 expectedError: expectedServerError,
2669 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2670 })
2671
2672 testCases = append(testCases, testCase{
2673 testType: clientTest,
2674 protocol: protocol,
2675 name: prefix + ver.name + "-" + suite.name + "-client",
2676 config: Config{
2677 MinVersion: ver.version,
2678 MaxVersion: ver.version,
2679 CipherSuites: serverCipherSuites,
2680 Certificates: []Certificate{cert},
2681 PreSharedKey: []byte(psk),
2682 PreSharedKeyIdentity: pskIdentity,
2683 Bugs: ProtocolBugs{
2684 IgnorePeerCipherPreferences: shouldClientFail,
2685 SendCipherSuite: sendCipherSuite,
2686 },
2687 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2688 flags: flags,
2689 resumeSession: true,
2690 shouldFail: shouldClientFail,
2691 expectedError: expectedClientError,
2692 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2693 })
2694
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2695 if shouldClientFail {
2696 return
2697 }
2698
2699 // Ensure the maximum record size is accepted.
2700 testCases = append(testCases, testCase{
2701 protocol: protocol,
2702 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2703 config: Config{
2704 MinVersion: ver.version,
2705 MaxVersion: ver.version,
2706 CipherSuites: []uint16{suite.id},
2707 Certificates: []Certificate{cert},
2708 PreSharedKey: []byte(psk),
2709 PreSharedKeyIdentity: pskIdentity,
2710 },
2711 flags: flags,
2712 messageLen: maxPlaintext,
2713 })
2714
2715 // Test bad records for all ciphers. Bad records are fatal in TLS
2716 // and ignored in DTLS.
2717 var shouldFail bool
2718 var expectedError string
2719 if protocol == tls {
2720 shouldFail = true
2721 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2722 }
2723
2724 testCases = append(testCases, testCase{
2725 protocol: protocol,
2726 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2727 config: Config{
2728 MinVersion: ver.version,
2729 MaxVersion: ver.version,
2730 CipherSuites: []uint16{suite.id},
2731 Certificates: []Certificate{cert},
2732 PreSharedKey: []byte(psk),
2733 PreSharedKeyIdentity: pskIdentity,
2734 },
2735 flags: flags,
2736 damageFirstWrite: true,
2737 messageLen: maxPlaintext,
2738 shouldFail: shouldFail,
2739 expectedError: expectedError,
2740 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2741}
2742
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2743func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2744 const bogusCipher = 0xfe00
2745
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2746 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2747 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2748 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2749 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2750 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2751 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2752 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2753
2754 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2755 name: "NoSharedCipher",
2756 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2757 MaxVersion: VersionTLS12,
2758 CipherSuites: []uint16{},
2759 },
2760 shouldFail: true,
2761 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2762 })
2763
2764 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2765 name: "NoSharedCipher-TLS13",
2766 config: Config{
2767 MaxVersion: VersionTLS13,
2768 CipherSuites: []uint16{},
2769 },
2770 shouldFail: true,
2771 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2772 })
2773
2774 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2775 name: "UnsupportedCipherSuite",
2776 config: Config{
2777 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2778 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2779 Bugs: ProtocolBugs{
2780 IgnorePeerCipherPreferences: true,
2781 },
2782 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2783 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2784 shouldFail: true,
2785 expectedError: ":WRONG_CIPHER_RETURNED:",
2786 })
2787
2788 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2789 name: "ServerHelloBogusCipher",
2790 config: Config{
2791 MaxVersion: VersionTLS12,
2792 Bugs: ProtocolBugs{
2793 SendCipherSuite: bogusCipher,
2794 },
2795 },
2796 shouldFail: true,
2797 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2798 })
2799 testCases = append(testCases, testCase{
2800 name: "ServerHelloBogusCipher-TLS13",
2801 config: Config{
2802 MaxVersion: VersionTLS13,
2803 Bugs: ProtocolBugs{
2804 SendCipherSuite: bogusCipher,
2805 },
2806 },
2807 shouldFail: true,
2808 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2809 })
2810
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2811 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2812 testCases = append(testCases, testCase{
2813 testType: serverTest,
2814 name: "UnknownCipher",
2815 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2816 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2817 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2818 Bugs: ProtocolBugs{
2819 AdvertiseAllConfiguredCiphers: true,
2820 },
2821 },
2822 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2823
2824 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2825 testCases = append(testCases, testCase{
2826 testType: serverTest,
2827 name: "UnknownCipher-TLS13",
2828 config: Config{
2829 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2830 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2831 Bugs: ProtocolBugs{
2832 AdvertiseAllConfiguredCiphers: true,
2833 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2834 },
2835 })
2836
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2837 // Test empty ECDHE_PSK identity hints work as expected.
2838 testCases = append(testCases, testCase{
2839 name: "EmptyECDHEPSKHint",
2840 config: Config{
2841 MaxVersion: VersionTLS12,
2842 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2843 PreSharedKey: []byte("secret"),
2844 },
2845 flags: []string{"-psk", "secret"},
2846 })
2847
2848 // Test empty PSK identity hints work as expected, even if an explicit
2849 // ServerKeyExchange is sent.
2850 testCases = append(testCases, testCase{
2851 name: "ExplicitEmptyPSKHint",
2852 config: Config{
2853 MaxVersion: VersionTLS12,
2854 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2855 PreSharedKey: []byte("secret"),
2856 Bugs: ProtocolBugs{
2857 AlwaysSendPreSharedKeyIdentityHint: true,
2858 },
2859 },
2860 flags: []string{"-psk", "secret"},
2861 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2862
2863 // Test that clients enforce that the server-sent certificate and cipher
2864 // suite match in TLS 1.2.
2865 testCases = append(testCases, testCase{
2866 name: "CertificateCipherMismatch-RSA",
2867 config: Config{
2868 MaxVersion: VersionTLS12,
2869 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2870 Certificates: []Certificate{rsaCertificate},
2871 Bugs: ProtocolBugs{
2872 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2873 },
2874 },
2875 shouldFail: true,
2876 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2877 })
2878 testCases = append(testCases, testCase{
2879 name: "CertificateCipherMismatch-ECDSA",
2880 config: Config{
2881 MaxVersion: VersionTLS12,
2882 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2883 Certificates: []Certificate{ecdsaP256Certificate},
2884 Bugs: ProtocolBugs{
2885 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2886 },
2887 },
2888 shouldFail: true,
2889 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2890 })
2891 testCases = append(testCases, testCase{
2892 name: "CertificateCipherMismatch-Ed25519",
2893 config: Config{
2894 MaxVersion: VersionTLS12,
2895 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2896 Certificates: []Certificate{ed25519Certificate},
2897 Bugs: ProtocolBugs{
2898 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2899 },
2900 },
2901 shouldFail: true,
2902 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2903 })
2904
2905 // Test that servers decline to select a cipher suite which is
2906 // inconsistent with their configured certificate.
2907 testCases = append(testCases, testCase{
2908 testType: serverTest,
2909 name: "ServerCipherFilter-RSA",
2910 config: Config{
2911 MaxVersion: VersionTLS12,
2912 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2913 },
2914 flags: []string{
2915 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2916 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2917 },
2918 shouldFail: true,
2919 expectedError: ":NO_SHARED_CIPHER:",
2920 })
2921 testCases = append(testCases, testCase{
2922 testType: serverTest,
2923 name: "ServerCipherFilter-ECDSA",
2924 config: Config{
2925 MaxVersion: VersionTLS12,
2926 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2927 },
2928 flags: []string{
2929 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2930 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2931 },
2932 shouldFail: true,
2933 expectedError: ":NO_SHARED_CIPHER:",
2934 })
2935 testCases = append(testCases, testCase{
2936 testType: serverTest,
2937 name: "ServerCipherFilter-Ed25519",
2938 config: Config{
2939 MaxVersion: VersionTLS12,
2940 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2941 },
2942 flags: []string{
2943 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2944 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2945 },
2946 shouldFail: true,
2947 expectedError: ":NO_SHARED_CIPHER:",
2948 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2949}
2950
2951func addBadECDSASignatureTests() {
2952 for badR := BadValue(1); badR < NumBadValues; badR++ {
2953 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2954 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2955 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2956 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2957 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2958 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2959 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2960 Bugs: ProtocolBugs{
2961 BadECDSAR: badR,
2962 BadECDSAS: badS,
2963 },
2964 },
2965 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2966 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2967 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2968 testCases = append(testCases, testCase{
2969 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2970 config: Config{
2971 MaxVersion: VersionTLS13,
2972 Certificates: []Certificate{ecdsaP256Certificate},
2973 Bugs: ProtocolBugs{
2974 BadECDSAR: badR,
2975 BadECDSAS: badS,
2976 },
2977 },
2978 shouldFail: true,
2979 expectedError: ":BAD_SIGNATURE:",
2980 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2981 }
2982 }
2983}
2984
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2985func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2986 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2987 name: "MaxCBCPadding",
2988 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2989 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2990 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2991 Bugs: ProtocolBugs{
2992 MaxPadding: true,
2993 },
2994 },
2995 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2996 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2997 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2998 name: "BadCBCPadding",
2999 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3000 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3001 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3002 Bugs: ProtocolBugs{
3003 PaddingFirstByteBad: true,
3004 },
3005 },
3006 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3007 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3008 })
3009 // OpenSSL previously had an issue where the first byte of padding in
3010 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3011 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3012 name: "BadCBCPadding255",
3013 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3014 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3015 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3016 Bugs: ProtocolBugs{
3017 MaxPadding: true,
3018 PaddingFirstByteBadIf255: true,
3019 },
3020 },
3021 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3022 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3023 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3024 })
3025}
3026
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3027func addCBCSplittingTests() {
3028 testCases = append(testCases, testCase{
3029 name: "CBCRecordSplitting",
3030 config: Config{
3031 MaxVersion: VersionTLS10,
3032 MinVersion: VersionTLS10,
3033 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3034 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3035 messageLen: -1, // read until EOF
3036 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3037 flags: []string{
3038 "-async",
3039 "-write-different-record-sizes",
3040 "-cbc-record-splitting",
3041 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3042 })
3043 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3044 name: "CBCRecordSplittingPartialWrite",
3045 config: Config{
3046 MaxVersion: VersionTLS10,
3047 MinVersion: VersionTLS10,
3048 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3049 },
3050 messageLen: -1, // read until EOF
3051 flags: []string{
3052 "-async",
3053 "-write-different-record-sizes",
3054 "-cbc-record-splitting",
3055 "-partial-write",
3056 },
3057 })
3058}
3059
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3060func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3061 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3062 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3063 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3064 cert, err := x509.ParseCertificate(cert.Certificate[0])
3065 if err != nil {
3066 panic(err)
3067 }
3068 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3069 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3070 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3071
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3072 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3073 testCases = append(testCases, testCase{
3074 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3075 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3076 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3077 MinVersion: ver.version,
3078 MaxVersion: ver.version,
3079 ClientAuth: RequireAnyClientCert,
3080 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3081 },
3082 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3083 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3084 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3085 },
3086 })
3087 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3088 testType: serverTest,
3089 name: ver.name + "-Server-ClientAuth-RSA",
3090 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3091 MinVersion: ver.version,
3092 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3093 Certificates: []Certificate{rsaCertificate},
3094 },
3095 flags: []string{"-require-any-client-certificate"},
3096 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3097 if ver.version != VersionSSL30 {
3098 testCases = append(testCases, testCase{
3099 testType: serverTest,
3100 name: ver.name + "-Server-ClientAuth-ECDSA",
3101 config: Config{
3102 MinVersion: ver.version,
3103 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3104 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3105 },
3106 flags: []string{"-require-any-client-certificate"},
3107 })
3108 testCases = append(testCases, testCase{
3109 testType: clientTest,
3110 name: ver.name + "-Client-ClientAuth-ECDSA",
3111 config: Config{
3112 MinVersion: ver.version,
3113 MaxVersion: ver.version,
3114 ClientAuth: RequireAnyClientCert,
3115 ClientCAs: certPool,
3116 },
3117 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3118 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3119 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3120 },
3121 })
3122 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3123
3124 testCases = append(testCases, testCase{
3125 name: "NoClientCertificate-" + ver.name,
3126 config: Config{
3127 MinVersion: ver.version,
3128 MaxVersion: ver.version,
3129 ClientAuth: RequireAnyClientCert,
3130 },
3131 shouldFail: true,
3132 expectedLocalError: "client didn't provide a certificate",
3133 })
3134
3135 testCases = append(testCases, testCase{
3136 // Even if not configured to expect a certificate, OpenSSL will
3137 // return X509_V_OK as the verify_result.
3138 testType: serverTest,
3139 name: "NoClientCertificateRequested-Server-" + ver.name,
3140 config: Config{
3141 MinVersion: ver.version,
3142 MaxVersion: ver.version,
3143 },
3144 flags: []string{
3145 "-expect-verify-result",
3146 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3147 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3148 })
3149
3150 testCases = append(testCases, testCase{
3151 // If a client certificate is not provided, OpenSSL will still
3152 // return X509_V_OK as the verify_result.
3153 testType: serverTest,
3154 name: "NoClientCertificate-Server-" + ver.name,
3155 config: Config{
3156 MinVersion: ver.version,
3157 MaxVersion: ver.version,
3158 },
3159 flags: []string{
3160 "-expect-verify-result",
3161 "-verify-peer",
3162 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3163 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3164 })
3165
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3166 certificateRequired := "remote error: certificate required"
3167 if ver.version < VersionTLS13 {
3168 // Prior to TLS 1.3, the generic handshake_failure alert
3169 // was used.
3170 certificateRequired = "remote error: handshake failure"
3171 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3172 testCases = append(testCases, testCase{
3173 testType: serverTest,
3174 name: "RequireAnyClientCertificate-" + ver.name,
3175 config: Config{
3176 MinVersion: ver.version,
3177 MaxVersion: ver.version,
3178 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3179 flags: []string{"-require-any-client-certificate"},
3180 shouldFail: true,
3181 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3182 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3183 })
3184
3185 if ver.version != VersionSSL30 {
3186 testCases = append(testCases, testCase{
3187 testType: serverTest,
3188 name: "SkipClientCertificate-" + ver.name,
3189 config: Config{
3190 MinVersion: ver.version,
3191 MaxVersion: ver.version,
3192 Bugs: ProtocolBugs{
3193 SkipClientCertificate: true,
3194 },
3195 },
3196 // Setting SSL_VERIFY_PEER allows anonymous clients.
3197 flags: []string{"-verify-peer"},
3198 shouldFail: true,
3199 expectedError: ":UNEXPECTED_MESSAGE:",
3200 })
3201 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3202
3203 testCases = append(testCases, testCase{
3204 testType: serverTest,
3205 name: ver.name + "-Server-CertReq-CA-List",
3206 config: Config{
3207 MinVersion: ver.version,
3208 MaxVersion: ver.version,
3209 Certificates: []Certificate{rsaCertificate},
3210 Bugs: ProtocolBugs{
3211 ExpectCertificateReqNames: caNames,
3212 },
3213 },
3214 flags: []string{
3215 "-require-any-client-certificate",
3216 "-use-client-ca-list", encodeDERValues(caNames),
3217 },
3218 })
3219
3220 testCases = append(testCases, testCase{
3221 testType: clientTest,
3222 name: ver.name + "-Client-CertReq-CA-List",
3223 config: Config{
3224 MinVersion: ver.version,
3225 MaxVersion: ver.version,
3226 Certificates: []Certificate{rsaCertificate},
3227 ClientAuth: RequireAnyClientCert,
3228 ClientCAs: certPool,
3229 },
3230 flags: []string{
3231 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3232 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3233 "-expect-client-ca-list", encodeDERValues(caNames),
3234 },
3235 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3236 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3237
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3238 // Client auth is only legal in certificate-based ciphers.
3239 testCases = append(testCases, testCase{
3240 testType: clientTest,
3241 name: "ClientAuth-PSK",
3242 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3243 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3244 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3245 PreSharedKey: []byte("secret"),
3246 ClientAuth: RequireAnyClientCert,
3247 },
3248 flags: []string{
3249 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3250 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3251 "-psk", "secret",
3252 },
3253 shouldFail: true,
3254 expectedError: ":UNEXPECTED_MESSAGE:",
3255 })
3256 testCases = append(testCases, testCase{
3257 testType: clientTest,
3258 name: "ClientAuth-ECDHE_PSK",
3259 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3260 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3261 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3262 PreSharedKey: []byte("secret"),
3263 ClientAuth: RequireAnyClientCert,
3264 },
3265 flags: []string{
3266 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3267 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3268 "-psk", "secret",
3269 },
3270 shouldFail: true,
3271 expectedError: ":UNEXPECTED_MESSAGE:",
3272 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3273
3274 // Regression test for a bug where the client CA list, if explicitly
3275 // set to NULL, was mis-encoded.
3276 testCases = append(testCases, testCase{
3277 testType: serverTest,
3278 name: "Null-Client-CA-List",
3279 config: Config{
3280 MaxVersion: VersionTLS12,
3281 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3282 Bugs: ProtocolBugs{
3283 ExpectCertificateReqNames: [][]byte{},
3284 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3285 },
3286 flags: []string{
3287 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3288 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3289 },
3290 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3291}
3292
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3293func addExtendedMasterSecretTests() {
3294 const expectEMSFlag = "-expect-extended-master-secret"
3295
3296 for _, with := range []bool{false, true} {
3297 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3298 if with {
3299 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3300 }
3301
3302 for _, isClient := range []bool{false, true} {
3303 suffix := "-Server"
3304 testType := serverTest
3305 if isClient {
3306 suffix = "-Client"
3307 testType = clientTest
3308 }
3309
3310 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3311 // In TLS 1.3, the extension is irrelevant and
3312 // always reports as enabled.
3313 var flags []string
3314 if with || ver.version >= VersionTLS13 {
3315 flags = []string{expectEMSFlag}
3316 }
3317
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3318 test := testCase{
3319 testType: testType,
3320 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3321 config: Config{
3322 MinVersion: ver.version,
3323 MaxVersion: ver.version,
3324 Bugs: ProtocolBugs{
3325 NoExtendedMasterSecret: !with,
3326 RequireExtendedMasterSecret: with,
3327 },
3328 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3329 flags: flags,
3330 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3331 }
3332 if test.shouldFail {
3333 test.expectedLocalError = "extended master secret required but not supported by peer"
3334 }
3335 testCases = append(testCases, test)
3336 }
3337 }
3338 }
3339
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3340 for _, isClient := range []bool{false, true} {
3341 for _, supportedInFirstConnection := range []bool{false, true} {
3342 for _, supportedInResumeConnection := range []bool{false, true} {
3343 boolToWord := func(b bool) string {
3344 if b {
3345 return "Yes"
3346 }
3347 return "No"
3348 }
3349 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3350 if isClient {
3351 suffix += "Client"
3352 } else {
3353 suffix += "Server"
3354 }
3355
3356 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3357 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3358 Bugs: ProtocolBugs{
3359 RequireExtendedMasterSecret: true,
3360 },
3361 }
3362
3363 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3364 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3365 Bugs: ProtocolBugs{
3366 NoExtendedMasterSecret: true,
3367 },
3368 }
3369
3370 test := testCase{
3371 name: "ExtendedMasterSecret-" + suffix,
3372 resumeSession: true,
3373 }
3374
3375 if !isClient {
3376 test.testType = serverTest
3377 }
3378
3379 if supportedInFirstConnection {
3380 test.config = supportedConfig
3381 } else {
3382 test.config = noSupportConfig
3383 }
3384
3385 if supportedInResumeConnection {
3386 test.resumeConfig = &supportedConfig
3387 } else {
3388 test.resumeConfig = &noSupportConfig
3389 }
3390
3391 switch suffix {
3392 case "YesToYes-Client", "YesToYes-Server":
3393 // When a session is resumed, it should
3394 // still be aware that its master
3395 // secret was generated via EMS and
3396 // thus it's safe to use tls-unique.
3397 test.flags = []string{expectEMSFlag}
3398 case "NoToYes-Server":
3399 // If an original connection did not
3400 // contain EMS, but a resumption
3401 // handshake does, then a server should
3402 // not resume the session.
3403 test.expectResumeRejected = true
3404 case "YesToNo-Server":
3405 // Resuming an EMS session without the
3406 // EMS extension should cause the
3407 // server to abort the connection.
3408 test.shouldFail = true
3409 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3410 case "NoToYes-Client":
3411 // A client should abort a connection
3412 // where the server resumed a non-EMS
3413 // session but echoed the EMS
3414 // extension.
3415 test.shouldFail = true
3416 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3417 case "YesToNo-Client":
3418 // A client should abort a connection
3419 // where the server didn't echo EMS
3420 // when the session used it.
3421 test.shouldFail = true
3422 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3423 }
3424
3425 testCases = append(testCases, test)
3426 }
3427 }
3428 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3429
3430 // Switching EMS on renegotiation is forbidden.
3431 testCases = append(testCases, testCase{
3432 name: "ExtendedMasterSecret-Renego-NoEMS",
3433 config: Config{
3434 MaxVersion: VersionTLS12,
3435 Bugs: ProtocolBugs{
3436 NoExtendedMasterSecret: true,
3437 NoExtendedMasterSecretOnRenegotiation: true,
3438 },
3439 },
3440 renegotiate: 1,
3441 flags: []string{
3442 "-renegotiate-freely",
3443 "-expect-total-renegotiations", "1",
3444 },
3445 })
3446
3447 testCases = append(testCases, testCase{
3448 name: "ExtendedMasterSecret-Renego-Upgrade",
3449 config: Config{
3450 MaxVersion: VersionTLS12,
3451 Bugs: ProtocolBugs{
3452 NoExtendedMasterSecret: true,
3453 },
3454 },
3455 renegotiate: 1,
3456 flags: []string{
3457 "-renegotiate-freely",
3458 "-expect-total-renegotiations", "1",
3459 },
3460 shouldFail: true,
3461 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3462 })
3463
3464 testCases = append(testCases, testCase{
3465 name: "ExtendedMasterSecret-Renego-Downgrade",
3466 config: Config{
3467 MaxVersion: VersionTLS12,
3468 Bugs: ProtocolBugs{
3469 NoExtendedMasterSecretOnRenegotiation: true,
3470 },
3471 },
3472 renegotiate: 1,
3473 flags: []string{
3474 "-renegotiate-freely",
3475 "-expect-total-renegotiations", "1",
3476 },
3477 shouldFail: true,
3478 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3479 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3480}
3481
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3482type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3483 protocol protocol
3484 async bool
3485 splitHandshake bool
3486 packHandshakeFlight bool
3487 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3488}
3489
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3490// Adds tests that try to cover the range of the handshake state machine, under
3491// various conditions. Some of these are redundant with other tests, but they
3492// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3493func addAllStateMachineCoverageTests() {
3494 for _, async := range []bool{false, true} {
3495 for _, protocol := range []protocol{tls, dtls} {
3496 addStateMachineCoverageTests(stateMachineTestConfig{
3497 protocol: protocol,
3498 async: async,
3499 })
3500 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3501 protocol: protocol,
3502 async: async,
3503 implicitHandshake: true,
3504 })
3505 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3506 protocol: protocol,
3507 async: async,
3508 splitHandshake: true,
3509 })
3510 if protocol == tls {
3511 addStateMachineCoverageTests(stateMachineTestConfig{
3512 protocol: protocol,
3513 async: async,
3514 packHandshakeFlight: true,
3515 })
3516 }
3517 }
3518 }
3519}
3520
3521func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3522 var tests []testCase
3523
3524 // Basic handshake, with resumption. Client and server,
3525 // session ID and session ticket.
3526 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3527 name: "Basic-Client",
3528 config: Config{
3529 MaxVersion: VersionTLS12,
3530 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3531 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3532 // Ensure session tickets are used, not session IDs.
3533 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3534 })
3535 tests = append(tests, testCase{
3536 name: "Basic-Client-RenewTicket",
3537 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3538 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3539 Bugs: ProtocolBugs{
3540 RenewTicketOnResume: true,
3541 },
3542 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3543 flags: []string{"-expect-ticket-renewal"},
3544 resumeSession: true,
3545 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3546 })
3547 tests = append(tests, testCase{
3548 name: "Basic-Client-NoTicket",
3549 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3550 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3551 SessionTicketsDisabled: true,
3552 },
3553 resumeSession: true,
3554 })
3555 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3556 testType: serverTest,
3557 name: "Basic-Server",
3558 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3559 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3560 Bugs: ProtocolBugs{
3561 RequireSessionTickets: true,
3562 },
3563 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3564 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3565 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3566 })
3567 tests = append(tests, testCase{
3568 testType: serverTest,
3569 name: "Basic-Server-NoTickets",
3570 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3571 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3572 SessionTicketsDisabled: true,
3573 },
3574 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3575 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3576 })
3577 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3578 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3579 name: "Basic-Server-EarlyCallback",
3580 config: Config{
3581 MaxVersion: VersionTLS12,
3582 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3583 flags: []string{"-use-early-callback"},
3584 resumeSession: true,
3585 })
3586
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3587 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3588 if config.protocol == tls {
3589 tests = append(tests, testCase{
3590 name: "TLS13-1RTT-Client",
3591 config: Config{
3592 MaxVersion: VersionTLS13,
3593 MinVersion: VersionTLS13,
3594 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3595 resumeSession: true,
3596 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3597 })
3598
3599 tests = append(tests, testCase{
3600 testType: serverTest,
3601 name: "TLS13-1RTT-Server",
3602 config: Config{
3603 MaxVersion: VersionTLS13,
3604 MinVersion: VersionTLS13,
3605 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3606 resumeSession: true,
3607 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3608 // TLS 1.3 uses tickets, so the session should not be
3609 // cached statefully.
3610 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3611 })
3612
3613 tests = append(tests, testCase{
3614 name: "TLS13-HelloRetryRequest-Client",
3615 config: Config{
3616 MaxVersion: VersionTLS13,
3617 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3618 // P-384 requires a HelloRetryRequest against BoringSSL's default
3619 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3620 CurvePreferences: []CurveID{CurveP384},
3621 Bugs: ProtocolBugs{
3622 ExpectMissingKeyShare: true,
3623 },
3624 },
3625 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3626 resumeSession: true,
3627 })
3628
3629 tests = append(tests, testCase{
3630 testType: serverTest,
3631 name: "TLS13-HelloRetryRequest-Server",
3632 config: Config{
3633 MaxVersion: VersionTLS13,
3634 MinVersion: VersionTLS13,
3635 // Require a HelloRetryRequest for every curve.
3636 DefaultCurves: []CurveID{},
3637 },
3638 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3639 resumeSession: true,
3640 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3641
3642 // TODO(svaldez): Send data on early data once implemented.
3643 tests = append(tests, testCase{
3644 testType: clientTest,
3645 name: "TLS13-EarlyData-Client",
3646 config: Config{
3647 MaxVersion: VersionTLS13,
3648 MinVersion: VersionTLS13,
3649 MaxEarlyDataSize: 16384,
3650 },
3651 resumeSession: true,
3652 flags: []string{
3653 "-enable-early-data",
3654 "-expect-early-data-info",
3655 "-expect-accept-early-data",
3656 },
3657 })
3658
3659 tests = append(tests, testCase{
3660 testType: serverTest,
3661 name: "TLS13-EarlyData-Server",
3662 config: Config{
3663 MaxVersion: VersionTLS13,
3664 MinVersion: VersionTLS13,
3665 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3666 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3667 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3668 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3669 },
3670 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3671 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3672 resumeSession: true,
3673 flags: []string{
3674 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3675 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3676 },
3677 })
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3678
3679 tests = append(tests, testCase{
3680 testType: serverTest,
3681 name: "TLS13-MaxEarlyData-Server",
3682 config: Config{
3683 MaxVersion: VersionTLS13,
3684 MinVersion: VersionTLS13,
3685 Bugs: ProtocolBugs{
David Benjamin29975892017-04-27 23:47:21 -0400[diff] [blame]3686 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3687 ExpectEarlyDataAccepted: true,
3688 },
3689 },
3690 messageCount: 2,
3691 resumeSession: true,
3692 flags: []string{
3693 "-enable-early-data",
3694 "-expect-accept-early-data",
3695 },
3696 shouldFail: true,
3697 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
3698 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3699 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3700
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3701 // TLS client auth.
3702 tests = append(tests, testCase{
3703 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3704 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3705 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3706 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3707 ClientAuth: RequestClientCert,
3708 },
3709 })
3710 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3711 testType: serverTest,
3712 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3713 config: Config{
3714 MaxVersion: VersionTLS12,
3715 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3716 // Setting SSL_VERIFY_PEER allows anonymous clients.
3717 flags: []string{"-verify-peer"},
3718 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3719 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3720 tests = append(tests, testCase{
3721 testType: clientTest,
3722 name: "ClientAuth-NoCertificate-Client-SSL3",
3723 config: Config{
3724 MaxVersion: VersionSSL30,
3725 ClientAuth: RequestClientCert,
3726 },
3727 })
3728 tests = append(tests, testCase{
3729 testType: serverTest,
3730 name: "ClientAuth-NoCertificate-Server-SSL3",
3731 config: Config{
3732 MaxVersion: VersionSSL30,
3733 },
3734 // Setting SSL_VERIFY_PEER allows anonymous clients.
3735 flags: []string{"-verify-peer"},
3736 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3737 tests = append(tests, testCase{
3738 testType: clientTest,
3739 name: "ClientAuth-NoCertificate-Client-TLS13",
3740 config: Config{
3741 MaxVersion: VersionTLS13,
3742 ClientAuth: RequestClientCert,
3743 },
3744 })
3745 tests = append(tests, testCase{
3746 testType: serverTest,
3747 name: "ClientAuth-NoCertificate-Server-TLS13",
3748 config: Config{
3749 MaxVersion: VersionTLS13,
3750 },
3751 // Setting SSL_VERIFY_PEER allows anonymous clients.
3752 flags: []string{"-verify-peer"},
3753 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3754 }
3755 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3756 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3757 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3758 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3759 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3760 ClientAuth: RequireAnyClientCert,
3761 },
3762 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3763 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3764 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3765 },
3766 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3767 tests = append(tests, testCase{
3768 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3769 name: "ClientAuth-RSA-Client-TLS13",
3770 config: Config{
3771 MaxVersion: VersionTLS13,
3772 ClientAuth: RequireAnyClientCert,
3773 },
3774 flags: []string{
3775 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3776 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3777 },
3778 })
3779 tests = append(tests, testCase{
3780 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3781 name: "ClientAuth-ECDSA-Client",
3782 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3783 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3784 ClientAuth: RequireAnyClientCert,
3785 },
3786 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3787 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3788 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3789 },
3790 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3791 tests = append(tests, testCase{
3792 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3793 name: "ClientAuth-ECDSA-Client-TLS13",
3794 config: Config{
3795 MaxVersion: VersionTLS13,
3796 ClientAuth: RequireAnyClientCert,
3797 },
3798 flags: []string{
3799 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3800 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3801 },
3802 })
3803 tests = append(tests, testCase{
3804 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3805 name: "ClientAuth-NoCertificate-OldCallback",
3806 config: Config{
3807 MaxVersion: VersionTLS12,
3808 ClientAuth: RequestClientCert,
3809 },
3810 flags: []string{"-use-old-client-cert-callback"},
3811 })
3812 tests = append(tests, testCase{
3813 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3814 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3815 config: Config{
3816 MaxVersion: VersionTLS13,
3817 ClientAuth: RequestClientCert,
3818 },
3819 flags: []string{"-use-old-client-cert-callback"},
3820 })
3821 tests = append(tests, testCase{
3822 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3823 name: "ClientAuth-OldCallback",
3824 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3825 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3826 ClientAuth: RequireAnyClientCert,
3827 },
3828 flags: []string{
3829 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3830 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3831 "-use-old-client-cert-callback",
3832 },
3833 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3834 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3835 testType: clientTest,
3836 name: "ClientAuth-OldCallback-TLS13",
3837 config: Config{
3838 MaxVersion: VersionTLS13,
3839 ClientAuth: RequireAnyClientCert,
3840 },
3841 flags: []string{
3842 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3843 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3844 "-use-old-client-cert-callback",
3845 },
3846 })
3847 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3848 testType: serverTest,
3849 name: "ClientAuth-Server",
3850 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3851 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3852 Certificates: []Certificate{rsaCertificate},
3853 },
3854 flags: []string{"-require-any-client-certificate"},
3855 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3856 tests = append(tests, testCase{
3857 testType: serverTest,
3858 name: "ClientAuth-Server-TLS13",
3859 config: Config{
3860 MaxVersion: VersionTLS13,
3861 Certificates: []Certificate{rsaCertificate},
3862 },
3863 flags: []string{"-require-any-client-certificate"},
3864 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3865
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3866 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3867 tests = append(tests, testCase{
3868 testType: serverTest,
3869 name: "Basic-Server-RSA",
3870 config: Config{
3871 MaxVersion: VersionTLS12,
3872 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3873 },
3874 flags: []string{
3875 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3876 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3877 },
3878 })
3879 tests = append(tests, testCase{
3880 testType: serverTest,
3881 name: "Basic-Server-ECDHE-RSA",
3882 config: Config{
3883 MaxVersion: VersionTLS12,
3884 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3885 },
3886 flags: []string{
3887 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3888 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3889 },
3890 })
3891 tests = append(tests, testCase{
3892 testType: serverTest,
3893 name: "Basic-Server-ECDHE-ECDSA",
3894 config: Config{
3895 MaxVersion: VersionTLS12,
3896 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3897 },
3898 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3899 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3900 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3901 },
3902 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3903 tests = append(tests, testCase{
3904 testType: serverTest,
3905 name: "Basic-Server-Ed25519",
3906 config: Config{
3907 MaxVersion: VersionTLS12,
3908 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3909 },
3910 flags: []string{
3911 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3912 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3913 "-enable-ed25519",
3914 },
3915 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3916
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3917 // No session ticket support; server doesn't send NewSessionTicket.
3918 tests = append(tests, testCase{
3919 name: "SessionTicketsDisabled-Client",
3920 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3921 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3922 SessionTicketsDisabled: true,
3923 },
3924 })
3925 tests = append(tests, testCase{
3926 testType: serverTest,
3927 name: "SessionTicketsDisabled-Server",
3928 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3929 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3930 SessionTicketsDisabled: true,
3931 },
3932 })
3933
3934 // Skip ServerKeyExchange in PSK key exchange if there's no
3935 // identity hint.
3936 tests = append(tests, testCase{
3937 name: "EmptyPSKHint-Client",
3938 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3939 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3940 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3941 PreSharedKey: []byte("secret"),
3942 },
3943 flags: []string{"-psk", "secret"},
3944 })
3945 tests = append(tests, testCase{
3946 testType: serverTest,
3947 name: "EmptyPSKHint-Server",
3948 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3949 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3950 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3951 PreSharedKey: []byte("secret"),
3952 },
3953 flags: []string{"-psk", "secret"},
3954 })
3955
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3956 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3957 tests = append(tests, testCase{
3958 testType: clientTest,
3959 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3960 config: Config{
3961 MaxVersion: VersionTLS12,
3962 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3963 flags: []string{
3964 "-enable-ocsp-stapling",
3965 "-expect-ocsp-response",
3966 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3967 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3968 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3969 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3970 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3971 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3972 testType: serverTest,
3973 name: "OCSPStapling-Server",
3974 config: Config{
3975 MaxVersion: VersionTLS12,
3976 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3977 expectedOCSPResponse: testOCSPResponse,
3978 flags: []string{
3979 "-ocsp-response",
3980 base64.StdEncoding.EncodeToString(testOCSPResponse),
3981 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3982 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3983 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3984 tests = append(tests, testCase{
3985 testType: clientTest,
3986 name: "OCSPStapling-Client-TLS13",
3987 config: Config{
3988 MaxVersion: VersionTLS13,
3989 },
3990 flags: []string{
3991 "-enable-ocsp-stapling",
3992 "-expect-ocsp-response",
3993 base64.StdEncoding.EncodeToString(testOCSPResponse),
3994 "-verify-peer",
3995 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3996 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3997 })
3998 tests = append(tests, testCase{
3999 testType: serverTest,
4000 name: "OCSPStapling-Server-TLS13",
4001 config: Config{
4002 MaxVersion: VersionTLS13,
4003 },
4004 expectedOCSPResponse: testOCSPResponse,
4005 flags: []string{
4006 "-ocsp-response",
4007 base64.StdEncoding.EncodeToString(testOCSPResponse),
4008 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4009 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4010 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4011
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4012 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4013 for _, vers := range tlsVersions {
4014 if config.protocol == dtls && !vers.hasDTLS {
4015 continue
4016 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4017 for _, testType := range []testType{clientTest, serverTest} {
4018 suffix := "-Client"
4019 if testType == serverTest {
4020 suffix = "-Server"
4021 }
4022 suffix += "-" + vers.name
4023
4024 flag := "-verify-peer"
4025 if testType == serverTest {
4026 flag = "-require-any-client-certificate"
4027 }
4028
4029 tests = append(tests, testCase{
4030 testType: testType,
4031 name: "CertificateVerificationSucceed" + suffix,
4032 config: Config{
4033 MaxVersion: vers.version,
4034 Certificates: []Certificate{rsaCertificate},
4035 },
4036 flags: []string{
4037 flag,
4038 "-expect-verify-result",
4039 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4040 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4041 })
4042 tests = append(tests, testCase{
4043 testType: testType,
4044 name: "CertificateVerificationFail" + suffix,
4045 config: Config{
4046 MaxVersion: vers.version,
4047 Certificates: []Certificate{rsaCertificate},
4048 },
4049 flags: []string{
4050 flag,
4051 "-verify-fail",
4052 },
4053 shouldFail: true,
4054 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4055 })
4056 }
4057
4058 // By default, the client is in a soft fail mode where the peer
4059 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4060 tests = append(tests, testCase{
4061 testType: clientTest,
4062 name: "CertificateVerificationSoftFail-" + vers.name,
4063 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4064 MaxVersion: vers.version,
4065 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4066 },
4067 flags: []string{
4068 "-verify-fail",
4069 "-expect-verify-result",
4070 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4071 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4072 })
4073 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4074
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4075 tests = append(tests, testCase{
4076 name: "ShimSendAlert",
4077 flags: []string{"-send-alert"},
4078 shimWritesFirst: true,
4079 shouldFail: true,
4080 expectedLocalError: "remote error: decompression failure",
4081 })
4082
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4083 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4084 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4085 name: "Renegotiate-Client",
4086 config: Config{
4087 MaxVersion: VersionTLS12,
4088 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4089 renegotiate: 1,
4090 flags: []string{
4091 "-renegotiate-freely",
4092 "-expect-total-renegotiations", "1",
4093 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4094 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4095
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4096 tests = append(tests, testCase{
4097 name: "SendHalfHelloRequest",
4098 config: Config{
4099 MaxVersion: VersionTLS12,
4100 Bugs: ProtocolBugs{
4101 PackHelloRequestWithFinished: config.packHandshakeFlight,
4102 },
4103 },
4104 sendHalfHelloRequest: true,
4105 flags: []string{"-renegotiate-ignore"},
4106 shouldFail: true,
4107 expectedError: ":UNEXPECTED_RECORD:",
4108 })
4109
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4110 // NPN on client and server; results in post-handshake message.
4111 tests = append(tests, testCase{
4112 name: "NPN-Client",
4113 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4114 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4115 NextProtos: []string{"foo"},
4116 },
4117 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4118 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4119 expectedNextProto: "foo",
4120 expectedNextProtoType: npn,
4121 })
4122 tests = append(tests, testCase{
4123 testType: serverTest,
4124 name: "NPN-Server",
4125 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4126 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4127 NextProtos: []string{"bar"},
4128 },
4129 flags: []string{
4130 "-advertise-npn", "\x03foo\x03bar\x03baz",
4131 "-expect-next-proto", "bar",
4132 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4133 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4134 expectedNextProto: "bar",
4135 expectedNextProtoType: npn,
4136 })
4137
4138 // TODO(davidben): Add tests for when False Start doesn't trigger.
4139
4140 // Client does False Start and negotiates NPN.
4141 tests = append(tests, testCase{
4142 name: "FalseStart",
4143 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4144 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4145 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4146 NextProtos: []string{"foo"},
4147 Bugs: ProtocolBugs{
4148 ExpectFalseStart: true,
4149 },
4150 },
4151 flags: []string{
4152 "-false-start",
4153 "-select-next-proto", "foo",
4154 },
4155 shimWritesFirst: true,
4156 resumeSession: true,
4157 })
4158
4159 // Client does False Start and negotiates ALPN.
4160 tests = append(tests, testCase{
4161 name: "FalseStart-ALPN",
4162 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4163 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4164 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4165 NextProtos: []string{"foo"},
4166 Bugs: ProtocolBugs{
4167 ExpectFalseStart: true,
4168 },
4169 },
4170 flags: []string{
4171 "-false-start",
4172 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]4173 "-expect-alpn", "foo",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4174 },
4175 shimWritesFirst: true,
4176 resumeSession: true,
4177 })
4178
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4179 // False Start without session tickets.
4180 tests = append(tests, testCase{
4181 name: "FalseStart-SessionTicketsDisabled",
4182 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4183 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4184 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4185 NextProtos: []string{"foo"},
4186 SessionTicketsDisabled: true,
4187 Bugs: ProtocolBugs{
4188 ExpectFalseStart: true,
4189 },
4190 },
4191 flags: []string{
4192 "-false-start",
4193 "-select-next-proto", "foo",
4194 },
4195 shimWritesFirst: true,
4196 })
4197
4198 // Server parses a V2ClientHello.
4199 tests = append(tests, testCase{
4200 testType: serverTest,
4201 name: "SendV2ClientHello",
4202 config: Config{
4203 // Choose a cipher suite that does not involve
4204 // elliptic curves, so no extensions are
4205 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4206 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4207 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4208 Bugs: ProtocolBugs{
4209 SendV2ClientHello: true,
4210 },
4211 },
4212 })
4213
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4214 // Test Channel ID
4215 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4216 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4217 continue
4218 }
4219 // Client sends a Channel ID.
4220 tests = append(tests, testCase{
4221 name: "ChannelID-Client-" + ver.name,
4222 config: Config{
4223 MaxVersion: ver.version,
4224 RequestChannelID: true,
4225 },
4226 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4227 resumeSession: true,
4228 expectChannelID: true,
4229 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4230
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4231 // Server accepts a Channel ID.
4232 tests = append(tests, testCase{
4233 testType: serverTest,
4234 name: "ChannelID-Server-" + ver.name,
4235 config: Config{
4236 MaxVersion: ver.version,
4237 ChannelID: channelIDKey,
4238 },
4239 flags: []string{
4240 "-expect-channel-id",
4241 base64.StdEncoding.EncodeToString(channelIDBytes),
4242 },
4243 resumeSession: true,
4244 expectChannelID: true,
4245 })
4246
4247 tests = append(tests, testCase{
4248 testType: serverTest,
4249 name: "InvalidChannelIDSignature-" + ver.name,
4250 config: Config{
4251 MaxVersion: ver.version,
4252 ChannelID: channelIDKey,
4253 Bugs: ProtocolBugs{
4254 InvalidChannelIDSignature: true,
4255 },
4256 },
4257 flags: []string{"-enable-channel-id"},
4258 shouldFail: true,
4259 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4260 })
4261 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4262
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4263 // Channel ID and NPN at the same time, to ensure their relative
4264 // ordering is correct.
4265 tests = append(tests, testCase{
4266 name: "ChannelID-NPN-Client",
4267 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4268 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4269 RequestChannelID: true,
4270 NextProtos: []string{"foo"},
4271 },
4272 flags: []string{
4273 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4274 "-select-next-proto", "foo",
4275 },
4276 resumeSession: true,
4277 expectChannelID: true,
4278 expectedNextProto: "foo",
4279 expectedNextProtoType: npn,
4280 })
4281 tests = append(tests, testCase{
4282 testType: serverTest,
4283 name: "ChannelID-NPN-Server",
4284 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4285 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4286 ChannelID: channelIDKey,
4287 NextProtos: []string{"bar"},
4288 },
4289 flags: []string{
4290 "-expect-channel-id",
4291 base64.StdEncoding.EncodeToString(channelIDBytes),
4292 "-advertise-npn", "\x03foo\x03bar\x03baz",
4293 "-expect-next-proto", "bar",
4294 },
4295 resumeSession: true,
4296 expectChannelID: true,
4297 expectedNextProto: "bar",
4298 expectedNextProtoType: npn,
4299 })
4300
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4301 // Bidirectional shutdown with the runner initiating.
4302 tests = append(tests, testCase{
4303 name: "Shutdown-Runner",
4304 config: Config{
4305 Bugs: ProtocolBugs{
4306 ExpectCloseNotify: true,
4307 },
4308 },
4309 flags: []string{"-check-close-notify"},
4310 })
4311
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4312 if !config.implicitHandshake {
4313 // Bidirectional shutdown with the shim initiating. The runner,
4314 // in the meantime, sends garbage before the close_notify which
4315 // the shim must ignore. This test is disabled under implicit
4316 // handshake tests because the shim never reads or writes.
4317 tests = append(tests, testCase{
4318 name: "Shutdown-Shim",
4319 config: Config{
4320 MaxVersion: VersionTLS12,
4321 Bugs: ProtocolBugs{
4322 ExpectCloseNotify: true,
4323 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4324 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4325 shimShutsDown: true,
4326 sendEmptyRecords: 1,
4327 sendWarningAlerts: 1,
4328 flags: []string{"-check-close-notify"},
4329 })
4330 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4331 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4332 // TODO(davidben): DTLS 1.3 will want a similar thing for
4333 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4334 tests = append(tests, testCase{
4335 name: "SkipHelloVerifyRequest",
4336 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4337 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4338 Bugs: ProtocolBugs{
4339 SkipHelloVerifyRequest: true,
4340 },
4341 },
4342 })
4343 }
4344
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4345 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4346 test.protocol = config.protocol
4347 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4348 test.name += "-DTLS"
4349 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4350 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4351 test.name += "-Async"
4352 test.flags = append(test.flags, "-async")
4353 } else {
4354 test.name += "-Sync"
4355 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4356 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4357 test.name += "-SplitHandshakeRecords"
4358 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4359 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4360 test.config.Bugs.MaxPacketLength = 256
4361 test.flags = append(test.flags, "-mtu", "256")
4362 }
4363 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4364 if config.packHandshakeFlight {
4365 test.name += "-PackHandshakeFlight"
4366 test.config.Bugs.PackHandshakeFlight = true
4367 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4368 if config.implicitHandshake {
4369 test.name += "-ImplicitHandshake"
4370 test.flags = append(test.flags, "-implicit-handshake")
4371 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4372 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4373 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4374}
4375
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4376func addDDoSCallbackTests() {
4377 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4378 for _, resume := range []bool{false, true} {
4379 suffix := "Resume"
4380 if resume {
4381 suffix = "No" + suffix
4382 }
4383
4384 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4385 testType: serverTest,
4386 name: "Server-DDoS-OK-" + suffix,
4387 config: Config{
4388 MaxVersion: VersionTLS12,
4389 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4390 flags: []string{"-install-ddos-callback"},
4391 resumeSession: resume,
4392 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4393 testCases = append(testCases, testCase{
4394 testType: serverTest,
4395 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4396 config: Config{
4397 MaxVersion: VersionTLS13,
4398 },
4399 flags: []string{"-install-ddos-callback"},
4400 resumeSession: resume,
4401 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4402
4403 failFlag := "-fail-ddos-callback"
4404 if resume {
4405 failFlag = "-fail-second-ddos-callback"
4406 }
4407 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4408 testType: serverTest,
4409 name: "Server-DDoS-Reject-" + suffix,
4410 config: Config{
4411 MaxVersion: VersionTLS12,
4412 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4413 flags: []string{"-install-ddos-callback", failFlag},
4414 resumeSession: resume,
4415 shouldFail: true,
4416 expectedError: ":CONNECTION_REJECTED:",
4417 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4418 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4419 testCases = append(testCases, testCase{
4420 testType: serverTest,
4421 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4422 config: Config{
4423 MaxVersion: VersionTLS13,
4424 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4425 flags: []string{"-install-ddos-callback", failFlag},
4426 resumeSession: resume,
4427 shouldFail: true,
4428 expectedError: ":CONNECTION_REJECTED:",
4429 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4430 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4431 }
4432}
4433
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4434func addVersionNegotiationTests() {
4435 for i, shimVers := range tlsVersions {
4436 // Assemble flags to disable all newer versions on the shim.
4437 var flags []string
4438 for _, vers := range tlsVersions[i+1:] {
4439 flags = append(flags, vers.flag)
4440 }
4441
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4442 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4443 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4444 protocols := []protocol{tls}
4445 if runnerVers.hasDTLS && shimVers.hasDTLS {
4446 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4447 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4448 for _, protocol := range protocols {
4449 expectedVersion := shimVers.version
4450 if runnerVers.version < shimVers.version {
4451 expectedVersion = runnerVers.version
4452 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4453
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4454 suffix := shimVers.name + "-" + runnerVers.name
4455 if protocol == dtls {
4456 suffix += "-DTLS"
4457 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4458
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4459 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4460
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4461 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4462 clientVers := shimVers.version
4463 if clientVers > VersionTLS10 {
4464 clientVers = VersionTLS10
4465 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4466 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4467 serverVers := expectedVersion
4468 if expectedVersion >= VersionTLS13 {
4469 serverVers = VersionTLS10
4470 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4471 serverVers = versionToWire(serverVers, protocol == dtls)
4472
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4473 testCases = append(testCases, testCase{
4474 protocol: protocol,
4475 testType: clientTest,
4476 name: "VersionNegotiation-Client-" + suffix,
4477 config: Config{
4478 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4479 Bugs: ProtocolBugs{
4480 ExpectInitialRecordVersion: clientVers,
4481 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4482 },
4483 flags: flags,
4484 expectedVersion: expectedVersion,
4485 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4486 testCases = append(testCases, testCase{
4487 protocol: protocol,
4488 testType: clientTest,
4489 name: "VersionNegotiation-Client2-" + suffix,
4490 config: Config{
4491 MaxVersion: runnerVers.version,
4492 Bugs: ProtocolBugs{
4493 ExpectInitialRecordVersion: clientVers,
4494 },
4495 },
4496 flags: []string{"-max-version", shimVersFlag},
4497 expectedVersion: expectedVersion,
4498 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4499
4500 testCases = append(testCases, testCase{
4501 protocol: protocol,
4502 testType: serverTest,
4503 name: "VersionNegotiation-Server-" + suffix,
4504 config: Config{
4505 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4506 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4507 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4508 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4509 },
4510 flags: flags,
4511 expectedVersion: expectedVersion,
4512 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4513 testCases = append(testCases, testCase{
4514 protocol: protocol,
4515 testType: serverTest,
4516 name: "VersionNegotiation-Server2-" + suffix,
4517 config: Config{
4518 MaxVersion: runnerVers.version,
4519 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4520 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4521 },
4522 },
4523 flags: []string{"-max-version", shimVersFlag},
4524 expectedVersion: expectedVersion,
4525 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4526 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4527 }
4528 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4529
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4530 // Test the version extension at all versions.
4531 for _, vers := range tlsVersions {
4532 protocols := []protocol{tls}
4533 if vers.hasDTLS {
4534 protocols = append(protocols, dtls)
4535 }
4536 for _, protocol := range protocols {
4537 suffix := vers.name
4538 if protocol == dtls {
4539 suffix += "-DTLS"
4540 }
4541
4542 wireVersion := versionToWire(vers.version, protocol == dtls)
4543 testCases = append(testCases, testCase{
4544 protocol: protocol,
4545 testType: serverTest,
4546 name: "VersionNegotiationExtension-" + suffix,
4547 config: Config{
4548 Bugs: ProtocolBugs{
4549 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4550 },
4551 },
4552 expectedVersion: vers.version,
4553 })
4554 }
4555
4556 }
4557
4558 // If all versions are unknown, negotiation fails.
4559 testCases = append(testCases, testCase{
4560 testType: serverTest,
4561 name: "NoSupportedVersions",
4562 config: Config{
4563 Bugs: ProtocolBugs{
4564 SendSupportedVersions: []uint16{0x1111},
4565 },
4566 },
4567 shouldFail: true,
4568 expectedError: ":UNSUPPORTED_PROTOCOL:",
4569 })
4570 testCases = append(testCases, testCase{
4571 protocol: dtls,
4572 testType: serverTest,
4573 name: "NoSupportedVersions-DTLS",
4574 config: Config{
4575 Bugs: ProtocolBugs{
4576 SendSupportedVersions: []uint16{0x1111},
4577 },
4578 },
4579 shouldFail: true,
4580 expectedError: ":UNSUPPORTED_PROTOCOL:",
4581 })
4582
4583 testCases = append(testCases, testCase{
4584 testType: serverTest,
4585 name: "ClientHelloVersionTooHigh",
4586 config: Config{
4587 MaxVersion: VersionTLS13,
4588 Bugs: ProtocolBugs{
4589 SendClientVersion: 0x0304,
4590 OmitSupportedVersions: true,
4591 },
4592 },
4593 expectedVersion: VersionTLS12,
4594 })
4595
4596 testCases = append(testCases, testCase{
4597 testType: serverTest,
4598 name: "ConflictingVersionNegotiation",
4599 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4600 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4601 SendClientVersion: VersionTLS12,
4602 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4603 },
4604 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4605 // The extension takes precedence over the ClientHello version.
4606 expectedVersion: VersionTLS11,
4607 })
4608
4609 testCases = append(testCases, testCase{
4610 testType: serverTest,
4611 name: "ConflictingVersionNegotiation-2",
4612 config: Config{
4613 Bugs: ProtocolBugs{
4614 SendClientVersion: VersionTLS11,
4615 SendSupportedVersions: []uint16{VersionTLS12},
4616 },
4617 },
4618 // The extension takes precedence over the ClientHello version.
4619 expectedVersion: VersionTLS12,
4620 })
4621
4622 testCases = append(testCases, testCase{
4623 testType: serverTest,
4624 name: "RejectFinalTLS13",
4625 config: Config{
4626 Bugs: ProtocolBugs{
4627 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4628 },
4629 },
4630 // We currently implement a draft TLS 1.3 version. Ensure that
4631 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4632 expectedVersion: VersionTLS12,
4633 })
4634
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4635 // Test that the maximum version is selected regardless of the
4636 // client-sent order.
4637 testCases = append(testCases, testCase{
4638 testType: serverTest,
4639 name: "IgnoreClientVersionOrder",
4640 config: Config{
4641 Bugs: ProtocolBugs{
4642 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4643 },
4644 },
4645 expectedVersion: VersionTLS13,
4646 })
4647
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4648 // Test for version tolerance.
4649 testCases = append(testCases, testCase{
4650 testType: serverTest,
4651 name: "MinorVersionTolerance",
4652 config: Config{
4653 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4654 SendClientVersion: 0x03ff,
4655 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4656 },
4657 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4658 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4659 })
4660 testCases = append(testCases, testCase{
4661 testType: serverTest,
4662 name: "MajorVersionTolerance",
4663 config: Config{
4664 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4665 SendClientVersion: 0x0400,
4666 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4667 },
4668 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4669 // TLS 1.3 must be negotiated with the supported_versions
4670 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4671 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4672 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4673 testCases = append(testCases, testCase{
4674 testType: serverTest,
4675 name: "VersionTolerance-TLS13",
4676 config: Config{
4677 Bugs: ProtocolBugs{
4678 // Although TLS 1.3 does not use
4679 // ClientHello.version, it still tolerates high
4680 // values there.
4681 SendClientVersion: 0x0400,
4682 },
4683 },
4684 expectedVersion: VersionTLS13,
4685 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4686
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4687 testCases = append(testCases, testCase{
4688 protocol: dtls,
4689 testType: serverTest,
4690 name: "MinorVersionTolerance-DTLS",
4691 config: Config{
4692 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4693 SendClientVersion: 0xfe00,
4694 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4695 },
4696 },
4697 expectedVersion: VersionTLS12,
4698 })
4699 testCases = append(testCases, testCase{
4700 protocol: dtls,
4701 testType: serverTest,
4702 name: "MajorVersionTolerance-DTLS",
4703 config: Config{
4704 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4705 SendClientVersion: 0xfdff,
4706 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4707 },
4708 },
4709 expectedVersion: VersionTLS12,
4710 })
4711
4712 // Test that versions below 3.0 are rejected.
4713 testCases = append(testCases, testCase{
4714 testType: serverTest,
4715 name: "VersionTooLow",
4716 config: Config{
4717 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4718 SendClientVersion: 0x0200,
4719 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4720 },
4721 },
4722 shouldFail: true,
4723 expectedError: ":UNSUPPORTED_PROTOCOL:",
4724 })
4725 testCases = append(testCases, testCase{
4726 protocol: dtls,
4727 testType: serverTest,
4728 name: "VersionTooLow-DTLS",
4729 config: Config{
4730 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4731 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4732 },
4733 },
4734 shouldFail: true,
4735 expectedError: ":UNSUPPORTED_PROTOCOL:",
4736 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4737
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4738 testCases = append(testCases, testCase{
4739 name: "ServerBogusVersion",
4740 config: Config{
4741 Bugs: ProtocolBugs{
4742 SendServerHelloVersion: 0x1234,
4743 },
4744 },
4745 shouldFail: true,
4746 expectedError: ":UNSUPPORTED_PROTOCOL:",
4747 })
4748
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4749 // Test TLS 1.3's downgrade signal.
4750 testCases = append(testCases, testCase{
4751 name: "Downgrade-TLS12-Client",
4752 config: Config{
4753 Bugs: ProtocolBugs{
4754 NegotiateVersion: VersionTLS12,
4755 },
4756 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4757 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4758 // TODO(davidben): This test should fail once TLS 1.3 is final
4759 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4760 })
4761 testCases = append(testCases, testCase{
4762 testType: serverTest,
4763 name: "Downgrade-TLS12-Server",
4764 config: Config{
4765 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4766 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4767 },
4768 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4769 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4770 // TODO(davidben): This test should fail once TLS 1.3 is final
4771 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4772 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4773}
4774
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4775func addMinimumVersionTests() {
4776 for i, shimVers := range tlsVersions {
4777 // Assemble flags to disable all older versions on the shim.
4778 var flags []string
4779 for _, vers := range tlsVersions[:i] {
4780 flags = append(flags, vers.flag)
4781 }
4782
4783 for _, runnerVers := range tlsVersions {
4784 protocols := []protocol{tls}
4785 if runnerVers.hasDTLS && shimVers.hasDTLS {
4786 protocols = append(protocols, dtls)
4787 }
4788 for _, protocol := range protocols {
4789 suffix := shimVers.name + "-" + runnerVers.name
4790 if protocol == dtls {
4791 suffix += "-DTLS"
4792 }
4793 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4794
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4795 var expectedVersion uint16
4796 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4797 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4798 if runnerVers.version >= shimVers.version {
4799 expectedVersion = runnerVers.version
4800 } else {
4801 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4802 expectedError = ":UNSUPPORTED_PROTOCOL:"
4803 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4804 }
4805
4806 testCases = append(testCases, testCase{
4807 protocol: protocol,
4808 testType: clientTest,
4809 name: "MinimumVersion-Client-" + suffix,
4810 config: Config{
4811 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4812 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4813 // Ensure the server does not decline to
4814 // select a version (versions extension) or
4815 // cipher (some ciphers depend on versions).
4816 NegotiateVersion: runnerVers.version,
4817 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4818 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4819 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4820 flags: flags,
4821 expectedVersion: expectedVersion,
4822 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4823 expectedError: expectedError,
4824 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4825 })
4826 testCases = append(testCases, testCase{
4827 protocol: protocol,
4828 testType: clientTest,
4829 name: "MinimumVersion-Client2-" + suffix,
4830 config: Config{
4831 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4832 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4833 // Ensure the server does not decline to
4834 // select a version (versions extension) or
4835 // cipher (some ciphers depend on versions).
4836 NegotiateVersion: runnerVers.version,
4837 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4838 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4839 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4840 flags: []string{"-min-version", shimVersFlag},
4841 expectedVersion: expectedVersion,
4842 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4843 expectedError: expectedError,
4844 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4845 })
4846
4847 testCases = append(testCases, testCase{
4848 protocol: protocol,
4849 testType: serverTest,
4850 name: "MinimumVersion-Server-" + suffix,
4851 config: Config{
4852 MaxVersion: runnerVers.version,
4853 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4854 flags: flags,
4855 expectedVersion: expectedVersion,
4856 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4857 expectedError: expectedError,
4858 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4859 })
4860 testCases = append(testCases, testCase{
4861 protocol: protocol,
4862 testType: serverTest,
4863 name: "MinimumVersion-Server2-" + suffix,
4864 config: Config{
4865 MaxVersion: runnerVers.version,
4866 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4867 flags: []string{"-min-version", shimVersFlag},
4868 expectedVersion: expectedVersion,
4869 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4870 expectedError: expectedError,
4871 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4872 })
4873 }
4874 }
4875 }
4876}
4877
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4878func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4879 // TODO(davidben): Extensions, where applicable, all move their server
4880 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4881 // tests for both. Also test interaction with 0-RTT when implemented.
4882
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4883 // Repeat extensions tests all versions except SSL 3.0.
4884 for _, ver := range tlsVersions {
4885 if ver.version == VersionSSL30 {
4886 continue
4887 }
4888
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4889 // Test that duplicate extensions are rejected.
4890 testCases = append(testCases, testCase{
4891 testType: clientTest,
4892 name: "DuplicateExtensionClient-" + ver.name,
4893 config: Config{
4894 MaxVersion: ver.version,
4895 Bugs: ProtocolBugs{
4896 DuplicateExtension: true,
4897 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4898 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4899 shouldFail: true,
4900 expectedLocalError: "remote error: error decoding message",
4901 })
4902 testCases = append(testCases, testCase{
4903 testType: serverTest,
4904 name: "DuplicateExtensionServer-" + ver.name,
4905 config: Config{
4906 MaxVersion: ver.version,
4907 Bugs: ProtocolBugs{
4908 DuplicateExtension: true,
4909 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4910 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4911 shouldFail: true,
4912 expectedLocalError: "remote error: error decoding message",
4913 })
4914
4915 // Test SNI.
4916 testCases = append(testCases, testCase{
4917 testType: clientTest,
4918 name: "ServerNameExtensionClient-" + ver.name,
4919 config: Config{
4920 MaxVersion: ver.version,
4921 Bugs: ProtocolBugs{
4922 ExpectServerName: "example.com",
4923 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4924 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4925 flags: []string{"-host-name", "example.com"},
4926 })
4927 testCases = append(testCases, testCase{
4928 testType: clientTest,
4929 name: "ServerNameExtensionClientMismatch-" + ver.name,
4930 config: Config{
4931 MaxVersion: ver.version,
4932 Bugs: ProtocolBugs{
4933 ExpectServerName: "mismatch.com",
4934 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4935 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4936 flags: []string{"-host-name", "example.com"},
4937 shouldFail: true,
4938 expectedLocalError: "tls: unexpected server name",
4939 })
4940 testCases = append(testCases, testCase{
4941 testType: clientTest,
4942 name: "ServerNameExtensionClientMissing-" + ver.name,
4943 config: Config{
4944 MaxVersion: ver.version,
4945 Bugs: ProtocolBugs{
4946 ExpectServerName: "missing.com",
4947 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4948 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4949 shouldFail: true,
4950 expectedLocalError: "tls: unexpected server name",
4951 })
4952 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4953 testType: clientTest,
4954 name: "TolerateServerNameAck-" + ver.name,
4955 config: Config{
4956 MaxVersion: ver.version,
4957 Bugs: ProtocolBugs{
4958 SendServerNameAck: true,
4959 },
4960 },
4961 flags: []string{"-host-name", "example.com"},
4962 resumeSession: true,
4963 })
4964 testCases = append(testCases, testCase{
4965 testType: clientTest,
4966 name: "UnsolicitedServerNameAck-" + ver.name,
4967 config: Config{
4968 MaxVersion: ver.version,
4969 Bugs: ProtocolBugs{
4970 SendServerNameAck: true,
4971 },
4972 },
4973 shouldFail: true,
4974 expectedError: ":UNEXPECTED_EXTENSION:",
4975 expectedLocalError: "remote error: unsupported extension",
4976 })
4977 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4978 testType: serverTest,
4979 name: "ServerNameExtensionServer-" + ver.name,
4980 config: Config{
4981 MaxVersion: ver.version,
4982 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4983 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4984 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4985 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4986 })
4987
4988 // Test ALPN.
4989 testCases = append(testCases, testCase{
4990 testType: clientTest,
4991 name: "ALPNClient-" + ver.name,
4992 config: Config{
4993 MaxVersion: ver.version,
4994 NextProtos: []string{"foo"},
4995 },
4996 flags: []string{
4997 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4998 "-expect-alpn", "foo",
4999 },
5000 expectedNextProto: "foo",
5001 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5002 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5003 })
5004 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5005 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5006 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5007 config: Config{
5008 MaxVersion: ver.version,
5009 Bugs: ProtocolBugs{
5010 SendALPN: "baz",
5011 },
5012 },
5013 flags: []string{
5014 "-advertise-alpn", "\x03foo\x03bar",
5015 },
5016 shouldFail: true,
5017 expectedError: ":INVALID_ALPN_PROTOCOL:",
5018 expectedLocalError: "remote error: illegal parameter",
5019 })
5020 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5021 testType: clientTest,
5022 name: "ALPNClient-AllowUnknown-" + ver.name,
5023 config: Config{
5024 MaxVersion: ver.version,
5025 Bugs: ProtocolBugs{
5026 SendALPN: "baz",
5027 },
5028 },
5029 flags: []string{
5030 "-advertise-alpn", "\x03foo\x03bar",
5031 "-allow-unknown-alpn-protos",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]5032 "-expect-alpn", "baz",
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5033 },
5034 })
5035 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5036 testType: serverTest,
5037 name: "ALPNServer-" + ver.name,
5038 config: Config{
5039 MaxVersion: ver.version,
5040 NextProtos: []string{"foo", "bar", "baz"},
5041 },
5042 flags: []string{
5043 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5044 "-select-alpn", "foo",
5045 },
5046 expectedNextProto: "foo",
5047 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5048 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5049 })
5050 testCases = append(testCases, testCase{
5051 testType: serverTest,
5052 name: "ALPNServer-Decline-" + ver.name,
5053 config: Config{
5054 MaxVersion: ver.version,
5055 NextProtos: []string{"foo", "bar", "baz"},
5056 },
5057 flags: []string{"-decline-alpn"},
5058 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5059 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5060 })
5061
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5062 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5063 // called once.
5064 testCases = append(testCases, testCase{
5065 testType: serverTest,
5066 name: "ALPNServer-Async-" + ver.name,
5067 config: Config{
5068 MaxVersion: ver.version,
5069 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5070 // Prior to TLS 1.3, exercise the asynchronous session callback.
5071 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5072 },
5073 flags: []string{
5074 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5075 "-select-alpn", "foo",
5076 "-async",
5077 },
5078 expectedNextProto: "foo",
5079 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5080 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5081 })
5082
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5083 var emptyString string
5084 testCases = append(testCases, testCase{
5085 testType: clientTest,
5086 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5087 config: Config{
5088 MaxVersion: ver.version,
5089 NextProtos: []string{""},
5090 Bugs: ProtocolBugs{
5091 // A server returning an empty ALPN protocol
5092 // should be rejected.
5093 ALPNProtocol: &emptyString,
5094 },
5095 },
5096 flags: []string{
5097 "-advertise-alpn", "\x03foo",
5098 },
5099 shouldFail: true,
5100 expectedError: ":PARSE_TLSEXT:",
5101 })
5102 testCases = append(testCases, testCase{
5103 testType: serverTest,
5104 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5105 config: Config{
5106 MaxVersion: ver.version,
5107 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5108 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5109 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5110 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5111 flags: []string{
5112 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5113 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5114 shouldFail: true,
5115 expectedError: ":PARSE_TLSEXT:",
5116 })
5117
5118 // Test NPN and the interaction with ALPN.
5119 if ver.version < VersionTLS13 {
5120 // Test that the server prefers ALPN over NPN.
5121 testCases = append(testCases, testCase{
5122 testType: serverTest,
5123 name: "ALPNServer-Preferred-" + ver.name,
5124 config: Config{
5125 MaxVersion: ver.version,
5126 NextProtos: []string{"foo", "bar", "baz"},
5127 },
5128 flags: []string{
5129 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5130 "-select-alpn", "foo",
5131 "-advertise-npn", "\x03foo\x03bar\x03baz",
5132 },
5133 expectedNextProto: "foo",
5134 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5135 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5136 })
5137 testCases = append(testCases, testCase{
5138 testType: serverTest,
5139 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5140 config: Config{
5141 MaxVersion: ver.version,
5142 NextProtos: []string{"foo", "bar", "baz"},
5143 Bugs: ProtocolBugs{
5144 SwapNPNAndALPN: true,
5145 },
5146 },
5147 flags: []string{
5148 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5149 "-select-alpn", "foo",
5150 "-advertise-npn", "\x03foo\x03bar\x03baz",
5151 },
5152 expectedNextProto: "foo",
5153 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5154 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5155 })
5156
5157 // Test that negotiating both NPN and ALPN is forbidden.
5158 testCases = append(testCases, testCase{
5159 name: "NegotiateALPNAndNPN-" + ver.name,
5160 config: Config{
5161 MaxVersion: ver.version,
5162 NextProtos: []string{"foo", "bar", "baz"},
5163 Bugs: ProtocolBugs{
5164 NegotiateALPNAndNPN: true,
5165 },
5166 },
5167 flags: []string{
5168 "-advertise-alpn", "\x03foo",
5169 "-select-next-proto", "foo",
5170 },
5171 shouldFail: true,
5172 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5173 })
5174 testCases = append(testCases, testCase{
5175 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5176 config: Config{
5177 MaxVersion: ver.version,
5178 NextProtos: []string{"foo", "bar", "baz"},
5179 Bugs: ProtocolBugs{
5180 NegotiateALPNAndNPN: true,
5181 SwapNPNAndALPN: true,
5182 },
5183 },
5184 flags: []string{
5185 "-advertise-alpn", "\x03foo",
5186 "-select-next-proto", "foo",
5187 },
5188 shouldFail: true,
5189 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5190 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5191 }
5192
5193 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5194
5195 // Resume with a corrupt ticket.
5196 testCases = append(testCases, testCase{
5197 testType: serverTest,
5198 name: "CorruptTicket-" + ver.name,
5199 config: Config{
5200 MaxVersion: ver.version,
5201 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5202 FilterTicket: func(in []byte) ([]byte, error) {
5203 in[len(in)-1] ^= 1
5204 return in, nil
5205 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5206 },
5207 },
5208 resumeSession: true,
5209 expectResumeRejected: true,
5210 })
5211 // Test the ticket callback, with and without renewal.
5212 testCases = append(testCases, testCase{
5213 testType: serverTest,
5214 name: "TicketCallback-" + ver.name,
5215 config: Config{
5216 MaxVersion: ver.version,
5217 },
5218 resumeSession: true,
5219 flags: []string{"-use-ticket-callback"},
5220 })
5221 testCases = append(testCases, testCase{
5222 testType: serverTest,
5223 name: "TicketCallback-Renew-" + ver.name,
5224 config: Config{
5225 MaxVersion: ver.version,
5226 Bugs: ProtocolBugs{
5227 ExpectNewTicket: true,
5228 },
5229 },
5230 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5231 resumeSession: true,
5232 })
5233
5234 // Test that the ticket callback is only called once when everything before
5235 // it in the ClientHello is asynchronous. This corrupts the ticket so
5236 // certificate selection callbacks run.
5237 testCases = append(testCases, testCase{
5238 testType: serverTest,
5239 name: "TicketCallback-SingleCall-" + ver.name,
5240 config: Config{
5241 MaxVersion: ver.version,
5242 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5243 FilterTicket: func(in []byte) ([]byte, error) {
5244 in[len(in)-1] ^= 1
5245 return in, nil
5246 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5247 },
5248 },
5249 resumeSession: true,
5250 expectResumeRejected: true,
5251 flags: []string{
5252 "-use-ticket-callback",
5253 "-async",
5254 },
5255 })
5256
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5257 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5258 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5259 testCases = append(testCases, testCase{
5260 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5261 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5262 config: Config{
5263 MaxVersion: ver.version,
5264 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5265 EmptyTicketSessionID: true,
5266 },
5267 },
5268 resumeSession: true,
5269 })
5270 testCases = append(testCases, testCase{
5271 testType: serverTest,
5272 name: "TicketSessionIDLength-16-" + ver.name,
5273 config: Config{
5274 MaxVersion: ver.version,
5275 Bugs: ProtocolBugs{
5276 TicketSessionIDLength: 16,
5277 },
5278 },
5279 resumeSession: true,
5280 })
5281 testCases = append(testCases, testCase{
5282 testType: serverTest,
5283 name: "TicketSessionIDLength-32-" + ver.name,
5284 config: Config{
5285 MaxVersion: ver.version,
5286 Bugs: ProtocolBugs{
5287 TicketSessionIDLength: 32,
5288 },
5289 },
5290 resumeSession: true,
5291 })
5292 testCases = append(testCases, testCase{
5293 testType: serverTest,
5294 name: "TicketSessionIDLength-33-" + ver.name,
5295 config: Config{
5296 MaxVersion: ver.version,
5297 Bugs: ProtocolBugs{
5298 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5299 },
5300 },
5301 resumeSession: true,
5302 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5303 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5304 expectedError: ":DECODE_ERROR:",
5305 })
5306 }
5307
5308 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5309 // are ignored.
5310 if ver.hasDTLS {
5311 testCases = append(testCases, testCase{
5312 protocol: dtls,
5313 name: "SRTP-Client-" + ver.name,
5314 config: Config{
5315 MaxVersion: ver.version,
5316 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5317 },
5318 flags: []string{
5319 "-srtp-profiles",
5320 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5321 },
5322 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5323 })
5324 testCases = append(testCases, testCase{
5325 protocol: dtls,
5326 testType: serverTest,
5327 name: "SRTP-Server-" + ver.name,
5328 config: Config{
5329 MaxVersion: ver.version,
5330 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5331 },
5332 flags: []string{
5333 "-srtp-profiles",
5334 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5335 },
5336 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5337 })
5338 // Test that the MKI is ignored.
5339 testCases = append(testCases, testCase{
5340 protocol: dtls,
5341 testType: serverTest,
5342 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5343 config: Config{
5344 MaxVersion: ver.version,
5345 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5346 Bugs: ProtocolBugs{
5347 SRTPMasterKeyIdentifer: "bogus",
5348 },
5349 },
5350 flags: []string{
5351 "-srtp-profiles",
5352 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5353 },
5354 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5355 })
5356 // Test that SRTP isn't negotiated on the server if there were
5357 // no matching profiles.
5358 testCases = append(testCases, testCase{
5359 protocol: dtls,
5360 testType: serverTest,
5361 name: "SRTP-Server-NoMatch-" + ver.name,
5362 config: Config{
5363 MaxVersion: ver.version,
5364 SRTPProtectionProfiles: []uint16{100, 101, 102},
5365 },
5366 flags: []string{
5367 "-srtp-profiles",
5368 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5369 },
5370 expectedSRTPProtectionProfile: 0,
5371 })
5372 // Test that the server returning an invalid SRTP profile is
5373 // flagged as an error by the client.
5374 testCases = append(testCases, testCase{
5375 protocol: dtls,
5376 name: "SRTP-Client-NoMatch-" + ver.name,
5377 config: Config{
5378 MaxVersion: ver.version,
5379 Bugs: ProtocolBugs{
5380 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5381 },
5382 },
5383 flags: []string{
5384 "-srtp-profiles",
5385 "SRTP_AES128_CM_SHA1_80",
5386 },
5387 shouldFail: true,
5388 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5389 })
5390 }
5391
5392 // Test SCT list.
5393 testCases = append(testCases, testCase{
5394 name: "SignedCertificateTimestampList-Client-" + ver.name,
5395 testType: clientTest,
5396 config: Config{
5397 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5398 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5399 flags: []string{
5400 "-enable-signed-cert-timestamps",
5401 "-expect-signed-cert-timestamps",
5402 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5403 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5404 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5405 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5406
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5407 var differentSCTList []byte
5408 differentSCTList = append(differentSCTList, testSCTList...)
5409 differentSCTList[len(differentSCTList)-1] ^= 1
5410
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5411 // The SCT extension did not specify that it must only be sent on resumption as it
5412 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5413 testCases = append(testCases, testCase{
5414 name: "SendSCTListOnResume-" + ver.name,
5415 config: Config{
5416 MaxVersion: ver.version,
5417 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5418 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5419 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5420 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5421 flags: []string{
5422 "-enable-signed-cert-timestamps",
5423 "-expect-signed-cert-timestamps",
5424 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5425 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5426 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5427 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5428
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5429 testCases = append(testCases, testCase{
5430 name: "SignedCertificateTimestampList-Server-" + ver.name,
5431 testType: serverTest,
5432 config: Config{
5433 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5434 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5435 flags: []string{
5436 "-signed-cert-timestamps",
5437 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5438 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5439 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5440 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5441 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5442
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5443 emptySCTListCert := *testCerts[0].cert
5444 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5445
5446 // Test empty SCT list.
5447 testCases = append(testCases, testCase{
5448 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5449 testType: clientTest,
5450 config: Config{
5451 MaxVersion: ver.version,
5452 Certificates: []Certificate{emptySCTListCert},
5453 },
5454 flags: []string{
5455 "-enable-signed-cert-timestamps",
5456 },
5457 shouldFail: true,
5458 expectedError: ":ERROR_PARSING_EXTENSION:",
5459 })
5460
5461 emptySCTCert := *testCerts[0].cert
5462 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5463
5464 // Test empty SCT in non-empty list.
5465 testCases = append(testCases, testCase{
5466 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5467 testType: clientTest,
5468 config: Config{
5469 MaxVersion: ver.version,
5470 Certificates: []Certificate{emptySCTCert},
5471 },
5472 flags: []string{
5473 "-enable-signed-cert-timestamps",
5474 },
5475 shouldFail: true,
5476 expectedError: ":ERROR_PARSING_EXTENSION:",
5477 })
5478
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5479 // Test that certificate-related extensions are not sent unsolicited.
5480 testCases = append(testCases, testCase{
5481 testType: serverTest,
5482 name: "UnsolicitedCertificateExtensions-" + ver.name,
5483 config: Config{
5484 MaxVersion: ver.version,
5485 Bugs: ProtocolBugs{
5486 NoOCSPStapling: true,
5487 NoSignedCertificateTimestamps: true,
5488 },
5489 },
5490 flags: []string{
5491 "-ocsp-response",
5492 base64.StdEncoding.EncodeToString(testOCSPResponse),
5493 "-signed-cert-timestamps",
5494 base64.StdEncoding.EncodeToString(testSCTList),
5495 },
5496 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5497 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5498
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5499 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5500 testType: clientTest,
5501 name: "ClientHelloPadding",
5502 config: Config{
5503 Bugs: ProtocolBugs{
5504 RequireClientHelloSize: 512,
5505 },
5506 },
5507 // This hostname just needs to be long enough to push the
5508 // ClientHello into F5's danger zone between 256 and 511 bytes
5509 // long.
5510 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5511 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5512
5513 // Extensions should not function in SSL 3.0.
5514 testCases = append(testCases, testCase{
5515 testType: serverTest,
5516 name: "SSLv3Extensions-NoALPN",
5517 config: Config{
5518 MaxVersion: VersionSSL30,
5519 NextProtos: []string{"foo", "bar", "baz"},
5520 },
5521 flags: []string{
5522 "-select-alpn", "foo",
5523 },
5524 expectNoNextProto: true,
5525 })
5526
5527 // Test session tickets separately as they follow a different codepath.
5528 testCases = append(testCases, testCase{
5529 testType: serverTest,
5530 name: "SSLv3Extensions-NoTickets",
5531 config: Config{
5532 MaxVersion: VersionSSL30,
5533 Bugs: ProtocolBugs{
5534 // Historically, session tickets in SSL 3.0
5535 // failed in different ways depending on whether
5536 // the client supported renegotiation_info.
5537 NoRenegotiationInfo: true,
5538 },
5539 },
5540 resumeSession: true,
5541 })
5542 testCases = append(testCases, testCase{
5543 testType: serverTest,
5544 name: "SSLv3Extensions-NoTickets2",
5545 config: Config{
5546 MaxVersion: VersionSSL30,
5547 },
5548 resumeSession: true,
5549 })
5550
5551 // But SSL 3.0 does send and process renegotiation_info.
5552 testCases = append(testCases, testCase{
5553 testType: serverTest,
5554 name: "SSLv3Extensions-RenegotiationInfo",
5555 config: Config{
5556 MaxVersion: VersionSSL30,
5557 Bugs: ProtocolBugs{
5558 RequireRenegotiationInfo: true,
5559 },
5560 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5561 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5562 })
5563 testCases = append(testCases, testCase{
5564 testType: serverTest,
5565 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5566 config: Config{
5567 MaxVersion: VersionSSL30,
5568 Bugs: ProtocolBugs{
5569 NoRenegotiationInfo: true,
5570 SendRenegotiationSCSV: true,
5571 RequireRenegotiationInfo: true,
5572 },
5573 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5574 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5575 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5576
5577 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5578 // in ServerHello.
5579 testCases = append(testCases, testCase{
5580 name: "NPN-Forbidden-TLS13",
5581 config: Config{
5582 MaxVersion: VersionTLS13,
5583 NextProtos: []string{"foo"},
5584 Bugs: ProtocolBugs{
5585 NegotiateNPNAtAllVersions: true,
5586 },
5587 },
5588 flags: []string{"-select-next-proto", "foo"},
5589 shouldFail: true,
5590 expectedError: ":ERROR_PARSING_EXTENSION:",
5591 })
5592 testCases = append(testCases, testCase{
5593 name: "EMS-Forbidden-TLS13",
5594 config: Config{
5595 MaxVersion: VersionTLS13,
5596 Bugs: ProtocolBugs{
5597 NegotiateEMSAtAllVersions: true,
5598 },
5599 },
5600 shouldFail: true,
5601 expectedError: ":ERROR_PARSING_EXTENSION:",
5602 })
5603 testCases = append(testCases, testCase{
5604 name: "RenegotiationInfo-Forbidden-TLS13",
5605 config: Config{
5606 MaxVersion: VersionTLS13,
5607 Bugs: ProtocolBugs{
5608 NegotiateRenegotiationInfoAtAllVersions: true,
5609 },
5610 },
5611 shouldFail: true,
5612 expectedError: ":ERROR_PARSING_EXTENSION:",
5613 })
5614 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5615 name: "Ticket-Forbidden-TLS13",
5616 config: Config{
5617 MaxVersion: VersionTLS12,
5618 },
5619 resumeConfig: &Config{
5620 MaxVersion: VersionTLS13,
5621 Bugs: ProtocolBugs{
5622 AdvertiseTicketExtension: true,
5623 },
5624 },
5625 resumeSession: true,
5626 shouldFail: true,
5627 expectedError: ":ERROR_PARSING_EXTENSION:",
5628 })
5629
5630 // Test that illegal extensions in TLS 1.3 are declined by the server if
5631 // offered in ClientHello. The runner's server will fail if this occurs,
5632 // so we exercise the offering path. (EMS and Renegotiation Info are
5633 // implicit in every test.)
5634 testCases = append(testCases, testCase{
5635 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5636 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5637 config: Config{
5638 MaxVersion: VersionTLS13,
5639 NextProtos: []string{"bar"},
5640 },
5641 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5642 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5643
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5644 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5645 // tolerated.
5646 testCases = append(testCases, testCase{
5647 name: "SendOCSPResponseOnResume-TLS12",
5648 config: Config{
5649 MaxVersion: VersionTLS12,
5650 Bugs: ProtocolBugs{
5651 SendOCSPResponseOnResume: []byte("bogus"),
5652 },
5653 },
5654 flags: []string{
5655 "-enable-ocsp-stapling",
5656 "-expect-ocsp-response",
5657 base64.StdEncoding.EncodeToString(testOCSPResponse),
5658 },
5659 resumeSession: true,
5660 })
5661
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5662 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5663 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5664 config: Config{
5665 MaxVersion: VersionTLS13,
5666 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5667 SendExtensionOnCertificate: testOCSPExtension,
5668 },
5669 },
5670 shouldFail: true,
5671 expectedError: ":UNEXPECTED_EXTENSION:",
5672 })
5673
5674 testCases = append(testCases, testCase{
5675 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5676 config: Config{
5677 MaxVersion: VersionTLS13,
5678 Bugs: ProtocolBugs{
5679 SendExtensionOnCertificate: testSCTExtension,
5680 },
5681 },
5682 shouldFail: true,
5683 expectedError: ":UNEXPECTED_EXTENSION:",
5684 })
5685
5686 // Test that extensions on client certificates are never accepted.
5687 testCases = append(testCases, testCase{
5688 name: "SendExtensionOnClientCertificate-TLS13",
5689 testType: serverTest,
5690 config: Config{
5691 MaxVersion: VersionTLS13,
5692 Certificates: []Certificate{rsaCertificate},
5693 Bugs: ProtocolBugs{
5694 SendExtensionOnCertificate: testOCSPExtension,
5695 },
5696 },
5697 flags: []string{
5698 "-enable-ocsp-stapling",
5699 "-require-any-client-certificate",
5700 },
5701 shouldFail: true,
5702 expectedError: ":UNEXPECTED_EXTENSION:",
5703 })
5704
5705 testCases = append(testCases, testCase{
5706 name: "SendUnknownExtensionOnCertificate-TLS13",
5707 config: Config{
5708 MaxVersion: VersionTLS13,
5709 Bugs: ProtocolBugs{
5710 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5711 },
5712 },
5713 shouldFail: true,
5714 expectedError: ":UNEXPECTED_EXTENSION:",
5715 })
5716
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5717 var differentSCTList []byte
5718 differentSCTList = append(differentSCTList, testSCTList...)
5719 differentSCTList[len(differentSCTList)-1] ^= 1
5720
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5721 // Test that extensions on intermediates are allowed but ignored.
5722 testCases = append(testCases, testCase{
5723 name: "IgnoreExtensionsOnIntermediates-TLS13",
5724 config: Config{
5725 MaxVersion: VersionTLS13,
5726 Certificates: []Certificate{rsaChainCertificate},
5727 Bugs: ProtocolBugs{
5728 // Send different values on the intermediate. This tests
5729 // the intermediate's extensions do not override the
5730 // leaf's.
5731 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5732 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5733 },
5734 },
5735 flags: []string{
5736 "-enable-ocsp-stapling",
5737 "-expect-ocsp-response",
5738 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5739 "-enable-signed-cert-timestamps",
5740 "-expect-signed-cert-timestamps",
5741 base64.StdEncoding.EncodeToString(testSCTList),
5742 },
5743 resumeSession: true,
5744 })
5745
5746 // Test that extensions are not sent on intermediates when configured
5747 // only for a leaf.
5748 testCases = append(testCases, testCase{
5749 testType: serverTest,
5750 name: "SendNoExtensionsOnIntermediate-TLS13",
5751 config: Config{
5752 MaxVersion: VersionTLS13,
5753 Bugs: ProtocolBugs{
5754 ExpectNoExtensionsOnIntermediate: true,
5755 },
5756 },
5757 flags: []string{
5758 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5759 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5760 "-ocsp-response",
5761 base64.StdEncoding.EncodeToString(testOCSPResponse),
5762 "-signed-cert-timestamps",
5763 base64.StdEncoding.EncodeToString(testSCTList),
5764 },
5765 })
5766
5767 // Test that extensions are not sent on client certificates.
5768 testCases = append(testCases, testCase{
5769 name: "SendNoClientCertificateExtensions-TLS13",
5770 config: Config{
5771 MaxVersion: VersionTLS13,
5772 ClientAuth: RequireAnyClientCert,
5773 },
5774 flags: []string{
5775 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5776 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5777 "-ocsp-response",
5778 base64.StdEncoding.EncodeToString(testOCSPResponse),
5779 "-signed-cert-timestamps",
5780 base64.StdEncoding.EncodeToString(testSCTList),
5781 },
5782 })
5783
5784 testCases = append(testCases, testCase{
5785 name: "SendDuplicateExtensionsOnCerts-TLS13",
5786 config: Config{
5787 MaxVersion: VersionTLS13,
5788 Bugs: ProtocolBugs{
5789 SendDuplicateCertExtensions: true,
5790 },
5791 },
5792 flags: []string{
5793 "-enable-ocsp-stapling",
5794 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5795 },
5796 resumeSession: true,
5797 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5798 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5799 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5800
5801 testCases = append(testCases, testCase{
5802 name: "SignedCertificateTimestampListInvalid-Server",
5803 testType: serverTest,
5804 flags: []string{
5805 "-signed-cert-timestamps",
5806 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5807 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5808 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5809 expectedError: ":INVALID_SCT_LIST:",
5810 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5811}
5812
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5813func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5814 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5815 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5816 // SSL 3.0 does not have tickets and TLS 1.3 does not
5817 // have session IDs, so skip their cross-resumption
5818 // tests.
5819 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5820 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5821 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5822 }
5823
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5824 protocols := []protocol{tls}
5825 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5826 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5827 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5828 for _, protocol := range protocols {
5829 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5830 if protocol == dtls {
5831 suffix += "-DTLS"
5832 }
5833
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5834 if sessionVers.version == resumeVers.version {
5835 testCases = append(testCases, testCase{
5836 protocol: protocol,
5837 name: "Resume-Client" + suffix,
5838 resumeSession: true,
5839 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5840 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5841 Bugs: ProtocolBugs{
5842 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5843 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5844 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5845 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5846 expectedVersion: sessionVers.version,
5847 expectedResumeVersion: resumeVers.version,
5848 })
5849 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5850 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5851
5852 // Offering a TLS 1.3 session sends an empty session ID, so
5853 // there is no way to convince a non-lookahead client the
5854 // session was resumed. It will appear to the client that a
5855 // stray ChangeCipherSpec was sent.
5856 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5857 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5858 }
5859
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5860 testCases = append(testCases, testCase{
5861 protocol: protocol,
5862 name: "Resume-Client-Mismatch" + suffix,
5863 resumeSession: true,
5864 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5865 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5866 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5867 expectedVersion: sessionVers.version,
5868 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5869 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5870 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5871 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5872 },
5873 },
5874 expectedResumeVersion: resumeVers.version,
5875 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5876 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5877 })
5878 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5879
5880 testCases = append(testCases, testCase{
5881 protocol: protocol,
5882 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5883 resumeSession: true,
5884 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5885 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5886 },
5887 expectedVersion: sessionVers.version,
5888 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5889 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5890 },
5891 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5892 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5893 expectedResumeVersion: resumeVers.version,
5894 })
5895
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5896 testCases = append(testCases, testCase{
5897 protocol: protocol,
5898 testType: serverTest,
5899 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5900 resumeSession: true,
5901 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5902 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5903 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5904 expectedVersion: sessionVers.version,
5905 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5906 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5907 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5908 Bugs: ProtocolBugs{
5909 SendBothTickets: true,
5910 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5911 },
5912 expectedResumeVersion: resumeVers.version,
5913 })
5914 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5915 }
5916 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5917
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5918 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5919 testCases = append(testCases, testCase{
5920 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5921 name: "ShimTicketRewritable",
5922 resumeSession: true,
5923 config: Config{
5924 MaxVersion: VersionTLS12,
5925 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5926 Bugs: ProtocolBugs{
5927 FilterTicket: func(in []byte) ([]byte, error) {
5928 in, err := SetShimTicketVersion(in, VersionTLS12)
5929 if err != nil {
5930 return nil, err
5931 }
5932 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5933 },
5934 },
5935 },
5936 flags: []string{
5937 "-ticket-key",
5938 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5939 },
5940 })
5941
5942 // Resumptions are declined if the version does not match.
5943 testCases = append(testCases, testCase{
5944 testType: serverTest,
5945 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5946 resumeSession: true,
5947 config: Config{
5948 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5949 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5950 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5951 FilterTicket: func(in []byte) ([]byte, error) {
5952 return SetShimTicketVersion(in, VersionTLS13)
5953 },
5954 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5955 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5956 flags: []string{
5957 "-ticket-key",
5958 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5959 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5960 expectResumeRejected: true,
5961 })
5962
5963 testCases = append(testCases, testCase{
5964 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5965 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5966 resumeSession: true,
5967 config: Config{
5968 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5969 Bugs: ProtocolBugs{
5970 FilterTicket: func(in []byte) ([]byte, error) {
5971 return SetShimTicketVersion(in, VersionTLS12)
5972 },
5973 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5974 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5975 flags: []string{
5976 "-ticket-key",
5977 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5978 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5979 expectResumeRejected: true,
5980 })
5981
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5982 // Resumptions are declined if the cipher is invalid or disabled.
5983 testCases = append(testCases, testCase{
5984 testType: serverTest,
5985 name: "Resume-Server-DeclineBadCipher",
5986 resumeSession: true,
5987 config: Config{
5988 MaxVersion: VersionTLS12,
5989 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5990 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5991 FilterTicket: func(in []byte) ([]byte, error) {
5992 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5993 },
5994 },
5995 },
5996 flags: []string{
5997 "-ticket-key",
5998 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5999 },
6000 expectResumeRejected: true,
6001 })
6002
6003 testCases = append(testCases, testCase{
6004 testType: serverTest,
6005 name: "Resume-Server-DeclineBadCipher-2",
6006 resumeSession: true,
6007 config: Config{
6008 MaxVersion: VersionTLS12,
6009 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6010 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6011 FilterTicket: func(in []byte) ([]byte, error) {
6012 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
6013 },
6014 },
6015 },
6016 flags: []string{
6017 "-cipher", "AES128",
6018 "-ticket-key",
6019 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6020 },
6021 expectResumeRejected: true,
6022 })
6023
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6024 // Sessions are not resumed if they do not use the preferred cipher.
6025 testCases = append(testCases, testCase{
6026 testType: serverTest,
6027 name: "Resume-Server-CipherNotPreferred",
6028 resumeSession: true,
6029 config: Config{
6030 MaxVersion: VersionTLS12,
6031 Bugs: ProtocolBugs{
6032 ExpectNewTicket: true,
6033 FilterTicket: func(in []byte) ([]byte, error) {
6034 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6035 },
6036 },
6037 },
6038 flags: []string{
6039 "-ticket-key",
6040 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6041 },
6042 shouldFail: false,
6043 expectResumeRejected: true,
6044 })
6045
6046 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6047 // PRF hashes match, but BoringSSL will always decline such resumptions.
6048 testCases = append(testCases, testCase{
6049 testType: serverTest,
6050 name: "Resume-Server-CipherNotPreferred-TLS13",
6051 resumeSession: true,
6052 config: Config{
6053 MaxVersion: VersionTLS13,
6054 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6055 Bugs: ProtocolBugs{
6056 FilterTicket: func(in []byte) ([]byte, error) {
6057 // If the client (runner) offers ChaCha20-Poly1305 first, the
6058 // server (shim) always prefers it. Switch it to AES-GCM.
6059 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6060 },
6061 },
6062 },
6063 flags: []string{
6064 "-ticket-key",
6065 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6066 },
6067 shouldFail: false,
6068 expectResumeRejected: true,
6069 })
6070
6071 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6072 testCases = append(testCases, testCase{
6073 testType: serverTest,
6074 name: "Resume-Server-DeclineBadCipher-TLS13",
6075 resumeSession: true,
6076 config: Config{
6077 MaxVersion: VersionTLS13,
6078 Bugs: ProtocolBugs{
6079 FilterTicket: func(in []byte) ([]byte, error) {
6080 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6081 },
6082 },
6083 },
6084 flags: []string{
6085 "-ticket-key",
6086 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6087 },
6088 expectResumeRejected: true,
6089 })
6090
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6091 // If the client does not offer the cipher from the session, decline to
6092 // resume. Clients are forbidden from doing this, but BoringSSL selects
6093 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6094 testCases = append(testCases, testCase{
6095 testType: serverTest,
6096 name: "Resume-Server-UnofferedCipher",
6097 resumeSession: true,
6098 config: Config{
6099 MaxVersion: VersionTLS12,
6100 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6101 },
6102 resumeConfig: &Config{
6103 MaxVersion: VersionTLS12,
6104 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6105 Bugs: ProtocolBugs{
6106 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6107 },
6108 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6109 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6110 })
6111
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6112 // In TLS 1.3, clients may advertise a cipher list which does not
6113 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6114 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6115 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6116 testCases = append(testCases, testCase{
6117 testType: serverTest,
6118 name: "Resume-Server-UnofferedCipher-TLS13",
6119 resumeSession: true,
6120 config: Config{
6121 MaxVersion: VersionTLS13,
6122 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6123 },
6124 resumeConfig: &Config{
6125 MaxVersion: VersionTLS13,
6126 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6127 Bugs: ProtocolBugs{
6128 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6129 },
6130 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6131 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6132 })
6133
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6134 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6135 testCases = append(testCases, testCase{
6136 name: "Resume-Client-CipherMismatch",
6137 resumeSession: true,
6138 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6139 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6140 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6141 },
6142 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6143 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6144 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6145 Bugs: ProtocolBugs{
6146 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6147 },
6148 },
6149 shouldFail: true,
6150 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6151 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6152
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6153 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6154 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6155 testCases = append(testCases, testCase{
6156 name: "Resume-Client-CipherMismatch-TLS13",
6157 resumeSession: true,
6158 config: Config{
6159 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6160 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6161 },
6162 resumeConfig: &Config{
6163 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6164 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6165 },
6166 })
6167
6168 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6169 testCases = append(testCases, testCase{
6170 name: "Resume-Client-PRFMismatch-TLS13",
6171 resumeSession: true,
6172 config: Config{
6173 MaxVersion: VersionTLS13,
6174 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6175 },
6176 resumeConfig: &Config{
6177 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6178 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6179 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6180 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6181 },
6182 },
6183 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6184 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6185 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6186
6187 testCases = append(testCases, testCase{
6188 testType: serverTest,
6189 name: "Resume-Server-BinderWrongLength",
6190 resumeSession: true,
6191 config: Config{
6192 MaxVersion: VersionTLS13,
6193 Bugs: ProtocolBugs{
6194 SendShortPSKBinder: true,
6195 },
6196 },
6197 shouldFail: true,
6198 expectedLocalError: "remote error: error decrypting message",
6199 expectedError: ":DIGEST_CHECK_FAILED:",
6200 })
6201
6202 testCases = append(testCases, testCase{
6203 testType: serverTest,
6204 name: "Resume-Server-NoPSKBinder",
6205 resumeSession: true,
6206 config: Config{
6207 MaxVersion: VersionTLS13,
6208 Bugs: ProtocolBugs{
6209 SendNoPSKBinder: true,
6210 },
6211 },
6212 shouldFail: true,
6213 expectedLocalError: "remote error: error decoding message",
6214 expectedError: ":DECODE_ERROR:",
6215 })
6216
6217 testCases = append(testCases, testCase{
6218 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6219 name: "Resume-Server-ExtraPSKBinder",
6220 resumeSession: true,
6221 config: Config{
6222 MaxVersion: VersionTLS13,
6223 Bugs: ProtocolBugs{
6224 SendExtraPSKBinder: true,
6225 },
6226 },
6227 shouldFail: true,
6228 expectedLocalError: "remote error: illegal parameter",
6229 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6230 })
6231
6232 testCases = append(testCases, testCase{
6233 testType: serverTest,
6234 name: "Resume-Server-ExtraIdentityNoBinder",
6235 resumeSession: true,
6236 config: Config{
6237 MaxVersion: VersionTLS13,
6238 Bugs: ProtocolBugs{
6239 ExtraPSKIdentity: true,
6240 },
6241 },
6242 shouldFail: true,
6243 expectedLocalError: "remote error: illegal parameter",
6244 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6245 })
6246
6247 testCases = append(testCases, testCase{
6248 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6249 name: "Resume-Server-InvalidPSKBinder",
6250 resumeSession: true,
6251 config: Config{
6252 MaxVersion: VersionTLS13,
6253 Bugs: ProtocolBugs{
6254 SendInvalidPSKBinder: true,
6255 },
6256 },
6257 shouldFail: true,
6258 expectedLocalError: "remote error: error decrypting message",
6259 expectedError: ":DIGEST_CHECK_FAILED:",
6260 })
6261
6262 testCases = append(testCases, testCase{
6263 testType: serverTest,
6264 name: "Resume-Server-PSKBinderFirstExtension",
6265 resumeSession: true,
6266 config: Config{
6267 MaxVersion: VersionTLS13,
6268 Bugs: ProtocolBugs{
6269 PSKBinderFirst: true,
6270 },
6271 },
6272 shouldFail: true,
6273 expectedLocalError: "remote error: illegal parameter",
6274 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6275 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6276}
6277
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6278func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6279 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6280 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6281 testType: serverTest,
6282 name: "Renegotiate-Server-Forbidden",
6283 config: Config{
6284 MaxVersion: VersionTLS12,
6285 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6286 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6287 shouldFail: true,
6288 expectedError: ":NO_RENEGOTIATION:",
6289 expectedLocalError: "remote error: no renegotiation",
6290 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6291 // The server shouldn't echo the renegotiation extension unless
6292 // requested by the client.
6293 testCases = append(testCases, testCase{
6294 testType: serverTest,
6295 name: "Renegotiate-Server-NoExt",
6296 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6297 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6298 Bugs: ProtocolBugs{
6299 NoRenegotiationInfo: true,
6300 RequireRenegotiationInfo: true,
6301 },
6302 },
6303 shouldFail: true,
6304 expectedLocalError: "renegotiation extension missing",
6305 })
6306 // The renegotiation SCSV should be sufficient for the server to echo
6307 // the extension.
6308 testCases = append(testCases, testCase{
6309 testType: serverTest,
6310 name: "Renegotiate-Server-NoExt-SCSV",
6311 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6312 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6313 Bugs: ProtocolBugs{
6314 NoRenegotiationInfo: true,
6315 SendRenegotiationSCSV: true,
6316 RequireRenegotiationInfo: true,
6317 },
6318 },
6319 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6320 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6321 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6322 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6323 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6324 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6325 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6326 },
6327 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6328 renegotiate: 1,
6329 flags: []string{
6330 "-renegotiate-freely",
6331 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6332 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6333 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6334 })
6335 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6336 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6337 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6338 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6339 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6340 Bugs: ProtocolBugs{
6341 EmptyRenegotiationInfo: true,
6342 },
6343 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6344 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6345 shouldFail: true,
6346 expectedError: ":RENEGOTIATION_MISMATCH:",
6347 })
6348 testCases = append(testCases, testCase{
6349 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6350 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6351 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6352 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6353 Bugs: ProtocolBugs{
6354 BadRenegotiationInfo: true,
6355 },
6356 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6357 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6358 shouldFail: true,
6359 expectedError: ":RENEGOTIATION_MISMATCH:",
6360 })
6361 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6362 name: "Renegotiate-Client-Downgrade",
6363 renegotiate: 1,
6364 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6365 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6366 Bugs: ProtocolBugs{
6367 NoRenegotiationInfoAfterInitial: true,
6368 },
6369 },
6370 flags: []string{"-renegotiate-freely"},
6371 shouldFail: true,
6372 expectedError: ":RENEGOTIATION_MISMATCH:",
6373 })
6374 testCases = append(testCases, testCase{
6375 name: "Renegotiate-Client-Upgrade",
6376 renegotiate: 1,
6377 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6378 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6379 Bugs: ProtocolBugs{
6380 NoRenegotiationInfoInInitial: true,
6381 },
6382 },
6383 flags: []string{"-renegotiate-freely"},
6384 shouldFail: true,
6385 expectedError: ":RENEGOTIATION_MISMATCH:",
6386 })
6387 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6388 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6389 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6390 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6391 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6392 Bugs: ProtocolBugs{
6393 NoRenegotiationInfo: true,
6394 },
6395 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6396 flags: []string{
6397 "-renegotiate-freely",
6398 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6399 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6400 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6401 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6402
6403 // Test that the server may switch ciphers on renegotiation without
6404 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6405 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6406 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6407 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6408 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6409 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6410 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6411 },
6412 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6413 flags: []string{
6414 "-renegotiate-freely",
6415 "-expect-total-renegotiations", "1",
6416 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6417 })
6418 testCases = append(testCases, testCase{
6419 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6420 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6421 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6422 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6423 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6424 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6425 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6426 flags: []string{
6427 "-renegotiate-freely",
6428 "-expect-total-renegotiations", "1",
6429 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6430 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6431
6432 // Test that the server may not switch versions on renegotiation.
6433 testCases = append(testCases, testCase{
6434 name: "Renegotiate-Client-SwitchVersion",
6435 config: Config{
6436 MaxVersion: VersionTLS12,
6437 // Pick a cipher which exists at both versions.
6438 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6439 Bugs: ProtocolBugs{
6440 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6441 // Avoid failing early at the record layer.
6442 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6443 },
6444 },
6445 renegotiate: 1,
6446 flags: []string{
6447 "-renegotiate-freely",
6448 "-expect-total-renegotiations", "1",
6449 },
6450 shouldFail: true,
6451 expectedError: ":WRONG_SSL_VERSION:",
6452 })
6453
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6454 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6455 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6456 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6457 config: Config{
6458 MaxVersion: VersionTLS10,
6459 Bugs: ProtocolBugs{
6460 RequireSameRenegoClientVersion: true,
6461 },
6462 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6463 flags: []string{
6464 "-renegotiate-freely",
6465 "-expect-total-renegotiations", "1",
6466 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6467 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6468 testCases = append(testCases, testCase{
6469 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6470 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6471 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6472 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6473 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6474 NextProtos: []string{"foo"},
6475 },
6476 flags: []string{
6477 "-false-start",
6478 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6479 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6480 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6481 },
6482 shimWritesFirst: true,
6483 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6484
6485 // Client-side renegotiation controls.
6486 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6487 name: "Renegotiate-Client-Forbidden-1",
6488 config: Config{
6489 MaxVersion: VersionTLS12,
6490 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6491 renegotiate: 1,
6492 shouldFail: true,
6493 expectedError: ":NO_RENEGOTIATION:",
6494 expectedLocalError: "remote error: no renegotiation",
6495 })
6496 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6497 name: "Renegotiate-Client-Once-1",
6498 config: Config{
6499 MaxVersion: VersionTLS12,
6500 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6501 renegotiate: 1,
6502 flags: []string{
6503 "-renegotiate-once",
6504 "-expect-total-renegotiations", "1",
6505 },
6506 })
6507 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6508 name: "Renegotiate-Client-Freely-1",
6509 config: Config{
6510 MaxVersion: VersionTLS12,
6511 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6512 renegotiate: 1,
6513 flags: []string{
6514 "-renegotiate-freely",
6515 "-expect-total-renegotiations", "1",
6516 },
6517 })
6518 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6519 name: "Renegotiate-Client-Once-2",
6520 config: Config{
6521 MaxVersion: VersionTLS12,
6522 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6523 renegotiate: 2,
6524 flags: []string{"-renegotiate-once"},
6525 shouldFail: true,
6526 expectedError: ":NO_RENEGOTIATION:",
6527 expectedLocalError: "remote error: no renegotiation",
6528 })
6529 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6530 name: "Renegotiate-Client-Freely-2",
6531 config: Config{
6532 MaxVersion: VersionTLS12,
6533 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6534 renegotiate: 2,
6535 flags: []string{
6536 "-renegotiate-freely",
6537 "-expect-total-renegotiations", "2",
6538 },
6539 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6540 testCases = append(testCases, testCase{
6541 name: "Renegotiate-Client-NoIgnore",
6542 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6543 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6544 Bugs: ProtocolBugs{
6545 SendHelloRequestBeforeEveryAppDataRecord: true,
6546 },
6547 },
6548 shouldFail: true,
6549 expectedError: ":NO_RENEGOTIATION:",
6550 })
6551 testCases = append(testCases, testCase{
6552 name: "Renegotiate-Client-Ignore",
6553 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6554 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6555 Bugs: ProtocolBugs{
6556 SendHelloRequestBeforeEveryAppDataRecord: true,
6557 },
6558 },
6559 flags: []string{
6560 "-renegotiate-ignore",
6561 "-expect-total-renegotiations", "0",
6562 },
6563 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6564
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6565 // Renegotiation is not allowed at SSL 3.0.
6566 testCases = append(testCases, testCase{
6567 name: "Renegotiate-Client-SSL3",
6568 config: Config{
6569 MaxVersion: VersionSSL30,
6570 },
6571 renegotiate: 1,
6572 flags: []string{
6573 "-renegotiate-freely",
6574 "-expect-total-renegotiations", "1",
6575 },
6576 shouldFail: true,
6577 expectedError: ":NO_RENEGOTIATION:",
6578 expectedLocalError: "remote error: no renegotiation",
6579 })
6580
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6581 // Renegotiation is not allowed when there is an unfinished write.
6582 testCases = append(testCases, testCase{
6583 name: "Renegotiate-Client-UnfinishedWrite",
6584 config: Config{
6585 MaxVersion: VersionTLS12,
6586 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6587 renegotiate: 1,
6588 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6589 flags: []string{
6590 "-async",
6591 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6592 },
6593 shouldFail: true,
6594 expectedError: ":NO_RENEGOTIATION:",
6595 // We do not successfully send the no_renegotiation alert in
6596 // this case. https://crbug.com/boringssl/130
6597 })
6598
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6599 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6600 testCases = append(testCases, testCase{
6601 name: "StrayHelloRequest",
6602 config: Config{
6603 MaxVersion: VersionTLS12,
6604 Bugs: ProtocolBugs{
6605 SendHelloRequestBeforeEveryHandshakeMessage: true,
6606 },
6607 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6608 shouldFail: true,
6609 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6610 })
6611 testCases = append(testCases, testCase{
6612 name: "StrayHelloRequest-Packed",
6613 config: Config{
6614 MaxVersion: VersionTLS12,
6615 Bugs: ProtocolBugs{
6616 PackHandshakeFlight: true,
6617 SendHelloRequestBeforeEveryHandshakeMessage: true,
6618 },
6619 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6620 shouldFail: true,
6621 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6622 })
6623
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6624 // Test renegotiation works if HelloRequest and server Finished come in
6625 // the same record.
6626 testCases = append(testCases, testCase{
6627 name: "Renegotiate-Client-Packed",
6628 config: Config{
6629 MaxVersion: VersionTLS12,
6630 Bugs: ProtocolBugs{
6631 PackHandshakeFlight: true,
6632 PackHelloRequestWithFinished: true,
6633 },
6634 },
6635 renegotiate: 1,
6636 flags: []string{
6637 "-renegotiate-freely",
6638 "-expect-total-renegotiations", "1",
6639 },
6640 })
6641
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6642 // Renegotiation is forbidden in TLS 1.3.
6643 testCases = append(testCases, testCase{
6644 name: "Renegotiate-Client-TLS13",
6645 config: Config{
6646 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6647 Bugs: ProtocolBugs{
6648 SendHelloRequestBeforeEveryAppDataRecord: true,
6649 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6650 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6651 flags: []string{
6652 "-renegotiate-freely",
6653 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6654 shouldFail: true,
6655 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6656 })
6657
6658 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6659 testCases = append(testCases, testCase{
6660 name: "StrayHelloRequest-TLS13",
6661 config: Config{
6662 MaxVersion: VersionTLS13,
6663 Bugs: ProtocolBugs{
6664 SendHelloRequestBeforeEveryHandshakeMessage: true,
6665 },
6666 },
6667 shouldFail: true,
6668 expectedError: ":UNEXPECTED_MESSAGE:",
6669 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6670
6671 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6672 // always reads as supporting it, regardless of whether it was
6673 // negotiated.
6674 testCases = append(testCases, testCase{
6675 name: "AlwaysReportRenegotiationInfo-TLS13",
6676 config: Config{
6677 MaxVersion: VersionTLS13,
6678 Bugs: ProtocolBugs{
6679 NoRenegotiationInfo: true,
6680 },
6681 },
6682 flags: []string{
6683 "-expect-secure-renegotiation",
6684 },
6685 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6686
6687 // Certificates may not change on renegotiation.
6688 testCases = append(testCases, testCase{
6689 name: "Renegotiation-CertificateChange",
6690 config: Config{
6691 MaxVersion: VersionTLS12,
6692 Certificates: []Certificate{rsaCertificate},
6693 Bugs: ProtocolBugs{
6694 RenegotiationCertificate: &rsaChainCertificate,
6695 },
6696 },
6697 renegotiate: 1,
6698 flags: []string{"-renegotiate-freely"},
6699 shouldFail: true,
6700 expectedError: ":SERVER_CERT_CHANGED:",
6701 })
6702 testCases = append(testCases, testCase{
6703 name: "Renegotiation-CertificateChange-2",
6704 config: Config{
6705 MaxVersion: VersionTLS12,
6706 Certificates: []Certificate{rsaCertificate},
6707 Bugs: ProtocolBugs{
6708 RenegotiationCertificate: &rsa1024Certificate,
6709 },
6710 },
6711 renegotiate: 1,
6712 flags: []string{"-renegotiate-freely"},
6713 shouldFail: true,
6714 expectedError: ":SERVER_CERT_CHANGED:",
6715 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6716
6717 // We do not negotiate ALPN after the initial handshake. This is
6718 // error-prone and only risks bugs in consumers.
6719 testCases = append(testCases, testCase{
6720 testType: clientTest,
6721 name: "Renegotiation-ForbidALPN",
6722 config: Config{
6723 MaxVersion: VersionTLS12,
6724 Bugs: ProtocolBugs{
6725 // Forcibly negotiate ALPN on both initial and
6726 // renegotiation handshakes. The test stack will
6727 // internally check the client does not offer
6728 // it.
6729 SendALPN: "foo",
6730 },
6731 },
6732 flags: []string{
6733 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6734 "-expect-alpn", "foo",
6735 "-renegotiate-freely",
6736 },
6737 renegotiate: 1,
6738 shouldFail: true,
6739 expectedError: ":UNEXPECTED_EXTENSION:",
6740 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6741}
6742
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6743func addDTLSReplayTests() {
6744 // Test that sequence number replays are detected.
6745 testCases = append(testCases, testCase{
6746 protocol: dtls,
6747 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6748 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6749 replayWrites: true,
6750 })
6751
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6752 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6753 // than the retransmit window.
6754 testCases = append(testCases, testCase{
6755 protocol: dtls,
6756 name: "DTLS-Replay-LargeGaps",
6757 config: Config{
6758 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6759 SequenceNumberMapping: func(in uint64) uint64 {
6760 return in * 127
6761 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6762 },
6763 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6764 messageCount: 200,
6765 replayWrites: true,
6766 })
6767
6768 // Test the incoming sequence number changing non-monotonically.
6769 testCases = append(testCases, testCase{
6770 protocol: dtls,
6771 name: "DTLS-Replay-NonMonotonic",
6772 config: Config{
6773 Bugs: ProtocolBugs{
6774 SequenceNumberMapping: func(in uint64) uint64 {
6775 return in ^ 31
6776 },
6777 },
6778 },
6779 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6780 replayWrites: true,
6781 })
6782}
6783
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6784var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6785 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6786 id signatureAlgorithm
6787 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6788}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6789 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6790 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6791 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6792 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6793 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6794 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6795 // hash function doesn't have to match the curve and so the same
6796 // signature algorithm works with P-224.
6797 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6798 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6799 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6800 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6801 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6802 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6803 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6804 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6805 // Tests for key types prior to TLS 1.2.
6806 {"RSA", 0, testCertRSA},
6807 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6808}
6809
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6810const fakeSigAlg1 signatureAlgorithm = 0x2a01
6811const fakeSigAlg2 signatureAlgorithm = 0xff01
6812
6813func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6814 // Not all ciphers involve a signature. Advertise a list which gives all
6815 // versions a signing cipher.
6816 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6817 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6818 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6819 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6820 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6821 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6822 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6823
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6824 var allAlgorithms []signatureAlgorithm
6825 for _, alg := range testSignatureAlgorithms {
6826 if alg.id != 0 {
6827 allAlgorithms = append(allAlgorithms, alg.id)
6828 }
6829 }
6830
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6831 // Make sure each signature algorithm works. Include some fake values in
6832 // the list and ensure they're ignored.
6833 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6834 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6835 if (ver.version < VersionTLS12) != (alg.id == 0) {
6836 continue
6837 }
6838
6839 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6840 // or remove it in C.
6841 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6842 continue
6843 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6844
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6845 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6846 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6847 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6848 shouldSignFail = true
6849 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6850 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6851 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6852 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6853 shouldSignFail = true
6854 shouldVerifyFail = true
6855 }
6856 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6857 // the curve has to match the hash size.
6858 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6859 shouldSignFail = true
6860 shouldVerifyFail = true
6861 }
6862
6863 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6864 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6865 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6866 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6867
6868 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6869 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6870 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6871 }
6872 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6873 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6874 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6875
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6876 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6877
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6878 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6879 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6880 config: Config{
6881 MaxVersion: ver.version,
6882 ClientAuth: RequireAnyClientCert,
6883 VerifySignatureAlgorithms: []signatureAlgorithm{
6884 fakeSigAlg1,
6885 alg.id,
6886 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6887 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6888 },
6889 flags: []string{
6890 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6891 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6892 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6893 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6894 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6895 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6896 expectedError: signError,
6897 expectedPeerSignatureAlgorithm: alg.id,
6898 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6899
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6900 testCases = append(testCases, testCase{
6901 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6902 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6903 config: Config{
6904 MaxVersion: ver.version,
6905 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6906 SignSignatureAlgorithms: []signatureAlgorithm{
6907 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6908 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6909 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6910 SkipECDSACurveCheck: shouldVerifyFail,
6911 IgnoreSignatureVersionChecks: shouldVerifyFail,
6912 // Some signature algorithms may not be advertised.
6913 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6914 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6915 },
6916 flags: []string{
6917 "-require-any-client-certificate",
6918 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6919 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6920 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6921 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6922 // Resume the session to assert the peer signature
6923 // algorithm is reported on both handshakes.
6924 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6925 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6926 expectedError: verifyError,
6927 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6928
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6929 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]6930 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6931 testCases = append(testCases, testCase{
6932 testType: serverTest,
6933 name: "ServerAuth-Sign" + suffix,
6934 config: Config{
6935 MaxVersion: ver.version,
6936 CipherSuites: signingCiphers,
6937 VerifySignatureAlgorithms: []signatureAlgorithm{
6938 fakeSigAlg1,
6939 alg.id,
6940 fakeSigAlg2,
6941 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6942 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6943 flags: []string{
6944 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6945 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6946 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6947 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6948 },
6949 shouldFail: shouldSignFail,
6950 expectedError: signError,
6951 expectedPeerSignatureAlgorithm: alg.id,
6952 })
6953 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6954
6955 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6956 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6957 config: Config{
6958 MaxVersion: ver.version,
6959 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6960 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6961 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6962 alg.id,
6963 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6964 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6965 SkipECDSACurveCheck: shouldVerifyFail,
6966 IgnoreSignatureVersionChecks: shouldVerifyFail,
6967 // Some signature algorithms may not be advertised.
6968 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6969 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6970 },
6971 flags: []string{
6972 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6973 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6974 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6975 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6976 // Resume the session to assert the peer signature
6977 // algorithm is reported on both handshakes.
6978 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6979 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6980 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6981 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6982
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6983 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6984 testCases = append(testCases, testCase{
6985 testType: serverTest,
6986 name: "ClientAuth-InvalidSignature" + suffix,
6987 config: Config{
6988 MaxVersion: ver.version,
6989 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6990 SignSignatureAlgorithms: []signatureAlgorithm{
6991 alg.id,
6992 },
6993 Bugs: ProtocolBugs{
6994 InvalidSignature: true,
6995 },
6996 },
6997 flags: []string{
6998 "-require-any-client-certificate",
6999 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7000 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7001 },
7002 shouldFail: true,
7003 expectedError: ":BAD_SIGNATURE:",
7004 })
7005
7006 testCases = append(testCases, testCase{
7007 name: "ServerAuth-InvalidSignature" + suffix,
7008 config: Config{
7009 MaxVersion: ver.version,
7010 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7011 CipherSuites: signingCiphers,
7012 SignSignatureAlgorithms: []signatureAlgorithm{
7013 alg.id,
7014 },
7015 Bugs: ProtocolBugs{
7016 InvalidSignature: true,
7017 },
7018 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7019 flags: []string{
7020 "-enable-all-curves",
7021 "-enable-ed25519",
7022 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7023 shouldFail: true,
7024 expectedError: ":BAD_SIGNATURE:",
7025 })
7026 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7027
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7028 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7029 testCases = append(testCases, testCase{
7030 name: "ClientAuth-Sign-Negotiate" + suffix,
7031 config: Config{
7032 MaxVersion: ver.version,
7033 ClientAuth: RequireAnyClientCert,
7034 VerifySignatureAlgorithms: allAlgorithms,
7035 },
7036 flags: []string{
7037 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7038 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7039 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7040 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7041 "-signing-prefs", strconv.Itoa(int(alg.id)),
7042 },
7043 expectedPeerSignatureAlgorithm: alg.id,
7044 })
7045
7046 testCases = append(testCases, testCase{
7047 testType: serverTest,
7048 name: "ServerAuth-Sign-Negotiate" + suffix,
7049 config: Config{
7050 MaxVersion: ver.version,
7051 CipherSuites: signingCiphers,
7052 VerifySignatureAlgorithms: allAlgorithms,
7053 },
7054 flags: []string{
7055 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7056 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7057 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7058 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7059 "-signing-prefs", strconv.Itoa(int(alg.id)),
7060 },
7061 expectedPeerSignatureAlgorithm: alg.id,
7062 })
7063 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7064 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7065 }
7066
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7067 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7068 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7069 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7070 config: Config{
7071 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7072 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7073 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7074 signatureECDSAWithP521AndSHA512,
7075 signatureRSAPKCS1WithSHA384,
7076 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7077 },
7078 },
7079 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7080 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7081 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7082 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7083 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7084 })
7085
7086 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7087 name: "ClientAuth-SignatureType-TLS13",
7088 config: Config{
7089 ClientAuth: RequireAnyClientCert,
7090 MaxVersion: VersionTLS13,
7091 VerifySignatureAlgorithms: []signatureAlgorithm{
7092 signatureECDSAWithP521AndSHA512,
7093 signatureRSAPKCS1WithSHA384,
7094 signatureRSAPSSWithSHA384,
7095 signatureECDSAWithSHA1,
7096 },
7097 },
7098 flags: []string{
7099 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7100 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7101 },
7102 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7103 })
7104
7105 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7106 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7107 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7108 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7109 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7110 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7111 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7112 signatureECDSAWithP521AndSHA512,
7113 signatureRSAPKCS1WithSHA384,
7114 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7115 },
7116 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7117 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7118 })
7119
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7120 testCases = append(testCases, testCase{
7121 testType: serverTest,
7122 name: "ServerAuth-SignatureType-TLS13",
7123 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7124 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7125 VerifySignatureAlgorithms: []signatureAlgorithm{
7126 signatureECDSAWithP521AndSHA512,
7127 signatureRSAPKCS1WithSHA384,
7128 signatureRSAPSSWithSHA384,
7129 signatureECDSAWithSHA1,
7130 },
7131 },
7132 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7133 })
7134
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7135 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7136 testCases = append(testCases, testCase{
7137 testType: serverTest,
7138 name: "Verify-ClientAuth-SignatureType",
7139 config: Config{
7140 MaxVersion: VersionTLS12,
7141 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7142 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7143 signatureRSAPKCS1WithSHA256,
7144 },
7145 Bugs: ProtocolBugs{
7146 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7147 },
7148 },
7149 flags: []string{
7150 "-require-any-client-certificate",
7151 },
7152 shouldFail: true,
7153 expectedError: ":WRONG_SIGNATURE_TYPE:",
7154 })
7155
7156 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7157 testType: serverTest,
7158 name: "Verify-ClientAuth-SignatureType-TLS13",
7159 config: Config{
7160 MaxVersion: VersionTLS13,
7161 Certificates: []Certificate{rsaCertificate},
7162 SignSignatureAlgorithms: []signatureAlgorithm{
7163 signatureRSAPSSWithSHA256,
7164 },
7165 Bugs: ProtocolBugs{
7166 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7167 },
7168 },
7169 flags: []string{
7170 "-require-any-client-certificate",
7171 },
7172 shouldFail: true,
7173 expectedError: ":WRONG_SIGNATURE_TYPE:",
7174 })
7175
7176 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7177 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7178 config: Config{
7179 MaxVersion: VersionTLS12,
7180 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7181 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7182 signatureRSAPKCS1WithSHA256,
7183 },
7184 Bugs: ProtocolBugs{
7185 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7186 },
7187 },
7188 shouldFail: true,
7189 expectedError: ":WRONG_SIGNATURE_TYPE:",
7190 })
7191
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7192 testCases = append(testCases, testCase{
7193 name: "Verify-ServerAuth-SignatureType-TLS13",
7194 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7195 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7196 SignSignatureAlgorithms: []signatureAlgorithm{
7197 signatureRSAPSSWithSHA256,
7198 },
7199 Bugs: ProtocolBugs{
7200 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7201 },
7202 },
7203 shouldFail: true,
7204 expectedError: ":WRONG_SIGNATURE_TYPE:",
7205 })
7206
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7207 // Test that, if the list is missing, the peer falls back to SHA-1 in
7208 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7209 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7210 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7211 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7212 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7213 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7214 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7215 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7216 },
7217 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7218 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7219 },
7220 },
7221 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7222 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7223 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7224 },
7225 })
7226
7227 testCases = append(testCases, testCase{
7228 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7229 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7230 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7231 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7232 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7233 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7234 },
7235 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7236 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7237 },
7238 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7239 flags: []string{
7240 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7241 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7242 },
7243 })
7244
7245 testCases = append(testCases, testCase{
7246 name: "ClientAuth-SHA1-Fallback-ECDSA",
7247 config: Config{
7248 MaxVersion: VersionTLS12,
7249 ClientAuth: RequireAnyClientCert,
7250 VerifySignatureAlgorithms: []signatureAlgorithm{
7251 signatureECDSAWithSHA1,
7252 },
7253 Bugs: ProtocolBugs{
7254 NoSignatureAlgorithms: true,
7255 },
7256 },
7257 flags: []string{
7258 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7259 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7260 },
7261 })
7262
7263 testCases = append(testCases, testCase{
7264 testType: serverTest,
7265 name: "ServerAuth-SHA1-Fallback-ECDSA",
7266 config: Config{
7267 MaxVersion: VersionTLS12,
7268 VerifySignatureAlgorithms: []signatureAlgorithm{
7269 signatureECDSAWithSHA1,
7270 },
7271 Bugs: ProtocolBugs{
7272 NoSignatureAlgorithms: true,
7273 },
7274 },
7275 flags: []string{
7276 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7277 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7278 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7279 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7280
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7281 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7282 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7283 config: Config{
7284 MaxVersion: VersionTLS13,
7285 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7286 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7287 signatureRSAPKCS1WithSHA1,
7288 },
7289 Bugs: ProtocolBugs{
7290 NoSignatureAlgorithms: true,
7291 },
7292 },
7293 flags: []string{
7294 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7295 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7296 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7297 shouldFail: true,
7298 // An empty CertificateRequest signature algorithm list is a
7299 // syntax error in TLS 1.3.
7300 expectedError: ":DECODE_ERROR:",
7301 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7302 })
7303
7304 testCases = append(testCases, testCase{
7305 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7306 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7307 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7308 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7309 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7310 signatureRSAPKCS1WithSHA1,
7311 },
7312 Bugs: ProtocolBugs{
7313 NoSignatureAlgorithms: true,
7314 },
7315 },
7316 shouldFail: true,
7317 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7318 })
7319
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7320 // Test that hash preferences are enforced. BoringSSL does not implement
7321 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7322 testCases = append(testCases, testCase{
7323 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7324 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7325 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7326 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7327 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7328 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7329 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7330 },
7331 Bugs: ProtocolBugs{
7332 IgnorePeerSignatureAlgorithmPreferences: true,
7333 },
7334 },
7335 flags: []string{"-require-any-client-certificate"},
7336 shouldFail: true,
7337 expectedError: ":WRONG_SIGNATURE_TYPE:",
7338 })
7339
7340 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7341 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7342 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7343 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7344 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7345 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7346 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7347 },
7348 Bugs: ProtocolBugs{
7349 IgnorePeerSignatureAlgorithmPreferences: true,
7350 },
7351 },
7352 shouldFail: true,
7353 expectedError: ":WRONG_SIGNATURE_TYPE:",
7354 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7355 testCases = append(testCases, testCase{
7356 testType: serverTest,
7357 name: "ClientAuth-Enforced-TLS13",
7358 config: Config{
7359 MaxVersion: VersionTLS13,
7360 Certificates: []Certificate{rsaCertificate},
7361 SignSignatureAlgorithms: []signatureAlgorithm{
7362 signatureRSAPKCS1WithMD5,
7363 },
7364 Bugs: ProtocolBugs{
7365 IgnorePeerSignatureAlgorithmPreferences: true,
7366 IgnoreSignatureVersionChecks: true,
7367 },
7368 },
7369 flags: []string{"-require-any-client-certificate"},
7370 shouldFail: true,
7371 expectedError: ":WRONG_SIGNATURE_TYPE:",
7372 })
7373
7374 testCases = append(testCases, testCase{
7375 name: "ServerAuth-Enforced-TLS13",
7376 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7377 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7378 SignSignatureAlgorithms: []signatureAlgorithm{
7379 signatureRSAPKCS1WithMD5,
7380 },
7381 Bugs: ProtocolBugs{
7382 IgnorePeerSignatureAlgorithmPreferences: true,
7383 IgnoreSignatureVersionChecks: true,
7384 },
7385 },
7386 shouldFail: true,
7387 expectedError: ":WRONG_SIGNATURE_TYPE:",
7388 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7389
7390 // Test that the agreed upon digest respects the client preferences and
7391 // the server digests.
7392 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7393 name: "NoCommonAlgorithms-Digests",
7394 config: Config{
7395 MaxVersion: VersionTLS12,
7396 ClientAuth: RequireAnyClientCert,
7397 VerifySignatureAlgorithms: []signatureAlgorithm{
7398 signatureRSAPKCS1WithSHA512,
7399 signatureRSAPKCS1WithSHA1,
7400 },
7401 },
7402 flags: []string{
7403 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7404 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7405 "-digest-prefs", "SHA256",
7406 },
7407 shouldFail: true,
7408 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7409 })
7410 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7411 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7412 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7413 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7414 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7415 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7416 signatureRSAPKCS1WithSHA512,
7417 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7418 },
7419 },
7420 flags: []string{
7421 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7422 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7423 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7424 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7425 shouldFail: true,
7426 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7427 })
7428 testCases = append(testCases, testCase{
7429 name: "NoCommonAlgorithms-TLS13",
7430 config: Config{
7431 MaxVersion: VersionTLS13,
7432 ClientAuth: RequireAnyClientCert,
7433 VerifySignatureAlgorithms: []signatureAlgorithm{
7434 signatureRSAPSSWithSHA512,
7435 signatureRSAPSSWithSHA384,
7436 },
7437 },
7438 flags: []string{
7439 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7440 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7441 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7442 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7443 shouldFail: true,
7444 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7445 })
7446 testCases = append(testCases, testCase{
7447 name: "Agree-Digest-SHA256",
7448 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7449 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7450 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7451 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7452 signatureRSAPKCS1WithSHA1,
7453 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7454 },
7455 },
7456 flags: []string{
7457 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7458 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7459 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7460 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7461 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7462 })
7463 testCases = append(testCases, testCase{
7464 name: "Agree-Digest-SHA1",
7465 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7466 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7467 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7468 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7469 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7470 },
7471 },
7472 flags: []string{
7473 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7474 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7475 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7476 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7477 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7478 })
7479 testCases = append(testCases, testCase{
7480 name: "Agree-Digest-Default",
7481 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7482 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7483 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7484 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7485 signatureRSAPKCS1WithSHA256,
7486 signatureECDSAWithP256AndSHA256,
7487 signatureRSAPKCS1WithSHA1,
7488 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7489 },
7490 },
7491 flags: []string{
7492 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7493 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7494 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7495 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7496 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7497
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7498 // Test that the signing preference list may include extra algorithms
7499 // without negotiation problems.
7500 testCases = append(testCases, testCase{
7501 testType: serverTest,
7502 name: "FilterExtraAlgorithms",
7503 config: Config{
7504 MaxVersion: VersionTLS12,
7505 VerifySignatureAlgorithms: []signatureAlgorithm{
7506 signatureRSAPKCS1WithSHA256,
7507 },
7508 },
7509 flags: []string{
7510 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7511 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7512 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7513 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7514 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7515 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7516 },
7517 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7518 })
7519
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7520 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7521 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7522 testCases = append(testCases, testCase{
7523 name: "CheckLeafCurve",
7524 config: Config{
7525 MaxVersion: VersionTLS12,
7526 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7527 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7528 },
7529 flags: []string{"-p384-only"},
7530 shouldFail: true,
7531 expectedError: ":BAD_ECC_CERT:",
7532 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7533
7534 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7535 testCases = append(testCases, testCase{
7536 name: "CheckLeafCurve-TLS13",
7537 config: Config{
7538 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7539 Certificates: []Certificate{ecdsaP256Certificate},
7540 },
7541 flags: []string{"-p384-only"},
7542 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7543
7544 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7545 testCases = append(testCases, testCase{
7546 name: "ECDSACurveMismatch-Verify-TLS12",
7547 config: Config{
7548 MaxVersion: VersionTLS12,
7549 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7550 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7551 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7552 signatureECDSAWithP384AndSHA384,
7553 },
7554 },
7555 })
7556
7557 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7558 testCases = append(testCases, testCase{
7559 name: "ECDSACurveMismatch-Verify-TLS13",
7560 config: Config{
7561 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7562 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7563 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7564 signatureECDSAWithP384AndSHA384,
7565 },
7566 Bugs: ProtocolBugs{
7567 SkipECDSACurveCheck: true,
7568 },
7569 },
7570 shouldFail: true,
7571 expectedError: ":WRONG_SIGNATURE_TYPE:",
7572 })
7573
7574 // Signature algorithm selection in TLS 1.3 should take the curve into
7575 // account.
7576 testCases = append(testCases, testCase{
7577 testType: serverTest,
7578 name: "ECDSACurveMismatch-Sign-TLS13",
7579 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7580 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7581 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7582 signatureECDSAWithP384AndSHA384,
7583 signatureECDSAWithP256AndSHA256,
7584 },
7585 },
7586 flags: []string{
7587 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7588 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7589 },
7590 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7591 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7592
7593 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7594 // server does not attempt to sign in that case.
7595 testCases = append(testCases, testCase{
7596 testType: serverTest,
7597 name: "RSA-PSS-Large",
7598 config: Config{
7599 MaxVersion: VersionTLS13,
7600 VerifySignatureAlgorithms: []signatureAlgorithm{
7601 signatureRSAPSSWithSHA512,
7602 },
7603 },
7604 flags: []string{
7605 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7606 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7607 },
7608 shouldFail: true,
7609 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7610 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7611
7612 // Test that RSA-PSS is enabled by default for TLS 1.2.
7613 testCases = append(testCases, testCase{
7614 testType: clientTest,
7615 name: "RSA-PSS-Default-Verify",
7616 config: Config{
7617 MaxVersion: VersionTLS12,
7618 SignSignatureAlgorithms: []signatureAlgorithm{
7619 signatureRSAPSSWithSHA256,
7620 },
7621 },
7622 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7623 })
7624
7625 testCases = append(testCases, testCase{
7626 testType: serverTest,
7627 name: "RSA-PSS-Default-Sign",
7628 config: Config{
7629 MaxVersion: VersionTLS12,
7630 VerifySignatureAlgorithms: []signatureAlgorithm{
7631 signatureRSAPSSWithSHA256,
7632 },
7633 },
7634 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7635 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7636
7637 // TLS 1.1 and below has no way to advertise support for or negotiate
7638 // Ed25519's signature algorithm.
7639 testCases = append(testCases, testCase{
7640 testType: clientTest,
7641 name: "NoEd25519-TLS11-ServerAuth-Verify",
7642 config: Config{
7643 MaxVersion: VersionTLS11,
7644 Certificates: []Certificate{ed25519Certificate},
7645 Bugs: ProtocolBugs{
7646 // Sign with Ed25519 even though it is TLS 1.1.
7647 UseLegacySigningAlgorithm: signatureEd25519,
7648 },
7649 },
7650 flags: []string{"-enable-ed25519"},
7651 shouldFail: true,
7652 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7653 })
7654 testCases = append(testCases, testCase{
7655 testType: serverTest,
7656 name: "NoEd25519-TLS11-ServerAuth-Sign",
7657 config: Config{
7658 MaxVersion: VersionTLS11,
7659 },
7660 flags: []string{
7661 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7662 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7663 },
7664 shouldFail: true,
7665 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7666 })
7667 testCases = append(testCases, testCase{
7668 testType: serverTest,
7669 name: "NoEd25519-TLS11-ClientAuth-Verify",
7670 config: Config{
7671 MaxVersion: VersionTLS11,
7672 Certificates: []Certificate{ed25519Certificate},
7673 Bugs: ProtocolBugs{
7674 // Sign with Ed25519 even though it is TLS 1.1.
7675 UseLegacySigningAlgorithm: signatureEd25519,
7676 },
7677 },
7678 flags: []string{
7679 "-enable-ed25519",
7680 "-require-any-client-certificate",
7681 },
7682 shouldFail: true,
7683 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7684 })
7685 testCases = append(testCases, testCase{
7686 testType: clientTest,
7687 name: "NoEd25519-TLS11-ClientAuth-Sign",
7688 config: Config{
7689 MaxVersion: VersionTLS11,
7690 ClientAuth: RequireAnyClientCert,
7691 },
7692 flags: []string{
7693 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7694 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7695 },
7696 shouldFail: true,
7697 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7698 })
7699
7700 // Test Ed25519 is not advertised by default.
7701 testCases = append(testCases, testCase{
7702 testType: clientTest,
7703 name: "Ed25519DefaultDisable-NoAdvertise",
7704 config: Config{
7705 Certificates: []Certificate{ed25519Certificate},
7706 },
7707 shouldFail: true,
7708 expectedLocalError: "tls: no common signature algorithms",
7709 })
7710
7711 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7712 // preferences.
7713 testCases = append(testCases, testCase{
7714 testType: clientTest,
7715 name: "Ed25519DefaultDisable-NoAccept",
7716 config: Config{
7717 Certificates: []Certificate{ed25519Certificate},
7718 Bugs: ProtocolBugs{
7719 IgnorePeerSignatureAlgorithmPreferences: true,
7720 },
7721 },
7722 shouldFail: true,
7723 expectedLocalError: "remote error: illegal parameter",
7724 expectedError: ":WRONG_SIGNATURE_TYPE:",
7725 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame]7726
7727 // Test that configuring verify preferences changes what the client
7728 // advertises.
7729 testCases = append(testCases, testCase{
7730 name: "VerifyPreferences-Advertised",
7731 config: Config{
7732 Certificates: []Certificate{rsaCertificate},
7733 SignSignatureAlgorithms: []signatureAlgorithm{
7734 signatureRSAPSSWithSHA256,
7735 signatureRSAPSSWithSHA384,
7736 signatureRSAPSSWithSHA512,
7737 },
7738 },
7739 flags: []string{
7740 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7741 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7742 },
7743 })
7744
7745 // Test that the client advertises a set which the runner can find
7746 // nothing in common with.
7747 testCases = append(testCases, testCase{
7748 name: "VerifyPreferences-NoCommonAlgorithms",
7749 config: Config{
7750 Certificates: []Certificate{rsaCertificate},
7751 SignSignatureAlgorithms: []signatureAlgorithm{
7752 signatureRSAPSSWithSHA256,
7753 signatureRSAPSSWithSHA512,
7754 },
7755 },
7756 flags: []string{
7757 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7758 },
7759 shouldFail: true,
7760 expectedLocalError: "tls: no common signature algorithms",
7761 })
7762
7763 // Test that the client enforces its preferences when configured.
7764 testCases = append(testCases, testCase{
7765 name: "VerifyPreferences-Enforced",
7766 config: Config{
7767 Certificates: []Certificate{rsaCertificate},
7768 SignSignatureAlgorithms: []signatureAlgorithm{
7769 signatureRSAPSSWithSHA256,
7770 signatureRSAPSSWithSHA512,
7771 },
7772 Bugs: ProtocolBugs{
7773 IgnorePeerSignatureAlgorithmPreferences: true,
7774 },
7775 },
7776 flags: []string{
7777 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7778 },
7779 shouldFail: true,
7780 expectedLocalError: "remote error: illegal parameter",
7781 expectedError: ":WRONG_SIGNATURE_TYPE:",
7782 })
7783
7784 // Test that explicitly configuring Ed25519 is as good as changing the
7785 // boolean toggle.
7786 testCases = append(testCases, testCase{
7787 name: "VerifyPreferences-Ed25519",
7788 config: Config{
7789 Certificates: []Certificate{ed25519Certificate},
7790 },
7791 flags: []string{
7792 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7793 },
7794 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7795}
7796
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7797// timeouts is the retransmit schedule for BoringSSL. It doubles and
7798// caps at 60 seconds. On the 13th timeout, it gives up.
7799var timeouts = []time.Duration{
7800 1 * time.Second,
7801 2 * time.Second,
7802 4 * time.Second,
7803 8 * time.Second,
7804 16 * time.Second,
7805 32 * time.Second,
7806 60 * time.Second,
7807 60 * time.Second,
7808 60 * time.Second,
7809 60 * time.Second,
7810 60 * time.Second,
7811 60 * time.Second,
7812 60 * time.Second,
7813}
7814
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7815// shortTimeouts is an alternate set of timeouts which would occur if the
7816// initial timeout duration was set to 250ms.
7817var shortTimeouts = []time.Duration{
7818 250 * time.Millisecond,
7819 500 * time.Millisecond,
7820 1 * time.Second,
7821 2 * time.Second,
7822 4 * time.Second,
7823 8 * time.Second,
7824 16 * time.Second,
7825 32 * time.Second,
7826 60 * time.Second,
7827 60 * time.Second,
7828 60 * time.Second,
7829 60 * time.Second,
7830 60 * time.Second,
7831}
7832
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7833func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7834 // These tests work by coordinating some behavior on both the shim and
7835 // the runner.
7836 //
7837 // TimeoutSchedule configures the runner to send a series of timeout
7838 // opcodes to the shim (see packetAdaptor) immediately before reading
7839 // each peer handshake flight N. The timeout opcode both simulates a
7840 // timeout in the shim and acts as a synchronization point to help the
7841 // runner bracket each handshake flight.
7842 //
7843 // We assume the shim does not read from the channel eagerly. It must
7844 // first wait until it has sent flight N and is ready to receive
7845 // handshake flight N+1. At this point, it will process the timeout
7846 // opcode. It must then immediately respond with a timeout ACK and act
7847 // as if the shim was idle for the specified amount of time.
7848 //
7849 // The runner then drops all packets received before the ACK and
7850 // continues waiting for flight N. This ordering results in one attempt
7851 // at sending flight N to be dropped. For the test to complete, the
7852 // shim must send flight N again, testing that the shim implements DTLS
7853 // retransmit on a timeout.
7854
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7855 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7856 // likely be more epochs to cross and the final message's retransmit may
7857 // be more complex.
7858
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7859 // Test that this is indeed the timeout schedule. Stress all
7860 // four patterns of handshake.
7861 for i := 1; i < len(timeouts); i++ {
7862 number := strconv.Itoa(i)
7863 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7864 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7865 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7866 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7867 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7868 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7869 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7870 },
7871 },
7872 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7873 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7874 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7875 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7876 protocol: dtls,
7877 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7878 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7879 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7880 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7881 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7882 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7883 },
7884 },
7885 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7886 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7887 })
7888 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7889
7890 // Test that exceeding the timeout schedule hits a read
7891 // timeout.
7892 testCases = append(testCases, testCase{
7893 protocol: dtls,
7894 name: "DTLS-Retransmit-Timeout",
7895 config: Config{
7896 MaxVersion: VersionTLS12,
7897 Bugs: ProtocolBugs{
7898 TimeoutSchedule: timeouts,
7899 },
7900 },
7901 resumeSession: true,
7902 flags: []string{"-async"},
7903 shouldFail: true,
7904 expectedError: ":READ_TIMEOUT_EXPIRED:",
7905 })
7906
7907 // Test that timeout handling has a fudge factor, due to API
7908 // problems.
7909 testCases = append(testCases, testCase{
7910 protocol: dtls,
7911 name: "DTLS-Retransmit-Fudge",
7912 config: Config{
7913 MaxVersion: VersionTLS12,
7914 Bugs: ProtocolBugs{
7915 TimeoutSchedule: []time.Duration{
7916 timeouts[0] - 10*time.Millisecond,
7917 },
7918 },
7919 },
7920 resumeSession: true,
7921 flags: []string{"-async"},
7922 })
7923
7924 // Test that the final Finished retransmitting isn't
7925 // duplicated if the peer badly fragments everything.
7926 testCases = append(testCases, testCase{
7927 testType: serverTest,
7928 protocol: dtls,
7929 name: "DTLS-Retransmit-Fragmented",
7930 config: Config{
7931 MaxVersion: VersionTLS12,
7932 Bugs: ProtocolBugs{
7933 TimeoutSchedule: []time.Duration{timeouts[0]},
7934 MaxHandshakeRecordLength: 2,
7935 },
7936 },
7937 flags: []string{"-async"},
7938 })
7939
7940 // Test the timeout schedule when a shorter initial timeout duration is set.
7941 testCases = append(testCases, testCase{
7942 protocol: dtls,
7943 name: "DTLS-Retransmit-Short-Client",
7944 config: Config{
7945 MaxVersion: VersionTLS12,
7946 Bugs: ProtocolBugs{
7947 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7948 },
7949 },
7950 resumeSession: true,
7951 flags: []string{
7952 "-async",
7953 "-initial-timeout-duration-ms", "250",
7954 },
7955 })
7956 testCases = append(testCases, testCase{
7957 protocol: dtls,
7958 testType: serverTest,
7959 name: "DTLS-Retransmit-Short-Server",
7960 config: Config{
7961 MaxVersion: VersionTLS12,
7962 Bugs: ProtocolBugs{
7963 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7964 },
7965 },
7966 resumeSession: true,
7967 flags: []string{
7968 "-async",
7969 "-initial-timeout-duration-ms", "250",
7970 },
7971 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7972}
7973
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7974func addExportKeyingMaterialTests() {
7975 for _, vers := range tlsVersions {
7976 if vers.version == VersionSSL30 {
7977 continue
7978 }
7979 testCases = append(testCases, testCase{
7980 name: "ExportKeyingMaterial-" + vers.name,
7981 config: Config{
7982 MaxVersion: vers.version,
7983 },
7984 exportKeyingMaterial: 1024,
7985 exportLabel: "label",
7986 exportContext: "context",
7987 useExportContext: true,
7988 })
7989 testCases = append(testCases, testCase{
7990 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7991 config: Config{
7992 MaxVersion: vers.version,
7993 },
7994 exportKeyingMaterial: 1024,
7995 })
7996 testCases = append(testCases, testCase{
7997 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7998 config: Config{
7999 MaxVersion: vers.version,
8000 },
8001 exportKeyingMaterial: 1024,
8002 useExportContext: true,
8003 })
8004 testCases = append(testCases, testCase{
8005 name: "ExportKeyingMaterial-Small-" + vers.name,
8006 config: Config{
8007 MaxVersion: vers.version,
8008 },
8009 exportKeyingMaterial: 1,
8010 exportLabel: "label",
8011 exportContext: "context",
8012 useExportContext: true,
8013 })
8014 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8015
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8016 testCases = append(testCases, testCase{
8017 name: "ExportKeyingMaterial-SSL3",
8018 config: Config{
8019 MaxVersion: VersionSSL30,
8020 },
8021 exportKeyingMaterial: 1024,
8022 exportLabel: "label",
8023 exportContext: "context",
8024 useExportContext: true,
8025 shouldFail: true,
8026 expectedError: "failed to export keying material",
8027 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8028
8029 // Exporters work during a False Start.
8030 testCases = append(testCases, testCase{
8031 name: "ExportKeyingMaterial-FalseStart",
8032 config: Config{
8033 MaxVersion: VersionTLS12,
8034 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8035 NextProtos: []string{"foo"},
8036 Bugs: ProtocolBugs{
8037 ExpectFalseStart: true,
8038 },
8039 },
8040 flags: []string{
8041 "-false-start",
8042 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8043 "-expect-alpn", "foo",
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8044 },
8045 shimWritesFirst: true,
8046 exportKeyingMaterial: 1024,
8047 exportLabel: "label",
8048 exportContext: "context",
8049 useExportContext: true,
8050 })
8051
8052 // Exporters do not work in the middle of a renegotiation. Test this by
8053 // triggering the exporter after every SSL_read call and configuring the
8054 // shim to run asynchronously.
8055 testCases = append(testCases, testCase{
8056 name: "ExportKeyingMaterial-Renegotiate",
8057 config: Config{
8058 MaxVersion: VersionTLS12,
8059 },
8060 renegotiate: 1,
8061 flags: []string{
8062 "-async",
8063 "-use-exporter-between-reads",
8064 "-renegotiate-freely",
8065 "-expect-total-renegotiations", "1",
8066 },
8067 shouldFail: true,
8068 expectedError: "failed to export keying material",
8069 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8070}
8071
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8072func addTLSUniqueTests() {
8073 for _, isClient := range []bool{false, true} {
8074 for _, isResumption := range []bool{false, true} {
8075 for _, hasEMS := range []bool{false, true} {
8076 var suffix string
8077 if isResumption {
8078 suffix = "Resume-"
8079 } else {
8080 suffix = "Full-"
8081 }
8082
8083 if hasEMS {
8084 suffix += "EMS-"
8085 } else {
8086 suffix += "NoEMS-"
8087 }
8088
8089 if isClient {
8090 suffix += "Client"
8091 } else {
8092 suffix += "Server"
8093 }
8094
8095 test := testCase{
8096 name: "TLSUnique-" + suffix,
8097 testTLSUnique: true,
8098 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8099 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8100 Bugs: ProtocolBugs{
8101 NoExtendedMasterSecret: !hasEMS,
8102 },
8103 },
8104 }
8105
8106 if isResumption {
8107 test.resumeSession = true
8108 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8109 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8110 Bugs: ProtocolBugs{
8111 NoExtendedMasterSecret: !hasEMS,
8112 },
8113 }
8114 }
8115
8116 if isResumption && !hasEMS {
8117 test.shouldFail = true
8118 test.expectedError = "failed to get tls-unique"
8119 }
8120
8121 testCases = append(testCases, test)
8122 }
8123 }
8124 }
8125}
8126
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8127func addCustomExtensionTests() {
8128 expectedContents := "custom extension"
8129 emptyString := ""
8130
8131 for _, isClient := range []bool{false, true} {
8132 suffix := "Server"
8133 flag := "-enable-server-custom-extension"
8134 testType := serverTest
8135 if isClient {
8136 suffix = "Client"
8137 flag = "-enable-client-custom-extension"
8138 testType = clientTest
8139 }
8140
8141 testCases = append(testCases, testCase{
8142 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8143 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8144 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8145 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8146 Bugs: ProtocolBugs{
8147 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8148 ExpectedCustomExtension: &expectedContents,
8149 },
8150 },
8151 flags: []string{flag},
8152 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8153 testCases = append(testCases, testCase{
8154 testType: testType,
8155 name: "CustomExtensions-" + suffix + "-TLS13",
8156 config: Config{
8157 MaxVersion: VersionTLS13,
8158 Bugs: ProtocolBugs{
8159 CustomExtension: expectedContents,
8160 ExpectedCustomExtension: &expectedContents,
8161 },
8162 },
8163 flags: []string{flag},
8164 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8165
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8166 // 0-RTT is not currently supported with Custom Extensions.
8167 testCases = append(testCases, testCase{
8168 testType: testType,
8169 name: "CustomExtensions-" + suffix + "-EarlyData",
8170 config: Config{
8171 MaxVersion: VersionTLS13,
8172 Bugs: ProtocolBugs{
8173 CustomExtension: expectedContents,
8174 ExpectedCustomExtension: &expectedContents,
8175 },
8176 },
8177 shouldFail: true,
8178 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8179 flags: []string{flag, "-enable-early-data"},
8180 })
8181
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8182 // If the parse callback fails, the handshake should also fail.
8183 testCases = append(testCases, testCase{
8184 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8185 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8186 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8187 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8188 Bugs: ProtocolBugs{
8189 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8190 ExpectedCustomExtension: &expectedContents,
8191 },
8192 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8193 flags: []string{flag},
8194 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8195 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8196 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8197 testCases = append(testCases, testCase{
8198 testType: testType,
8199 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8200 config: Config{
8201 MaxVersion: VersionTLS13,
8202 Bugs: ProtocolBugs{
8203 CustomExtension: expectedContents + "foo",
8204 ExpectedCustomExtension: &expectedContents,
8205 },
8206 },
8207 flags: []string{flag},
8208 shouldFail: true,
8209 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8210 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8211
8212 // If the add callback fails, the handshake should also fail.
8213 testCases = append(testCases, testCase{
8214 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8215 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8216 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8217 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8218 Bugs: ProtocolBugs{
8219 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8220 ExpectedCustomExtension: &expectedContents,
8221 },
8222 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8223 flags: []string{flag, "-custom-extension-fail-add"},
8224 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8225 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8226 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8227 testCases = append(testCases, testCase{
8228 testType: testType,
8229 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8230 config: Config{
8231 MaxVersion: VersionTLS13,
8232 Bugs: ProtocolBugs{
8233 CustomExtension: expectedContents,
8234 ExpectedCustomExtension: &expectedContents,
8235 },
8236 },
8237 flags: []string{flag, "-custom-extension-fail-add"},
8238 shouldFail: true,
8239 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8240 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8241
8242 // If the add callback returns zero, no extension should be
8243 // added.
8244 skipCustomExtension := expectedContents
8245 if isClient {
8246 // For the case where the client skips sending the
8247 // custom extension, the server must not “echo” it.
8248 skipCustomExtension = ""
8249 }
8250 testCases = append(testCases, testCase{
8251 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8252 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8253 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8254 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8255 Bugs: ProtocolBugs{
8256 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8257 ExpectedCustomExtension: &emptyString,
8258 },
8259 },
8260 flags: []string{flag, "-custom-extension-skip"},
8261 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8262 testCases = append(testCases, testCase{
8263 testType: testType,
8264 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8265 config: Config{
8266 MaxVersion: VersionTLS13,
8267 Bugs: ProtocolBugs{
8268 CustomExtension: skipCustomExtension,
8269 ExpectedCustomExtension: &emptyString,
8270 },
8271 },
8272 flags: []string{flag, "-custom-extension-skip"},
8273 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8274 }
8275
8276 // The custom extension add callback should not be called if the client
8277 // doesn't send the extension.
8278 testCases = append(testCases, testCase{
8279 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8280 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8281 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8282 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8283 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8284 ExpectedCustomExtension: &emptyString,
8285 },
8286 },
8287 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8288 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8289
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8290 testCases = append(testCases, testCase{
8291 testType: serverTest,
8292 name: "CustomExtensions-NotCalled-Server-TLS13",
8293 config: Config{
8294 MaxVersion: VersionTLS13,
8295 Bugs: ProtocolBugs{
8296 ExpectedCustomExtension: &emptyString,
8297 },
8298 },
8299 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8300 })
8301
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8302 // Test an unknown extension from the server.
8303 testCases = append(testCases, testCase{
8304 testType: clientTest,
8305 name: "UnknownExtension-Client",
8306 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8307 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8308 Bugs: ProtocolBugs{
8309 CustomExtension: expectedContents,
8310 },
8311 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8312 shouldFail: true,
8313 expectedError: ":UNEXPECTED_EXTENSION:",
8314 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8315 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8316 testCases = append(testCases, testCase{
8317 testType: clientTest,
8318 name: "UnknownExtension-Client-TLS13",
8319 config: Config{
8320 MaxVersion: VersionTLS13,
8321 Bugs: ProtocolBugs{
8322 CustomExtension: expectedContents,
8323 },
8324 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8325 shouldFail: true,
8326 expectedError: ":UNEXPECTED_EXTENSION:",
8327 expectedLocalError: "remote error: unsupported extension",
8328 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8329 testCases = append(testCases, testCase{
8330 testType: clientTest,
8331 name: "UnknownUnencryptedExtension-Client-TLS13",
8332 config: Config{
8333 MaxVersion: VersionTLS13,
8334 Bugs: ProtocolBugs{
8335 CustomUnencryptedExtension: expectedContents,
8336 },
8337 },
8338 shouldFail: true,
8339 expectedError: ":UNEXPECTED_EXTENSION:",
8340 // The shim must send an alert, but alerts at this point do not
8341 // get successfully decrypted by the runner.
8342 expectedLocalError: "local error: bad record MAC",
8343 })
8344 testCases = append(testCases, testCase{
8345 testType: clientTest,
8346 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8347 config: Config{
8348 MaxVersion: VersionTLS13,
8349 Bugs: ProtocolBugs{
8350 SendUnencryptedALPN: "foo",
8351 },
8352 },
8353 flags: []string{
8354 "-advertise-alpn", "\x03foo\x03bar",
8355 },
8356 shouldFail: true,
8357 expectedError: ":UNEXPECTED_EXTENSION:",
8358 // The shim must send an alert, but alerts at this point do not
8359 // get successfully decrypted by the runner.
8360 expectedLocalError: "local error: bad record MAC",
8361 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8362
8363 // Test a known but unoffered extension from the server.
8364 testCases = append(testCases, testCase{
8365 testType: clientTest,
8366 name: "UnofferedExtension-Client",
8367 config: Config{
8368 MaxVersion: VersionTLS12,
8369 Bugs: ProtocolBugs{
8370 SendALPN: "alpn",
8371 },
8372 },
8373 shouldFail: true,
8374 expectedError: ":UNEXPECTED_EXTENSION:",
8375 expectedLocalError: "remote error: unsupported extension",
8376 })
8377 testCases = append(testCases, testCase{
8378 testType: clientTest,
8379 name: "UnofferedExtension-Client-TLS13",
8380 config: Config{
8381 MaxVersion: VersionTLS13,
8382 Bugs: ProtocolBugs{
8383 SendALPN: "alpn",
8384 },
8385 },
8386 shouldFail: true,
8387 expectedError: ":UNEXPECTED_EXTENSION:",
8388 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8389 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8390}
8391
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8392func addRSAClientKeyExchangeTests() {
8393 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8394 testCases = append(testCases, testCase{
8395 testType: serverTest,
8396 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8397 config: Config{
8398 // Ensure the ClientHello version and final
8399 // version are different, to detect if the
8400 // server uses the wrong one.
8401 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8402 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8403 Bugs: ProtocolBugs{
8404 BadRSAClientKeyExchange: bad,
8405 },
8406 },
8407 shouldFail: true,
8408 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8409 })
8410 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8411
8412 // The server must compare whatever was in ClientHello.version for the
8413 // RSA premaster.
8414 testCases = append(testCases, testCase{
8415 testType: serverTest,
8416 name: "SendClientVersion-RSA",
8417 config: Config{
8418 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8419 Bugs: ProtocolBugs{
8420 SendClientVersion: 0x1234,
8421 },
8422 },
8423 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8424 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8425}
8426
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8427var testCurves = []struct {
8428 name string
8429 id CurveID
8430}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8431 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8432 {"P-256", CurveP256},
8433 {"P-384", CurveP384},
8434 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8435 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8436}
8437
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8438const bogusCurve = 0x1234
8439
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8440func addCurveTests() {
8441 for _, curve := range testCurves {
8442 testCases = append(testCases, testCase{
8443 name: "CurveTest-Client-" + curve.name,
8444 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8445 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8446 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8447 CurvePreferences: []CurveID{curve.id},
8448 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8449 flags: []string{
8450 "-enable-all-curves",
8451 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8452 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8453 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8454 })
8455 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8456 name: "CurveTest-Client-" + curve.name + "-TLS13",
8457 config: Config{
8458 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8459 CurvePreferences: []CurveID{curve.id},
8460 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8461 flags: []string{
8462 "-enable-all-curves",
8463 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8464 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8465 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8466 })
8467 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8468 testType: serverTest,
8469 name: "CurveTest-Server-" + curve.name,
8470 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8471 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8472 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8473 CurvePreferences: []CurveID{curve.id},
8474 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8475 flags: []string{
8476 "-enable-all-curves",
8477 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8478 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8479 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8480 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8481 testCases = append(testCases, testCase{
8482 testType: serverTest,
8483 name: "CurveTest-Server-" + curve.name + "-TLS13",
8484 config: Config{
8485 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8486 CurvePreferences: []CurveID{curve.id},
8487 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8488 flags: []string{
8489 "-enable-all-curves",
8490 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8491 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8492 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8493 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8494 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8495
8496 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8497 testCases = append(testCases, testCase{
8498 testType: serverTest,
8499 name: "UnknownCurve",
8500 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8501 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8502 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8503 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8504 },
8505 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8506
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8507 // The server must be tolerant to bogus curves.
8508 testCases = append(testCases, testCase{
8509 testType: serverTest,
8510 name: "UnknownCurve-TLS13",
8511 config: Config{
8512 MaxVersion: VersionTLS13,
8513 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8514 },
8515 })
8516
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8517 // The server must not consider ECDHE ciphers when there are no
8518 // supported curves.
8519 testCases = append(testCases, testCase{
8520 testType: serverTest,
8521 name: "NoSupportedCurves",
8522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8523 MaxVersion: VersionTLS12,
8524 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8525 Bugs: ProtocolBugs{
8526 NoSupportedCurves: true,
8527 },
8528 },
8529 shouldFail: true,
8530 expectedError: ":NO_SHARED_CIPHER:",
8531 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8532 testCases = append(testCases, testCase{
8533 testType: serverTest,
8534 name: "NoSupportedCurves-TLS13",
8535 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8536 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8537 Bugs: ProtocolBugs{
8538 NoSupportedCurves: true,
8539 },
8540 },
8541 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8542 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8543 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8544
8545 // The server must fall back to another cipher when there are no
8546 // supported curves.
8547 testCases = append(testCases, testCase{
8548 testType: serverTest,
8549 name: "NoCommonCurves",
8550 config: Config{
8551 MaxVersion: VersionTLS12,
8552 CipherSuites: []uint16{
8553 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8554 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8555 },
8556 CurvePreferences: []CurveID{CurveP224},
8557 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8558 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8559 })
8560
8561 // The client must reject bogus curves and disabled curves.
8562 testCases = append(testCases, testCase{
8563 name: "BadECDHECurve",
8564 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8565 MaxVersion: VersionTLS12,
8566 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8567 Bugs: ProtocolBugs{
8568 SendCurve: bogusCurve,
8569 },
8570 },
8571 shouldFail: true,
8572 expectedError: ":WRONG_CURVE:",
8573 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8574 testCases = append(testCases, testCase{
8575 name: "BadECDHECurve-TLS13",
8576 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8577 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8578 Bugs: ProtocolBugs{
8579 SendCurve: bogusCurve,
8580 },
8581 },
8582 shouldFail: true,
8583 expectedError: ":WRONG_CURVE:",
8584 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8585
8586 testCases = append(testCases, testCase{
8587 name: "UnsupportedCurve",
8588 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8589 MaxVersion: VersionTLS12,
8590 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8591 CurvePreferences: []CurveID{CurveP256},
8592 Bugs: ProtocolBugs{
8593 IgnorePeerCurvePreferences: true,
8594 },
8595 },
8596 flags: []string{"-p384-only"},
8597 shouldFail: true,
8598 expectedError: ":WRONG_CURVE:",
8599 })
8600
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8601 testCases = append(testCases, testCase{
8602 // TODO(davidben): Add a TLS 1.3 version where
8603 // HelloRetryRequest requests an unsupported curve.
8604 name: "UnsupportedCurve-ServerHello-TLS13",
8605 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8606 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8607 CurvePreferences: []CurveID{CurveP384},
8608 Bugs: ProtocolBugs{
8609 SendCurve: CurveP256,
8610 },
8611 },
8612 flags: []string{"-p384-only"},
8613 shouldFail: true,
8614 expectedError: ":WRONG_CURVE:",
8615 })
8616
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8617 // Test invalid curve points.
8618 testCases = append(testCases, testCase{
8619 name: "InvalidECDHPoint-Client",
8620 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8621 MaxVersion: VersionTLS12,
8622 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8623 CurvePreferences: []CurveID{CurveP256},
8624 Bugs: ProtocolBugs{
8625 InvalidECDHPoint: true,
8626 },
8627 },
8628 shouldFail: true,
8629 expectedError: ":INVALID_ENCODING:",
8630 })
8631 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8632 name: "InvalidECDHPoint-Client-TLS13",
8633 config: Config{
8634 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8635 CurvePreferences: []CurveID{CurveP256},
8636 Bugs: ProtocolBugs{
8637 InvalidECDHPoint: true,
8638 },
8639 },
8640 shouldFail: true,
8641 expectedError: ":INVALID_ENCODING:",
8642 })
8643 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8644 testType: serverTest,
8645 name: "InvalidECDHPoint-Server",
8646 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8647 MaxVersion: VersionTLS12,
8648 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8649 CurvePreferences: []CurveID{CurveP256},
8650 Bugs: ProtocolBugs{
8651 InvalidECDHPoint: true,
8652 },
8653 },
8654 shouldFail: true,
8655 expectedError: ":INVALID_ENCODING:",
8656 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8657 testCases = append(testCases, testCase{
8658 testType: serverTest,
8659 name: "InvalidECDHPoint-Server-TLS13",
8660 config: Config{
8661 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8662 CurvePreferences: []CurveID{CurveP256},
8663 Bugs: ProtocolBugs{
8664 InvalidECDHPoint: true,
8665 },
8666 },
8667 shouldFail: true,
8668 expectedError: ":INVALID_ENCODING:",
8669 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8670
8671 // The previous curve ID should be reported on TLS 1.2 resumption.
8672 testCases = append(testCases, testCase{
8673 name: "CurveID-Resume-Client",
8674 config: Config{
8675 MaxVersion: VersionTLS12,
8676 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8677 CurvePreferences: []CurveID{CurveX25519},
8678 },
8679 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8680 resumeSession: true,
8681 })
8682 testCases = append(testCases, testCase{
8683 testType: serverTest,
8684 name: "CurveID-Resume-Server",
8685 config: Config{
8686 MaxVersion: VersionTLS12,
8687 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8688 CurvePreferences: []CurveID{CurveX25519},
8689 },
8690 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8691 resumeSession: true,
8692 })
8693
8694 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8695 // one should be reported.
8696 testCases = append(testCases, testCase{
8697 name: "CurveID-Resume-Client-TLS13",
8698 config: Config{
8699 MaxVersion: VersionTLS13,
8700 CurvePreferences: []CurveID{CurveX25519},
8701 },
8702 resumeConfig: &Config{
8703 MaxVersion: VersionTLS13,
8704 CurvePreferences: []CurveID{CurveP256},
8705 },
8706 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8707 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8708 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8709 },
8710 resumeSession: true,
8711 })
8712 testCases = append(testCases, testCase{
8713 testType: serverTest,
8714 name: "CurveID-Resume-Server-TLS13",
8715 config: Config{
8716 MaxVersion: VersionTLS13,
8717 CurvePreferences: []CurveID{CurveX25519},
8718 },
8719 resumeConfig: &Config{
8720 MaxVersion: VersionTLS13,
8721 CurvePreferences: []CurveID{CurveP256},
8722 },
8723 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8724 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8725 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8726 },
8727 resumeSession: true,
8728 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8729
8730 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8731 testCases = append(testCases, testCase{
8732 name: "PointFormat-ServerHello-TLS12",
8733 config: Config{
8734 MaxVersion: VersionTLS12,
8735 Bugs: ProtocolBugs{
8736 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8737 },
8738 },
8739 })
8740 testCases = append(testCases, testCase{
8741 name: "PointFormat-EncryptedExtensions-TLS13",
8742 config: Config{
8743 MaxVersion: VersionTLS13,
8744 Bugs: ProtocolBugs{
8745 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8746 },
8747 },
8748 shouldFail: true,
8749 expectedError: ":ERROR_PARSING_EXTENSION:",
8750 })
8751
8752 // Test that we tolerate unknown point formats, as long as
8753 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8754 // check they are still functional.
8755 testCases = append(testCases, testCase{
8756 name: "PointFormat-Client-Tolerance",
8757 config: Config{
8758 MaxVersion: VersionTLS12,
8759 Bugs: ProtocolBugs{
8760 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8761 },
8762 },
8763 })
8764 testCases = append(testCases, testCase{
8765 testType: serverTest,
8766 name: "PointFormat-Server-Tolerance",
8767 config: Config{
8768 MaxVersion: VersionTLS12,
8769 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8770 Bugs: ProtocolBugs{
8771 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8772 },
8773 },
8774 })
8775
8776 // Test TLS 1.2 does not require the point format extension to be
8777 // present.
8778 testCases = append(testCases, testCase{
8779 name: "PointFormat-Client-Missing",
8780 config: Config{
8781 MaxVersion: VersionTLS12,
8782 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8783 Bugs: ProtocolBugs{
8784 SendSupportedPointFormats: []byte{},
8785 },
8786 },
8787 })
8788 testCases = append(testCases, testCase{
8789 testType: serverTest,
8790 name: "PointFormat-Server-Missing",
8791 config: Config{
8792 MaxVersion: VersionTLS12,
8793 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8794 Bugs: ProtocolBugs{
8795 SendSupportedPointFormats: []byte{},
8796 },
8797 },
8798 })
8799
8800 // If the point format extension is present, uncompressed points must be
8801 // offered. BoringSSL requires this whether or not ECDHE is used.
8802 testCases = append(testCases, testCase{
8803 name: "PointFormat-Client-MissingUncompressed",
8804 config: Config{
8805 MaxVersion: VersionTLS12,
8806 Bugs: ProtocolBugs{
8807 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8808 },
8809 },
8810 shouldFail: true,
8811 expectedError: ":ERROR_PARSING_EXTENSION:",
8812 })
8813 testCases = append(testCases, testCase{
8814 testType: serverTest,
8815 name: "PointFormat-Server-MissingUncompressed",
8816 config: Config{
8817 MaxVersion: VersionTLS12,
8818 Bugs: ProtocolBugs{
8819 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8820 },
8821 },
8822 shouldFail: true,
8823 expectedError: ":ERROR_PARSING_EXTENSION:",
8824 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8825}
8826
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8827func addTLS13RecordTests() {
8828 testCases = append(testCases, testCase{
8829 name: "TLS13-RecordPadding",
8830 config: Config{
8831 MaxVersion: VersionTLS13,
8832 MinVersion: VersionTLS13,
8833 Bugs: ProtocolBugs{
8834 RecordPadding: 10,
8835 },
8836 },
8837 })
8838
8839 testCases = append(testCases, testCase{
8840 name: "TLS13-EmptyRecords",
8841 config: Config{
8842 MaxVersion: VersionTLS13,
8843 MinVersion: VersionTLS13,
8844 Bugs: ProtocolBugs{
8845 OmitRecordContents: true,
8846 },
8847 },
8848 shouldFail: true,
8849 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8850 })
8851
8852 testCases = append(testCases, testCase{
8853 name: "TLS13-OnlyPadding",
8854 config: Config{
8855 MaxVersion: VersionTLS13,
8856 MinVersion: VersionTLS13,
8857 Bugs: ProtocolBugs{
8858 OmitRecordContents: true,
8859 RecordPadding: 10,
8860 },
8861 },
8862 shouldFail: true,
8863 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8864 })
8865
8866 testCases = append(testCases, testCase{
8867 name: "TLS13-WrongOuterRecord",
8868 config: Config{
8869 MaxVersion: VersionTLS13,
8870 MinVersion: VersionTLS13,
8871 Bugs: ProtocolBugs{
8872 OuterRecordType: recordTypeHandshake,
8873 },
8874 },
8875 shouldFail: true,
8876 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8877 })
8878}
8879
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8880func addSessionTicketTests() {
8881 testCases = append(testCases, testCase{
8882 // In TLS 1.2 and below, empty NewSessionTicket messages
8883 // mean the server changed its mind on sending a ticket.
8884 name: "SendEmptySessionTicket",
8885 config: Config{
8886 MaxVersion: VersionTLS12,
8887 Bugs: ProtocolBugs{
8888 SendEmptySessionTicket: true,
8889 },
8890 },
8891 flags: []string{"-expect-no-session"},
8892 })
8893
8894 // Test that the server ignores unknown PSK modes.
8895 testCases = append(testCases, testCase{
8896 testType: serverTest,
8897 name: "TLS13-SendUnknownModeSessionTicket-Server",
8898 config: Config{
8899 MaxVersion: VersionTLS13,
8900 Bugs: ProtocolBugs{
8901 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8902 },
8903 },
8904 resumeSession: true,
8905 expectedResumeVersion: VersionTLS13,
8906 })
8907
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8908 // Test that the server does not send session tickets with no matching key exchange mode.
8909 testCases = append(testCases, testCase{
8910 testType: serverTest,
8911 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8912 config: Config{
8913 MaxVersion: VersionTLS13,
8914 Bugs: ProtocolBugs{
8915 SendPSKKeyExchangeModes: []byte{0x1a},
8916 ExpectNoNewSessionTicket: true,
8917 },
8918 },
8919 })
8920
8921 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8922 testCases = append(testCases, testCase{
8923 testType: serverTest,
8924 name: "TLS13-SendBadKEModeSessionTicket-Server",
8925 config: Config{
8926 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8927 },
8928 resumeConfig: &Config{
8929 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8930 Bugs: ProtocolBugs{
8931 SendPSKKeyExchangeModes: []byte{0x1a},
8932 },
8933 },
8934 resumeSession: true,
8935 expectResumeRejected: true,
8936 })
8937
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8938 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8939 testCases = append(testCases, testCase{
8940 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8941 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8942 config: Config{
8943 MaxVersion: VersionTLS13,
8944 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8945 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8946 },
8947 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8948 resumeSession: true,
8949 flags: []string{
8950 "-resumption-delay", "10",
8951 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8952 })
8953
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8954 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8955 testCases = append(testCases, testCase{
8956 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8957 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8958 config: Config{
8959 MaxVersion: VersionTLS13,
8960 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8961 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8962 },
8963 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8964 resumeSession: true,
8965 shouldFail: true,
8966 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8967 })
8968
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8969 // Test that the server's ticket age skew reporting works.
8970 testCases = append(testCases, testCase{
8971 testType: serverTest,
8972 name: "TLS13-TicketAgeSkew-Forward",
8973 config: Config{
8974 MaxVersion: VersionTLS13,
8975 Bugs: ProtocolBugs{
8976 SendTicketAge: 15 * time.Second,
8977 },
8978 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8979 resumeSession: true,
8980 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8981 flags: []string{
8982 "-resumption-delay", "10",
8983 "-expect-ticket-age-skew", "5",
8984 },
8985 })
8986 testCases = append(testCases, testCase{
8987 testType: serverTest,
8988 name: "TLS13-TicketAgeSkew-Backward",
8989 config: Config{
8990 MaxVersion: VersionTLS13,
8991 Bugs: ProtocolBugs{
8992 SendTicketAge: 5 * time.Second,
8993 },
8994 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8995 resumeSession: true,
8996 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8997 flags: []string{
8998 "-resumption-delay", "10",
8999 "-expect-ticket-age-skew", "-5",
9000 },
9001 })
9002
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9003 testCases = append(testCases, testCase{
9004 testType: clientTest,
9005 name: "TLS13-SendTicketEarlyDataInfo",
9006 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9007 MaxVersion: VersionTLS13,
9008 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9009 },
9010 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9011 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9012 "-expect-early-data-info",
9013 },
9014 })
9015
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9016 // Test that 0-RTT tickets are ignored in clients unless opted in.
9017 testCases = append(testCases, testCase{
9018 testType: clientTest,
9019 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
9020 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9021 MaxVersion: VersionTLS13,
9022 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9023 },
9024 })
9025
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9026 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9027 testType: clientTest,
9028 name: "TLS13-DuplicateTicketEarlyDataInfo",
9029 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9030 MaxVersion: VersionTLS13,
9031 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9032 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9033 DuplicateTicketEarlyDataInfo: true,
9034 },
9035 },
9036 shouldFail: true,
9037 expectedError: ":DUPLICATE_EXTENSION:",
9038 expectedLocalError: "remote error: illegal parameter",
9039 })
9040
9041 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9042 testType: serverTest,
9043 name: "TLS13-ExpectTicketEarlyDataInfo",
9044 config: Config{
9045 MaxVersion: VersionTLS13,
9046 Bugs: ProtocolBugs{
9047 ExpectTicketEarlyDataInfo: true,
9048 },
9049 },
9050 flags: []string{
9051 "-enable-early-data",
9052 },
9053 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9054
9055 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9056 // is honored.
9057 testCases = append(testCases, testCase{
9058 testType: clientTest,
9059 name: "TLS13-HonorServerSessionTicketLifetime",
9060 config: Config{
9061 MaxVersion: VersionTLS13,
9062 Bugs: ProtocolBugs{
9063 SendTicketLifetime: 20 * time.Second,
9064 },
9065 },
9066 flags: []string{
9067 "-resumption-delay", "19",
9068 },
9069 resumeSession: true,
9070 })
9071 testCases = append(testCases, testCase{
9072 testType: clientTest,
9073 name: "TLS13-HonorServerSessionTicketLifetime-2",
9074 config: Config{
9075 MaxVersion: VersionTLS13,
9076 Bugs: ProtocolBugs{
9077 SendTicketLifetime: 20 * time.Second,
9078 // The client should not offer the expired session.
9079 ExpectNoTLS13PSK: true,
9080 },
9081 },
9082 flags: []string{
9083 "-resumption-delay", "21",
9084 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9085 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9086 expectResumeRejected: true,
9087 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9088}
9089
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9090func addChangeCipherSpecTests() {
9091 // Test missing ChangeCipherSpecs.
9092 testCases = append(testCases, testCase{
9093 name: "SkipChangeCipherSpec-Client",
9094 config: Config{
9095 MaxVersion: VersionTLS12,
9096 Bugs: ProtocolBugs{
9097 SkipChangeCipherSpec: true,
9098 },
9099 },
9100 shouldFail: true,
9101 expectedError: ":UNEXPECTED_RECORD:",
9102 })
9103 testCases = append(testCases, testCase{
9104 testType: serverTest,
9105 name: "SkipChangeCipherSpec-Server",
9106 config: Config{
9107 MaxVersion: VersionTLS12,
9108 Bugs: ProtocolBugs{
9109 SkipChangeCipherSpec: true,
9110 },
9111 },
9112 shouldFail: true,
9113 expectedError: ":UNEXPECTED_RECORD:",
9114 })
9115 testCases = append(testCases, testCase{
9116 testType: serverTest,
9117 name: "SkipChangeCipherSpec-Server-NPN",
9118 config: Config{
9119 MaxVersion: VersionTLS12,
9120 NextProtos: []string{"bar"},
9121 Bugs: ProtocolBugs{
9122 SkipChangeCipherSpec: true,
9123 },
9124 },
9125 flags: []string{
9126 "-advertise-npn", "\x03foo\x03bar\x03baz",
9127 },
9128 shouldFail: true,
9129 expectedError: ":UNEXPECTED_RECORD:",
9130 })
9131
9132 // Test synchronization between the handshake and ChangeCipherSpec.
9133 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9134 // rejected. Test both with and without handshake packing to handle both
9135 // when the partial post-CCS message is in its own record and when it is
9136 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9137 for _, packed := range []bool{false, true} {
9138 var suffix string
9139 if packed {
9140 suffix = "-Packed"
9141 }
9142
9143 testCases = append(testCases, testCase{
9144 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9145 config: Config{
9146 MaxVersion: VersionTLS12,
9147 Bugs: ProtocolBugs{
9148 FragmentAcrossChangeCipherSpec: true,
9149 PackHandshakeFlight: packed,
9150 },
9151 },
9152 shouldFail: true,
9153 expectedError: ":UNEXPECTED_RECORD:",
9154 })
9155 testCases = append(testCases, testCase{
9156 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9157 config: Config{
9158 MaxVersion: VersionTLS12,
9159 },
9160 resumeSession: true,
9161 resumeConfig: &Config{
9162 MaxVersion: VersionTLS12,
9163 Bugs: ProtocolBugs{
9164 FragmentAcrossChangeCipherSpec: true,
9165 PackHandshakeFlight: packed,
9166 },
9167 },
9168 shouldFail: true,
9169 expectedError: ":UNEXPECTED_RECORD:",
9170 })
9171 testCases = append(testCases, testCase{
9172 testType: serverTest,
9173 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9174 config: Config{
9175 MaxVersion: VersionTLS12,
9176 Bugs: ProtocolBugs{
9177 FragmentAcrossChangeCipherSpec: true,
9178 PackHandshakeFlight: packed,
9179 },
9180 },
9181 shouldFail: true,
9182 expectedError: ":UNEXPECTED_RECORD:",
9183 })
9184 testCases = append(testCases, testCase{
9185 testType: serverTest,
9186 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9187 config: Config{
9188 MaxVersion: VersionTLS12,
9189 },
9190 resumeSession: true,
9191 resumeConfig: &Config{
9192 MaxVersion: VersionTLS12,
9193 Bugs: ProtocolBugs{
9194 FragmentAcrossChangeCipherSpec: true,
9195 PackHandshakeFlight: packed,
9196 },
9197 },
9198 shouldFail: true,
9199 expectedError: ":UNEXPECTED_RECORD:",
9200 })
9201 testCases = append(testCases, testCase{
9202 testType: serverTest,
9203 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9204 config: Config{
9205 MaxVersion: VersionTLS12,
9206 NextProtos: []string{"bar"},
9207 Bugs: ProtocolBugs{
9208 FragmentAcrossChangeCipherSpec: true,
9209 PackHandshakeFlight: packed,
9210 },
9211 },
9212 flags: []string{
9213 "-advertise-npn", "\x03foo\x03bar\x03baz",
9214 },
9215 shouldFail: true,
9216 expectedError: ":UNEXPECTED_RECORD:",
9217 })
9218 }
9219
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9220 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9221 // messages in the handshake queue. Do this by testing the server
9222 // reading the client Finished, reversing the flight so Finished comes
9223 // first.
9224 testCases = append(testCases, testCase{
9225 protocol: dtls,
9226 testType: serverTest,
9227 name: "SendUnencryptedFinished-DTLS",
9228 config: Config{
9229 MaxVersion: VersionTLS12,
9230 Bugs: ProtocolBugs{
9231 SendUnencryptedFinished: true,
9232 ReverseHandshakeFragments: true,
9233 },
9234 },
9235 shouldFail: true,
9236 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9237 })
9238
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9239 // Test synchronization between encryption changes and the handshake in
9240 // TLS 1.3, where ChangeCipherSpec is implicit.
9241 testCases = append(testCases, testCase{
9242 name: "PartialEncryptedExtensionsWithServerHello",
9243 config: Config{
9244 MaxVersion: VersionTLS13,
9245 Bugs: ProtocolBugs{
9246 PartialEncryptedExtensionsWithServerHello: true,
9247 },
9248 },
9249 shouldFail: true,
9250 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9251 })
9252 testCases = append(testCases, testCase{
9253 testType: serverTest,
9254 name: "PartialClientFinishedWithClientHello",
9255 config: Config{
9256 MaxVersion: VersionTLS13,
9257 Bugs: ProtocolBugs{
9258 PartialClientFinishedWithClientHello: true,
9259 },
9260 },
9261 shouldFail: true,
9262 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9263 })
9264
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9265 // Test that early ChangeCipherSpecs are handled correctly.
9266 testCases = append(testCases, testCase{
9267 testType: serverTest,
9268 name: "EarlyChangeCipherSpec-server-1",
9269 config: Config{
9270 MaxVersion: VersionTLS12,
9271 Bugs: ProtocolBugs{
9272 EarlyChangeCipherSpec: 1,
9273 },
9274 },
9275 shouldFail: true,
9276 expectedError: ":UNEXPECTED_RECORD:",
9277 })
9278 testCases = append(testCases, testCase{
9279 testType: serverTest,
9280 name: "EarlyChangeCipherSpec-server-2",
9281 config: Config{
9282 MaxVersion: VersionTLS12,
9283 Bugs: ProtocolBugs{
9284 EarlyChangeCipherSpec: 2,
9285 },
9286 },
9287 shouldFail: true,
9288 expectedError: ":UNEXPECTED_RECORD:",
9289 })
9290 testCases = append(testCases, testCase{
9291 protocol: dtls,
9292 name: "StrayChangeCipherSpec",
9293 config: Config{
9294 // TODO(davidben): Once DTLS 1.3 exists, test
9295 // that stray ChangeCipherSpec messages are
9296 // rejected.
9297 MaxVersion: VersionTLS12,
9298 Bugs: ProtocolBugs{
9299 StrayChangeCipherSpec: true,
9300 },
9301 },
9302 })
9303
9304 // Test that the contents of ChangeCipherSpec are checked.
9305 testCases = append(testCases, testCase{
9306 name: "BadChangeCipherSpec-1",
9307 config: Config{
9308 MaxVersion: VersionTLS12,
9309 Bugs: ProtocolBugs{
9310 BadChangeCipherSpec: []byte{2},
9311 },
9312 },
9313 shouldFail: true,
9314 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9315 })
9316 testCases = append(testCases, testCase{
9317 name: "BadChangeCipherSpec-2",
9318 config: Config{
9319 MaxVersion: VersionTLS12,
9320 Bugs: ProtocolBugs{
9321 BadChangeCipherSpec: []byte{1, 1},
9322 },
9323 },
9324 shouldFail: true,
9325 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9326 })
9327 testCases = append(testCases, testCase{
9328 protocol: dtls,
9329 name: "BadChangeCipherSpec-DTLS-1",
9330 config: Config{
9331 MaxVersion: VersionTLS12,
9332 Bugs: ProtocolBugs{
9333 BadChangeCipherSpec: []byte{2},
9334 },
9335 },
9336 shouldFail: true,
9337 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9338 })
9339 testCases = append(testCases, testCase{
9340 protocol: dtls,
9341 name: "BadChangeCipherSpec-DTLS-2",
9342 config: Config{
9343 MaxVersion: VersionTLS12,
9344 Bugs: ProtocolBugs{
9345 BadChangeCipherSpec: []byte{1, 1},
9346 },
9347 },
9348 shouldFail: true,
9349 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9350 })
9351}
9352
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9353type perMessageTest struct {
9354 messageType uint8
9355 test testCase
9356}
9357
9358// makePerMessageTests returns a series of test templates which cover each
9359// message in the TLS handshake. These may be used with bugs like
9360// WrongMessageType to fully test a per-message bug.
9361func makePerMessageTests() []perMessageTest {
9362 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9363 for _, protocol := range []protocol{tls, dtls} {
9364 var suffix string
9365 if protocol == dtls {
9366 suffix = "-DTLS"
9367 }
9368
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9369 ret = append(ret, perMessageTest{
9370 messageType: typeClientHello,
9371 test: testCase{
9372 protocol: protocol,
9373 testType: serverTest,
9374 name: "ClientHello" + suffix,
9375 config: Config{
9376 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9377 },
9378 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9379 })
9380
9381 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9382 ret = append(ret, perMessageTest{
9383 messageType: typeHelloVerifyRequest,
9384 test: testCase{
9385 protocol: protocol,
9386 name: "HelloVerifyRequest" + suffix,
9387 config: Config{
9388 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9389 },
9390 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9391 })
9392 }
9393
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9394 ret = append(ret, perMessageTest{
9395 messageType: typeServerHello,
9396 test: testCase{
9397 protocol: protocol,
9398 name: "ServerHello" + suffix,
9399 config: Config{
9400 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9401 },
9402 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9403 })
9404
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9405 ret = append(ret, perMessageTest{
9406 messageType: typeCertificate,
9407 test: testCase{
9408 protocol: protocol,
9409 name: "ServerCertificate" + suffix,
9410 config: Config{
9411 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9412 },
9413 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9414 })
9415
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9416 ret = append(ret, perMessageTest{
9417 messageType: typeCertificateStatus,
9418 test: testCase{
9419 protocol: protocol,
9420 name: "CertificateStatus" + suffix,
9421 config: Config{
9422 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9423 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9424 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9425 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9426 })
9427
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9428 ret = append(ret, perMessageTest{
9429 messageType: typeServerKeyExchange,
9430 test: testCase{
9431 protocol: protocol,
9432 name: "ServerKeyExchange" + suffix,
9433 config: Config{
9434 MaxVersion: VersionTLS12,
9435 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9436 },
9437 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9438 })
9439
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9440 ret = append(ret, perMessageTest{
9441 messageType: typeCertificateRequest,
9442 test: testCase{
9443 protocol: protocol,
9444 name: "CertificateRequest" + suffix,
9445 config: Config{
9446 MaxVersion: VersionTLS12,
9447 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9448 },
9449 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9450 })
9451
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9452 ret = append(ret, perMessageTest{
9453 messageType: typeServerHelloDone,
9454 test: testCase{
9455 protocol: protocol,
9456 name: "ServerHelloDone" + suffix,
9457 config: Config{
9458 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9459 },
9460 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9461 })
9462
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9463 ret = append(ret, perMessageTest{
9464 messageType: typeCertificate,
9465 test: testCase{
9466 testType: serverTest,
9467 protocol: protocol,
9468 name: "ClientCertificate" + suffix,
9469 config: Config{
9470 Certificates: []Certificate{rsaCertificate},
9471 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9472 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9473 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9474 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9475 })
9476
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9477 ret = append(ret, perMessageTest{
9478 messageType: typeCertificateVerify,
9479 test: testCase{
9480 testType: serverTest,
9481 protocol: protocol,
9482 name: "CertificateVerify" + suffix,
9483 config: Config{
9484 Certificates: []Certificate{rsaCertificate},
9485 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9486 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9487 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9488 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9489 })
9490
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9491 ret = append(ret, perMessageTest{
9492 messageType: typeClientKeyExchange,
9493 test: testCase{
9494 testType: serverTest,
9495 protocol: protocol,
9496 name: "ClientKeyExchange" + suffix,
9497 config: Config{
9498 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9499 },
9500 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9501 })
9502
9503 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9504 ret = append(ret, perMessageTest{
9505 messageType: typeNextProtocol,
9506 test: testCase{
9507 testType: serverTest,
9508 protocol: protocol,
9509 name: "NextProtocol" + suffix,
9510 config: Config{
9511 MaxVersion: VersionTLS12,
9512 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9513 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9514 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9515 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9516 })
9517
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9518 ret = append(ret, perMessageTest{
9519 messageType: typeChannelID,
9520 test: testCase{
9521 testType: serverTest,
9522 protocol: protocol,
9523 name: "ChannelID" + suffix,
9524 config: Config{
9525 MaxVersion: VersionTLS12,
9526 ChannelID: channelIDKey,
9527 },
9528 flags: []string{
9529 "-expect-channel-id",
9530 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9531 },
9532 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9533 })
9534 }
9535
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9536 ret = append(ret, perMessageTest{
9537 messageType: typeFinished,
9538 test: testCase{
9539 testType: serverTest,
9540 protocol: protocol,
9541 name: "ClientFinished" + suffix,
9542 config: Config{
9543 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9544 },
9545 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9546 })
9547
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9548 ret = append(ret, perMessageTest{
9549 messageType: typeNewSessionTicket,
9550 test: testCase{
9551 protocol: protocol,
9552 name: "NewSessionTicket" + suffix,
9553 config: Config{
9554 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9555 },
9556 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9557 })
9558
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9559 ret = append(ret, perMessageTest{
9560 messageType: typeFinished,
9561 test: testCase{
9562 protocol: protocol,
9563 name: "ServerFinished" + suffix,
9564 config: Config{
9565 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9566 },
9567 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9568 })
9569
9570 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9571
9572 ret = append(ret, perMessageTest{
9573 messageType: typeClientHello,
9574 test: testCase{
9575 testType: serverTest,
9576 name: "TLS13-ClientHello",
9577 config: Config{
9578 MaxVersion: VersionTLS13,
9579 },
9580 },
9581 })
9582
9583 ret = append(ret, perMessageTest{
9584 messageType: typeServerHello,
9585 test: testCase{
9586 name: "TLS13-ServerHello",
9587 config: Config{
9588 MaxVersion: VersionTLS13,
9589 },
9590 },
9591 })
9592
9593 ret = append(ret, perMessageTest{
9594 messageType: typeEncryptedExtensions,
9595 test: testCase{
9596 name: "TLS13-EncryptedExtensions",
9597 config: Config{
9598 MaxVersion: VersionTLS13,
9599 },
9600 },
9601 })
9602
9603 ret = append(ret, perMessageTest{
9604 messageType: typeCertificateRequest,
9605 test: testCase{
9606 name: "TLS13-CertificateRequest",
9607 config: Config{
9608 MaxVersion: VersionTLS13,
9609 ClientAuth: RequireAnyClientCert,
9610 },
9611 },
9612 })
9613
9614 ret = append(ret, perMessageTest{
9615 messageType: typeCertificate,
9616 test: testCase{
9617 name: "TLS13-ServerCertificate",
9618 config: Config{
9619 MaxVersion: VersionTLS13,
9620 },
9621 },
9622 })
9623
9624 ret = append(ret, perMessageTest{
9625 messageType: typeCertificateVerify,
9626 test: testCase{
9627 name: "TLS13-ServerCertificateVerify",
9628 config: Config{
9629 MaxVersion: VersionTLS13,
9630 },
9631 },
9632 })
9633
9634 ret = append(ret, perMessageTest{
9635 messageType: typeFinished,
9636 test: testCase{
9637 name: "TLS13-ServerFinished",
9638 config: Config{
9639 MaxVersion: VersionTLS13,
9640 },
9641 },
9642 })
9643
9644 ret = append(ret, perMessageTest{
9645 messageType: typeCertificate,
9646 test: testCase{
9647 testType: serverTest,
9648 name: "TLS13-ClientCertificate",
9649 config: Config{
9650 Certificates: []Certificate{rsaCertificate},
9651 MaxVersion: VersionTLS13,
9652 },
9653 flags: []string{"-require-any-client-certificate"},
9654 },
9655 })
9656
9657 ret = append(ret, perMessageTest{
9658 messageType: typeCertificateVerify,
9659 test: testCase{
9660 testType: serverTest,
9661 name: "TLS13-ClientCertificateVerify",
9662 config: Config{
9663 Certificates: []Certificate{rsaCertificate},
9664 MaxVersion: VersionTLS13,
9665 },
9666 flags: []string{"-require-any-client-certificate"},
9667 },
9668 })
9669
9670 ret = append(ret, perMessageTest{
9671 messageType: typeFinished,
9672 test: testCase{
9673 testType: serverTest,
9674 name: "TLS13-ClientFinished",
9675 config: Config{
9676 MaxVersion: VersionTLS13,
9677 },
9678 },
9679 })
9680
9681 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9682}
9683
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9684func addWrongMessageTypeTests() {
9685 for _, t := range makePerMessageTests() {
9686 t.test.name = "WrongMessageType-" + t.test.name
9687 t.test.config.Bugs.SendWrongMessageType = t.messageType
9688 t.test.shouldFail = true
9689 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9690 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9691
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9692 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9693 // In TLS 1.3, a bad ServerHello means the client sends
9694 // an unencrypted alert while the server expects
9695 // encryption, so the alert is not readable by runner.
9696 t.test.expectedLocalError = "local error: bad record MAC"
9697 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9698
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9699 testCases = append(testCases, t.test)
9700 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9701
9702 // The processing order for TLS 1.3 version negotiation is such that one
9703 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9704 // TLS 1.2. Test that we do not do this.
9705 testCases = append(testCases, testCase{
9706 name: "SendServerHelloAsHelloRetryRequest",
9707 config: Config{
9708 MaxVersion: VersionTLS12,
9709 Bugs: ProtocolBugs{
9710 SendServerHelloAsHelloRetryRequest: true,
9711 },
9712 },
9713 shouldFail: true,
9714 expectedError: ":UNEXPECTED_MESSAGE:",
9715 expectedLocalError: "remote error: unexpected message",
9716 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9717}
9718
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9719func addTrailingMessageDataTests() {
9720 for _, t := range makePerMessageTests() {
9721 t.test.name = "TrailingMessageData-" + t.test.name
9722 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9723 t.test.shouldFail = true
9724 t.test.expectedError = ":DECODE_ERROR:"
9725 t.test.expectedLocalError = "remote error: error decoding message"
9726
9727 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9728 // In TLS 1.3, a bad ServerHello means the client sends
9729 // an unencrypted alert while the server expects
9730 // encryption, so the alert is not readable by runner.
9731 t.test.expectedLocalError = "local error: bad record MAC"
9732 }
9733
9734 if t.messageType == typeFinished {
9735 // Bad Finished messages read as the verify data having
9736 // the wrong length.
9737 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9738 t.test.expectedLocalError = "remote error: error decrypting message"
9739 }
9740
9741 testCases = append(testCases, t.test)
9742 }
9743}
9744
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9745func addTLS13HandshakeTests() {
9746 testCases = append(testCases, testCase{
9747 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9748 name: "NegotiatePSKResumption-TLS13",
9749 config: Config{
9750 MaxVersion: VersionTLS13,
9751 Bugs: ProtocolBugs{
9752 NegotiatePSKResumption: true,
9753 },
9754 },
9755 resumeSession: true,
9756 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9757 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9758 })
9759
9760 testCases = append(testCases, testCase{
9761 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9762 name: "MissingKeyShare-Client",
9763 config: Config{
9764 MaxVersion: VersionTLS13,
9765 Bugs: ProtocolBugs{
9766 MissingKeyShare: true,
9767 },
9768 },
9769 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9770 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9771 })
9772
9773 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9774 testType: serverTest,
9775 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9776 config: Config{
9777 MaxVersion: VersionTLS13,
9778 Bugs: ProtocolBugs{
9779 MissingKeyShare: true,
9780 },
9781 },
9782 shouldFail: true,
9783 expectedError: ":MISSING_KEY_SHARE:",
9784 })
9785
9786 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9787 testType: serverTest,
9788 name: "DuplicateKeyShares",
9789 config: Config{
9790 MaxVersion: VersionTLS13,
9791 Bugs: ProtocolBugs{
9792 DuplicateKeyShares: true,
9793 },
9794 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9795 shouldFail: true,
9796 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9797 })
9798
9799 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9800 testType: serverTest,
9801 name: "SkipEarlyData",
9802 config: Config{
9803 MaxVersion: VersionTLS13,
9804 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9805 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9806 },
9807 },
9808 })
9809
9810 testCases = append(testCases, testCase{
9811 testType: serverTest,
9812 name: "SkipEarlyData-OmitEarlyDataExtension",
9813 config: Config{
9814 MaxVersion: VersionTLS13,
9815 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9816 SendFakeEarlyDataLength: 4,
9817 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9818 },
9819 },
9820 shouldFail: true,
9821 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9822 })
9823
9824 testCases = append(testCases, testCase{
9825 testType: serverTest,
9826 name: "SkipEarlyData-TooMuchData",
9827 config: Config{
9828 MaxVersion: VersionTLS13,
9829 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9830 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9831 },
9832 },
9833 shouldFail: true,
9834 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9835 })
9836
9837 testCases = append(testCases, testCase{
9838 testType: serverTest,
9839 name: "SkipEarlyData-Interleaved",
9840 config: Config{
9841 MaxVersion: VersionTLS13,
9842 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9843 SendFakeEarlyDataLength: 4,
9844 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9845 },
9846 },
9847 shouldFail: true,
9848 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9849 })
9850
9851 testCases = append(testCases, testCase{
9852 testType: serverTest,
9853 name: "SkipEarlyData-EarlyDataInTLS12",
9854 config: Config{
9855 MaxVersion: VersionTLS13,
9856 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9857 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9858 },
9859 },
9860 shouldFail: true,
9861 expectedError: ":UNEXPECTED_RECORD:",
9862 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9863 })
9864
9865 testCases = append(testCases, testCase{
9866 testType: serverTest,
9867 name: "SkipEarlyData-HRR",
9868 config: Config{
9869 MaxVersion: VersionTLS13,
9870 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9871 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9872 },
9873 DefaultCurves: []CurveID{},
9874 },
9875 })
9876
9877 testCases = append(testCases, testCase{
9878 testType: serverTest,
9879 name: "SkipEarlyData-HRR-Interleaved",
9880 config: Config{
9881 MaxVersion: VersionTLS13,
9882 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9883 SendFakeEarlyDataLength: 4,
9884 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9885 },
9886 DefaultCurves: []CurveID{},
9887 },
9888 shouldFail: true,
9889 expectedError: ":UNEXPECTED_RECORD:",
9890 })
9891
9892 testCases = append(testCases, testCase{
9893 testType: serverTest,
9894 name: "SkipEarlyData-HRR-TooMuchData",
9895 config: Config{
9896 MaxVersion: VersionTLS13,
9897 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9898 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9899 },
9900 DefaultCurves: []CurveID{},
9901 },
9902 shouldFail: true,
9903 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9904 })
9905
9906 // Test that skipping early data looking for cleartext correctly
9907 // processes an alert record.
9908 testCases = append(testCases, testCase{
9909 testType: serverTest,
9910 name: "SkipEarlyData-HRR-FatalAlert",
9911 config: Config{
9912 MaxVersion: VersionTLS13,
9913 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9914 SendEarlyAlert: true,
9915 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9916 },
9917 DefaultCurves: []CurveID{},
9918 },
9919 shouldFail: true,
9920 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9921 })
9922
9923 testCases = append(testCases, testCase{
9924 testType: serverTest,
9925 name: "SkipEarlyData-SecondClientHelloEarlyData",
9926 config: Config{
9927 MaxVersion: VersionTLS13,
9928 Bugs: ProtocolBugs{
9929 SendEarlyDataOnSecondClientHello: true,
9930 },
9931 DefaultCurves: []CurveID{},
9932 },
9933 shouldFail: true,
9934 expectedLocalError: "remote error: bad record MAC",
9935 })
9936
9937 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9938 testType: clientTest,
9939 name: "EmptyEncryptedExtensions",
9940 config: Config{
9941 MaxVersion: VersionTLS13,
9942 Bugs: ProtocolBugs{
9943 EmptyEncryptedExtensions: true,
9944 },
9945 },
9946 shouldFail: true,
9947 expectedLocalError: "remote error: error decoding message",
9948 })
9949
9950 testCases = append(testCases, testCase{
9951 testType: clientTest,
9952 name: "EncryptedExtensionsWithKeyShare",
9953 config: Config{
9954 MaxVersion: VersionTLS13,
9955 Bugs: ProtocolBugs{
9956 EncryptedExtensionsWithKeyShare: true,
9957 },
9958 },
9959 shouldFail: true,
9960 expectedLocalError: "remote error: unsupported extension",
9961 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9962
9963 testCases = append(testCases, testCase{
9964 testType: serverTest,
9965 name: "SendHelloRetryRequest",
9966 config: Config{
9967 MaxVersion: VersionTLS13,
9968 // Require a HelloRetryRequest for every curve.
9969 DefaultCurves: []CurveID{},
9970 },
9971 expectedCurveID: CurveX25519,
9972 })
9973
9974 testCases = append(testCases, testCase{
9975 testType: serverTest,
9976 name: "SendHelloRetryRequest-2",
9977 config: Config{
9978 MaxVersion: VersionTLS13,
9979 DefaultCurves: []CurveID{CurveP384},
9980 },
9981 // Although the ClientHello did not predict our preferred curve,
9982 // we always select it whether it is predicted or not.
9983 expectedCurveID: CurveX25519,
9984 })
9985
9986 testCases = append(testCases, testCase{
9987 name: "UnknownCurve-HelloRetryRequest",
9988 config: Config{
9989 MaxVersion: VersionTLS13,
9990 // P-384 requires HelloRetryRequest in BoringSSL.
9991 CurvePreferences: []CurveID{CurveP384},
9992 Bugs: ProtocolBugs{
9993 SendHelloRetryRequestCurve: bogusCurve,
9994 },
9995 },
9996 shouldFail: true,
9997 expectedError: ":WRONG_CURVE:",
9998 })
9999
10000 testCases = append(testCases, testCase{
10001 name: "DisabledCurve-HelloRetryRequest",
10002 config: Config{
10003 MaxVersion: VersionTLS13,
10004 CurvePreferences: []CurveID{CurveP256},
10005 Bugs: ProtocolBugs{
10006 IgnorePeerCurvePreferences: true,
10007 },
10008 },
10009 flags: []string{"-p384-only"},
10010 shouldFail: true,
10011 expectedError: ":WRONG_CURVE:",
10012 })
10013
10014 testCases = append(testCases, testCase{
10015 name: "UnnecessaryHelloRetryRequest",
10016 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10017 MaxVersion: VersionTLS13,
10018 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10019 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10020 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10021 },
10022 },
10023 shouldFail: true,
10024 expectedError: ":WRONG_CURVE:",
10025 })
10026
10027 testCases = append(testCases, testCase{
10028 name: "SecondHelloRetryRequest",
10029 config: Config{
10030 MaxVersion: VersionTLS13,
10031 // P-384 requires HelloRetryRequest in BoringSSL.
10032 CurvePreferences: []CurveID{CurveP384},
10033 Bugs: ProtocolBugs{
10034 SecondHelloRetryRequest: true,
10035 },
10036 },
10037 shouldFail: true,
10038 expectedError: ":UNEXPECTED_MESSAGE:",
10039 })
10040
10041 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10042 name: "HelloRetryRequest-Empty",
10043 config: Config{
10044 MaxVersion: VersionTLS13,
10045 Bugs: ProtocolBugs{
10046 AlwaysSendHelloRetryRequest: true,
10047 },
10048 },
10049 shouldFail: true,
10050 expectedError: ":DECODE_ERROR:",
10051 })
10052
10053 testCases = append(testCases, testCase{
10054 name: "HelloRetryRequest-DuplicateCurve",
10055 config: Config{
10056 MaxVersion: VersionTLS13,
10057 // P-384 requires a HelloRetryRequest against BoringSSL's default
10058 // configuration. Assert this ExpectMissingKeyShare.
10059 CurvePreferences: []CurveID{CurveP384},
10060 Bugs: ProtocolBugs{
10061 ExpectMissingKeyShare: true,
10062 DuplicateHelloRetryRequestExtensions: true,
10063 },
10064 },
10065 shouldFail: true,
10066 expectedError: ":DUPLICATE_EXTENSION:",
10067 expectedLocalError: "remote error: illegal parameter",
10068 })
10069
10070 testCases = append(testCases, testCase{
10071 name: "HelloRetryRequest-Cookie",
10072 config: Config{
10073 MaxVersion: VersionTLS13,
10074 Bugs: ProtocolBugs{
10075 SendHelloRetryRequestCookie: []byte("cookie"),
10076 },
10077 },
10078 })
10079
10080 testCases = append(testCases, testCase{
10081 name: "HelloRetryRequest-DuplicateCookie",
10082 config: Config{
10083 MaxVersion: VersionTLS13,
10084 Bugs: ProtocolBugs{
10085 SendHelloRetryRequestCookie: []byte("cookie"),
10086 DuplicateHelloRetryRequestExtensions: true,
10087 },
10088 },
10089 shouldFail: true,
10090 expectedError: ":DUPLICATE_EXTENSION:",
10091 expectedLocalError: "remote error: illegal parameter",
10092 })
10093
10094 testCases = append(testCases, testCase{
10095 name: "HelloRetryRequest-EmptyCookie",
10096 config: Config{
10097 MaxVersion: VersionTLS13,
10098 Bugs: ProtocolBugs{
10099 SendHelloRetryRequestCookie: []byte{},
10100 },
10101 },
10102 shouldFail: true,
10103 expectedError: ":DECODE_ERROR:",
10104 })
10105
10106 testCases = append(testCases, testCase{
10107 name: "HelloRetryRequest-Cookie-Curve",
10108 config: Config{
10109 MaxVersion: VersionTLS13,
10110 // P-384 requires HelloRetryRequest in BoringSSL.
10111 CurvePreferences: []CurveID{CurveP384},
10112 Bugs: ProtocolBugs{
10113 SendHelloRetryRequestCookie: []byte("cookie"),
10114 ExpectMissingKeyShare: true,
10115 },
10116 },
10117 })
10118
10119 testCases = append(testCases, testCase{
10120 name: "HelloRetryRequest-Unknown",
10121 config: Config{
10122 MaxVersion: VersionTLS13,
10123 Bugs: ProtocolBugs{
10124 CustomHelloRetryRequestExtension: "extension",
10125 },
10126 },
10127 shouldFail: true,
10128 expectedError: ":UNEXPECTED_EXTENSION:",
10129 expectedLocalError: "remote error: unsupported extension",
10130 })
10131
10132 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10133 testType: serverTest,
10134 name: "SecondClientHelloMissingKeyShare",
10135 config: Config{
10136 MaxVersion: VersionTLS13,
10137 DefaultCurves: []CurveID{},
10138 Bugs: ProtocolBugs{
10139 SecondClientHelloMissingKeyShare: true,
10140 },
10141 },
10142 shouldFail: true,
10143 expectedError: ":MISSING_KEY_SHARE:",
10144 })
10145
10146 testCases = append(testCases, testCase{
10147 testType: serverTest,
10148 name: "SecondClientHelloWrongCurve",
10149 config: Config{
10150 MaxVersion: VersionTLS13,
10151 DefaultCurves: []CurveID{},
10152 Bugs: ProtocolBugs{
10153 MisinterpretHelloRetryRequestCurve: CurveP521,
10154 },
10155 },
10156 shouldFail: true,
10157 expectedError: ":WRONG_CURVE:",
10158 })
10159
10160 testCases = append(testCases, testCase{
10161 name: "HelloRetryRequestVersionMismatch",
10162 config: Config{
10163 MaxVersion: VersionTLS13,
10164 // P-384 requires HelloRetryRequest in BoringSSL.
10165 CurvePreferences: []CurveID{CurveP384},
10166 Bugs: ProtocolBugs{
10167 SendServerHelloVersion: 0x0305,
10168 },
10169 },
10170 shouldFail: true,
10171 expectedError: ":WRONG_VERSION_NUMBER:",
10172 })
10173
10174 testCases = append(testCases, testCase{
10175 name: "HelloRetryRequestCurveMismatch",
10176 config: Config{
10177 MaxVersion: VersionTLS13,
10178 // P-384 requires HelloRetryRequest in BoringSSL.
10179 CurvePreferences: []CurveID{CurveP384},
10180 Bugs: ProtocolBugs{
10181 // Send P-384 (correct) in the HelloRetryRequest.
10182 SendHelloRetryRequestCurve: CurveP384,
10183 // But send P-256 in the ServerHello.
10184 SendCurve: CurveP256,
10185 },
10186 },
10187 shouldFail: true,
10188 expectedError: ":WRONG_CURVE:",
10189 })
10190
10191 // Test the server selecting a curve that requires a HelloRetryRequest
10192 // without sending it.
10193 testCases = append(testCases, testCase{
10194 name: "SkipHelloRetryRequest",
10195 config: Config{
10196 MaxVersion: VersionTLS13,
10197 // P-384 requires HelloRetryRequest in BoringSSL.
10198 CurvePreferences: []CurveID{CurveP384},
10199 Bugs: ProtocolBugs{
10200 SkipHelloRetryRequest: true,
10201 },
10202 },
10203 shouldFail: true,
10204 expectedError: ":WRONG_CURVE:",
10205 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10206
10207 testCases = append(testCases, testCase{
10208 name: "TLS13-RequestContextInHandshake",
10209 config: Config{
10210 MaxVersion: VersionTLS13,
10211 MinVersion: VersionTLS13,
10212 ClientAuth: RequireAnyClientCert,
10213 Bugs: ProtocolBugs{
10214 SendRequestContext: []byte("request context"),
10215 },
10216 },
10217 flags: []string{
10218 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10219 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10220 },
10221 shouldFail: true,
10222 expectedError: ":DECODE_ERROR:",
10223 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10224
10225 testCases = append(testCases, testCase{
10226 testType: serverTest,
10227 name: "TLS13-TrailingKeyShareData",
10228 config: Config{
10229 MaxVersion: VersionTLS13,
10230 Bugs: ProtocolBugs{
10231 TrailingKeyShareData: true,
10232 },
10233 },
10234 shouldFail: true,
10235 expectedError: ":DECODE_ERROR:",
10236 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10237
10238 testCases = append(testCases, testCase{
10239 name: "TLS13-AlwaysSelectPSKIdentity",
10240 config: Config{
10241 MaxVersion: VersionTLS13,
10242 Bugs: ProtocolBugs{
10243 AlwaysSelectPSKIdentity: true,
10244 },
10245 },
10246 shouldFail: true,
10247 expectedError: ":UNEXPECTED_EXTENSION:",
10248 })
10249
10250 testCases = append(testCases, testCase{
10251 name: "TLS13-InvalidPSKIdentity",
10252 config: Config{
10253 MaxVersion: VersionTLS13,
10254 Bugs: ProtocolBugs{
10255 SelectPSKIdentityOnResume: 1,
10256 },
10257 },
10258 resumeSession: true,
10259 shouldFail: true,
10260 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10261 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10262
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10263 testCases = append(testCases, testCase{
10264 testType: serverTest,
10265 name: "TLS13-ExtraPSKIdentity",
10266 config: Config{
10267 MaxVersion: VersionTLS13,
10268 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10269 ExtraPSKIdentity: true,
10270 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10271 },
10272 },
10273 resumeSession: true,
10274 })
10275
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10276 // Test that unknown NewSessionTicket extensions are tolerated.
10277 testCases = append(testCases, testCase{
10278 name: "TLS13-CustomTicketExtension",
10279 config: Config{
10280 MaxVersion: VersionTLS13,
10281 Bugs: ProtocolBugs{
10282 CustomTicketExtension: "1234",
10283 },
10284 },
10285 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10286
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10287 testCases = append(testCases, testCase{
10288 testType: clientTest,
10289 name: "TLS13-DataLessEarlyData-Reject-Client",
10290 config: Config{
10291 MaxVersion: VersionTLS13,
10292 MaxEarlyDataSize: 16384,
10293 },
10294 resumeConfig: &Config{
10295 MaxVersion: VersionTLS13,
10296 MaxEarlyDataSize: 16384,
10297 Bugs: ProtocolBugs{
10298 AlwaysRejectEarlyData: true,
10299 },
10300 },
10301 resumeSession: true,
10302 flags: []string{
10303 "-enable-early-data",
10304 "-expect-early-data-info",
10305 "-expect-reject-early-data",
10306 },
10307 })
10308
10309 testCases = append(testCases, testCase{
10310 testType: clientTest,
10311 name: "TLS13-DataLessEarlyData-HRR-Client",
10312 config: Config{
10313 MaxVersion: VersionTLS13,
10314 MaxEarlyDataSize: 16384,
10315 },
10316 resumeConfig: &Config{
10317 MaxVersion: VersionTLS13,
10318 MaxEarlyDataSize: 16384,
10319 Bugs: ProtocolBugs{
10320 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10321 },
10322 },
10323 resumeSession: true,
10324 flags: []string{
10325 "-enable-early-data",
10326 "-expect-early-data-info",
10327 "-expect-reject-early-data",
10328 },
10329 })
10330
10331 // The client must check the server does not send the early_data
10332 // extension while rejecting the session.
10333 testCases = append(testCases, testCase{
10334 testType: clientTest,
10335 name: "TLS13-EarlyDataWithoutResume-Client",
10336 config: Config{
10337 MaxVersion: VersionTLS13,
10338 MaxEarlyDataSize: 16384,
10339 },
10340 resumeConfig: &Config{
10341 MaxVersion: VersionTLS13,
10342 SessionTicketsDisabled: true,
10343 Bugs: ProtocolBugs{
10344 SendEarlyDataExtension: true,
10345 },
10346 },
10347 resumeSession: true,
10348 flags: []string{
10349 "-enable-early-data",
10350 "-expect-early-data-info",
10351 },
10352 shouldFail: true,
10353 expectedError: ":UNEXPECTED_EXTENSION:",
10354 })
10355
10356 // The client must fail with a dedicated error code if the server
10357 // responds with TLS 1.2 when offering 0-RTT.
10358 testCases = append(testCases, testCase{
10359 testType: clientTest,
10360 name: "TLS13-EarlyDataVersionDowngrade-Client",
10361 config: Config{
10362 MaxVersion: VersionTLS13,
10363 MaxEarlyDataSize: 16384,
10364 },
10365 resumeConfig: &Config{
10366 MaxVersion: VersionTLS12,
10367 },
10368 resumeSession: true,
10369 flags: []string{
10370 "-enable-early-data",
10371 "-expect-early-data-info",
10372 },
10373 shouldFail: true,
10374 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10375 })
10376
10377 // Test that the client rejects an (unsolicited) early_data extension if
10378 // the server sent an HRR.
10379 testCases = append(testCases, testCase{
10380 testType: clientTest,
10381 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10382 config: Config{
10383 MaxVersion: VersionTLS13,
10384 MaxEarlyDataSize: 16384,
10385 },
10386 resumeConfig: &Config{
10387 MaxVersion: VersionTLS13,
10388 MaxEarlyDataSize: 16384,
10389 Bugs: ProtocolBugs{
10390 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10391 SendEarlyDataExtension: true,
10392 },
10393 },
10394 resumeSession: true,
10395 flags: []string{
10396 "-enable-early-data",
10397 "-expect-early-data-info",
10398 },
10399 shouldFail: true,
10400 expectedError: ":UNEXPECTED_EXTENSION:",
10401 })
10402
10403 fooString := "foo"
10404 barString := "bar"
10405
10406 // Test that the client reports the correct ALPN after a 0-RTT reject
10407 // that changed it.
10408 testCases = append(testCases, testCase{
10409 testType: clientTest,
10410 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10411 config: Config{
10412 MaxVersion: VersionTLS13,
10413 MaxEarlyDataSize: 16384,
10414 Bugs: ProtocolBugs{
10415 ALPNProtocol: &fooString,
10416 },
10417 },
10418 resumeConfig: &Config{
10419 MaxVersion: VersionTLS13,
10420 MaxEarlyDataSize: 16384,
10421 Bugs: ProtocolBugs{
10422 ALPNProtocol: &barString,
10423 },
10424 },
10425 resumeSession: true,
10426 flags: []string{
10427 "-advertise-alpn", "\x03foo\x03bar",
10428 "-enable-early-data",
10429 "-expect-early-data-info",
10430 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10431 "-on-initial-expect-alpn", "foo",
10432 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10433 },
10434 })
10435
10436 // Test that the client reports the correct ALPN after a 0-RTT reject if
10437 // ALPN was omitted from the first connection.
10438 testCases = append(testCases, testCase{
10439 testType: clientTest,
10440 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10441 config: Config{
10442 MaxVersion: VersionTLS13,
10443 MaxEarlyDataSize: 16384,
10444 },
10445 resumeConfig: &Config{
10446 MaxVersion: VersionTLS13,
10447 MaxEarlyDataSize: 16384,
10448 NextProtos: []string{"foo"},
10449 },
10450 resumeSession: true,
10451 flags: []string{
10452 "-advertise-alpn", "\x03foo\x03bar",
10453 "-enable-early-data",
10454 "-expect-early-data-info",
10455 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10456 "-on-initial-expect-alpn", "",
10457 "-on-resume-expect-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10458 },
10459 })
10460
10461 // Test that the client reports the correct ALPN after a 0-RTT reject if
10462 // ALPN was omitted from the second connection.
10463 testCases = append(testCases, testCase{
10464 testType: clientTest,
10465 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10466 config: Config{
10467 MaxVersion: VersionTLS13,
10468 MaxEarlyDataSize: 16384,
10469 NextProtos: []string{"foo"},
10470 },
10471 resumeConfig: &Config{
10472 MaxVersion: VersionTLS13,
10473 MaxEarlyDataSize: 16384,
10474 },
10475 resumeSession: true,
10476 flags: []string{
10477 "-advertise-alpn", "\x03foo\x03bar",
10478 "-enable-early-data",
10479 "-expect-early-data-info",
10480 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10481 "-on-initial-expect-alpn", "foo",
10482 "-on-resume-expect-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10483 },
10484 })
10485
10486 // Test that the client enforces ALPN match on 0-RTT accept.
10487 testCases = append(testCases, testCase{
10488 testType: clientTest,
10489 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10490 config: Config{
10491 MaxVersion: VersionTLS13,
10492 MaxEarlyDataSize: 16384,
10493 Bugs: ProtocolBugs{
10494 ALPNProtocol: &fooString,
10495 },
10496 },
10497 resumeConfig: &Config{
10498 MaxVersion: VersionTLS13,
10499 MaxEarlyDataSize: 16384,
10500 Bugs: ProtocolBugs{
10501 AlwaysAcceptEarlyData: true,
10502 ALPNProtocol: &barString,
10503 },
10504 },
10505 resumeSession: true,
10506 flags: []string{
10507 "-advertise-alpn", "\x03foo\x03bar",
10508 "-enable-early-data",
10509 "-expect-early-data-info",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10510 "-on-initial-expect-alpn", "foo",
10511 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10512 },
10513 shouldFail: true,
10514 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10515 })
10516
10517 // Test that the server correctly rejects 0-RTT when the previous
10518 // session did not allow early data on resumption.
10519 testCases = append(testCases, testCase{
10520 testType: serverTest,
10521 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10522 config: Config{
10523 MaxVersion: VersionTLS13,
10524 },
10525 resumeConfig: &Config{
10526 MaxVersion: VersionTLS13,
10527 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10528 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10529 ExpectEarlyDataAccepted: false,
10530 },
10531 },
10532 resumeSession: true,
10533 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10534 "-on-resume-enable-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10535 "-expect-reject-early-data",
10536 },
10537 })
10538
10539 // Test that we reject early data where ALPN is omitted from the first
10540 // connection.
10541 testCases = append(testCases, testCase{
10542 testType: serverTest,
10543 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10544 config: Config{
10545 MaxVersion: VersionTLS13,
10546 NextProtos: []string{},
10547 },
10548 resumeConfig: &Config{
10549 MaxVersion: VersionTLS13,
10550 NextProtos: []string{"foo"},
10551 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10552 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10553 ExpectEarlyDataAccepted: false,
10554 },
10555 },
10556 resumeSession: true,
10557 flags: []string{
10558 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10559 "-on-initial-select-alpn", "",
10560 "-on-resume-select-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10561 },
10562 })
10563
10564 // Test that we reject early data where ALPN is omitted from the second
10565 // connection.
10566 testCases = append(testCases, testCase{
10567 testType: serverTest,
10568 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10569 config: Config{
10570 MaxVersion: VersionTLS13,
10571 NextProtos: []string{"foo"},
10572 },
10573 resumeConfig: &Config{
10574 MaxVersion: VersionTLS13,
10575 NextProtos: []string{},
10576 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10577 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10578 ExpectEarlyDataAccepted: false,
10579 },
10580 },
10581 resumeSession: true,
10582 flags: []string{
10583 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10584 "-on-initial-select-alpn", "foo",
10585 "-on-resume-select-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10586 },
10587 })
10588
10589 // Test that we reject early data with mismatched ALPN.
10590 testCases = append(testCases, testCase{
10591 testType: serverTest,
10592 name: "TLS13-EarlyData-ALPNMismatch-Server",
10593 config: Config{
10594 MaxVersion: VersionTLS13,
10595 NextProtos: []string{"foo"},
10596 },
10597 resumeConfig: &Config{
10598 MaxVersion: VersionTLS13,
10599 NextProtos: []string{"bar"},
10600 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10601 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10602 ExpectEarlyDataAccepted: false,
10603 },
10604 },
10605 resumeSession: true,
10606 flags: []string{
10607 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10608 "-on-initial-select-alpn", "foo",
10609 "-on-resume-select-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10610 },
10611 })
10612
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10613 // Test that the client offering 0-RTT and Channel ID forbids the server
10614 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10615 testCases = append(testCases, testCase{
10616 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10617 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10618 config: Config{
10619 MaxVersion: VersionTLS13,
10620 MaxEarlyDataSize: 16384,
10621 RequestChannelID: true,
10622 },
10623 resumeSession: true,
10624 expectChannelID: true,
10625 shouldFail: true,
10626 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10627 flags: []string{
10628 "-enable-early-data",
10629 "-expect-early-data-info",
10630 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10631 },
10632 })
10633
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10634 // Test that the client offering Channel ID and 0-RTT allows the server
10635 // to decline 0-RTT.
10636 testCases = append(testCases, testCase{
10637 testType: clientTest,
10638 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10639 config: Config{
10640 MaxVersion: VersionTLS13,
10641 MaxEarlyDataSize: 16384,
10642 RequestChannelID: true,
10643 Bugs: ProtocolBugs{
10644 AlwaysRejectEarlyData: true,
10645 },
10646 },
10647 resumeSession: true,
10648 expectChannelID: true,
10649 flags: []string{
10650 "-enable-early-data",
10651 "-expect-early-data-info",
10652 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10653 "-expect-reject-early-data",
10654 },
10655 })
10656
10657 // Test that the client offering Channel ID and 0-RTT allows the server
10658 // to decline Channel ID.
10659 testCases = append(testCases, testCase{
10660 testType: clientTest,
10661 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10662 config: Config{
10663 MaxVersion: VersionTLS13,
10664 MaxEarlyDataSize: 16384,
10665 },
10666 resumeSession: true,
10667 flags: []string{
10668 "-enable-early-data",
10669 "-expect-early-data-info",
10670 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10671 "-expect-accept-early-data",
10672 },
10673 })
10674
10675 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10676 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10677 testCases = append(testCases, testCase{
10678 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10679 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10680 config: Config{
10681 MaxVersion: VersionTLS13,
10682 ChannelID: channelIDKey,
10683 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10684 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10685 ExpectEarlyDataAccepted: false,
10686 },
10687 },
10688 resumeSession: true,
10689 expectChannelID: true,
10690 flags: []string{
10691 "-enable-early-data",
10692 "-expect-reject-early-data",
10693 "-expect-channel-id",
10694 base64.StdEncoding.EncodeToString(channelIDBytes),
10695 },
10696 })
10697
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10698 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10699 // if not offered Channel ID.
10700 testCases = append(testCases, testCase{
10701 testType: serverTest,
10702 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10703 config: Config{
10704 MaxVersion: VersionTLS13,
10705 Bugs: ProtocolBugs{
10706 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10707 ExpectEarlyDataAccepted: true,
10708 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10709 },
10710 },
10711 resumeSession: true,
10712 expectChannelID: false,
10713 flags: []string{
10714 "-enable-early-data",
10715 "-expect-accept-early-data",
10716 "-enable-channel-id",
10717 },
10718 })
10719
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10720 // Test that the server rejects 0-RTT streams without end_of_early_data.
10721 // The subsequent records should fail to decrypt.
10722 testCases = append(testCases, testCase{
10723 testType: serverTest,
10724 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10725 config: Config{
10726 MaxVersion: VersionTLS13,
10727 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10728 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10729 ExpectEarlyDataAccepted: true,
10730 SkipEndOfEarlyData: true,
10731 },
10732 },
10733 resumeSession: true,
10734 flags: []string{"-enable-early-data"},
10735 shouldFail: true,
10736 expectedLocalError: "remote error: bad record MAC",
10737 expectedError: ":BAD_DECRYPT:",
10738 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10739
10740 testCases = append(testCases, testCase{
10741 testType: serverTest,
10742 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10743 config: Config{
10744 MaxVersion: VersionTLS13,
10745 },
10746 resumeConfig: &Config{
10747 MaxVersion: VersionTLS13,
10748 Bugs: ProtocolBugs{
10749 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10750 SendStrayEarlyHandshake: true,
10751 ExpectEarlyDataAccepted: true},
10752 },
10753 resumeSession: true,
10754 shouldFail: true,
10755 expectedError: ":UNEXPECTED_RECORD:",
10756 expectedLocalError: "remote error: unexpected message",
10757 flags: []string{
10758 "-enable-early-data",
10759 },
10760 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10761}
10762
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10763func addTLS13CipherPreferenceTests() {
10764 // Test that client preference is honored if the shim has AES hardware
10765 // and ChaCha20-Poly1305 is preferred otherwise.
10766 testCases = append(testCases, testCase{
10767 testType: serverTest,
10768 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10769 config: Config{
10770 MaxVersion: VersionTLS13,
10771 CipherSuites: []uint16{
10772 TLS_CHACHA20_POLY1305_SHA256,
10773 TLS_AES_128_GCM_SHA256,
10774 },
10775 },
10776 flags: []string{
10777 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10778 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10779 },
10780 })
10781
10782 testCases = append(testCases, testCase{
10783 testType: serverTest,
10784 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10785 config: Config{
10786 MaxVersion: VersionTLS13,
10787 CipherSuites: []uint16{
10788 TLS_AES_128_GCM_SHA256,
10789 TLS_CHACHA20_POLY1305_SHA256,
10790 },
10791 },
10792 flags: []string{
10793 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10794 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10795 },
10796 })
10797
10798 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10799 // whether it has AES hardware.
10800 testCases = append(testCases, testCase{
10801 name: "TLS13-CipherPreference-Client",
10802 config: Config{
10803 MaxVersion: VersionTLS13,
10804 // Use the client cipher order. (This is the default but
10805 // is listed to be explicit.)
10806 PreferServerCipherSuites: false,
10807 },
10808 flags: []string{
10809 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10810 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10811 },
10812 })
10813}
10814
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10815func addPeekTests() {
10816 // Test SSL_peek works, including on empty records.
10817 testCases = append(testCases, testCase{
10818 name: "Peek-Basic",
10819 sendEmptyRecords: 1,
10820 flags: []string{"-peek-then-read"},
10821 })
10822
10823 // Test SSL_peek can drive the initial handshake.
10824 testCases = append(testCases, testCase{
10825 name: "Peek-ImplicitHandshake",
10826 flags: []string{
10827 "-peek-then-read",
10828 "-implicit-handshake",
10829 },
10830 })
10831
10832 // Test SSL_peek can discover and drive a renegotiation.
10833 testCases = append(testCases, testCase{
10834 name: "Peek-Renegotiate",
10835 config: Config{
10836 MaxVersion: VersionTLS12,
10837 },
10838 renegotiate: 1,
10839 flags: []string{
10840 "-peek-then-read",
10841 "-renegotiate-freely",
10842 "-expect-total-renegotiations", "1",
10843 },
10844 })
10845
10846 // Test SSL_peek can discover a close_notify.
10847 testCases = append(testCases, testCase{
10848 name: "Peek-Shutdown",
10849 config: Config{
10850 Bugs: ProtocolBugs{
10851 ExpectCloseNotify: true,
10852 },
10853 },
10854 flags: []string{
10855 "-peek-then-read",
10856 "-check-close-notify",
10857 },
10858 })
10859
10860 // Test SSL_peek can discover an alert.
10861 testCases = append(testCases, testCase{
10862 name: "Peek-Alert",
10863 config: Config{
10864 Bugs: ProtocolBugs{
10865 SendSpuriousAlert: alertRecordOverflow,
10866 },
10867 },
10868 flags: []string{"-peek-then-read"},
10869 shouldFail: true,
10870 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10871 })
10872
10873 // Test SSL_peek can handle KeyUpdate.
10874 testCases = append(testCases, testCase{
10875 name: "Peek-KeyUpdate",
10876 config: Config{
10877 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10878 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10879 sendKeyUpdates: 1,
10880 keyUpdateRequest: keyUpdateNotRequested,
10881 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10882 })
10883}
10884
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10885func addRecordVersionTests() {
10886 for _, ver := range tlsVersions {
10887 // Test that the record version is enforced.
10888 testCases = append(testCases, testCase{
10889 name: "CheckRecordVersion-" + ver.name,
10890 config: Config{
10891 MinVersion: ver.version,
10892 MaxVersion: ver.version,
10893 Bugs: ProtocolBugs{
10894 SendRecordVersion: 0x03ff,
10895 },
10896 },
10897 shouldFail: true,
10898 expectedError: ":WRONG_VERSION_NUMBER:",
10899 })
10900
10901 // Test that the ClientHello may use any record version, for
10902 // compatibility reasons.
10903 testCases = append(testCases, testCase{
10904 testType: serverTest,
10905 name: "LooseInitialRecordVersion-" + ver.name,
10906 config: Config{
10907 MinVersion: ver.version,
10908 MaxVersion: ver.version,
10909 Bugs: ProtocolBugs{
10910 SendInitialRecordVersion: 0x03ff,
10911 },
10912 },
10913 })
10914
10915 // Test that garbage ClientHello record versions are rejected.
10916 testCases = append(testCases, testCase{
10917 testType: serverTest,
10918 name: "GarbageInitialRecordVersion-" + ver.name,
10919 config: Config{
10920 MinVersion: ver.version,
10921 MaxVersion: ver.version,
10922 Bugs: ProtocolBugs{
10923 SendInitialRecordVersion: 0xffff,
10924 },
10925 },
10926 shouldFail: true,
10927 expectedError: ":WRONG_VERSION_NUMBER:",
10928 })
10929 }
10930}
10931
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10932func addCertificateTests() {
10933 // Test that a certificate chain with intermediate may be sent and
10934 // received as both client and server.
10935 for _, ver := range tlsVersions {
10936 testCases = append(testCases, testCase{
10937 testType: clientTest,
10938 name: "SendReceiveIntermediate-Client-" + ver.name,
10939 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10940 MinVersion: ver.version,
10941 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10942 Certificates: []Certificate{rsaChainCertificate},
10943 ClientAuth: RequireAnyClientCert,
10944 },
10945 expectPeerCertificate: &rsaChainCertificate,
10946 flags: []string{
10947 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10948 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10949 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10950 },
10951 })
10952
10953 testCases = append(testCases, testCase{
10954 testType: serverTest,
10955 name: "SendReceiveIntermediate-Server-" + ver.name,
10956 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10957 MinVersion: ver.version,
10958 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10959 Certificates: []Certificate{rsaChainCertificate},
10960 },
10961 expectPeerCertificate: &rsaChainCertificate,
10962 flags: []string{
10963 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10964 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10965 "-require-any-client-certificate",
10966 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10967 },
10968 })
10969 }
10970}
10971
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10972func addRetainOnlySHA256ClientCertTests() {
10973 for _, ver := range tlsVersions {
10974 // Test that enabling
10975 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10976 // actually requesting a client certificate is a no-op.
10977 testCases = append(testCases, testCase{
10978 testType: serverTest,
10979 name: "RetainOnlySHA256-NoCert-" + ver.name,
10980 config: Config{
10981 MinVersion: ver.version,
10982 MaxVersion: ver.version,
10983 },
10984 flags: []string{
10985 "-retain-only-sha256-client-cert-initial",
10986 "-retain-only-sha256-client-cert-resume",
10987 },
10988 resumeSession: true,
10989 })
10990
10991 // Test that when retaining only a SHA-256 certificate is
10992 // enabled, the hash appears as expected.
10993 testCases = append(testCases, testCase{
10994 testType: serverTest,
10995 name: "RetainOnlySHA256-Cert-" + ver.name,
10996 config: Config{
10997 MinVersion: ver.version,
10998 MaxVersion: ver.version,
10999 Certificates: []Certificate{rsaCertificate},
11000 },
11001 flags: []string{
11002 "-verify-peer",
11003 "-retain-only-sha256-client-cert-initial",
11004 "-retain-only-sha256-client-cert-resume",
11005 "-expect-sha256-client-cert-initial",
11006 "-expect-sha256-client-cert-resume",
11007 },
11008 resumeSession: true,
11009 })
11010
11011 // Test that when the config changes from on to off, a
11012 // resumption is rejected because the server now wants the full
11013 // certificate chain.
11014 testCases = append(testCases, testCase{
11015 testType: serverTest,
11016 name: "RetainOnlySHA256-OnOff-" + ver.name,
11017 config: Config{
11018 MinVersion: ver.version,
11019 MaxVersion: ver.version,
11020 Certificates: []Certificate{rsaCertificate},
11021 },
11022 flags: []string{
11023 "-verify-peer",
11024 "-retain-only-sha256-client-cert-initial",
11025 "-expect-sha256-client-cert-initial",
11026 },
11027 resumeSession: true,
11028 expectResumeRejected: true,
11029 })
11030
11031 // Test that when the config changes from off to on, a
11032 // resumption is rejected because the server now wants just the
11033 // hash.
11034 testCases = append(testCases, testCase{
11035 testType: serverTest,
11036 name: "RetainOnlySHA256-OffOn-" + ver.name,
11037 config: Config{
11038 MinVersion: ver.version,
11039 MaxVersion: ver.version,
11040 Certificates: []Certificate{rsaCertificate},
11041 },
11042 flags: []string{
11043 "-verify-peer",
11044 "-retain-only-sha256-client-cert-resume",
11045 "-expect-sha256-client-cert-resume",
11046 },
11047 resumeSession: true,
11048 expectResumeRejected: true,
11049 })
11050 }
11051}
11052
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11053func addECDSAKeyUsageTests() {
11054 p256 := elliptic.P256()
11055 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11056 if err != nil {
11057 panic(err)
11058 }
11059
11060 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11061 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11062 if err != nil {
11063 panic(err)
11064 }
11065
11066 template := x509.Certificate{
11067 SerialNumber: serialNumber,
11068 Subject: pkix.Name{
11069 Organization: []string{"Acme Co"},
11070 },
11071 NotBefore: time.Now(),
11072 NotAfter: time.Now(),
11073
11074 // An ECC certificate with only the keyAgreement key usgae may
11075 // be used with ECDH, but not ECDSA.
11076 KeyUsage: x509.KeyUsageKeyAgreement,
11077 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11078 BasicConstraintsValid: true,
11079 }
11080
11081 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11082 if err != nil {
11083 panic(err)
11084 }
11085
11086 cert := Certificate{
11087 Certificate: [][]byte{derBytes},
11088 PrivateKey: priv,
11089 }
11090
11091 for _, ver := range tlsVersions {
11092 if ver.version < VersionTLS12 {
11093 continue
11094 }
11095
11096 testCases = append(testCases, testCase{
11097 testType: clientTest,
11098 name: "ECDSAKeyUsage-" + ver.name,
11099 config: Config{
11100 MinVersion: ver.version,
11101 MaxVersion: ver.version,
11102 Certificates: []Certificate{cert},
11103 },
11104 shouldFail: true,
11105 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11106 })
11107 }
11108}
11109
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11110func addExtraHandshakeTests() {
11111 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11112 // to ensure there is no transport I/O.
11113 testCases = append(testCases, testCase{
11114 testType: clientTest,
11115 name: "ExtraHandshake-Client-TLS12",
11116 config: Config{
11117 MinVersion: VersionTLS12,
11118 MaxVersion: VersionTLS12,
11119 },
11120 flags: []string{
11121 "-async",
11122 "-no-op-extra-handshake",
11123 },
11124 })
11125 testCases = append(testCases, testCase{
11126 testType: serverTest,
11127 name: "ExtraHandshake-Server-TLS12",
11128 config: Config{
11129 MinVersion: VersionTLS12,
11130 MaxVersion: VersionTLS12,
11131 },
11132 flags: []string{
11133 "-async",
11134 "-no-op-extra-handshake",
11135 },
11136 })
11137 testCases = append(testCases, testCase{
11138 testType: clientTest,
11139 name: "ExtraHandshake-Client-TLS13",
11140 config: Config{
11141 MinVersion: VersionTLS13,
11142 MaxVersion: VersionTLS13,
11143 },
11144 flags: []string{
11145 "-async",
11146 "-no-op-extra-handshake",
11147 },
11148 })
11149 testCases = append(testCases, testCase{
11150 testType: serverTest,
11151 name: "ExtraHandshake-Server-TLS13",
11152 config: Config{
11153 MinVersion: VersionTLS13,
11154 MaxVersion: VersionTLS13,
11155 },
11156 flags: []string{
11157 "-async",
11158 "-no-op-extra-handshake",
11159 },
11160 })
11161
11162 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11163 testCases = append(testCases, testCase{
11164 testType: serverTest,
11165 name: "ExtraHandshake-Server-EarlyData-TLS13",
11166 config: Config{
11167 MaxVersion: VersionTLS13,
11168 MinVersion: VersionTLS13,
11169 Bugs: ProtocolBugs{
11170 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11171 ExpectEarlyDataAccepted: true,
11172 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11173 },
11174 },
11175 messageCount: 2,
11176 resumeSession: true,
11177 flags: []string{
11178 "-async",
11179 "-enable-early-data",
11180 "-expect-accept-early-data",
11181 "-no-op-extra-handshake",
11182 },
11183 })
11184
11185 // An extra SSL_do_handshake drives the handshake to completion in False
11186 // Start. We test this by handshaking twice and asserting the False
11187 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11188 // how the test works.
11189 testCases = append(testCases, testCase{
11190 testType: clientTest,
11191 name: "ExtraHandshake-FalseStart",
11192 config: Config{
11193 MaxVersion: VersionTLS12,
11194 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11195 NextProtos: []string{"foo"},
11196 Bugs: ProtocolBugs{
11197 ExpectFalseStart: true,
11198 AlertBeforeFalseStartTest: alertAccessDenied,
11199 },
11200 },
11201 flags: []string{
11202 "-handshake-twice",
11203 "-false-start",
11204 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11205 "-expect-alpn", "foo",
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11206 },
11207 shimWritesFirst: true,
11208 shouldFail: true,
11209 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11210 expectedLocalError: "tls: peer did not false start: EOF",
11211 })
11212}
11213
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11214func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11215 defer wg.Done()
11216
11217 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11218 var err error
11219
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11220 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11221 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11222 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11223 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11224 if err != nil {
11225 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11226 }
11227 break
11228 }
11229 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11230 } else if *repeatUntilFailure {
11231 for err == nil {
11232 statusChan <- statusMsg{test: test, started: true}
11233 err = runTest(test, shimPath, -1)
11234 }
11235 } else {
11236 statusChan <- statusMsg{test: test, started: true}
11237 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11238 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11239 statusChan <- statusMsg{test: test, err: err}
11240 }
11241}
11242
11243type statusMsg struct {
11244 test *testCase
11245 started bool
11246 err error
11247}
11248
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11249func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11250 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11251
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11252 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11253 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11254 if !*pipe {
11255 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11256 var erase string
11257 for i := 0; i < lineLen; i++ {
11258 erase += "\b \b"
11259 }
11260 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11261 }
11262
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11263 if msg.started {
11264 started++
11265 } else {
11266 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11267
11268 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11269 if msg.err == errUnimplemented {
11270 if *pipe {
11271 // Print each test instead of a status line.
11272 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11273 }
11274 unimplemented++
11275 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11276 } else {
11277 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11278 failed++
11279 testOutput.addResult(msg.test.name, "FAIL")
11280 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11281 } else {
11282 if *pipe {
11283 // Print each test instead of a status line.
11284 fmt.Printf("PASSED (%s)\n", msg.test.name)
11285 }
11286 testOutput.addResult(msg.test.name, "PASS")
11287 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11288 }
11289
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11290 if !*pipe {
11291 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11292 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11293 lineLen = len(line)
11294 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11295 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11296 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11297
11298 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11299}
11300
11301func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11302 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11303 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11304 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11305
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11306 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11307 addCipherSuiteTests()
11308 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11309 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11310 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11311 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11312 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11313 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11314 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11315 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11316 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11317 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11318 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11319 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11320 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11321 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11322 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11323 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11324 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11325 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11326 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11327 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11328 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11329 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11330 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11331 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11332 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11333 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11334 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11335 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11336 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11337 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11338 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11339 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11340 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11341
11342 var wg sync.WaitGroup
11343
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11344 statusChan := make(chan statusMsg, *numWorkers)
11345 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11346 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11347
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11348 if len(*shimConfigFile) != 0 {
11349 encoded, err := ioutil.ReadFile(*shimConfigFile)
11350 if err != nil {
11351 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11352 os.Exit(1)
11353 }
11354
11355 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11356 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11357 os.Exit(1)
11358 }
11359 }
11360
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11361 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11362
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11363 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11364 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11365 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11366 }
11367
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11368 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11369 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11370 matched := true
11371 if len(*testToRun) != 0 {
11372 var err error
11373 matched, err = filepath.Match(*testToRun, testCases[i].name)
11374 if err != nil {
11375 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11376 os.Exit(1)
11377 }
11378 }
11379
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11380 if !*includeDisabled {
11381 for pattern := range shimConfig.DisabledTests {
11382 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11383 if err != nil {
11384 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11385 os.Exit(1)
11386 }
11387
11388 if isDisabled {
11389 matched = false
11390 break
11391 }
11392 }
11393 }
11394
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11395 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11396 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11397 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11398
11399 // Only run one test if repeating until failure.
11400 if *repeatUntilFailure {
11401 break
11402 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11403 }
11404 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11405
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11406 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11407 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11408 os.Exit(1)
11409 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11410
11411 close(testChan)
11412 wg.Wait()
11413 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11414 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11415
11416 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11417
11418 if *jsonOutput != "" {
11419 if err := testOutput.writeTo(*jsonOutput); err != nil {
11420 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11421 }
11422 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11423
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11424 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11425 os.Exit(1)
11426 }
11427
11428 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11429 os.Exit(1)
11430 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11431}