Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 7c075b99e2b946d2772d8f4fc974d3a7b20db5bd / . / ssl / test / runner / runner.go
blob: 6239dba16dc4fb7ecddf6fc5c1bd622350a18ae9 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431}
432
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]433var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]508
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]510
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]511 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 }
515
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]520 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 }()
535 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]544 }
545
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]546 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]556 }
557
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]558 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]559 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]565 } else {
566 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]572 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]573 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]574
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]578
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]589 }
590
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]597
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]598 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]599 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]634 }
635
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]642 }
643
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
646 }
647
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]689 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]723 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]738 }
739
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]740 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]743 }
744
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]773 // The shim will not respond.
774 continue
775 }
776
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
808 }
809
810 return nil
811}
812
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]821 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822}
823
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]829 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830}
831
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]844
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]847func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]854 listener.SetDeadline(time.Now().Add(*idleTimeout))
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]855 conn, err := listener.Accept()
856 connChan <- connOrError{conn, err}
857 close(connChan)
858 }()
859 select {
860 case result := <-connChan:
861 return result.conn, result.err
862 case childErr := <-waitChan:
863 waitChan <- childErr
864 return nil, fmt.Errorf("child exited early: %s", childErr)
865 }
866}
867
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]868func translateExpectedError(errorStr string) string {
869 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
870 return translated
871 }
872
873 if *looseErrors {
874 return ""
875 }
876
877 return errorStr
878}
879
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]880func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]881 // Help debugging panics on the Go side.
882 defer func() {
883 if r := recover(); r != nil {
884 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
885 panic(r)
886 }
887 }()
888
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]889 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
890 panic("Error expected without shouldFail in " + test.name)
891 }
892
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]893 if test.expectResumeRejected && !test.resumeSession {
894 panic("expectResumeRejected without resumeSession in " + test.name)
895 }
896
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]897 for _, ver := range tlsVersions {
898 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
899 continue
900 }
901
902 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
903 continue
904 }
905
906 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
907 }
908
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]909 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
910 if err != nil {
911 panic(err)
912 }
913 defer func() {
914 if listener != nil {
915 listener.Close()
916 }
917 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]918
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]919 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]920 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]921 flags = append(flags, "-server")
922
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]923 flags = append(flags, "-key-file")
924 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]925 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]926 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]927 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]928 }
929
930 flags = append(flags, "-cert-file")
931 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]932 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]933 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]934 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]935 }
936 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]937
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]938 if test.protocol == dtls {
939 flags = append(flags, "-dtls")
940 }
941
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]942 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]943 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]944 resumeCount++
945 if test.resumeRenewedSession {
946 resumeCount++
947 }
948 }
949
950 if resumeCount > 0 {
951 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]952 }
953
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]954 if test.shimWritesFirst {
955 flags = append(flags, "-shim-writes-first")
956 }
957
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]958 if test.readWithUnfinishedWrite {
959 flags = append(flags, "-read-with-unfinished-write")
960 }
961
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]962 if test.shimShutsDown {
963 flags = append(flags, "-shim-shuts-down")
964 }
965
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]966 if test.exportKeyingMaterial > 0 {
967 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
968 flags = append(flags, "-export-label", test.exportLabel)
969 flags = append(flags, "-export-context", test.exportContext)
970 if test.useExportContext {
971 flags = append(flags, "-use-export-context")
972 }
973 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]974 if test.expectResumeRejected {
975 flags = append(flags, "-expect-session-miss")
976 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]977
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]978 if test.testTLSUnique {
979 flags = append(flags, "-tls-unique")
980 }
981
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]982 flags = append(flags, test.flags...)
983
984 var shim *exec.Cmd
985 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]986 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]987 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]988 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]989 } else if *useLLDB {
990 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]991 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]992 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]993 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]994 shim.Stdin = os.Stdin
995 var stdoutBuf, stderrBuf bytes.Buffer
996 shim.Stdout = &stdoutBuf
997 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]999 shim.Env = os.Environ()
1000 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1002 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1003 }
1004 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1005 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1006
1007 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008 panic(err)
1009 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1010 waitChan := make(chan error, 1)
1011 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1012
1013 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1014
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1015 if *deterministic {
1016 config.Rand = &deterministicRand{}
1017 }
1018
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1019 conn, err := acceptOrWait(listener, waitChan)
1020 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1021 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1022 conn.Close()
1023 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1024
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1025 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1026 var resumeConfig Config
1027 if test.resumeConfig != nil {
1028 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1029 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1030 resumeConfig.SessionTicketKey = config.SessionTicketKey
1031 resumeConfig.ClientSessionCache = config.ClientSessionCache
1032 resumeConfig.ServerSessionCache = config.ServerSessionCache
1033 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1034 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1035 } else {
1036 resumeConfig = config
1037 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1038 var connResume net.Conn
1039 connResume, err = acceptOrWait(listener, waitChan)
1040 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1041 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1042 connResume.Close()
1043 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1044 }
1045
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1046 // Close the listener now. This is to avoid hangs should the shim try to
1047 // open more connections than expected.
1048 listener.Close()
1049 listener = nil
1050
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1051 var shimKilledLock sync.Mutex
1052 var shimKilled bool
1053 waitTimeout := time.AfterFunc(*idleTimeout, func() {
1054 shimKilledLock.Lock()
1055 shimKilled = true
1056 shimKilledLock.Unlock()
1057 shim.Process.Kill()
1058 })
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1059 childErr := <-waitChan
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1060 waitTimeout.Stop()
1061 shimKilledLock.Lock()
1062 if shimKilled && err == nil {
1063 err = errors.New("timeout waiting for the shim to exit.")
1064 }
1065 shimKilledLock.Unlock()
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1066 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1067 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1068 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1069 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1070 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1071 case 89:
1072 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1073 case 99:
1074 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1075 }
1076 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1077
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1078 // Account for Windows line endings.
1079 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1080 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1081
1082 // Separate the errors from the shim and those from tools like
1083 // AddressSanitizer.
1084 var extraStderr string
1085 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1086 stderr = stderrParts[0]
1087 extraStderr = stderrParts[1]
1088 }
1089
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1090 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1091 expectedError := translateExpectedError(test.expectedError)
1092 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1093
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1094 localError := "none"
1095 if err != nil {
1096 localError = err.Error()
1097 }
1098 if len(test.expectedLocalError) != 0 {
1099 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1100 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101
1102 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104 if childErr != nil {
1105 childError = childErr.Error()
1106 }
1107
1108 var msg string
1109 switch {
1110 case failed && !test.shouldFail:
1111 msg = "unexpected failure"
1112 case !failed && test.shouldFail:
1113 msg = "unexpected success"
1114 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1115 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 default:
1117 panic("internal error")
1118 }
1119
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1120 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1121 }
1122
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1123 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Adam Langleyc88f2452017-04-27 14:15:37 -0700[diff] [blame]1124 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125 }
1126
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1127 if *useValgrind && isValgrindError {
1128 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1129 }
1130
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1131 return nil
1132}
1133
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1134type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 name string
1136 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1137 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1138 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1139}
1140
1141var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1142 {"SSL3", VersionSSL30, "-no-ssl3", false},
1143 {"TLS1", VersionTLS10, "-no-tls1", true},
1144 {"TLS11", VersionTLS11, "-no-tls11", false},
1145 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1146 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147}
1148
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1149type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1150 name string
1151 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1152}
1153
1154var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1156 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1157 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1158 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1159 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1160 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1161 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1162 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1163 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1164 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1165 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1166 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1167 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1168 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1169 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1171 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1172 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1173 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1174 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1175 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1176 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1177 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1178 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1179 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1180 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1181 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1182 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1183 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1184 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1185}
1186
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1187func hasComponent(suiteName, component string) bool {
1188 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1189}
1190
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1191func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1192 return hasComponent(suiteName, "GCM") ||
1193 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1194 hasComponent(suiteName, "SHA384") ||
1195 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1196}
1197
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1198func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1199 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1200}
1201
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1202func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1203 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1204}
1205
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1206func bigFromHex(hex string) *big.Int {
1207 ret, ok := new(big.Int).SetString(hex, 16)
1208 if !ok {
1209 panic("failed to parse hex number 0x" + hex)
1210 }
1211 return ret
1212}
1213
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1214func addBasicTests() {
1215 basicTests := []testCase{
1216 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1217 name: "NoFallbackSCSV",
1218 config: Config{
1219 Bugs: ProtocolBugs{
1220 FailIfNotFallbackSCSV: true,
1221 },
1222 },
1223 shouldFail: true,
1224 expectedLocalError: "no fallback SCSV found",
1225 },
1226 {
1227 name: "SendFallbackSCSV",
1228 config: Config{
1229 Bugs: ProtocolBugs{
1230 FailIfNotFallbackSCSV: true,
1231 },
1232 },
1233 flags: []string{"-fallback-scsv"},
1234 },
1235 {
1236 name: "ClientCertificateTypes",
1237 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1238 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1239 ClientAuth: RequestClientCert,
1240 ClientCertificateTypes: []byte{
1241 CertTypeDSSSign,
1242 CertTypeRSASign,
1243 CertTypeECDSASign,
1244 },
1245 },
1246 flags: []string{
1247 "-expect-certificate-types",
1248 base64.StdEncoding.EncodeToString([]byte{
1249 CertTypeDSSSign,
1250 CertTypeRSASign,
1251 CertTypeECDSASign,
1252 }),
1253 },
1254 },
1255 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1256 name: "UnauthenticatedECDH",
1257 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1258 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1259 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1260 Bugs: ProtocolBugs{
1261 UnauthenticatedECDH: true,
1262 },
1263 },
1264 shouldFail: true,
1265 expectedError: ":UNEXPECTED_MESSAGE:",
1266 },
1267 {
1268 name: "SkipCertificateStatus",
1269 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1270 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1271 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1272 Bugs: ProtocolBugs{
1273 SkipCertificateStatus: true,
1274 },
1275 },
1276 flags: []string{
1277 "-enable-ocsp-stapling",
1278 },
1279 },
1280 {
1281 name: "SkipServerKeyExchange",
1282 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1283 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1284 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1285 Bugs: ProtocolBugs{
1286 SkipServerKeyExchange: true,
1287 },
1288 },
1289 shouldFail: true,
1290 expectedError: ":UNEXPECTED_MESSAGE:",
1291 },
1292 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1293 testType: serverTest,
1294 name: "Alert",
1295 config: Config{
1296 Bugs: ProtocolBugs{
1297 SendSpuriousAlert: alertRecordOverflow,
1298 },
1299 },
1300 shouldFail: true,
1301 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1302 },
1303 {
1304 protocol: dtls,
1305 testType: serverTest,
1306 name: "Alert-DTLS",
1307 config: Config{
1308 Bugs: ProtocolBugs{
1309 SendSpuriousAlert: alertRecordOverflow,
1310 },
1311 },
1312 shouldFail: true,
1313 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1314 },
1315 {
1316 testType: serverTest,
1317 name: "FragmentAlert",
1318 config: Config{
1319 Bugs: ProtocolBugs{
1320 FragmentAlert: true,
1321 SendSpuriousAlert: alertRecordOverflow,
1322 },
1323 },
1324 shouldFail: true,
1325 expectedError: ":BAD_ALERT:",
1326 },
1327 {
1328 protocol: dtls,
1329 testType: serverTest,
1330 name: "FragmentAlert-DTLS",
1331 config: Config{
1332 Bugs: ProtocolBugs{
1333 FragmentAlert: true,
1334 SendSpuriousAlert: alertRecordOverflow,
1335 },
1336 },
1337 shouldFail: true,
1338 expectedError: ":BAD_ALERT:",
1339 },
1340 {
1341 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1342 name: "DoubleAlert",
1343 config: Config{
1344 Bugs: ProtocolBugs{
1345 DoubleAlert: true,
1346 SendSpuriousAlert: alertRecordOverflow,
1347 },
1348 },
1349 shouldFail: true,
1350 expectedError: ":BAD_ALERT:",
1351 },
1352 {
1353 protocol: dtls,
1354 testType: serverTest,
1355 name: "DoubleAlert-DTLS",
1356 config: Config{
1357 Bugs: ProtocolBugs{
1358 DoubleAlert: true,
1359 SendSpuriousAlert: alertRecordOverflow,
1360 },
1361 },
1362 shouldFail: true,
1363 expectedError: ":BAD_ALERT:",
1364 },
1365 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1366 name: "SkipNewSessionTicket",
1367 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1368 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1369 Bugs: ProtocolBugs{
1370 SkipNewSessionTicket: true,
1371 },
1372 },
1373 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1374 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1375 },
1376 {
1377 testType: serverTest,
1378 name: "FallbackSCSV",
1379 config: Config{
1380 MaxVersion: VersionTLS11,
1381 Bugs: ProtocolBugs{
1382 SendFallbackSCSV: true,
1383 },
1384 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1385 shouldFail: true,
1386 expectedError: ":INAPPROPRIATE_FALLBACK:",
1387 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1388 },
1389 {
1390 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1391 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1392 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1393 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1394 Bugs: ProtocolBugs{
1395 SendFallbackSCSV: true,
1396 },
1397 },
1398 },
1399 {
1400 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1401 name: "FallbackSCSV-VersionMatch-TLS12",
1402 config: Config{
1403 MaxVersion: VersionTLS12,
1404 Bugs: ProtocolBugs{
1405 SendFallbackSCSV: true,
1406 },
1407 },
1408 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1409 },
1410 {
1411 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1412 name: "FragmentedClientVersion",
1413 config: Config{
1414 Bugs: ProtocolBugs{
1415 MaxHandshakeRecordLength: 1,
1416 FragmentClientVersion: true,
1417 },
1418 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1419 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1420 },
1421 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1422 testType: serverTest,
1423 name: "HttpGET",
1424 sendPrefix: "GET / HTTP/1.0\n",
1425 shouldFail: true,
1426 expectedError: ":HTTP_REQUEST:",
1427 },
1428 {
1429 testType: serverTest,
1430 name: "HttpPOST",
1431 sendPrefix: "POST / HTTP/1.0\n",
1432 shouldFail: true,
1433 expectedError: ":HTTP_REQUEST:",
1434 },
1435 {
1436 testType: serverTest,
1437 name: "HttpHEAD",
1438 sendPrefix: "HEAD / HTTP/1.0\n",
1439 shouldFail: true,
1440 expectedError: ":HTTP_REQUEST:",
1441 },
1442 {
1443 testType: serverTest,
1444 name: "HttpPUT",
1445 sendPrefix: "PUT / HTTP/1.0\n",
1446 shouldFail: true,
1447 expectedError: ":HTTP_REQUEST:",
1448 },
1449 {
1450 testType: serverTest,
1451 name: "HttpCONNECT",
1452 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1453 shouldFail: true,
1454 expectedError: ":HTTPS_PROXY_REQUEST:",
1455 },
1456 {
1457 testType: serverTest,
1458 name: "Garbage",
1459 sendPrefix: "blah",
1460 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1461 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1462 },
1463 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1464 name: "RSAEphemeralKey",
1465 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1466 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1467 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1468 Bugs: ProtocolBugs{
1469 RSAEphemeralKey: true,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":UNEXPECTED_MESSAGE:",
1474 },
1475 {
1476 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1477 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1478 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1479 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1480 },
1481 {
1482 protocol: dtls,
1483 name: "DisableEverything-DTLS",
1484 flags: []string{"-no-tls12", "-no-tls1"},
1485 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1486 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1487 },
1488 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1489 protocol: dtls,
1490 testType: serverTest,
1491 name: "MTU",
1492 config: Config{
1493 Bugs: ProtocolBugs{
1494 MaxPacketLength: 256,
1495 },
1496 },
1497 flags: []string{"-mtu", "256"},
1498 },
1499 {
1500 protocol: dtls,
1501 testType: serverTest,
1502 name: "MTUExceeded",
1503 config: Config{
1504 Bugs: ProtocolBugs{
1505 MaxPacketLength: 255,
1506 },
1507 },
1508 flags: []string{"-mtu", "256"},
1509 shouldFail: true,
1510 expectedLocalError: "dtls: exceeded maximum packet length",
1511 },
1512 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1513 name: "EmptyCertificateList",
1514 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1515 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1516 Bugs: ProtocolBugs{
1517 EmptyCertificateList: true,
1518 },
1519 },
1520 shouldFail: true,
1521 expectedError: ":DECODE_ERROR:",
1522 },
1523 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1524 name: "EmptyCertificateList-TLS13",
1525 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1526 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1527 Bugs: ProtocolBugs{
1528 EmptyCertificateList: true,
1529 },
1530 },
1531 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1532 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1533 },
1534 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1535 name: "TLSFatalBadPackets",
1536 damageFirstWrite: true,
1537 shouldFail: true,
1538 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1539 },
1540 {
1541 protocol: dtls,
1542 name: "DTLSIgnoreBadPackets",
1543 damageFirstWrite: true,
1544 },
1545 {
1546 protocol: dtls,
1547 name: "DTLSIgnoreBadPackets-Async",
1548 damageFirstWrite: true,
1549 flags: []string{"-async"},
1550 },
1551 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1552 name: "AppDataBeforeHandshake",
1553 config: Config{
1554 Bugs: ProtocolBugs{
1555 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1556 },
1557 },
1558 shouldFail: true,
1559 expectedError: ":UNEXPECTED_RECORD:",
1560 },
1561 {
1562 name: "AppDataBeforeHandshake-Empty",
1563 config: Config{
1564 Bugs: ProtocolBugs{
1565 AppDataBeforeHandshake: []byte{},
1566 },
1567 },
1568 shouldFail: true,
1569 expectedError: ":UNEXPECTED_RECORD:",
1570 },
1571 {
1572 protocol: dtls,
1573 name: "AppDataBeforeHandshake-DTLS",
1574 config: Config{
1575 Bugs: ProtocolBugs{
1576 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1577 },
1578 },
1579 shouldFail: true,
1580 expectedError: ":UNEXPECTED_RECORD:",
1581 },
1582 {
1583 protocol: dtls,
1584 name: "AppDataBeforeHandshake-DTLS-Empty",
1585 config: Config{
1586 Bugs: ProtocolBugs{
1587 AppDataBeforeHandshake: []byte{},
1588 },
1589 },
1590 shouldFail: true,
1591 expectedError: ":UNEXPECTED_RECORD:",
1592 },
1593 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1594 name: "AppDataAfterChangeCipherSpec",
1595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1596 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1597 Bugs: ProtocolBugs{
1598 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1599 },
1600 },
1601 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1602 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1603 },
1604 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1605 name: "AppDataAfterChangeCipherSpec-Empty",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AppDataAfterChangeCipherSpec: []byte{},
1610 },
1611 },
1612 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1613 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1614 },
1615 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1616 protocol: dtls,
1617 name: "AppDataAfterChangeCipherSpec-DTLS",
1618 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1619 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1620 Bugs: ProtocolBugs{
1621 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1622 },
1623 },
1624 // BoringSSL's DTLS implementation will drop the out-of-order
1625 // application data.
1626 },
1627 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1628 protocol: dtls,
1629 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1630 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1631 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1632 Bugs: ProtocolBugs{
1633 AppDataAfterChangeCipherSpec: []byte{},
1634 },
1635 },
1636 // BoringSSL's DTLS implementation will drop the out-of-order
1637 // application data.
1638 },
1639 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1640 name: "AlertAfterChangeCipherSpec",
1641 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1642 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1643 Bugs: ProtocolBugs{
1644 AlertAfterChangeCipherSpec: alertRecordOverflow,
1645 },
1646 },
1647 shouldFail: true,
1648 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1649 },
1650 {
1651 protocol: dtls,
1652 name: "AlertAfterChangeCipherSpec-DTLS",
1653 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1654 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1655 Bugs: ProtocolBugs{
1656 AlertAfterChangeCipherSpec: alertRecordOverflow,
1657 },
1658 },
1659 shouldFail: true,
1660 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1661 },
1662 {
1663 protocol: dtls,
1664 name: "ReorderHandshakeFragments-Small-DTLS",
1665 config: Config{
1666 Bugs: ProtocolBugs{
1667 ReorderHandshakeFragments: true,
1668 // Small enough that every handshake message is
1669 // fragmented.
1670 MaxHandshakeRecordLength: 2,
1671 },
1672 },
1673 },
1674 {
1675 protocol: dtls,
1676 name: "ReorderHandshakeFragments-Large-DTLS",
1677 config: Config{
1678 Bugs: ProtocolBugs{
1679 ReorderHandshakeFragments: true,
1680 // Large enough that no handshake message is
1681 // fragmented.
1682 MaxHandshakeRecordLength: 2048,
1683 },
1684 },
1685 },
1686 {
1687 protocol: dtls,
1688 name: "MixCompleteMessageWithFragments-DTLS",
1689 config: Config{
1690 Bugs: ProtocolBugs{
1691 ReorderHandshakeFragments: true,
1692 MixCompleteMessageWithFragments: true,
1693 MaxHandshakeRecordLength: 2,
1694 },
1695 },
1696 },
1697 {
1698 name: "SendInvalidRecordType",
1699 config: Config{
1700 Bugs: ProtocolBugs{
1701 SendInvalidRecordType: true,
1702 },
1703 },
1704 shouldFail: true,
1705 expectedError: ":UNEXPECTED_RECORD:",
1706 },
1707 {
1708 protocol: dtls,
1709 name: "SendInvalidRecordType-DTLS",
1710 config: Config{
1711 Bugs: ProtocolBugs{
1712 SendInvalidRecordType: true,
1713 },
1714 },
1715 shouldFail: true,
1716 expectedError: ":UNEXPECTED_RECORD:",
1717 },
1718 {
1719 name: "FalseStart-SkipServerSecondLeg",
1720 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1721 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1722 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1723 NextProtos: []string{"foo"},
1724 Bugs: ProtocolBugs{
1725 SkipNewSessionTicket: true,
1726 SkipChangeCipherSpec: true,
1727 SkipFinished: true,
1728 ExpectFalseStart: true,
1729 },
1730 },
1731 flags: []string{
1732 "-false-start",
1733 "-handshake-never-done",
1734 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1735 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1736 },
1737 shimWritesFirst: true,
1738 shouldFail: true,
1739 expectedError: ":UNEXPECTED_RECORD:",
1740 },
1741 {
1742 name: "FalseStart-SkipServerSecondLeg-Implicit",
1743 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1744 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1745 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1746 NextProtos: []string{"foo"},
1747 Bugs: ProtocolBugs{
1748 SkipNewSessionTicket: true,
1749 SkipChangeCipherSpec: true,
1750 SkipFinished: true,
1751 },
1752 },
1753 flags: []string{
1754 "-implicit-handshake",
1755 "-false-start",
1756 "-handshake-never-done",
1757 "-advertise-alpn", "\x03foo",
1758 },
1759 shouldFail: true,
1760 expectedError: ":UNEXPECTED_RECORD:",
1761 },
1762 {
1763 testType: serverTest,
1764 name: "FailEarlyCallback",
1765 flags: []string{"-fail-early-callback"},
1766 shouldFail: true,
1767 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1768 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1769 },
1770 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1771 name: "FailCertCallback-Client-TLS12",
1772 config: Config{
1773 MaxVersion: VersionTLS12,
1774 ClientAuth: RequestClientCert,
1775 },
1776 flags: []string{"-fail-cert-callback"},
1777 shouldFail: true,
1778 expectedError: ":CERT_CB_ERROR:",
1779 expectedLocalError: "remote error: internal error",
1780 },
1781 {
1782 testType: serverTest,
1783 name: "FailCertCallback-Server-TLS12",
1784 config: Config{
1785 MaxVersion: VersionTLS12,
1786 },
1787 flags: []string{"-fail-cert-callback"},
1788 shouldFail: true,
1789 expectedError: ":CERT_CB_ERROR:",
1790 expectedLocalError: "remote error: internal error",
1791 },
1792 {
1793 name: "FailCertCallback-Client-TLS13",
1794 config: Config{
1795 MaxVersion: VersionTLS13,
1796 ClientAuth: RequestClientCert,
1797 },
1798 flags: []string{"-fail-cert-callback"},
1799 shouldFail: true,
1800 expectedError: ":CERT_CB_ERROR:",
1801 expectedLocalError: "remote error: internal error",
1802 },
1803 {
1804 testType: serverTest,
1805 name: "FailCertCallback-Server-TLS13",
1806 config: Config{
1807 MaxVersion: VersionTLS13,
1808 },
1809 flags: []string{"-fail-cert-callback"},
1810 shouldFail: true,
1811 expectedError: ":CERT_CB_ERROR:",
1812 expectedLocalError: "remote error: internal error",
1813 },
1814 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1815 protocol: dtls,
1816 name: "FragmentMessageTypeMismatch-DTLS",
1817 config: Config{
1818 Bugs: ProtocolBugs{
1819 MaxHandshakeRecordLength: 2,
1820 FragmentMessageTypeMismatch: true,
1821 },
1822 },
1823 shouldFail: true,
1824 expectedError: ":FRAGMENT_MISMATCH:",
1825 },
1826 {
1827 protocol: dtls,
1828 name: "FragmentMessageLengthMismatch-DTLS",
1829 config: Config{
1830 Bugs: ProtocolBugs{
1831 MaxHandshakeRecordLength: 2,
1832 FragmentMessageLengthMismatch: true,
1833 },
1834 },
1835 shouldFail: true,
1836 expectedError: ":FRAGMENT_MISMATCH:",
1837 },
1838 {
1839 protocol: dtls,
1840 name: "SplitFragments-Header-DTLS",
1841 config: Config{
1842 Bugs: ProtocolBugs{
1843 SplitFragments: 2,
1844 },
1845 },
1846 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1847 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1848 },
1849 {
1850 protocol: dtls,
1851 name: "SplitFragments-Boundary-DTLS",
1852 config: Config{
1853 Bugs: ProtocolBugs{
1854 SplitFragments: dtlsRecordHeaderLen,
1855 },
1856 },
1857 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1858 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1859 },
1860 {
1861 protocol: dtls,
1862 name: "SplitFragments-Body-DTLS",
1863 config: Config{
1864 Bugs: ProtocolBugs{
1865 SplitFragments: dtlsRecordHeaderLen + 1,
1866 },
1867 },
1868 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1869 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1870 },
1871 {
1872 protocol: dtls,
1873 name: "SendEmptyFragments-DTLS",
1874 config: Config{
1875 Bugs: ProtocolBugs{
1876 SendEmptyFragments: true,
1877 },
1878 },
1879 },
1880 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1881 name: "BadFinished-Client",
1882 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1883 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1884 Bugs: ProtocolBugs{
1885 BadFinished: true,
1886 },
1887 },
1888 shouldFail: true,
1889 expectedError: ":DIGEST_CHECK_FAILED:",
1890 },
1891 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1892 name: "BadFinished-Client-TLS13",
1893 config: Config{
1894 MaxVersion: VersionTLS13,
1895 Bugs: ProtocolBugs{
1896 BadFinished: true,
1897 },
1898 },
1899 shouldFail: true,
1900 expectedError: ":DIGEST_CHECK_FAILED:",
1901 },
1902 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1903 testType: serverTest,
1904 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1905 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1906 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1907 Bugs: ProtocolBugs{
1908 BadFinished: true,
1909 },
1910 },
1911 shouldFail: true,
1912 expectedError: ":DIGEST_CHECK_FAILED:",
1913 },
1914 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1915 testType: serverTest,
1916 name: "BadFinished-Server-TLS13",
1917 config: Config{
1918 MaxVersion: VersionTLS13,
1919 Bugs: ProtocolBugs{
1920 BadFinished: true,
1921 },
1922 },
1923 shouldFail: true,
1924 expectedError: ":DIGEST_CHECK_FAILED:",
1925 },
1926 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1927 name: "FalseStart-BadFinished",
1928 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1929 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1930 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1931 NextProtos: []string{"foo"},
1932 Bugs: ProtocolBugs{
1933 BadFinished: true,
1934 ExpectFalseStart: true,
1935 },
1936 },
1937 flags: []string{
1938 "-false-start",
1939 "-handshake-never-done",
1940 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1941 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":DIGEST_CHECK_FAILED:",
1946 },
1947 {
1948 name: "NoFalseStart-NoALPN",
1949 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1950 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1951 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1952 Bugs: ProtocolBugs{
1953 ExpectFalseStart: true,
1954 AlertBeforeFalseStartTest: alertAccessDenied,
1955 },
1956 },
1957 flags: []string{
1958 "-false-start",
1959 },
1960 shimWritesFirst: true,
1961 shouldFail: true,
1962 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1963 expectedLocalError: "tls: peer did not false start: EOF",
1964 },
1965 {
1966 name: "NoFalseStart-NoAEAD",
1967 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1968 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1970 NextProtos: []string{"foo"},
1971 Bugs: ProtocolBugs{
1972 ExpectFalseStart: true,
1973 AlertBeforeFalseStartTest: alertAccessDenied,
1974 },
1975 },
1976 flags: []string{
1977 "-false-start",
1978 "-advertise-alpn", "\x03foo",
1979 },
1980 shimWritesFirst: true,
1981 shouldFail: true,
1982 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1983 expectedLocalError: "tls: peer did not false start: EOF",
1984 },
1985 {
1986 name: "NoFalseStart-RSA",
1987 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1988 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1989 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1990 NextProtos: []string{"foo"},
1991 Bugs: ProtocolBugs{
1992 ExpectFalseStart: true,
1993 AlertBeforeFalseStartTest: alertAccessDenied,
1994 },
1995 },
1996 flags: []string{
1997 "-false-start",
1998 "-advertise-alpn", "\x03foo",
1999 },
2000 shimWritesFirst: true,
2001 shouldFail: true,
2002 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2003 expectedLocalError: "tls: peer did not false start: EOF",
2004 },
2005 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2006 protocol: dtls,
2007 name: "SendSplitAlert-Sync",
2008 config: Config{
2009 Bugs: ProtocolBugs{
2010 SendSplitAlert: true,
2011 },
2012 },
2013 },
2014 {
2015 protocol: dtls,
2016 name: "SendSplitAlert-Async",
2017 config: Config{
2018 Bugs: ProtocolBugs{
2019 SendSplitAlert: true,
2020 },
2021 },
2022 flags: []string{"-async"},
2023 },
2024 {
2025 protocol: dtls,
2026 name: "PackDTLSHandshake",
2027 config: Config{
2028 Bugs: ProtocolBugs{
2029 MaxHandshakeRecordLength: 2,
2030 PackHandshakeFragments: 20,
2031 PackHandshakeRecords: 200,
2032 },
2033 },
2034 },
2035 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2036 name: "SendEmptyRecords-Pass",
2037 sendEmptyRecords: 32,
2038 },
2039 {
2040 name: "SendEmptyRecords",
2041 sendEmptyRecords: 33,
2042 shouldFail: true,
2043 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2044 },
2045 {
2046 name: "SendEmptyRecords-Async",
2047 sendEmptyRecords: 33,
2048 flags: []string{"-async"},
2049 shouldFail: true,
2050 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2051 },
2052 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2053 name: "SendWarningAlerts-Pass",
2054 config: Config{
2055 MaxVersion: VersionTLS12,
2056 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2057 sendWarningAlerts: 4,
2058 },
2059 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2060 protocol: dtls,
2061 name: "SendWarningAlerts-DTLS-Pass",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 4,
2066 },
2067 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2068 name: "SendWarningAlerts-TLS13",
2069 config: Config{
2070 MaxVersion: VersionTLS13,
2071 },
2072 sendWarningAlerts: 4,
2073 shouldFail: true,
2074 expectedError: ":BAD_ALERT:",
2075 expectedLocalError: "remote error: error decoding message",
2076 },
2077 {
2078 name: "SendWarningAlerts",
2079 config: Config{
2080 MaxVersion: VersionTLS12,
2081 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2082 sendWarningAlerts: 5,
2083 shouldFail: true,
2084 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2085 },
2086 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2087 name: "SendWarningAlerts-Async",
2088 config: Config{
2089 MaxVersion: VersionTLS12,
2090 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2091 sendWarningAlerts: 5,
2092 flags: []string{"-async"},
2093 shouldFail: true,
2094 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2095 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2096 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2097 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2098 config: Config{
2099 MaxVersion: VersionTLS13,
2100 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2101 sendKeyUpdates: 33,
2102 keyUpdateRequest: keyUpdateNotRequested,
2103 shouldFail: true,
2104 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2105 },
2106 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2107 name: "EmptySessionID",
2108 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2109 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2110 SessionTicketsDisabled: true,
2111 },
2112 noSessionCache: true,
2113 flags: []string{"-expect-no-session"},
2114 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2115 {
2116 name: "Unclean-Shutdown",
2117 config: Config{
2118 Bugs: ProtocolBugs{
2119 NoCloseNotify: true,
2120 ExpectCloseNotify: true,
2121 },
2122 },
2123 shimShutsDown: true,
2124 flags: []string{"-check-close-notify"},
2125 shouldFail: true,
2126 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2127 },
2128 {
2129 name: "Unclean-Shutdown-Ignored",
2130 config: Config{
2131 Bugs: ProtocolBugs{
2132 NoCloseNotify: true,
2133 },
2134 },
2135 shimShutsDown: true,
2136 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2137 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2138 name: "Unclean-Shutdown-Alert",
2139 config: Config{
2140 Bugs: ProtocolBugs{
2141 SendAlertOnShutdown: alertDecompressionFailure,
2142 ExpectCloseNotify: true,
2143 },
2144 },
2145 shimShutsDown: true,
2146 flags: []string{"-check-close-notify"},
2147 shouldFail: true,
2148 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2149 },
2150 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2151 name: "LargePlaintext",
2152 config: Config{
2153 Bugs: ProtocolBugs{
2154 SendLargeRecords: true,
2155 },
2156 },
2157 messageLen: maxPlaintext + 1,
2158 shouldFail: true,
2159 expectedError: ":DATA_LENGTH_TOO_LONG:",
2160 },
2161 {
2162 protocol: dtls,
2163 name: "LargePlaintext-DTLS",
2164 config: Config{
2165 Bugs: ProtocolBugs{
2166 SendLargeRecords: true,
2167 },
2168 },
2169 messageLen: maxPlaintext + 1,
2170 shouldFail: true,
2171 expectedError: ":DATA_LENGTH_TOO_LONG:",
2172 },
2173 {
2174 name: "LargeCiphertext",
2175 config: Config{
2176 Bugs: ProtocolBugs{
2177 SendLargeRecords: true,
2178 },
2179 },
2180 messageLen: maxPlaintext * 2,
2181 shouldFail: true,
2182 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2183 },
2184 {
2185 protocol: dtls,
2186 name: "LargeCiphertext-DTLS",
2187 config: Config{
2188 Bugs: ProtocolBugs{
2189 SendLargeRecords: true,
2190 },
2191 },
2192 messageLen: maxPlaintext * 2,
2193 // Unlike the other four cases, DTLS drops records which
2194 // are invalid before authentication, so the connection
2195 // does not fail.
2196 expectMessageDropped: true,
2197 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2198 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2199 name: "BadHelloRequest-1",
2200 renegotiate: 1,
2201 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2202 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2203 Bugs: ProtocolBugs{
2204 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2205 },
2206 },
2207 flags: []string{
2208 "-renegotiate-freely",
2209 "-expect-total-renegotiations", "1",
2210 },
2211 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2212 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2213 },
2214 {
2215 name: "BadHelloRequest-2",
2216 renegotiate: 1,
2217 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2218 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2219 Bugs: ProtocolBugs{
2220 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2221 },
2222 },
2223 flags: []string{
2224 "-renegotiate-freely",
2225 "-expect-total-renegotiations", "1",
2226 },
2227 shouldFail: true,
2228 expectedError: ":BAD_HELLO_REQUEST:",
2229 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2230 {
2231 testType: serverTest,
2232 name: "SupportTicketsWithSessionID",
2233 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2234 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2235 SessionTicketsDisabled: true,
2236 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2237 resumeConfig: &Config{
2238 MaxVersion: VersionTLS12,
2239 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2240 resumeSession: true,
2241 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2242 {
2243 protocol: dtls,
2244 name: "DTLS-SendExtraFinished",
2245 config: Config{
2246 Bugs: ProtocolBugs{
2247 SendExtraFinished: true,
2248 },
2249 },
2250 shouldFail: true,
2251 expectedError: ":UNEXPECTED_RECORD:",
2252 },
2253 {
2254 protocol: dtls,
2255 name: "DTLS-SendExtraFinished-Reordered",
2256 config: Config{
2257 Bugs: ProtocolBugs{
2258 MaxHandshakeRecordLength: 2,
2259 ReorderHandshakeFragments: true,
2260 SendExtraFinished: true,
2261 },
2262 },
2263 shouldFail: true,
2264 expectedError: ":UNEXPECTED_RECORD:",
2265 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2266 {
2267 testType: serverTest,
2268 name: "V2ClientHello-EmptyRecordPrefix",
2269 config: Config{
2270 // Choose a cipher suite that does not involve
2271 // elliptic curves, so no extensions are
2272 // involved.
2273 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2274 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2275 Bugs: ProtocolBugs{
2276 SendV2ClientHello: true,
2277 },
2278 },
2279 sendPrefix: string([]byte{
2280 byte(recordTypeHandshake),
2281 3, 1, // version
2282 0, 0, // length
2283 }),
2284 // A no-op empty record may not be sent before V2ClientHello.
2285 shouldFail: true,
2286 expectedError: ":WRONG_VERSION_NUMBER:",
2287 },
2288 {
2289 testType: serverTest,
2290 name: "V2ClientHello-WarningAlertPrefix",
2291 config: Config{
2292 // Choose a cipher suite that does not involve
2293 // elliptic curves, so no extensions are
2294 // involved.
2295 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2296 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2297 Bugs: ProtocolBugs{
2298 SendV2ClientHello: true,
2299 },
2300 },
2301 sendPrefix: string([]byte{
2302 byte(recordTypeAlert),
2303 3, 1, // version
2304 0, 2, // length
2305 alertLevelWarning, byte(alertDecompressionFailure),
2306 }),
2307 // A no-op warning alert may not be sent before V2ClientHello.
2308 shouldFail: true,
2309 expectedError: ":WRONG_VERSION_NUMBER:",
2310 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2311 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2312 name: "KeyUpdate-Client",
2313 config: Config{
2314 MaxVersion: VersionTLS13,
2315 },
2316 sendKeyUpdates: 1,
2317 keyUpdateRequest: keyUpdateNotRequested,
2318 },
2319 {
2320 testType: serverTest,
2321 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2322 config: Config{
2323 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2324 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2325 sendKeyUpdates: 1,
2326 keyUpdateRequest: keyUpdateNotRequested,
2327 },
2328 {
2329 name: "KeyUpdate-InvalidRequestMode",
2330 config: Config{
2331 MaxVersion: VersionTLS13,
2332 },
2333 sendKeyUpdates: 1,
2334 keyUpdateRequest: 42,
2335 shouldFail: true,
2336 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2337 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2338 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2339 // Test that KeyUpdates are acknowledged properly.
2340 name: "KeyUpdate-RequestACK",
2341 config: Config{
2342 MaxVersion: VersionTLS13,
2343 Bugs: ProtocolBugs{
2344 RejectUnsolicitedKeyUpdate: true,
2345 },
2346 },
2347 // Test the shim receiving many KeyUpdates in a row.
2348 sendKeyUpdates: 5,
2349 messageCount: 5,
2350 keyUpdateRequest: keyUpdateRequested,
2351 },
2352 {
2353 // Test that KeyUpdates are acknowledged properly if the
2354 // peer's KeyUpdate is discovered while a write is
2355 // pending.
2356 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2357 config: Config{
2358 MaxVersion: VersionTLS13,
2359 Bugs: ProtocolBugs{
2360 RejectUnsolicitedKeyUpdate: true,
2361 },
2362 },
2363 // Test the shim receiving many KeyUpdates in a row.
2364 sendKeyUpdates: 5,
2365 messageCount: 5,
2366 keyUpdateRequest: keyUpdateRequested,
2367 readWithUnfinishedWrite: true,
2368 flags: []string{"-async"},
2369 },
2370 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2371 name: "SendSNIWarningAlert",
2372 config: Config{
2373 MaxVersion: VersionTLS12,
2374 Bugs: ProtocolBugs{
2375 SendSNIWarningAlert: true,
2376 },
2377 },
2378 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2379 {
2380 testType: serverTest,
2381 name: "ExtraCompressionMethods-TLS12",
2382 config: Config{
2383 MaxVersion: VersionTLS12,
2384 Bugs: ProtocolBugs{
2385 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2386 },
2387 },
2388 },
2389 {
2390 testType: serverTest,
2391 name: "ExtraCompressionMethods-TLS13",
2392 config: Config{
2393 MaxVersion: VersionTLS13,
2394 Bugs: ProtocolBugs{
2395 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2396 },
2397 },
2398 shouldFail: true,
2399 expectedError: ":INVALID_COMPRESSION_LIST:",
2400 expectedLocalError: "remote error: illegal parameter",
2401 },
2402 {
2403 testType: serverTest,
2404 name: "NoNullCompression-TLS12",
2405 config: Config{
2406 MaxVersion: VersionTLS12,
2407 Bugs: ProtocolBugs{
2408 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2409 },
2410 },
2411 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2412 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2413 expectedLocalError: "remote error: illegal parameter",
2414 },
2415 {
2416 testType: serverTest,
2417 name: "NoNullCompression-TLS13",
2418 config: Config{
2419 MaxVersion: VersionTLS13,
2420 Bugs: ProtocolBugs{
2421 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2422 },
2423 },
2424 shouldFail: true,
2425 expectedError: ":INVALID_COMPRESSION_LIST:",
2426 expectedLocalError: "remote error: illegal parameter",
2427 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2428 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2429 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2430 config: Config{
2431 MaxVersion: VersionTLS12,
2432 Bugs: ProtocolBugs{
2433 ExpectGREASE: true,
2434 },
2435 },
2436 flags: []string{"-enable-grease"},
2437 },
2438 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2439 name: "GREASE-Client-TLS13",
2440 config: Config{
2441 MaxVersion: VersionTLS13,
2442 Bugs: ProtocolBugs{
2443 ExpectGREASE: true,
2444 },
2445 },
2446 flags: []string{"-enable-grease"},
2447 },
2448 {
2449 testType: serverTest,
2450 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2451 config: Config{
2452 MaxVersion: VersionTLS13,
2453 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2454 // TLS 1.3 servers are expected to
2455 // always enable GREASE. TLS 1.3 is new,
2456 // so there is no existing ecosystem to
2457 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2458 ExpectGREASE: true,
2459 },
2460 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2461 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2462 {
2463 // Test the server so there is a large certificate as
2464 // well as application data.
2465 testType: serverTest,
2466 name: "MaxSendFragment",
2467 config: Config{
2468 Bugs: ProtocolBugs{
2469 MaxReceivePlaintext: 512,
2470 },
2471 },
2472 messageLen: 1024,
2473 flags: []string{
2474 "-max-send-fragment", "512",
2475 "-read-size", "1024",
2476 },
2477 },
2478 {
2479 // Test the server so there is a large certificate as
2480 // well as application data.
2481 testType: serverTest,
2482 name: "MaxSendFragment-TooLarge",
2483 config: Config{
2484 Bugs: ProtocolBugs{
2485 // Ensure that some of the records are
2486 // 512.
2487 MaxReceivePlaintext: 511,
2488 },
2489 },
2490 messageLen: 1024,
2491 flags: []string{
2492 "-max-send-fragment", "512",
2493 "-read-size", "1024",
2494 },
2495 shouldFail: true,
2496 expectedLocalError: "local error: record overflow",
2497 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2498 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2499 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2500
2501 // Test that very large messages can be received.
2502 cert := rsaCertificate
2503 for i := 0; i < 50; i++ {
2504 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2505 }
2506 testCases = append(testCases, testCase{
2507 name: "LargeMessage",
2508 config: Config{
2509 Certificates: []Certificate{cert},
2510 },
2511 })
2512 testCases = append(testCases, testCase{
2513 protocol: dtls,
2514 name: "LargeMessage-DTLS",
2515 config: Config{
2516 Certificates: []Certificate{cert},
2517 },
2518 })
2519
2520 // They are rejected if the maximum certificate chain length is capped.
2521 testCases = append(testCases, testCase{
2522 name: "LargeMessage-Reject",
2523 config: Config{
2524 Certificates: []Certificate{cert},
2525 },
2526 flags: []string{"-max-cert-list", "16384"},
2527 shouldFail: true,
2528 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2529 })
2530 testCases = append(testCases, testCase{
2531 protocol: dtls,
2532 name: "LargeMessage-Reject-DTLS",
2533 config: Config{
2534 Certificates: []Certificate{cert},
2535 },
2536 flags: []string{"-max-cert-list", "16384"},
2537 shouldFail: true,
2538 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2539 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2540}
2541
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2542func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2543 const psk = "12345"
2544 const pskIdentity = "luggage combo"
2545
2546 var prefix string
2547 if protocol == dtls {
2548 if !ver.hasDTLS {
2549 return
2550 }
2551 prefix = "D"
2552 }
2553
2554 var cert Certificate
2555 var certFile string
2556 var keyFile string
2557 if hasComponent(suite.name, "ECDSA") {
2558 cert = ecdsaP256Certificate
2559 certFile = ecdsaP256CertificateFile
2560 keyFile = ecdsaP256KeyFile
2561 } else {
2562 cert = rsaCertificate
2563 certFile = rsaCertificateFile
2564 keyFile = rsaKeyFile
2565 }
2566
2567 var flags []string
2568 if hasComponent(suite.name, "PSK") {
2569 flags = append(flags,
2570 "-psk", psk,
2571 "-psk-identity", pskIdentity)
2572 }
2573 if hasComponent(suite.name, "NULL") {
2574 // NULL ciphers must be explicitly enabled.
2575 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2576 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2577
2578 var shouldServerFail, shouldClientFail bool
2579 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2580 // BoringSSL clients accept ECDHE on SSLv3, but
2581 // a BoringSSL server will never select it
2582 // because the extension is missing.
2583 shouldServerFail = true
2584 }
2585 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2586 shouldClientFail = true
2587 shouldServerFail = true
2588 }
2589 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2590 shouldClientFail = true
2591 shouldServerFail = true
2592 }
2593 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2594 shouldClientFail = true
2595 shouldServerFail = true
2596 }
2597 if !isDTLSCipher(suite.name) && protocol == dtls {
2598 shouldClientFail = true
2599 shouldServerFail = true
2600 }
2601
2602 var sendCipherSuite uint16
2603 var expectedServerError, expectedClientError string
2604 serverCipherSuites := []uint16{suite.id}
2605 if shouldServerFail {
2606 expectedServerError = ":NO_SHARED_CIPHER:"
2607 }
2608 if shouldClientFail {
2609 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2610 // Configure the server to select ciphers as normal but
2611 // select an incompatible cipher in ServerHello.
2612 serverCipherSuites = nil
2613 sendCipherSuite = suite.id
2614 }
2615
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2616 // For cipher suites and versions where exporters are defined, verify
2617 // that they interoperate.
2618 var exportKeyingMaterial int
2619 if ver.version > VersionSSL30 {
2620 exportKeyingMaterial = 1024
2621 }
2622
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2623 testCases = append(testCases, testCase{
2624 testType: serverTest,
2625 protocol: protocol,
2626 name: prefix + ver.name + "-" + suite.name + "-server",
2627 config: Config{
2628 MinVersion: ver.version,
2629 MaxVersion: ver.version,
2630 CipherSuites: []uint16{suite.id},
2631 Certificates: []Certificate{cert},
2632 PreSharedKey: []byte(psk),
2633 PreSharedKeyIdentity: pskIdentity,
2634 Bugs: ProtocolBugs{
2635 AdvertiseAllConfiguredCiphers: true,
2636 },
2637 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2638 certFile: certFile,
2639 keyFile: keyFile,
2640 flags: flags,
2641 resumeSession: true,
2642 shouldFail: shouldServerFail,
2643 expectedError: expectedServerError,
2644 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2645 })
2646
2647 testCases = append(testCases, testCase{
2648 testType: clientTest,
2649 protocol: protocol,
2650 name: prefix + ver.name + "-" + suite.name + "-client",
2651 config: Config{
2652 MinVersion: ver.version,
2653 MaxVersion: ver.version,
2654 CipherSuites: serverCipherSuites,
2655 Certificates: []Certificate{cert},
2656 PreSharedKey: []byte(psk),
2657 PreSharedKeyIdentity: pskIdentity,
2658 Bugs: ProtocolBugs{
2659 IgnorePeerCipherPreferences: shouldClientFail,
2660 SendCipherSuite: sendCipherSuite,
2661 },
2662 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2663 flags: flags,
2664 resumeSession: true,
2665 shouldFail: shouldClientFail,
2666 expectedError: expectedClientError,
2667 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2668 })
2669
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2670 if shouldClientFail {
2671 return
2672 }
2673
2674 // Ensure the maximum record size is accepted.
2675 testCases = append(testCases, testCase{
2676 protocol: protocol,
2677 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2678 config: Config{
2679 MinVersion: ver.version,
2680 MaxVersion: ver.version,
2681 CipherSuites: []uint16{suite.id},
2682 Certificates: []Certificate{cert},
2683 PreSharedKey: []byte(psk),
2684 PreSharedKeyIdentity: pskIdentity,
2685 },
2686 flags: flags,
2687 messageLen: maxPlaintext,
2688 })
2689
2690 // Test bad records for all ciphers. Bad records are fatal in TLS
2691 // and ignored in DTLS.
2692 var shouldFail bool
2693 var expectedError string
2694 if protocol == tls {
2695 shouldFail = true
2696 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2697 }
2698
2699 testCases = append(testCases, testCase{
2700 protocol: protocol,
2701 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2702 config: Config{
2703 MinVersion: ver.version,
2704 MaxVersion: ver.version,
2705 CipherSuites: []uint16{suite.id},
2706 Certificates: []Certificate{cert},
2707 PreSharedKey: []byte(psk),
2708 PreSharedKeyIdentity: pskIdentity,
2709 },
2710 flags: flags,
2711 damageFirstWrite: true,
2712 messageLen: maxPlaintext,
2713 shouldFail: shouldFail,
2714 expectedError: expectedError,
2715 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2716}
2717
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2718func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2719 const bogusCipher = 0xfe00
2720
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2721 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2722 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2723 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2724 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2725 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2726 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2727 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2728
2729 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2730 name: "NoSharedCipher",
2731 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2732 MaxVersion: VersionTLS12,
2733 CipherSuites: []uint16{},
2734 },
2735 shouldFail: true,
2736 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2737 })
2738
2739 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2740 name: "NoSharedCipher-TLS13",
2741 config: Config{
2742 MaxVersion: VersionTLS13,
2743 CipherSuites: []uint16{},
2744 },
2745 shouldFail: true,
2746 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2747 })
2748
2749 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2750 name: "UnsupportedCipherSuite",
2751 config: Config{
2752 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2753 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2754 Bugs: ProtocolBugs{
2755 IgnorePeerCipherPreferences: true,
2756 },
2757 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2758 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2759 shouldFail: true,
2760 expectedError: ":WRONG_CIPHER_RETURNED:",
2761 })
2762
2763 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2764 name: "ServerHelloBogusCipher",
2765 config: Config{
2766 MaxVersion: VersionTLS12,
2767 Bugs: ProtocolBugs{
2768 SendCipherSuite: bogusCipher,
2769 },
2770 },
2771 shouldFail: true,
2772 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2773 })
2774 testCases = append(testCases, testCase{
2775 name: "ServerHelloBogusCipher-TLS13",
2776 config: Config{
2777 MaxVersion: VersionTLS13,
2778 Bugs: ProtocolBugs{
2779 SendCipherSuite: bogusCipher,
2780 },
2781 },
2782 shouldFail: true,
2783 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2784 })
2785
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2786 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2787 testCases = append(testCases, testCase{
2788 testType: serverTest,
2789 name: "UnknownCipher",
2790 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2791 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2792 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2793 Bugs: ProtocolBugs{
2794 AdvertiseAllConfiguredCiphers: true,
2795 },
2796 },
2797 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2798
2799 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2800 testCases = append(testCases, testCase{
2801 testType: serverTest,
2802 name: "UnknownCipher-TLS13",
2803 config: Config{
2804 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2805 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2806 Bugs: ProtocolBugs{
2807 AdvertiseAllConfiguredCiphers: true,
2808 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2809 },
2810 })
2811
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2812 // Test empty ECDHE_PSK identity hints work as expected.
2813 testCases = append(testCases, testCase{
2814 name: "EmptyECDHEPSKHint",
2815 config: Config{
2816 MaxVersion: VersionTLS12,
2817 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2818 PreSharedKey: []byte("secret"),
2819 },
2820 flags: []string{"-psk", "secret"},
2821 })
2822
2823 // Test empty PSK identity hints work as expected, even if an explicit
2824 // ServerKeyExchange is sent.
2825 testCases = append(testCases, testCase{
2826 name: "ExplicitEmptyPSKHint",
2827 config: Config{
2828 MaxVersion: VersionTLS12,
2829 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2830 PreSharedKey: []byte("secret"),
2831 Bugs: ProtocolBugs{
2832 AlwaysSendPreSharedKeyIdentityHint: true,
2833 },
2834 },
2835 flags: []string{"-psk", "secret"},
2836 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2837
2838 // Test that clients enforce that the server-sent certificate and cipher
2839 // suite match in TLS 1.2.
2840 testCases = append(testCases, testCase{
2841 name: "CertificateCipherMismatch-RSA",
2842 config: Config{
2843 MaxVersion: VersionTLS12,
2844 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2845 Certificates: []Certificate{rsaCertificate},
2846 Bugs: ProtocolBugs{
2847 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2848 },
2849 },
2850 shouldFail: true,
2851 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2852 })
2853 testCases = append(testCases, testCase{
2854 name: "CertificateCipherMismatch-ECDSA",
2855 config: Config{
2856 MaxVersion: VersionTLS12,
2857 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2858 Certificates: []Certificate{ecdsaP256Certificate},
2859 Bugs: ProtocolBugs{
2860 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2861 },
2862 },
2863 shouldFail: true,
2864 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2865 })
2866 testCases = append(testCases, testCase{
2867 name: "CertificateCipherMismatch-Ed25519",
2868 config: Config{
2869 MaxVersion: VersionTLS12,
2870 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2871 Certificates: []Certificate{ed25519Certificate},
2872 Bugs: ProtocolBugs{
2873 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2874 },
2875 },
2876 shouldFail: true,
2877 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2878 })
2879
2880 // Test that servers decline to select a cipher suite which is
2881 // inconsistent with their configured certificate.
2882 testCases = append(testCases, testCase{
2883 testType: serverTest,
2884 name: "ServerCipherFilter-RSA",
2885 config: Config{
2886 MaxVersion: VersionTLS12,
2887 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2888 },
2889 flags: []string{
2890 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2891 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2892 },
2893 shouldFail: true,
2894 expectedError: ":NO_SHARED_CIPHER:",
2895 })
2896 testCases = append(testCases, testCase{
2897 testType: serverTest,
2898 name: "ServerCipherFilter-ECDSA",
2899 config: Config{
2900 MaxVersion: VersionTLS12,
2901 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2902 },
2903 flags: []string{
2904 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2905 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2906 },
2907 shouldFail: true,
2908 expectedError: ":NO_SHARED_CIPHER:",
2909 })
2910 testCases = append(testCases, testCase{
2911 testType: serverTest,
2912 name: "ServerCipherFilter-Ed25519",
2913 config: Config{
2914 MaxVersion: VersionTLS12,
2915 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2916 },
2917 flags: []string{
2918 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2919 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2920 },
2921 shouldFail: true,
2922 expectedError: ":NO_SHARED_CIPHER:",
2923 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2924}
2925
2926func addBadECDSASignatureTests() {
2927 for badR := BadValue(1); badR < NumBadValues; badR++ {
2928 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2929 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2930 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2931 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2932 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2933 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2934 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2935 Bugs: ProtocolBugs{
2936 BadECDSAR: badR,
2937 BadECDSAS: badS,
2938 },
2939 },
2940 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2941 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2942 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2943 testCases = append(testCases, testCase{
2944 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2945 config: Config{
2946 MaxVersion: VersionTLS13,
2947 Certificates: []Certificate{ecdsaP256Certificate},
2948 Bugs: ProtocolBugs{
2949 BadECDSAR: badR,
2950 BadECDSAS: badS,
2951 },
2952 },
2953 shouldFail: true,
2954 expectedError: ":BAD_SIGNATURE:",
2955 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2956 }
2957 }
2958}
2959
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2960func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2961 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2962 name: "MaxCBCPadding",
2963 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2964 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2965 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2966 Bugs: ProtocolBugs{
2967 MaxPadding: true,
2968 },
2969 },
2970 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2971 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2972 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2973 name: "BadCBCPadding",
2974 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2975 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2976 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2977 Bugs: ProtocolBugs{
2978 PaddingFirstByteBad: true,
2979 },
2980 },
2981 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2982 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2983 })
2984 // OpenSSL previously had an issue where the first byte of padding in
2985 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2986 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2987 name: "BadCBCPadding255",
2988 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2989 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2990 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2991 Bugs: ProtocolBugs{
2992 MaxPadding: true,
2993 PaddingFirstByteBadIf255: true,
2994 },
2995 },
2996 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2997 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2998 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2999 })
3000}
3001
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3002func addCBCSplittingTests() {
3003 testCases = append(testCases, testCase{
3004 name: "CBCRecordSplitting",
3005 config: Config{
3006 MaxVersion: VersionTLS10,
3007 MinVersion: VersionTLS10,
3008 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3009 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3010 messageLen: -1, // read until EOF
3011 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3012 flags: []string{
3013 "-async",
3014 "-write-different-record-sizes",
3015 "-cbc-record-splitting",
3016 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3017 })
3018 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3019 name: "CBCRecordSplittingPartialWrite",
3020 config: Config{
3021 MaxVersion: VersionTLS10,
3022 MinVersion: VersionTLS10,
3023 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3024 },
3025 messageLen: -1, // read until EOF
3026 flags: []string{
3027 "-async",
3028 "-write-different-record-sizes",
3029 "-cbc-record-splitting",
3030 "-partial-write",
3031 },
3032 })
3033}
3034
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3035func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3036 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3037 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3038 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3039 cert, err := x509.ParseCertificate(cert.Certificate[0])
3040 if err != nil {
3041 panic(err)
3042 }
3043 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3044 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3045 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3046
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3047 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3048 testCases = append(testCases, testCase{
3049 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3050 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3051 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3052 MinVersion: ver.version,
3053 MaxVersion: ver.version,
3054 ClientAuth: RequireAnyClientCert,
3055 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3056 },
3057 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3058 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3059 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3060 },
3061 })
3062 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3063 testType: serverTest,
3064 name: ver.name + "-Server-ClientAuth-RSA",
3065 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3066 MinVersion: ver.version,
3067 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3068 Certificates: []Certificate{rsaCertificate},
3069 },
3070 flags: []string{"-require-any-client-certificate"},
3071 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3072 if ver.version != VersionSSL30 {
3073 testCases = append(testCases, testCase{
3074 testType: serverTest,
3075 name: ver.name + "-Server-ClientAuth-ECDSA",
3076 config: Config{
3077 MinVersion: ver.version,
3078 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3079 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3080 },
3081 flags: []string{"-require-any-client-certificate"},
3082 })
3083 testCases = append(testCases, testCase{
3084 testType: clientTest,
3085 name: ver.name + "-Client-ClientAuth-ECDSA",
3086 config: Config{
3087 MinVersion: ver.version,
3088 MaxVersion: ver.version,
3089 ClientAuth: RequireAnyClientCert,
3090 ClientCAs: certPool,
3091 },
3092 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3093 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3094 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3095 },
3096 })
3097 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3098
3099 testCases = append(testCases, testCase{
3100 name: "NoClientCertificate-" + ver.name,
3101 config: Config{
3102 MinVersion: ver.version,
3103 MaxVersion: ver.version,
3104 ClientAuth: RequireAnyClientCert,
3105 },
3106 shouldFail: true,
3107 expectedLocalError: "client didn't provide a certificate",
3108 })
3109
3110 testCases = append(testCases, testCase{
3111 // Even if not configured to expect a certificate, OpenSSL will
3112 // return X509_V_OK as the verify_result.
3113 testType: serverTest,
3114 name: "NoClientCertificateRequested-Server-" + ver.name,
3115 config: Config{
3116 MinVersion: ver.version,
3117 MaxVersion: ver.version,
3118 },
3119 flags: []string{
3120 "-expect-verify-result",
3121 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3122 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3123 })
3124
3125 testCases = append(testCases, testCase{
3126 // If a client certificate is not provided, OpenSSL will still
3127 // return X509_V_OK as the verify_result.
3128 testType: serverTest,
3129 name: "NoClientCertificate-Server-" + ver.name,
3130 config: Config{
3131 MinVersion: ver.version,
3132 MaxVersion: ver.version,
3133 },
3134 flags: []string{
3135 "-expect-verify-result",
3136 "-verify-peer",
3137 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3138 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3139 })
3140
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3141 certificateRequired := "remote error: certificate required"
3142 if ver.version < VersionTLS13 {
3143 // Prior to TLS 1.3, the generic handshake_failure alert
3144 // was used.
3145 certificateRequired = "remote error: handshake failure"
3146 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3147 testCases = append(testCases, testCase{
3148 testType: serverTest,
3149 name: "RequireAnyClientCertificate-" + ver.name,
3150 config: Config{
3151 MinVersion: ver.version,
3152 MaxVersion: ver.version,
3153 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3154 flags: []string{"-require-any-client-certificate"},
3155 shouldFail: true,
3156 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3157 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3158 })
3159
3160 if ver.version != VersionSSL30 {
3161 testCases = append(testCases, testCase{
3162 testType: serverTest,
3163 name: "SkipClientCertificate-" + ver.name,
3164 config: Config{
3165 MinVersion: ver.version,
3166 MaxVersion: ver.version,
3167 Bugs: ProtocolBugs{
3168 SkipClientCertificate: true,
3169 },
3170 },
3171 // Setting SSL_VERIFY_PEER allows anonymous clients.
3172 flags: []string{"-verify-peer"},
3173 shouldFail: true,
3174 expectedError: ":UNEXPECTED_MESSAGE:",
3175 })
3176 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3177
3178 testCases = append(testCases, testCase{
3179 testType: serverTest,
3180 name: ver.name + "-Server-CertReq-CA-List",
3181 config: Config{
3182 MinVersion: ver.version,
3183 MaxVersion: ver.version,
3184 Certificates: []Certificate{rsaCertificate},
3185 Bugs: ProtocolBugs{
3186 ExpectCertificateReqNames: caNames,
3187 },
3188 },
3189 flags: []string{
3190 "-require-any-client-certificate",
3191 "-use-client-ca-list", encodeDERValues(caNames),
3192 },
3193 })
3194
3195 testCases = append(testCases, testCase{
3196 testType: clientTest,
3197 name: ver.name + "-Client-CertReq-CA-List",
3198 config: Config{
3199 MinVersion: ver.version,
3200 MaxVersion: ver.version,
3201 Certificates: []Certificate{rsaCertificate},
3202 ClientAuth: RequireAnyClientCert,
3203 ClientCAs: certPool,
3204 },
3205 flags: []string{
3206 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3207 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3208 "-expect-client-ca-list", encodeDERValues(caNames),
3209 },
3210 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3211 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3212
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3213 // Client auth is only legal in certificate-based ciphers.
3214 testCases = append(testCases, testCase{
3215 testType: clientTest,
3216 name: "ClientAuth-PSK",
3217 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3218 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3219 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3220 PreSharedKey: []byte("secret"),
3221 ClientAuth: RequireAnyClientCert,
3222 },
3223 flags: []string{
3224 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3225 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3226 "-psk", "secret",
3227 },
3228 shouldFail: true,
3229 expectedError: ":UNEXPECTED_MESSAGE:",
3230 })
3231 testCases = append(testCases, testCase{
3232 testType: clientTest,
3233 name: "ClientAuth-ECDHE_PSK",
3234 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3235 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3236 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3237 PreSharedKey: []byte("secret"),
3238 ClientAuth: RequireAnyClientCert,
3239 },
3240 flags: []string{
3241 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3242 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3243 "-psk", "secret",
3244 },
3245 shouldFail: true,
3246 expectedError: ":UNEXPECTED_MESSAGE:",
3247 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3248
3249 // Regression test for a bug where the client CA list, if explicitly
3250 // set to NULL, was mis-encoded.
3251 testCases = append(testCases, testCase{
3252 testType: serverTest,
3253 name: "Null-Client-CA-List",
3254 config: Config{
3255 MaxVersion: VersionTLS12,
3256 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3257 Bugs: ProtocolBugs{
3258 ExpectCertificateReqNames: [][]byte{},
3259 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3260 },
3261 flags: []string{
3262 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3263 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3264 },
3265 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3266}
3267
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3268func addExtendedMasterSecretTests() {
3269 const expectEMSFlag = "-expect-extended-master-secret"
3270
3271 for _, with := range []bool{false, true} {
3272 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3273 if with {
3274 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3275 }
3276
3277 for _, isClient := range []bool{false, true} {
3278 suffix := "-Server"
3279 testType := serverTest
3280 if isClient {
3281 suffix = "-Client"
3282 testType = clientTest
3283 }
3284
3285 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3286 // In TLS 1.3, the extension is irrelevant and
3287 // always reports as enabled.
3288 var flags []string
3289 if with || ver.version >= VersionTLS13 {
3290 flags = []string{expectEMSFlag}
3291 }
3292
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3293 test := testCase{
3294 testType: testType,
3295 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3296 config: Config{
3297 MinVersion: ver.version,
3298 MaxVersion: ver.version,
3299 Bugs: ProtocolBugs{
3300 NoExtendedMasterSecret: !with,
3301 RequireExtendedMasterSecret: with,
3302 },
3303 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3304 flags: flags,
3305 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3306 }
3307 if test.shouldFail {
3308 test.expectedLocalError = "extended master secret required but not supported by peer"
3309 }
3310 testCases = append(testCases, test)
3311 }
3312 }
3313 }
3314
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3315 for _, isClient := range []bool{false, true} {
3316 for _, supportedInFirstConnection := range []bool{false, true} {
3317 for _, supportedInResumeConnection := range []bool{false, true} {
3318 boolToWord := func(b bool) string {
3319 if b {
3320 return "Yes"
3321 }
3322 return "No"
3323 }
3324 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3325 if isClient {
3326 suffix += "Client"
3327 } else {
3328 suffix += "Server"
3329 }
3330
3331 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3332 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3333 Bugs: ProtocolBugs{
3334 RequireExtendedMasterSecret: true,
3335 },
3336 }
3337
3338 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3339 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3340 Bugs: ProtocolBugs{
3341 NoExtendedMasterSecret: true,
3342 },
3343 }
3344
3345 test := testCase{
3346 name: "ExtendedMasterSecret-" + suffix,
3347 resumeSession: true,
3348 }
3349
3350 if !isClient {
3351 test.testType = serverTest
3352 }
3353
3354 if supportedInFirstConnection {
3355 test.config = supportedConfig
3356 } else {
3357 test.config = noSupportConfig
3358 }
3359
3360 if supportedInResumeConnection {
3361 test.resumeConfig = &supportedConfig
3362 } else {
3363 test.resumeConfig = &noSupportConfig
3364 }
3365
3366 switch suffix {
3367 case "YesToYes-Client", "YesToYes-Server":
3368 // When a session is resumed, it should
3369 // still be aware that its master
3370 // secret was generated via EMS and
3371 // thus it's safe to use tls-unique.
3372 test.flags = []string{expectEMSFlag}
3373 case "NoToYes-Server":
3374 // If an original connection did not
3375 // contain EMS, but a resumption
3376 // handshake does, then a server should
3377 // not resume the session.
3378 test.expectResumeRejected = true
3379 case "YesToNo-Server":
3380 // Resuming an EMS session without the
3381 // EMS extension should cause the
3382 // server to abort the connection.
3383 test.shouldFail = true
3384 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3385 case "NoToYes-Client":
3386 // A client should abort a connection
3387 // where the server resumed a non-EMS
3388 // session but echoed the EMS
3389 // extension.
3390 test.shouldFail = true
3391 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3392 case "YesToNo-Client":
3393 // A client should abort a connection
3394 // where the server didn't echo EMS
3395 // when the session used it.
3396 test.shouldFail = true
3397 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3398 }
3399
3400 testCases = append(testCases, test)
3401 }
3402 }
3403 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3404
3405 // Switching EMS on renegotiation is forbidden.
3406 testCases = append(testCases, testCase{
3407 name: "ExtendedMasterSecret-Renego-NoEMS",
3408 config: Config{
3409 MaxVersion: VersionTLS12,
3410 Bugs: ProtocolBugs{
3411 NoExtendedMasterSecret: true,
3412 NoExtendedMasterSecretOnRenegotiation: true,
3413 },
3414 },
3415 renegotiate: 1,
3416 flags: []string{
3417 "-renegotiate-freely",
3418 "-expect-total-renegotiations", "1",
3419 },
3420 })
3421
3422 testCases = append(testCases, testCase{
3423 name: "ExtendedMasterSecret-Renego-Upgrade",
3424 config: Config{
3425 MaxVersion: VersionTLS12,
3426 Bugs: ProtocolBugs{
3427 NoExtendedMasterSecret: true,
3428 },
3429 },
3430 renegotiate: 1,
3431 flags: []string{
3432 "-renegotiate-freely",
3433 "-expect-total-renegotiations", "1",
3434 },
3435 shouldFail: true,
3436 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3437 })
3438
3439 testCases = append(testCases, testCase{
3440 name: "ExtendedMasterSecret-Renego-Downgrade",
3441 config: Config{
3442 MaxVersion: VersionTLS12,
3443 Bugs: ProtocolBugs{
3444 NoExtendedMasterSecretOnRenegotiation: true,
3445 },
3446 },
3447 renegotiate: 1,
3448 flags: []string{
3449 "-renegotiate-freely",
3450 "-expect-total-renegotiations", "1",
3451 },
3452 shouldFail: true,
3453 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3454 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3455}
3456
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3457type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3458 protocol protocol
3459 async bool
3460 splitHandshake bool
3461 packHandshakeFlight bool
3462 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3463}
3464
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3465// Adds tests that try to cover the range of the handshake state machine, under
3466// various conditions. Some of these are redundant with other tests, but they
3467// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3468func addAllStateMachineCoverageTests() {
3469 for _, async := range []bool{false, true} {
3470 for _, protocol := range []protocol{tls, dtls} {
3471 addStateMachineCoverageTests(stateMachineTestConfig{
3472 protocol: protocol,
3473 async: async,
3474 })
3475 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3476 protocol: protocol,
3477 async: async,
3478 implicitHandshake: true,
3479 })
3480 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3481 protocol: protocol,
3482 async: async,
3483 splitHandshake: true,
3484 })
3485 if protocol == tls {
3486 addStateMachineCoverageTests(stateMachineTestConfig{
3487 protocol: protocol,
3488 async: async,
3489 packHandshakeFlight: true,
3490 })
3491 }
3492 }
3493 }
3494}
3495
3496func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3497 var tests []testCase
3498
3499 // Basic handshake, with resumption. Client and server,
3500 // session ID and session ticket.
3501 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3502 name: "Basic-Client",
3503 config: Config{
3504 MaxVersion: VersionTLS12,
3505 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3506 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3507 // Ensure session tickets are used, not session IDs.
3508 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3509 })
3510 tests = append(tests, testCase{
3511 name: "Basic-Client-RenewTicket",
3512 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3513 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3514 Bugs: ProtocolBugs{
3515 RenewTicketOnResume: true,
3516 },
3517 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3518 flags: []string{"-expect-ticket-renewal"},
3519 resumeSession: true,
3520 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3521 })
3522 tests = append(tests, testCase{
3523 name: "Basic-Client-NoTicket",
3524 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3525 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3526 SessionTicketsDisabled: true,
3527 },
3528 resumeSession: true,
3529 })
3530 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3531 testType: serverTest,
3532 name: "Basic-Server",
3533 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3534 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3535 Bugs: ProtocolBugs{
3536 RequireSessionTickets: true,
3537 },
3538 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3539 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3540 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3541 })
3542 tests = append(tests, testCase{
3543 testType: serverTest,
3544 name: "Basic-Server-NoTickets",
3545 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3546 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3547 SessionTicketsDisabled: true,
3548 },
3549 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3550 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3551 })
3552 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3553 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3554 name: "Basic-Server-EarlyCallback",
3555 config: Config{
3556 MaxVersion: VersionTLS12,
3557 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3558 flags: []string{"-use-early-callback"},
3559 resumeSession: true,
3560 })
3561
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3562 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3563 if config.protocol == tls {
3564 tests = append(tests, testCase{
3565 name: "TLS13-1RTT-Client",
3566 config: Config{
3567 MaxVersion: VersionTLS13,
3568 MinVersion: VersionTLS13,
3569 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3570 resumeSession: true,
3571 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3572 })
3573
3574 tests = append(tests, testCase{
3575 testType: serverTest,
3576 name: "TLS13-1RTT-Server",
3577 config: Config{
3578 MaxVersion: VersionTLS13,
3579 MinVersion: VersionTLS13,
3580 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3581 resumeSession: true,
3582 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3583 // TLS 1.3 uses tickets, so the session should not be
3584 // cached statefully.
3585 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3586 })
3587
3588 tests = append(tests, testCase{
3589 name: "TLS13-HelloRetryRequest-Client",
3590 config: Config{
3591 MaxVersion: VersionTLS13,
3592 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3593 // P-384 requires a HelloRetryRequest against BoringSSL's default
3594 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3595 CurvePreferences: []CurveID{CurveP384},
3596 Bugs: ProtocolBugs{
3597 ExpectMissingKeyShare: true,
3598 },
3599 },
3600 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3601 resumeSession: true,
3602 })
3603
3604 tests = append(tests, testCase{
3605 testType: serverTest,
3606 name: "TLS13-HelloRetryRequest-Server",
3607 config: Config{
3608 MaxVersion: VersionTLS13,
3609 MinVersion: VersionTLS13,
3610 // Require a HelloRetryRequest for every curve.
3611 DefaultCurves: []CurveID{},
3612 },
3613 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3614 resumeSession: true,
3615 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3616
3617 // TODO(svaldez): Send data on early data once implemented.
3618 tests = append(tests, testCase{
3619 testType: clientTest,
3620 name: "TLS13-EarlyData-Client",
3621 config: Config{
3622 MaxVersion: VersionTLS13,
3623 MinVersion: VersionTLS13,
3624 MaxEarlyDataSize: 16384,
3625 },
3626 resumeSession: true,
3627 flags: []string{
3628 "-enable-early-data",
3629 "-expect-early-data-info",
3630 "-expect-accept-early-data",
3631 },
3632 })
3633
3634 tests = append(tests, testCase{
3635 testType: serverTest,
3636 name: "TLS13-EarlyData-Server",
3637 config: Config{
3638 MaxVersion: VersionTLS13,
3639 MinVersion: VersionTLS13,
3640 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3641 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3642 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3643 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3644 },
3645 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3646 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3647 resumeSession: true,
3648 flags: []string{
3649 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3650 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3651 },
3652 })
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3653
3654 tests = append(tests, testCase{
3655 testType: serverTest,
3656 name: "TLS13-MaxEarlyData-Server",
3657 config: Config{
3658 MaxVersion: VersionTLS13,
3659 MinVersion: VersionTLS13,
3660 Bugs: ProtocolBugs{
David Benjamin29975892017-04-27 23:47:21 -0400[diff] [blame]3661 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3662 ExpectEarlyDataAccepted: true,
3663 },
3664 },
3665 messageCount: 2,
3666 resumeSession: true,
3667 flags: []string{
3668 "-enable-early-data",
3669 "-expect-accept-early-data",
3670 },
3671 shouldFail: true,
3672 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
3673 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3674 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3675
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3676 // TLS client auth.
3677 tests = append(tests, testCase{
3678 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3679 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3680 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3681 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3682 ClientAuth: RequestClientCert,
3683 },
3684 })
3685 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3686 testType: serverTest,
3687 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3688 config: Config{
3689 MaxVersion: VersionTLS12,
3690 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3691 // Setting SSL_VERIFY_PEER allows anonymous clients.
3692 flags: []string{"-verify-peer"},
3693 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3694 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3695 tests = append(tests, testCase{
3696 testType: clientTest,
3697 name: "ClientAuth-NoCertificate-Client-SSL3",
3698 config: Config{
3699 MaxVersion: VersionSSL30,
3700 ClientAuth: RequestClientCert,
3701 },
3702 })
3703 tests = append(tests, testCase{
3704 testType: serverTest,
3705 name: "ClientAuth-NoCertificate-Server-SSL3",
3706 config: Config{
3707 MaxVersion: VersionSSL30,
3708 },
3709 // Setting SSL_VERIFY_PEER allows anonymous clients.
3710 flags: []string{"-verify-peer"},
3711 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3712 tests = append(tests, testCase{
3713 testType: clientTest,
3714 name: "ClientAuth-NoCertificate-Client-TLS13",
3715 config: Config{
3716 MaxVersion: VersionTLS13,
3717 ClientAuth: RequestClientCert,
3718 },
3719 })
3720 tests = append(tests, testCase{
3721 testType: serverTest,
3722 name: "ClientAuth-NoCertificate-Server-TLS13",
3723 config: Config{
3724 MaxVersion: VersionTLS13,
3725 },
3726 // Setting SSL_VERIFY_PEER allows anonymous clients.
3727 flags: []string{"-verify-peer"},
3728 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3729 }
3730 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3731 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3732 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3733 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3734 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3735 ClientAuth: RequireAnyClientCert,
3736 },
3737 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3738 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3739 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3740 },
3741 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3742 tests = append(tests, testCase{
3743 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3744 name: "ClientAuth-RSA-Client-TLS13",
3745 config: Config{
3746 MaxVersion: VersionTLS13,
3747 ClientAuth: RequireAnyClientCert,
3748 },
3749 flags: []string{
3750 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3751 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3752 },
3753 })
3754 tests = append(tests, testCase{
3755 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3756 name: "ClientAuth-ECDSA-Client",
3757 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3758 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3759 ClientAuth: RequireAnyClientCert,
3760 },
3761 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3762 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3763 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3764 },
3765 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3766 tests = append(tests, testCase{
3767 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3768 name: "ClientAuth-ECDSA-Client-TLS13",
3769 config: Config{
3770 MaxVersion: VersionTLS13,
3771 ClientAuth: RequireAnyClientCert,
3772 },
3773 flags: []string{
3774 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3775 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3776 },
3777 })
3778 tests = append(tests, testCase{
3779 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3780 name: "ClientAuth-NoCertificate-OldCallback",
3781 config: Config{
3782 MaxVersion: VersionTLS12,
3783 ClientAuth: RequestClientCert,
3784 },
3785 flags: []string{"-use-old-client-cert-callback"},
3786 })
3787 tests = append(tests, testCase{
3788 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3789 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3790 config: Config{
3791 MaxVersion: VersionTLS13,
3792 ClientAuth: RequestClientCert,
3793 },
3794 flags: []string{"-use-old-client-cert-callback"},
3795 })
3796 tests = append(tests, testCase{
3797 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3798 name: "ClientAuth-OldCallback",
3799 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3800 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3801 ClientAuth: RequireAnyClientCert,
3802 },
3803 flags: []string{
3804 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3805 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3806 "-use-old-client-cert-callback",
3807 },
3808 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3809 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3810 testType: clientTest,
3811 name: "ClientAuth-OldCallback-TLS13",
3812 config: Config{
3813 MaxVersion: VersionTLS13,
3814 ClientAuth: RequireAnyClientCert,
3815 },
3816 flags: []string{
3817 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3818 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3819 "-use-old-client-cert-callback",
3820 },
3821 })
3822 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3823 testType: serverTest,
3824 name: "ClientAuth-Server",
3825 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3826 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3827 Certificates: []Certificate{rsaCertificate},
3828 },
3829 flags: []string{"-require-any-client-certificate"},
3830 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3831 tests = append(tests, testCase{
3832 testType: serverTest,
3833 name: "ClientAuth-Server-TLS13",
3834 config: Config{
3835 MaxVersion: VersionTLS13,
3836 Certificates: []Certificate{rsaCertificate},
3837 },
3838 flags: []string{"-require-any-client-certificate"},
3839 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3840
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3841 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3842 tests = append(tests, testCase{
3843 testType: serverTest,
3844 name: "Basic-Server-RSA",
3845 config: Config{
3846 MaxVersion: VersionTLS12,
3847 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3848 },
3849 flags: []string{
3850 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3851 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3852 },
3853 })
3854 tests = append(tests, testCase{
3855 testType: serverTest,
3856 name: "Basic-Server-ECDHE-RSA",
3857 config: Config{
3858 MaxVersion: VersionTLS12,
3859 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3860 },
3861 flags: []string{
3862 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3863 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3864 },
3865 })
3866 tests = append(tests, testCase{
3867 testType: serverTest,
3868 name: "Basic-Server-ECDHE-ECDSA",
3869 config: Config{
3870 MaxVersion: VersionTLS12,
3871 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3872 },
3873 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3874 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3875 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3876 },
3877 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3878 tests = append(tests, testCase{
3879 testType: serverTest,
3880 name: "Basic-Server-Ed25519",
3881 config: Config{
3882 MaxVersion: VersionTLS12,
3883 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3884 },
3885 flags: []string{
3886 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3887 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3888 "-enable-ed25519",
3889 },
3890 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3891
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3892 // No session ticket support; server doesn't send NewSessionTicket.
3893 tests = append(tests, testCase{
3894 name: "SessionTicketsDisabled-Client",
3895 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3896 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3897 SessionTicketsDisabled: true,
3898 },
3899 })
3900 tests = append(tests, testCase{
3901 testType: serverTest,
3902 name: "SessionTicketsDisabled-Server",
3903 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3904 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3905 SessionTicketsDisabled: true,
3906 },
3907 })
3908
3909 // Skip ServerKeyExchange in PSK key exchange if there's no
3910 // identity hint.
3911 tests = append(tests, testCase{
3912 name: "EmptyPSKHint-Client",
3913 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3914 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3915 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3916 PreSharedKey: []byte("secret"),
3917 },
3918 flags: []string{"-psk", "secret"},
3919 })
3920 tests = append(tests, testCase{
3921 testType: serverTest,
3922 name: "EmptyPSKHint-Server",
3923 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3924 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3925 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3926 PreSharedKey: []byte("secret"),
3927 },
3928 flags: []string{"-psk", "secret"},
3929 })
3930
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3931 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3932 tests = append(tests, testCase{
3933 testType: clientTest,
3934 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3935 config: Config{
3936 MaxVersion: VersionTLS12,
3937 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3938 flags: []string{
3939 "-enable-ocsp-stapling",
3940 "-expect-ocsp-response",
3941 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3942 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3943 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3944 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3945 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3946 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3947 testType: serverTest,
3948 name: "OCSPStapling-Server",
3949 config: Config{
3950 MaxVersion: VersionTLS12,
3951 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3952 expectedOCSPResponse: testOCSPResponse,
3953 flags: []string{
3954 "-ocsp-response",
3955 base64.StdEncoding.EncodeToString(testOCSPResponse),
3956 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3957 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3958 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3959 tests = append(tests, testCase{
3960 testType: clientTest,
3961 name: "OCSPStapling-Client-TLS13",
3962 config: Config{
3963 MaxVersion: VersionTLS13,
3964 },
3965 flags: []string{
3966 "-enable-ocsp-stapling",
3967 "-expect-ocsp-response",
3968 base64.StdEncoding.EncodeToString(testOCSPResponse),
3969 "-verify-peer",
3970 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3971 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3972 })
3973 tests = append(tests, testCase{
3974 testType: serverTest,
3975 name: "OCSPStapling-Server-TLS13",
3976 config: Config{
3977 MaxVersion: VersionTLS13,
3978 },
3979 expectedOCSPResponse: testOCSPResponse,
3980 flags: []string{
3981 "-ocsp-response",
3982 base64.StdEncoding.EncodeToString(testOCSPResponse),
3983 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3984 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3985 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3986
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3987 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3988 for _, vers := range tlsVersions {
3989 if config.protocol == dtls && !vers.hasDTLS {
3990 continue
3991 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3992 for _, testType := range []testType{clientTest, serverTest} {
3993 suffix := "-Client"
3994 if testType == serverTest {
3995 suffix = "-Server"
3996 }
3997 suffix += "-" + vers.name
3998
3999 flag := "-verify-peer"
4000 if testType == serverTest {
4001 flag = "-require-any-client-certificate"
4002 }
4003
4004 tests = append(tests, testCase{
4005 testType: testType,
4006 name: "CertificateVerificationSucceed" + suffix,
4007 config: Config{
4008 MaxVersion: vers.version,
4009 Certificates: []Certificate{rsaCertificate},
4010 },
4011 flags: []string{
4012 flag,
4013 "-expect-verify-result",
4014 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4015 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4016 })
4017 tests = append(tests, testCase{
4018 testType: testType,
4019 name: "CertificateVerificationFail" + suffix,
4020 config: Config{
4021 MaxVersion: vers.version,
4022 Certificates: []Certificate{rsaCertificate},
4023 },
4024 flags: []string{
4025 flag,
4026 "-verify-fail",
4027 },
4028 shouldFail: true,
4029 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4030 })
4031 }
4032
4033 // By default, the client is in a soft fail mode where the peer
4034 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4035 tests = append(tests, testCase{
4036 testType: clientTest,
4037 name: "CertificateVerificationSoftFail-" + vers.name,
4038 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4039 MaxVersion: vers.version,
4040 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4041 },
4042 flags: []string{
4043 "-verify-fail",
4044 "-expect-verify-result",
4045 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4046 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4047 })
4048 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4049
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4050 tests = append(tests, testCase{
4051 name: "ShimSendAlert",
4052 flags: []string{"-send-alert"},
4053 shimWritesFirst: true,
4054 shouldFail: true,
4055 expectedLocalError: "remote error: decompression failure",
4056 })
4057
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4058 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4059 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4060 name: "Renegotiate-Client",
4061 config: Config{
4062 MaxVersion: VersionTLS12,
4063 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4064 renegotiate: 1,
4065 flags: []string{
4066 "-renegotiate-freely",
4067 "-expect-total-renegotiations", "1",
4068 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4069 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4070
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4071 tests = append(tests, testCase{
4072 name: "SendHalfHelloRequest",
4073 config: Config{
4074 MaxVersion: VersionTLS12,
4075 Bugs: ProtocolBugs{
4076 PackHelloRequestWithFinished: config.packHandshakeFlight,
4077 },
4078 },
4079 sendHalfHelloRequest: true,
4080 flags: []string{"-renegotiate-ignore"},
4081 shouldFail: true,
4082 expectedError: ":UNEXPECTED_RECORD:",
4083 })
4084
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4085 // NPN on client and server; results in post-handshake message.
4086 tests = append(tests, testCase{
4087 name: "NPN-Client",
4088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4089 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4090 NextProtos: []string{"foo"},
4091 },
4092 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4093 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4094 expectedNextProto: "foo",
4095 expectedNextProtoType: npn,
4096 })
4097 tests = append(tests, testCase{
4098 testType: serverTest,
4099 name: "NPN-Server",
4100 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4101 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4102 NextProtos: []string{"bar"},
4103 },
4104 flags: []string{
4105 "-advertise-npn", "\x03foo\x03bar\x03baz",
4106 "-expect-next-proto", "bar",
4107 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4108 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4109 expectedNextProto: "bar",
4110 expectedNextProtoType: npn,
4111 })
4112
4113 // TODO(davidben): Add tests for when False Start doesn't trigger.
4114
4115 // Client does False Start and negotiates NPN.
4116 tests = append(tests, testCase{
4117 name: "FalseStart",
4118 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4119 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4121 NextProtos: []string{"foo"},
4122 Bugs: ProtocolBugs{
4123 ExpectFalseStart: true,
4124 },
4125 },
4126 flags: []string{
4127 "-false-start",
4128 "-select-next-proto", "foo",
4129 },
4130 shimWritesFirst: true,
4131 resumeSession: true,
4132 })
4133
4134 // Client does False Start and negotiates ALPN.
4135 tests = append(tests, testCase{
4136 name: "FalseStart-ALPN",
4137 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4138 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4139 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4140 NextProtos: []string{"foo"},
4141 Bugs: ProtocolBugs{
4142 ExpectFalseStart: true,
4143 },
4144 },
4145 flags: []string{
4146 "-false-start",
4147 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]4148 "-expect-alpn", "foo",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4149 },
4150 shimWritesFirst: true,
4151 resumeSession: true,
4152 })
4153
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4154 // False Start without session tickets.
4155 tests = append(tests, testCase{
4156 name: "FalseStart-SessionTicketsDisabled",
4157 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4158 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4159 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4160 NextProtos: []string{"foo"},
4161 SessionTicketsDisabled: true,
4162 Bugs: ProtocolBugs{
4163 ExpectFalseStart: true,
4164 },
4165 },
4166 flags: []string{
4167 "-false-start",
4168 "-select-next-proto", "foo",
4169 },
4170 shimWritesFirst: true,
4171 })
4172
4173 // Server parses a V2ClientHello.
4174 tests = append(tests, testCase{
4175 testType: serverTest,
4176 name: "SendV2ClientHello",
4177 config: Config{
4178 // Choose a cipher suite that does not involve
4179 // elliptic curves, so no extensions are
4180 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4181 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4182 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4183 Bugs: ProtocolBugs{
4184 SendV2ClientHello: true,
4185 },
4186 },
4187 })
4188
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4189 // Test Channel ID
4190 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4191 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4192 continue
4193 }
4194 // Client sends a Channel ID.
4195 tests = append(tests, testCase{
4196 name: "ChannelID-Client-" + ver.name,
4197 config: Config{
4198 MaxVersion: ver.version,
4199 RequestChannelID: true,
4200 },
4201 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4202 resumeSession: true,
4203 expectChannelID: true,
4204 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4205
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4206 // Server accepts a Channel ID.
4207 tests = append(tests, testCase{
4208 testType: serverTest,
4209 name: "ChannelID-Server-" + ver.name,
4210 config: Config{
4211 MaxVersion: ver.version,
4212 ChannelID: channelIDKey,
4213 },
4214 flags: []string{
4215 "-expect-channel-id",
4216 base64.StdEncoding.EncodeToString(channelIDBytes),
4217 },
4218 resumeSession: true,
4219 expectChannelID: true,
4220 })
4221
4222 tests = append(tests, testCase{
4223 testType: serverTest,
4224 name: "InvalidChannelIDSignature-" + ver.name,
4225 config: Config{
4226 MaxVersion: ver.version,
4227 ChannelID: channelIDKey,
4228 Bugs: ProtocolBugs{
4229 InvalidChannelIDSignature: true,
4230 },
4231 },
4232 flags: []string{"-enable-channel-id"},
4233 shouldFail: true,
4234 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4235 })
4236 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4237
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4238 // Channel ID and NPN at the same time, to ensure their relative
4239 // ordering is correct.
4240 tests = append(tests, testCase{
4241 name: "ChannelID-NPN-Client",
4242 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4243 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4244 RequestChannelID: true,
4245 NextProtos: []string{"foo"},
4246 },
4247 flags: []string{
4248 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4249 "-select-next-proto", "foo",
4250 },
4251 resumeSession: true,
4252 expectChannelID: true,
4253 expectedNextProto: "foo",
4254 expectedNextProtoType: npn,
4255 })
4256 tests = append(tests, testCase{
4257 testType: serverTest,
4258 name: "ChannelID-NPN-Server",
4259 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4260 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4261 ChannelID: channelIDKey,
4262 NextProtos: []string{"bar"},
4263 },
4264 flags: []string{
4265 "-expect-channel-id",
4266 base64.StdEncoding.EncodeToString(channelIDBytes),
4267 "-advertise-npn", "\x03foo\x03bar\x03baz",
4268 "-expect-next-proto", "bar",
4269 },
4270 resumeSession: true,
4271 expectChannelID: true,
4272 expectedNextProto: "bar",
4273 expectedNextProtoType: npn,
4274 })
4275
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4276 // Bidirectional shutdown with the runner initiating.
4277 tests = append(tests, testCase{
4278 name: "Shutdown-Runner",
4279 config: Config{
4280 Bugs: ProtocolBugs{
4281 ExpectCloseNotify: true,
4282 },
4283 },
4284 flags: []string{"-check-close-notify"},
4285 })
4286
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4287 if !config.implicitHandshake {
4288 // Bidirectional shutdown with the shim initiating. The runner,
4289 // in the meantime, sends garbage before the close_notify which
4290 // the shim must ignore. This test is disabled under implicit
4291 // handshake tests because the shim never reads or writes.
4292 tests = append(tests, testCase{
4293 name: "Shutdown-Shim",
4294 config: Config{
4295 MaxVersion: VersionTLS12,
4296 Bugs: ProtocolBugs{
4297 ExpectCloseNotify: true,
4298 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4299 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4300 shimShutsDown: true,
4301 sendEmptyRecords: 1,
4302 sendWarningAlerts: 1,
4303 flags: []string{"-check-close-notify"},
4304 })
4305 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4306 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4307 // TODO(davidben): DTLS 1.3 will want a similar thing for
4308 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4309 tests = append(tests, testCase{
4310 name: "SkipHelloVerifyRequest",
4311 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4312 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4313 Bugs: ProtocolBugs{
4314 SkipHelloVerifyRequest: true,
4315 },
4316 },
4317 })
4318 }
4319
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4320 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4321 test.protocol = config.protocol
4322 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4323 test.name += "-DTLS"
4324 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4325 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4326 test.name += "-Async"
4327 test.flags = append(test.flags, "-async")
4328 } else {
4329 test.name += "-Sync"
4330 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4331 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4332 test.name += "-SplitHandshakeRecords"
4333 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4334 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4335 test.config.Bugs.MaxPacketLength = 256
4336 test.flags = append(test.flags, "-mtu", "256")
4337 }
4338 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4339 if config.packHandshakeFlight {
4340 test.name += "-PackHandshakeFlight"
4341 test.config.Bugs.PackHandshakeFlight = true
4342 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4343 if config.implicitHandshake {
4344 test.name += "-ImplicitHandshake"
4345 test.flags = append(test.flags, "-implicit-handshake")
4346 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4347 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4348 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4349}
4350
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4351func addDDoSCallbackTests() {
4352 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4353 for _, resume := range []bool{false, true} {
4354 suffix := "Resume"
4355 if resume {
4356 suffix = "No" + suffix
4357 }
4358
4359 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4360 testType: serverTest,
4361 name: "Server-DDoS-OK-" + suffix,
4362 config: Config{
4363 MaxVersion: VersionTLS12,
4364 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4365 flags: []string{"-install-ddos-callback"},
4366 resumeSession: resume,
4367 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4368 testCases = append(testCases, testCase{
4369 testType: serverTest,
4370 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4371 config: Config{
4372 MaxVersion: VersionTLS13,
4373 },
4374 flags: []string{"-install-ddos-callback"},
4375 resumeSession: resume,
4376 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4377
4378 failFlag := "-fail-ddos-callback"
4379 if resume {
4380 failFlag = "-fail-second-ddos-callback"
4381 }
4382 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4383 testType: serverTest,
4384 name: "Server-DDoS-Reject-" + suffix,
4385 config: Config{
4386 MaxVersion: VersionTLS12,
4387 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4388 flags: []string{"-install-ddos-callback", failFlag},
4389 resumeSession: resume,
4390 shouldFail: true,
4391 expectedError: ":CONNECTION_REJECTED:",
4392 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4393 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4394 testCases = append(testCases, testCase{
4395 testType: serverTest,
4396 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4397 config: Config{
4398 MaxVersion: VersionTLS13,
4399 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4400 flags: []string{"-install-ddos-callback", failFlag},
4401 resumeSession: resume,
4402 shouldFail: true,
4403 expectedError: ":CONNECTION_REJECTED:",
4404 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4405 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4406 }
4407}
4408
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4409func addVersionNegotiationTests() {
4410 for i, shimVers := range tlsVersions {
4411 // Assemble flags to disable all newer versions on the shim.
4412 var flags []string
4413 for _, vers := range tlsVersions[i+1:] {
4414 flags = append(flags, vers.flag)
4415 }
4416
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4417 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4418 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4419 protocols := []protocol{tls}
4420 if runnerVers.hasDTLS && shimVers.hasDTLS {
4421 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4422 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4423 for _, protocol := range protocols {
4424 expectedVersion := shimVers.version
4425 if runnerVers.version < shimVers.version {
4426 expectedVersion = runnerVers.version
4427 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4428
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4429 suffix := shimVers.name + "-" + runnerVers.name
4430 if protocol == dtls {
4431 suffix += "-DTLS"
4432 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4433
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4434 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4435
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4436 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4437 clientVers := shimVers.version
4438 if clientVers > VersionTLS10 {
4439 clientVers = VersionTLS10
4440 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4441 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4442 serverVers := expectedVersion
4443 if expectedVersion >= VersionTLS13 {
4444 serverVers = VersionTLS10
4445 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4446 serverVers = versionToWire(serverVers, protocol == dtls)
4447
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4448 testCases = append(testCases, testCase{
4449 protocol: protocol,
4450 testType: clientTest,
4451 name: "VersionNegotiation-Client-" + suffix,
4452 config: Config{
4453 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4454 Bugs: ProtocolBugs{
4455 ExpectInitialRecordVersion: clientVers,
4456 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4457 },
4458 flags: flags,
4459 expectedVersion: expectedVersion,
4460 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4461 testCases = append(testCases, testCase{
4462 protocol: protocol,
4463 testType: clientTest,
4464 name: "VersionNegotiation-Client2-" + suffix,
4465 config: Config{
4466 MaxVersion: runnerVers.version,
4467 Bugs: ProtocolBugs{
4468 ExpectInitialRecordVersion: clientVers,
4469 },
4470 },
4471 flags: []string{"-max-version", shimVersFlag},
4472 expectedVersion: expectedVersion,
4473 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4474
4475 testCases = append(testCases, testCase{
4476 protocol: protocol,
4477 testType: serverTest,
4478 name: "VersionNegotiation-Server-" + suffix,
4479 config: Config{
4480 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4481 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4482 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4483 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4484 },
4485 flags: flags,
4486 expectedVersion: expectedVersion,
4487 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4488 testCases = append(testCases, testCase{
4489 protocol: protocol,
4490 testType: serverTest,
4491 name: "VersionNegotiation-Server2-" + suffix,
4492 config: Config{
4493 MaxVersion: runnerVers.version,
4494 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4495 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4496 },
4497 },
4498 flags: []string{"-max-version", shimVersFlag},
4499 expectedVersion: expectedVersion,
4500 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4501 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4502 }
4503 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4504
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4505 // Test the version extension at all versions.
4506 for _, vers := range tlsVersions {
4507 protocols := []protocol{tls}
4508 if vers.hasDTLS {
4509 protocols = append(protocols, dtls)
4510 }
4511 for _, protocol := range protocols {
4512 suffix := vers.name
4513 if protocol == dtls {
4514 suffix += "-DTLS"
4515 }
4516
4517 wireVersion := versionToWire(vers.version, protocol == dtls)
4518 testCases = append(testCases, testCase{
4519 protocol: protocol,
4520 testType: serverTest,
4521 name: "VersionNegotiationExtension-" + suffix,
4522 config: Config{
4523 Bugs: ProtocolBugs{
4524 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4525 },
4526 },
4527 expectedVersion: vers.version,
4528 })
4529 }
4530
4531 }
4532
4533 // If all versions are unknown, negotiation fails.
4534 testCases = append(testCases, testCase{
4535 testType: serverTest,
4536 name: "NoSupportedVersions",
4537 config: Config{
4538 Bugs: ProtocolBugs{
4539 SendSupportedVersions: []uint16{0x1111},
4540 },
4541 },
4542 shouldFail: true,
4543 expectedError: ":UNSUPPORTED_PROTOCOL:",
4544 })
4545 testCases = append(testCases, testCase{
4546 protocol: dtls,
4547 testType: serverTest,
4548 name: "NoSupportedVersions-DTLS",
4549 config: Config{
4550 Bugs: ProtocolBugs{
4551 SendSupportedVersions: []uint16{0x1111},
4552 },
4553 },
4554 shouldFail: true,
4555 expectedError: ":UNSUPPORTED_PROTOCOL:",
4556 })
4557
4558 testCases = append(testCases, testCase{
4559 testType: serverTest,
4560 name: "ClientHelloVersionTooHigh",
4561 config: Config{
4562 MaxVersion: VersionTLS13,
4563 Bugs: ProtocolBugs{
4564 SendClientVersion: 0x0304,
4565 OmitSupportedVersions: true,
4566 },
4567 },
4568 expectedVersion: VersionTLS12,
4569 })
4570
4571 testCases = append(testCases, testCase{
4572 testType: serverTest,
4573 name: "ConflictingVersionNegotiation",
4574 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4575 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4576 SendClientVersion: VersionTLS12,
4577 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4578 },
4579 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4580 // The extension takes precedence over the ClientHello version.
4581 expectedVersion: VersionTLS11,
4582 })
4583
4584 testCases = append(testCases, testCase{
4585 testType: serverTest,
4586 name: "ConflictingVersionNegotiation-2",
4587 config: Config{
4588 Bugs: ProtocolBugs{
4589 SendClientVersion: VersionTLS11,
4590 SendSupportedVersions: []uint16{VersionTLS12},
4591 },
4592 },
4593 // The extension takes precedence over the ClientHello version.
4594 expectedVersion: VersionTLS12,
4595 })
4596
4597 testCases = append(testCases, testCase{
4598 testType: serverTest,
4599 name: "RejectFinalTLS13",
4600 config: Config{
4601 Bugs: ProtocolBugs{
4602 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4603 },
4604 },
4605 // We currently implement a draft TLS 1.3 version. Ensure that
4606 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4607 expectedVersion: VersionTLS12,
4608 })
4609
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4610 // Test that the maximum version is selected regardless of the
4611 // client-sent order.
4612 testCases = append(testCases, testCase{
4613 testType: serverTest,
4614 name: "IgnoreClientVersionOrder",
4615 config: Config{
4616 Bugs: ProtocolBugs{
4617 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4618 },
4619 },
4620 expectedVersion: VersionTLS13,
4621 })
4622
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4623 // Test for version tolerance.
4624 testCases = append(testCases, testCase{
4625 testType: serverTest,
4626 name: "MinorVersionTolerance",
4627 config: Config{
4628 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4629 SendClientVersion: 0x03ff,
4630 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4631 },
4632 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4633 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4634 })
4635 testCases = append(testCases, testCase{
4636 testType: serverTest,
4637 name: "MajorVersionTolerance",
4638 config: Config{
4639 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4640 SendClientVersion: 0x0400,
4641 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4642 },
4643 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4644 // TLS 1.3 must be negotiated with the supported_versions
4645 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4646 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4647 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4648 testCases = append(testCases, testCase{
4649 testType: serverTest,
4650 name: "VersionTolerance-TLS13",
4651 config: Config{
4652 Bugs: ProtocolBugs{
4653 // Although TLS 1.3 does not use
4654 // ClientHello.version, it still tolerates high
4655 // values there.
4656 SendClientVersion: 0x0400,
4657 },
4658 },
4659 expectedVersion: VersionTLS13,
4660 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4661
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4662 testCases = append(testCases, testCase{
4663 protocol: dtls,
4664 testType: serverTest,
4665 name: "MinorVersionTolerance-DTLS",
4666 config: Config{
4667 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4668 SendClientVersion: 0xfe00,
4669 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4670 },
4671 },
4672 expectedVersion: VersionTLS12,
4673 })
4674 testCases = append(testCases, testCase{
4675 protocol: dtls,
4676 testType: serverTest,
4677 name: "MajorVersionTolerance-DTLS",
4678 config: Config{
4679 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4680 SendClientVersion: 0xfdff,
4681 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4682 },
4683 },
4684 expectedVersion: VersionTLS12,
4685 })
4686
4687 // Test that versions below 3.0 are rejected.
4688 testCases = append(testCases, testCase{
4689 testType: serverTest,
4690 name: "VersionTooLow",
4691 config: Config{
4692 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4693 SendClientVersion: 0x0200,
4694 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4695 },
4696 },
4697 shouldFail: true,
4698 expectedError: ":UNSUPPORTED_PROTOCOL:",
4699 })
4700 testCases = append(testCases, testCase{
4701 protocol: dtls,
4702 testType: serverTest,
4703 name: "VersionTooLow-DTLS",
4704 config: Config{
4705 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4706 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4707 },
4708 },
4709 shouldFail: true,
4710 expectedError: ":UNSUPPORTED_PROTOCOL:",
4711 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4712
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4713 testCases = append(testCases, testCase{
4714 name: "ServerBogusVersion",
4715 config: Config{
4716 Bugs: ProtocolBugs{
4717 SendServerHelloVersion: 0x1234,
4718 },
4719 },
4720 shouldFail: true,
4721 expectedError: ":UNSUPPORTED_PROTOCOL:",
4722 })
4723
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4724 // Test TLS 1.3's downgrade signal.
4725 testCases = append(testCases, testCase{
4726 name: "Downgrade-TLS12-Client",
4727 config: Config{
4728 Bugs: ProtocolBugs{
4729 NegotiateVersion: VersionTLS12,
4730 },
4731 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4732 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4733 // TODO(davidben): This test should fail once TLS 1.3 is final
4734 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4735 })
4736 testCases = append(testCases, testCase{
4737 testType: serverTest,
4738 name: "Downgrade-TLS12-Server",
4739 config: Config{
4740 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4741 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4742 },
4743 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4744 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4745 // TODO(davidben): This test should fail once TLS 1.3 is final
4746 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4747 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4748}
4749
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4750func addMinimumVersionTests() {
4751 for i, shimVers := range tlsVersions {
4752 // Assemble flags to disable all older versions on the shim.
4753 var flags []string
4754 for _, vers := range tlsVersions[:i] {
4755 flags = append(flags, vers.flag)
4756 }
4757
4758 for _, runnerVers := range tlsVersions {
4759 protocols := []protocol{tls}
4760 if runnerVers.hasDTLS && shimVers.hasDTLS {
4761 protocols = append(protocols, dtls)
4762 }
4763 for _, protocol := range protocols {
4764 suffix := shimVers.name + "-" + runnerVers.name
4765 if protocol == dtls {
4766 suffix += "-DTLS"
4767 }
4768 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4769
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4770 var expectedVersion uint16
4771 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4772 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4773 if runnerVers.version >= shimVers.version {
4774 expectedVersion = runnerVers.version
4775 } else {
4776 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4777 expectedError = ":UNSUPPORTED_PROTOCOL:"
4778 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4779 }
4780
4781 testCases = append(testCases, testCase{
4782 protocol: protocol,
4783 testType: clientTest,
4784 name: "MinimumVersion-Client-" + suffix,
4785 config: Config{
4786 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4787 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4788 // Ensure the server does not decline to
4789 // select a version (versions extension) or
4790 // cipher (some ciphers depend on versions).
4791 NegotiateVersion: runnerVers.version,
4792 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4793 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4794 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4795 flags: flags,
4796 expectedVersion: expectedVersion,
4797 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4798 expectedError: expectedError,
4799 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4800 })
4801 testCases = append(testCases, testCase{
4802 protocol: protocol,
4803 testType: clientTest,
4804 name: "MinimumVersion-Client2-" + suffix,
4805 config: Config{
4806 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4807 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4808 // Ensure the server does not decline to
4809 // select a version (versions extension) or
4810 // cipher (some ciphers depend on versions).
4811 NegotiateVersion: runnerVers.version,
4812 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4813 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4814 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4815 flags: []string{"-min-version", shimVersFlag},
4816 expectedVersion: expectedVersion,
4817 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4818 expectedError: expectedError,
4819 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4820 })
4821
4822 testCases = append(testCases, testCase{
4823 protocol: protocol,
4824 testType: serverTest,
4825 name: "MinimumVersion-Server-" + suffix,
4826 config: Config{
4827 MaxVersion: runnerVers.version,
4828 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4829 flags: flags,
4830 expectedVersion: expectedVersion,
4831 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4832 expectedError: expectedError,
4833 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4834 })
4835 testCases = append(testCases, testCase{
4836 protocol: protocol,
4837 testType: serverTest,
4838 name: "MinimumVersion-Server2-" + suffix,
4839 config: Config{
4840 MaxVersion: runnerVers.version,
4841 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4842 flags: []string{"-min-version", shimVersFlag},
4843 expectedVersion: expectedVersion,
4844 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4845 expectedError: expectedError,
4846 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4847 })
4848 }
4849 }
4850 }
4851}
4852
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4853func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4854 // TODO(davidben): Extensions, where applicable, all move their server
4855 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4856 // tests for both. Also test interaction with 0-RTT when implemented.
4857
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4858 // Repeat extensions tests all versions except SSL 3.0.
4859 for _, ver := range tlsVersions {
4860 if ver.version == VersionSSL30 {
4861 continue
4862 }
4863
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4864 // Test that duplicate extensions are rejected.
4865 testCases = append(testCases, testCase{
4866 testType: clientTest,
4867 name: "DuplicateExtensionClient-" + ver.name,
4868 config: Config{
4869 MaxVersion: ver.version,
4870 Bugs: ProtocolBugs{
4871 DuplicateExtension: true,
4872 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4873 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4874 shouldFail: true,
4875 expectedLocalError: "remote error: error decoding message",
4876 })
4877 testCases = append(testCases, testCase{
4878 testType: serverTest,
4879 name: "DuplicateExtensionServer-" + ver.name,
4880 config: Config{
4881 MaxVersion: ver.version,
4882 Bugs: ProtocolBugs{
4883 DuplicateExtension: true,
4884 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4885 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4886 shouldFail: true,
4887 expectedLocalError: "remote error: error decoding message",
4888 })
4889
4890 // Test SNI.
4891 testCases = append(testCases, testCase{
4892 testType: clientTest,
4893 name: "ServerNameExtensionClient-" + ver.name,
4894 config: Config{
4895 MaxVersion: ver.version,
4896 Bugs: ProtocolBugs{
4897 ExpectServerName: "example.com",
4898 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4899 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4900 flags: []string{"-host-name", "example.com"},
4901 })
4902 testCases = append(testCases, testCase{
4903 testType: clientTest,
4904 name: "ServerNameExtensionClientMismatch-" + ver.name,
4905 config: Config{
4906 MaxVersion: ver.version,
4907 Bugs: ProtocolBugs{
4908 ExpectServerName: "mismatch.com",
4909 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4910 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4911 flags: []string{"-host-name", "example.com"},
4912 shouldFail: true,
4913 expectedLocalError: "tls: unexpected server name",
4914 })
4915 testCases = append(testCases, testCase{
4916 testType: clientTest,
4917 name: "ServerNameExtensionClientMissing-" + ver.name,
4918 config: Config{
4919 MaxVersion: ver.version,
4920 Bugs: ProtocolBugs{
4921 ExpectServerName: "missing.com",
4922 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4923 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4924 shouldFail: true,
4925 expectedLocalError: "tls: unexpected server name",
4926 })
4927 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4928 testType: clientTest,
4929 name: "TolerateServerNameAck-" + ver.name,
4930 config: Config{
4931 MaxVersion: ver.version,
4932 Bugs: ProtocolBugs{
4933 SendServerNameAck: true,
4934 },
4935 },
4936 flags: []string{"-host-name", "example.com"},
4937 resumeSession: true,
4938 })
4939 testCases = append(testCases, testCase{
4940 testType: clientTest,
4941 name: "UnsolicitedServerNameAck-" + ver.name,
4942 config: Config{
4943 MaxVersion: ver.version,
4944 Bugs: ProtocolBugs{
4945 SendServerNameAck: true,
4946 },
4947 },
4948 shouldFail: true,
4949 expectedError: ":UNEXPECTED_EXTENSION:",
4950 expectedLocalError: "remote error: unsupported extension",
4951 })
4952 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4953 testType: serverTest,
4954 name: "ServerNameExtensionServer-" + ver.name,
4955 config: Config{
4956 MaxVersion: ver.version,
4957 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4958 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4959 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4960 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4961 })
4962
4963 // Test ALPN.
4964 testCases = append(testCases, testCase{
4965 testType: clientTest,
4966 name: "ALPNClient-" + ver.name,
4967 config: Config{
4968 MaxVersion: ver.version,
4969 NextProtos: []string{"foo"},
4970 },
4971 flags: []string{
4972 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4973 "-expect-alpn", "foo",
4974 },
4975 expectedNextProto: "foo",
4976 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4977 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4978 })
4979 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4980 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4981 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4982 config: Config{
4983 MaxVersion: ver.version,
4984 Bugs: ProtocolBugs{
4985 SendALPN: "baz",
4986 },
4987 },
4988 flags: []string{
4989 "-advertise-alpn", "\x03foo\x03bar",
4990 },
4991 shouldFail: true,
4992 expectedError: ":INVALID_ALPN_PROTOCOL:",
4993 expectedLocalError: "remote error: illegal parameter",
4994 })
4995 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4996 testType: clientTest,
4997 name: "ALPNClient-AllowUnknown-" + ver.name,
4998 config: Config{
4999 MaxVersion: ver.version,
5000 Bugs: ProtocolBugs{
5001 SendALPN: "baz",
5002 },
5003 },
5004 flags: []string{
5005 "-advertise-alpn", "\x03foo\x03bar",
5006 "-allow-unknown-alpn-protos",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]5007 "-expect-alpn", "baz",
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5008 },
5009 })
5010 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5011 testType: serverTest,
5012 name: "ALPNServer-" + ver.name,
5013 config: Config{
5014 MaxVersion: ver.version,
5015 NextProtos: []string{"foo", "bar", "baz"},
5016 },
5017 flags: []string{
5018 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5019 "-select-alpn", "foo",
5020 },
5021 expectedNextProto: "foo",
5022 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5023 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5024 })
5025 testCases = append(testCases, testCase{
5026 testType: serverTest,
5027 name: "ALPNServer-Decline-" + ver.name,
5028 config: Config{
5029 MaxVersion: ver.version,
5030 NextProtos: []string{"foo", "bar", "baz"},
5031 },
5032 flags: []string{"-decline-alpn"},
5033 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5034 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5035 })
5036
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5037 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5038 // called once.
5039 testCases = append(testCases, testCase{
5040 testType: serverTest,
5041 name: "ALPNServer-Async-" + ver.name,
5042 config: Config{
5043 MaxVersion: ver.version,
5044 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5045 // Prior to TLS 1.3, exercise the asynchronous session callback.
5046 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5047 },
5048 flags: []string{
5049 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5050 "-select-alpn", "foo",
5051 "-async",
5052 },
5053 expectedNextProto: "foo",
5054 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5055 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5056 })
5057
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5058 var emptyString string
5059 testCases = append(testCases, testCase{
5060 testType: clientTest,
5061 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5062 config: Config{
5063 MaxVersion: ver.version,
5064 NextProtos: []string{""},
5065 Bugs: ProtocolBugs{
5066 // A server returning an empty ALPN protocol
5067 // should be rejected.
5068 ALPNProtocol: &emptyString,
5069 },
5070 },
5071 flags: []string{
5072 "-advertise-alpn", "\x03foo",
5073 },
5074 shouldFail: true,
5075 expectedError: ":PARSE_TLSEXT:",
5076 })
5077 testCases = append(testCases, testCase{
5078 testType: serverTest,
5079 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5080 config: Config{
5081 MaxVersion: ver.version,
5082 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5083 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5084 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5085 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5086 flags: []string{
5087 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5088 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5089 shouldFail: true,
5090 expectedError: ":PARSE_TLSEXT:",
5091 })
5092
5093 // Test NPN and the interaction with ALPN.
5094 if ver.version < VersionTLS13 {
5095 // Test that the server prefers ALPN over NPN.
5096 testCases = append(testCases, testCase{
5097 testType: serverTest,
5098 name: "ALPNServer-Preferred-" + ver.name,
5099 config: Config{
5100 MaxVersion: ver.version,
5101 NextProtos: []string{"foo", "bar", "baz"},
5102 },
5103 flags: []string{
5104 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5105 "-select-alpn", "foo",
5106 "-advertise-npn", "\x03foo\x03bar\x03baz",
5107 },
5108 expectedNextProto: "foo",
5109 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5110 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5111 })
5112 testCases = append(testCases, testCase{
5113 testType: serverTest,
5114 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5115 config: Config{
5116 MaxVersion: ver.version,
5117 NextProtos: []string{"foo", "bar", "baz"},
5118 Bugs: ProtocolBugs{
5119 SwapNPNAndALPN: true,
5120 },
5121 },
5122 flags: []string{
5123 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5124 "-select-alpn", "foo",
5125 "-advertise-npn", "\x03foo\x03bar\x03baz",
5126 },
5127 expectedNextProto: "foo",
5128 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5129 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5130 })
5131
5132 // Test that negotiating both NPN and ALPN is forbidden.
5133 testCases = append(testCases, testCase{
5134 name: "NegotiateALPNAndNPN-" + ver.name,
5135 config: Config{
5136 MaxVersion: ver.version,
5137 NextProtos: []string{"foo", "bar", "baz"},
5138 Bugs: ProtocolBugs{
5139 NegotiateALPNAndNPN: true,
5140 },
5141 },
5142 flags: []string{
5143 "-advertise-alpn", "\x03foo",
5144 "-select-next-proto", "foo",
5145 },
5146 shouldFail: true,
5147 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5148 })
5149 testCases = append(testCases, testCase{
5150 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5151 config: Config{
5152 MaxVersion: ver.version,
5153 NextProtos: []string{"foo", "bar", "baz"},
5154 Bugs: ProtocolBugs{
5155 NegotiateALPNAndNPN: true,
5156 SwapNPNAndALPN: true,
5157 },
5158 },
5159 flags: []string{
5160 "-advertise-alpn", "\x03foo",
5161 "-select-next-proto", "foo",
5162 },
5163 shouldFail: true,
5164 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5165 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5166 }
5167
5168 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5169
5170 // Resume with a corrupt ticket.
5171 testCases = append(testCases, testCase{
5172 testType: serverTest,
5173 name: "CorruptTicket-" + ver.name,
5174 config: Config{
5175 MaxVersion: ver.version,
5176 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5177 FilterTicket: func(in []byte) ([]byte, error) {
5178 in[len(in)-1] ^= 1
5179 return in, nil
5180 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5181 },
5182 },
5183 resumeSession: true,
5184 expectResumeRejected: true,
5185 })
5186 // Test the ticket callback, with and without renewal.
5187 testCases = append(testCases, testCase{
5188 testType: serverTest,
5189 name: "TicketCallback-" + ver.name,
5190 config: Config{
5191 MaxVersion: ver.version,
5192 },
5193 resumeSession: true,
5194 flags: []string{"-use-ticket-callback"},
5195 })
5196 testCases = append(testCases, testCase{
5197 testType: serverTest,
5198 name: "TicketCallback-Renew-" + ver.name,
5199 config: Config{
5200 MaxVersion: ver.version,
5201 Bugs: ProtocolBugs{
5202 ExpectNewTicket: true,
5203 },
5204 },
5205 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5206 resumeSession: true,
5207 })
5208
5209 // Test that the ticket callback is only called once when everything before
5210 // it in the ClientHello is asynchronous. This corrupts the ticket so
5211 // certificate selection callbacks run.
5212 testCases = append(testCases, testCase{
5213 testType: serverTest,
5214 name: "TicketCallback-SingleCall-" + ver.name,
5215 config: Config{
5216 MaxVersion: ver.version,
5217 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5218 FilterTicket: func(in []byte) ([]byte, error) {
5219 in[len(in)-1] ^= 1
5220 return in, nil
5221 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5222 },
5223 },
5224 resumeSession: true,
5225 expectResumeRejected: true,
5226 flags: []string{
5227 "-use-ticket-callback",
5228 "-async",
5229 },
5230 })
5231
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5232 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5233 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5234 testCases = append(testCases, testCase{
5235 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5236 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5237 config: Config{
5238 MaxVersion: ver.version,
5239 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5240 EmptyTicketSessionID: true,
5241 },
5242 },
5243 resumeSession: true,
5244 })
5245 testCases = append(testCases, testCase{
5246 testType: serverTest,
5247 name: "TicketSessionIDLength-16-" + ver.name,
5248 config: Config{
5249 MaxVersion: ver.version,
5250 Bugs: ProtocolBugs{
5251 TicketSessionIDLength: 16,
5252 },
5253 },
5254 resumeSession: true,
5255 })
5256 testCases = append(testCases, testCase{
5257 testType: serverTest,
5258 name: "TicketSessionIDLength-32-" + ver.name,
5259 config: Config{
5260 MaxVersion: ver.version,
5261 Bugs: ProtocolBugs{
5262 TicketSessionIDLength: 32,
5263 },
5264 },
5265 resumeSession: true,
5266 })
5267 testCases = append(testCases, testCase{
5268 testType: serverTest,
5269 name: "TicketSessionIDLength-33-" + ver.name,
5270 config: Config{
5271 MaxVersion: ver.version,
5272 Bugs: ProtocolBugs{
5273 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5274 },
5275 },
5276 resumeSession: true,
5277 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5278 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5279 expectedError: ":DECODE_ERROR:",
5280 })
5281 }
5282
5283 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5284 // are ignored.
5285 if ver.hasDTLS {
5286 testCases = append(testCases, testCase{
5287 protocol: dtls,
5288 name: "SRTP-Client-" + ver.name,
5289 config: Config{
5290 MaxVersion: ver.version,
5291 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5292 },
5293 flags: []string{
5294 "-srtp-profiles",
5295 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5296 },
5297 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5298 })
5299 testCases = append(testCases, testCase{
5300 protocol: dtls,
5301 testType: serverTest,
5302 name: "SRTP-Server-" + ver.name,
5303 config: Config{
5304 MaxVersion: ver.version,
5305 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5306 },
5307 flags: []string{
5308 "-srtp-profiles",
5309 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5310 },
5311 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5312 })
5313 // Test that the MKI is ignored.
5314 testCases = append(testCases, testCase{
5315 protocol: dtls,
5316 testType: serverTest,
5317 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5318 config: Config{
5319 MaxVersion: ver.version,
5320 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5321 Bugs: ProtocolBugs{
5322 SRTPMasterKeyIdentifer: "bogus",
5323 },
5324 },
5325 flags: []string{
5326 "-srtp-profiles",
5327 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5328 },
5329 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5330 })
5331 // Test that SRTP isn't negotiated on the server if there were
5332 // no matching profiles.
5333 testCases = append(testCases, testCase{
5334 protocol: dtls,
5335 testType: serverTest,
5336 name: "SRTP-Server-NoMatch-" + ver.name,
5337 config: Config{
5338 MaxVersion: ver.version,
5339 SRTPProtectionProfiles: []uint16{100, 101, 102},
5340 },
5341 flags: []string{
5342 "-srtp-profiles",
5343 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5344 },
5345 expectedSRTPProtectionProfile: 0,
5346 })
5347 // Test that the server returning an invalid SRTP profile is
5348 // flagged as an error by the client.
5349 testCases = append(testCases, testCase{
5350 protocol: dtls,
5351 name: "SRTP-Client-NoMatch-" + ver.name,
5352 config: Config{
5353 MaxVersion: ver.version,
5354 Bugs: ProtocolBugs{
5355 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5356 },
5357 },
5358 flags: []string{
5359 "-srtp-profiles",
5360 "SRTP_AES128_CM_SHA1_80",
5361 },
5362 shouldFail: true,
5363 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5364 })
5365 }
5366
5367 // Test SCT list.
5368 testCases = append(testCases, testCase{
5369 name: "SignedCertificateTimestampList-Client-" + ver.name,
5370 testType: clientTest,
5371 config: Config{
5372 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5373 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5374 flags: []string{
5375 "-enable-signed-cert-timestamps",
5376 "-expect-signed-cert-timestamps",
5377 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5378 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5379 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5380 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5381
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5382 var differentSCTList []byte
5383 differentSCTList = append(differentSCTList, testSCTList...)
5384 differentSCTList[len(differentSCTList)-1] ^= 1
5385
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5386 // The SCT extension did not specify that it must only be sent on resumption as it
5387 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5388 testCases = append(testCases, testCase{
5389 name: "SendSCTListOnResume-" + ver.name,
5390 config: Config{
5391 MaxVersion: ver.version,
5392 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5393 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5394 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5395 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5396 flags: []string{
5397 "-enable-signed-cert-timestamps",
5398 "-expect-signed-cert-timestamps",
5399 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5400 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5401 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5402 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5403
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5404 testCases = append(testCases, testCase{
5405 name: "SignedCertificateTimestampList-Server-" + ver.name,
5406 testType: serverTest,
5407 config: Config{
5408 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5409 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5410 flags: []string{
5411 "-signed-cert-timestamps",
5412 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5413 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5414 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5415 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5416 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5417
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5418 emptySCTListCert := *testCerts[0].cert
5419 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5420
5421 // Test empty SCT list.
5422 testCases = append(testCases, testCase{
5423 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5424 testType: clientTest,
5425 config: Config{
5426 MaxVersion: ver.version,
5427 Certificates: []Certificate{emptySCTListCert},
5428 },
5429 flags: []string{
5430 "-enable-signed-cert-timestamps",
5431 },
5432 shouldFail: true,
5433 expectedError: ":ERROR_PARSING_EXTENSION:",
5434 })
5435
5436 emptySCTCert := *testCerts[0].cert
5437 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5438
5439 // Test empty SCT in non-empty list.
5440 testCases = append(testCases, testCase{
5441 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5442 testType: clientTest,
5443 config: Config{
5444 MaxVersion: ver.version,
5445 Certificates: []Certificate{emptySCTCert},
5446 },
5447 flags: []string{
5448 "-enable-signed-cert-timestamps",
5449 },
5450 shouldFail: true,
5451 expectedError: ":ERROR_PARSING_EXTENSION:",
5452 })
5453
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5454 // Test that certificate-related extensions are not sent unsolicited.
5455 testCases = append(testCases, testCase{
5456 testType: serverTest,
5457 name: "UnsolicitedCertificateExtensions-" + ver.name,
5458 config: Config{
5459 MaxVersion: ver.version,
5460 Bugs: ProtocolBugs{
5461 NoOCSPStapling: true,
5462 NoSignedCertificateTimestamps: true,
5463 },
5464 },
5465 flags: []string{
5466 "-ocsp-response",
5467 base64.StdEncoding.EncodeToString(testOCSPResponse),
5468 "-signed-cert-timestamps",
5469 base64.StdEncoding.EncodeToString(testSCTList),
5470 },
5471 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5472 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5473
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5474 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5475 testType: clientTest,
5476 name: "ClientHelloPadding",
5477 config: Config{
5478 Bugs: ProtocolBugs{
5479 RequireClientHelloSize: 512,
5480 },
5481 },
5482 // This hostname just needs to be long enough to push the
5483 // ClientHello into F5's danger zone between 256 and 511 bytes
5484 // long.
5485 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5486 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5487
5488 // Extensions should not function in SSL 3.0.
5489 testCases = append(testCases, testCase{
5490 testType: serverTest,
5491 name: "SSLv3Extensions-NoALPN",
5492 config: Config{
5493 MaxVersion: VersionSSL30,
5494 NextProtos: []string{"foo", "bar", "baz"},
5495 },
5496 flags: []string{
5497 "-select-alpn", "foo",
5498 },
5499 expectNoNextProto: true,
5500 })
5501
5502 // Test session tickets separately as they follow a different codepath.
5503 testCases = append(testCases, testCase{
5504 testType: serverTest,
5505 name: "SSLv3Extensions-NoTickets",
5506 config: Config{
5507 MaxVersion: VersionSSL30,
5508 Bugs: ProtocolBugs{
5509 // Historically, session tickets in SSL 3.0
5510 // failed in different ways depending on whether
5511 // the client supported renegotiation_info.
5512 NoRenegotiationInfo: true,
5513 },
5514 },
5515 resumeSession: true,
5516 })
5517 testCases = append(testCases, testCase{
5518 testType: serverTest,
5519 name: "SSLv3Extensions-NoTickets2",
5520 config: Config{
5521 MaxVersion: VersionSSL30,
5522 },
5523 resumeSession: true,
5524 })
5525
5526 // But SSL 3.0 does send and process renegotiation_info.
5527 testCases = append(testCases, testCase{
5528 testType: serverTest,
5529 name: "SSLv3Extensions-RenegotiationInfo",
5530 config: Config{
5531 MaxVersion: VersionSSL30,
5532 Bugs: ProtocolBugs{
5533 RequireRenegotiationInfo: true,
5534 },
5535 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5536 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5537 })
5538 testCases = append(testCases, testCase{
5539 testType: serverTest,
5540 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5541 config: Config{
5542 MaxVersion: VersionSSL30,
5543 Bugs: ProtocolBugs{
5544 NoRenegotiationInfo: true,
5545 SendRenegotiationSCSV: true,
5546 RequireRenegotiationInfo: true,
5547 },
5548 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5549 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5550 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5551
5552 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5553 // in ServerHello.
5554 testCases = append(testCases, testCase{
5555 name: "NPN-Forbidden-TLS13",
5556 config: Config{
5557 MaxVersion: VersionTLS13,
5558 NextProtos: []string{"foo"},
5559 Bugs: ProtocolBugs{
5560 NegotiateNPNAtAllVersions: true,
5561 },
5562 },
5563 flags: []string{"-select-next-proto", "foo"},
5564 shouldFail: true,
5565 expectedError: ":ERROR_PARSING_EXTENSION:",
5566 })
5567 testCases = append(testCases, testCase{
5568 name: "EMS-Forbidden-TLS13",
5569 config: Config{
5570 MaxVersion: VersionTLS13,
5571 Bugs: ProtocolBugs{
5572 NegotiateEMSAtAllVersions: true,
5573 },
5574 },
5575 shouldFail: true,
5576 expectedError: ":ERROR_PARSING_EXTENSION:",
5577 })
5578 testCases = append(testCases, testCase{
5579 name: "RenegotiationInfo-Forbidden-TLS13",
5580 config: Config{
5581 MaxVersion: VersionTLS13,
5582 Bugs: ProtocolBugs{
5583 NegotiateRenegotiationInfoAtAllVersions: true,
5584 },
5585 },
5586 shouldFail: true,
5587 expectedError: ":ERROR_PARSING_EXTENSION:",
5588 })
5589 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5590 name: "Ticket-Forbidden-TLS13",
5591 config: Config{
5592 MaxVersion: VersionTLS12,
5593 },
5594 resumeConfig: &Config{
5595 MaxVersion: VersionTLS13,
5596 Bugs: ProtocolBugs{
5597 AdvertiseTicketExtension: true,
5598 },
5599 },
5600 resumeSession: true,
5601 shouldFail: true,
5602 expectedError: ":ERROR_PARSING_EXTENSION:",
5603 })
5604
5605 // Test that illegal extensions in TLS 1.3 are declined by the server if
5606 // offered in ClientHello. The runner's server will fail if this occurs,
5607 // so we exercise the offering path. (EMS and Renegotiation Info are
5608 // implicit in every test.)
5609 testCases = append(testCases, testCase{
5610 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5611 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5612 config: Config{
5613 MaxVersion: VersionTLS13,
5614 NextProtos: []string{"bar"},
5615 },
5616 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5617 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5618
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5619 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5620 // tolerated.
5621 testCases = append(testCases, testCase{
5622 name: "SendOCSPResponseOnResume-TLS12",
5623 config: Config{
5624 MaxVersion: VersionTLS12,
5625 Bugs: ProtocolBugs{
5626 SendOCSPResponseOnResume: []byte("bogus"),
5627 },
5628 },
5629 flags: []string{
5630 "-enable-ocsp-stapling",
5631 "-expect-ocsp-response",
5632 base64.StdEncoding.EncodeToString(testOCSPResponse),
5633 },
5634 resumeSession: true,
5635 })
5636
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5637 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5638 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5639 config: Config{
5640 MaxVersion: VersionTLS13,
5641 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5642 SendExtensionOnCertificate: testOCSPExtension,
5643 },
5644 },
5645 shouldFail: true,
5646 expectedError: ":UNEXPECTED_EXTENSION:",
5647 })
5648
5649 testCases = append(testCases, testCase{
5650 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5651 config: Config{
5652 MaxVersion: VersionTLS13,
5653 Bugs: ProtocolBugs{
5654 SendExtensionOnCertificate: testSCTExtension,
5655 },
5656 },
5657 shouldFail: true,
5658 expectedError: ":UNEXPECTED_EXTENSION:",
5659 })
5660
5661 // Test that extensions on client certificates are never accepted.
5662 testCases = append(testCases, testCase{
5663 name: "SendExtensionOnClientCertificate-TLS13",
5664 testType: serverTest,
5665 config: Config{
5666 MaxVersion: VersionTLS13,
5667 Certificates: []Certificate{rsaCertificate},
5668 Bugs: ProtocolBugs{
5669 SendExtensionOnCertificate: testOCSPExtension,
5670 },
5671 },
5672 flags: []string{
5673 "-enable-ocsp-stapling",
5674 "-require-any-client-certificate",
5675 },
5676 shouldFail: true,
5677 expectedError: ":UNEXPECTED_EXTENSION:",
5678 })
5679
5680 testCases = append(testCases, testCase{
5681 name: "SendUnknownExtensionOnCertificate-TLS13",
5682 config: Config{
5683 MaxVersion: VersionTLS13,
5684 Bugs: ProtocolBugs{
5685 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5686 },
5687 },
5688 shouldFail: true,
5689 expectedError: ":UNEXPECTED_EXTENSION:",
5690 })
5691
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5692 var differentSCTList []byte
5693 differentSCTList = append(differentSCTList, testSCTList...)
5694 differentSCTList[len(differentSCTList)-1] ^= 1
5695
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5696 // Test that extensions on intermediates are allowed but ignored.
5697 testCases = append(testCases, testCase{
5698 name: "IgnoreExtensionsOnIntermediates-TLS13",
5699 config: Config{
5700 MaxVersion: VersionTLS13,
5701 Certificates: []Certificate{rsaChainCertificate},
5702 Bugs: ProtocolBugs{
5703 // Send different values on the intermediate. This tests
5704 // the intermediate's extensions do not override the
5705 // leaf's.
5706 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5707 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5708 },
5709 },
5710 flags: []string{
5711 "-enable-ocsp-stapling",
5712 "-expect-ocsp-response",
5713 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5714 "-enable-signed-cert-timestamps",
5715 "-expect-signed-cert-timestamps",
5716 base64.StdEncoding.EncodeToString(testSCTList),
5717 },
5718 resumeSession: true,
5719 })
5720
5721 // Test that extensions are not sent on intermediates when configured
5722 // only for a leaf.
5723 testCases = append(testCases, testCase{
5724 testType: serverTest,
5725 name: "SendNoExtensionsOnIntermediate-TLS13",
5726 config: Config{
5727 MaxVersion: VersionTLS13,
5728 Bugs: ProtocolBugs{
5729 ExpectNoExtensionsOnIntermediate: true,
5730 },
5731 },
5732 flags: []string{
5733 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5734 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5735 "-ocsp-response",
5736 base64.StdEncoding.EncodeToString(testOCSPResponse),
5737 "-signed-cert-timestamps",
5738 base64.StdEncoding.EncodeToString(testSCTList),
5739 },
5740 })
5741
5742 // Test that extensions are not sent on client certificates.
5743 testCases = append(testCases, testCase{
5744 name: "SendNoClientCertificateExtensions-TLS13",
5745 config: Config{
5746 MaxVersion: VersionTLS13,
5747 ClientAuth: RequireAnyClientCert,
5748 },
5749 flags: []string{
5750 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5751 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5752 "-ocsp-response",
5753 base64.StdEncoding.EncodeToString(testOCSPResponse),
5754 "-signed-cert-timestamps",
5755 base64.StdEncoding.EncodeToString(testSCTList),
5756 },
5757 })
5758
5759 testCases = append(testCases, testCase{
5760 name: "SendDuplicateExtensionsOnCerts-TLS13",
5761 config: Config{
5762 MaxVersion: VersionTLS13,
5763 Bugs: ProtocolBugs{
5764 SendDuplicateCertExtensions: true,
5765 },
5766 },
5767 flags: []string{
5768 "-enable-ocsp-stapling",
5769 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5770 },
5771 resumeSession: true,
5772 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5773 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5774 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5775
5776 testCases = append(testCases, testCase{
5777 name: "SignedCertificateTimestampListInvalid-Server",
5778 testType: serverTest,
5779 flags: []string{
5780 "-signed-cert-timestamps",
5781 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5782 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5783 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5784 expectedError: ":INVALID_SCT_LIST:",
5785 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5786}
5787
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5788func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5789 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5790 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5791 // SSL 3.0 does not have tickets and TLS 1.3 does not
5792 // have session IDs, so skip their cross-resumption
5793 // tests.
5794 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5795 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5796 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5797 }
5798
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5799 protocols := []protocol{tls}
5800 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5801 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5802 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5803 for _, protocol := range protocols {
5804 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5805 if protocol == dtls {
5806 suffix += "-DTLS"
5807 }
5808
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5809 if sessionVers.version == resumeVers.version {
5810 testCases = append(testCases, testCase{
5811 protocol: protocol,
5812 name: "Resume-Client" + suffix,
5813 resumeSession: true,
5814 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5815 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5816 Bugs: ProtocolBugs{
5817 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5818 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5819 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5820 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5821 expectedVersion: sessionVers.version,
5822 expectedResumeVersion: resumeVers.version,
5823 })
5824 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5825 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5826
5827 // Offering a TLS 1.3 session sends an empty session ID, so
5828 // there is no way to convince a non-lookahead client the
5829 // session was resumed. It will appear to the client that a
5830 // stray ChangeCipherSpec was sent.
5831 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5832 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5833 }
5834
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5835 testCases = append(testCases, testCase{
5836 protocol: protocol,
5837 name: "Resume-Client-Mismatch" + suffix,
5838 resumeSession: true,
5839 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5840 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5841 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5842 expectedVersion: sessionVers.version,
5843 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5844 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5845 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5846 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5847 },
5848 },
5849 expectedResumeVersion: resumeVers.version,
5850 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5851 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5852 })
5853 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5854
5855 testCases = append(testCases, testCase{
5856 protocol: protocol,
5857 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5858 resumeSession: true,
5859 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5860 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5861 },
5862 expectedVersion: sessionVers.version,
5863 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5864 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5865 },
5866 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5867 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5868 expectedResumeVersion: resumeVers.version,
5869 })
5870
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5871 testCases = append(testCases, testCase{
5872 protocol: protocol,
5873 testType: serverTest,
5874 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5875 resumeSession: true,
5876 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5877 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5878 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5879 expectedVersion: sessionVers.version,
5880 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5881 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5882 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5883 Bugs: ProtocolBugs{
5884 SendBothTickets: true,
5885 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5886 },
5887 expectedResumeVersion: resumeVers.version,
5888 })
5889 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5890 }
5891 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5892
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5893 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5894 testCases = append(testCases, testCase{
5895 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5896 name: "ShimTicketRewritable",
5897 resumeSession: true,
5898 config: Config{
5899 MaxVersion: VersionTLS12,
5900 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5901 Bugs: ProtocolBugs{
5902 FilterTicket: func(in []byte) ([]byte, error) {
5903 in, err := SetShimTicketVersion(in, VersionTLS12)
5904 if err != nil {
5905 return nil, err
5906 }
5907 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5908 },
5909 },
5910 },
5911 flags: []string{
5912 "-ticket-key",
5913 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5914 },
5915 })
5916
5917 // Resumptions are declined if the version does not match.
5918 testCases = append(testCases, testCase{
5919 testType: serverTest,
5920 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5921 resumeSession: true,
5922 config: Config{
5923 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5924 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5925 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5926 FilterTicket: func(in []byte) ([]byte, error) {
5927 return SetShimTicketVersion(in, VersionTLS13)
5928 },
5929 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5930 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5931 flags: []string{
5932 "-ticket-key",
5933 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5934 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5935 expectResumeRejected: true,
5936 })
5937
5938 testCases = append(testCases, testCase{
5939 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5940 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5941 resumeSession: true,
5942 config: Config{
5943 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5944 Bugs: ProtocolBugs{
5945 FilterTicket: func(in []byte) ([]byte, error) {
5946 return SetShimTicketVersion(in, VersionTLS12)
5947 },
5948 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5949 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5950 flags: []string{
5951 "-ticket-key",
5952 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5953 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5954 expectResumeRejected: true,
5955 })
5956
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5957 // Resumptions are declined if the cipher is invalid or disabled.
5958 testCases = append(testCases, testCase{
5959 testType: serverTest,
5960 name: "Resume-Server-DeclineBadCipher",
5961 resumeSession: true,
5962 config: Config{
5963 MaxVersion: VersionTLS12,
5964 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5965 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5966 FilterTicket: func(in []byte) ([]byte, error) {
5967 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5968 },
5969 },
5970 },
5971 flags: []string{
5972 "-ticket-key",
5973 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5974 },
5975 expectResumeRejected: true,
5976 })
5977
5978 testCases = append(testCases, testCase{
5979 testType: serverTest,
5980 name: "Resume-Server-DeclineBadCipher-2",
5981 resumeSession: true,
5982 config: Config{
5983 MaxVersion: VersionTLS12,
5984 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5985 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5986 FilterTicket: func(in []byte) ([]byte, error) {
5987 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5988 },
5989 },
5990 },
5991 flags: []string{
5992 "-cipher", "AES128",
5993 "-ticket-key",
5994 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5995 },
5996 expectResumeRejected: true,
5997 })
5998
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5999 // Sessions are not resumed if they do not use the preferred cipher.
6000 testCases = append(testCases, testCase{
6001 testType: serverTest,
6002 name: "Resume-Server-CipherNotPreferred",
6003 resumeSession: true,
6004 config: Config{
6005 MaxVersion: VersionTLS12,
6006 Bugs: ProtocolBugs{
6007 ExpectNewTicket: true,
6008 FilterTicket: func(in []byte) ([]byte, error) {
6009 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6010 },
6011 },
6012 },
6013 flags: []string{
6014 "-ticket-key",
6015 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6016 },
6017 shouldFail: false,
6018 expectResumeRejected: true,
6019 })
6020
6021 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6022 // PRF hashes match, but BoringSSL will always decline such resumptions.
6023 testCases = append(testCases, testCase{
6024 testType: serverTest,
6025 name: "Resume-Server-CipherNotPreferred-TLS13",
6026 resumeSession: true,
6027 config: Config{
6028 MaxVersion: VersionTLS13,
6029 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6030 Bugs: ProtocolBugs{
6031 FilterTicket: func(in []byte) ([]byte, error) {
6032 // If the client (runner) offers ChaCha20-Poly1305 first, the
6033 // server (shim) always prefers it. Switch it to AES-GCM.
6034 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6035 },
6036 },
6037 },
6038 flags: []string{
6039 "-ticket-key",
6040 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6041 },
6042 shouldFail: false,
6043 expectResumeRejected: true,
6044 })
6045
6046 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6047 testCases = append(testCases, testCase{
6048 testType: serverTest,
6049 name: "Resume-Server-DeclineBadCipher-TLS13",
6050 resumeSession: true,
6051 config: Config{
6052 MaxVersion: VersionTLS13,
6053 Bugs: ProtocolBugs{
6054 FilterTicket: func(in []byte) ([]byte, error) {
6055 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6056 },
6057 },
6058 },
6059 flags: []string{
6060 "-ticket-key",
6061 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6062 },
6063 expectResumeRejected: true,
6064 })
6065
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6066 // If the client does not offer the cipher from the session, decline to
6067 // resume. Clients are forbidden from doing this, but BoringSSL selects
6068 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6069 testCases = append(testCases, testCase{
6070 testType: serverTest,
6071 name: "Resume-Server-UnofferedCipher",
6072 resumeSession: true,
6073 config: Config{
6074 MaxVersion: VersionTLS12,
6075 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6076 },
6077 resumeConfig: &Config{
6078 MaxVersion: VersionTLS12,
6079 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6080 Bugs: ProtocolBugs{
6081 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6082 },
6083 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6084 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6085 })
6086
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6087 // In TLS 1.3, clients may advertise a cipher list which does not
6088 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6089 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6090 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6091 testCases = append(testCases, testCase{
6092 testType: serverTest,
6093 name: "Resume-Server-UnofferedCipher-TLS13",
6094 resumeSession: true,
6095 config: Config{
6096 MaxVersion: VersionTLS13,
6097 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6098 },
6099 resumeConfig: &Config{
6100 MaxVersion: VersionTLS13,
6101 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6102 Bugs: ProtocolBugs{
6103 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6104 },
6105 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6106 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6107 })
6108
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6109 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6110 testCases = append(testCases, testCase{
6111 name: "Resume-Client-CipherMismatch",
6112 resumeSession: true,
6113 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6114 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6115 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6116 },
6117 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6118 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6119 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6120 Bugs: ProtocolBugs{
6121 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6122 },
6123 },
6124 shouldFail: true,
6125 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6126 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6127
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6128 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6129 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6130 testCases = append(testCases, testCase{
6131 name: "Resume-Client-CipherMismatch-TLS13",
6132 resumeSession: true,
6133 config: Config{
6134 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6135 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6136 },
6137 resumeConfig: &Config{
6138 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6139 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6140 },
6141 })
6142
6143 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6144 testCases = append(testCases, testCase{
6145 name: "Resume-Client-PRFMismatch-TLS13",
6146 resumeSession: true,
6147 config: Config{
6148 MaxVersion: VersionTLS13,
6149 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6150 },
6151 resumeConfig: &Config{
6152 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6153 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6154 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6155 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6156 },
6157 },
6158 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6159 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6160 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6161
6162 testCases = append(testCases, testCase{
6163 testType: serverTest,
6164 name: "Resume-Server-BinderWrongLength",
6165 resumeSession: true,
6166 config: Config{
6167 MaxVersion: VersionTLS13,
6168 Bugs: ProtocolBugs{
6169 SendShortPSKBinder: true,
6170 },
6171 },
6172 shouldFail: true,
6173 expectedLocalError: "remote error: error decrypting message",
6174 expectedError: ":DIGEST_CHECK_FAILED:",
6175 })
6176
6177 testCases = append(testCases, testCase{
6178 testType: serverTest,
6179 name: "Resume-Server-NoPSKBinder",
6180 resumeSession: true,
6181 config: Config{
6182 MaxVersion: VersionTLS13,
6183 Bugs: ProtocolBugs{
6184 SendNoPSKBinder: true,
6185 },
6186 },
6187 shouldFail: true,
6188 expectedLocalError: "remote error: error decoding message",
6189 expectedError: ":DECODE_ERROR:",
6190 })
6191
6192 testCases = append(testCases, testCase{
6193 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6194 name: "Resume-Server-ExtraPSKBinder",
6195 resumeSession: true,
6196 config: Config{
6197 MaxVersion: VersionTLS13,
6198 Bugs: ProtocolBugs{
6199 SendExtraPSKBinder: true,
6200 },
6201 },
6202 shouldFail: true,
6203 expectedLocalError: "remote error: illegal parameter",
6204 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6205 })
6206
6207 testCases = append(testCases, testCase{
6208 testType: serverTest,
6209 name: "Resume-Server-ExtraIdentityNoBinder",
6210 resumeSession: true,
6211 config: Config{
6212 MaxVersion: VersionTLS13,
6213 Bugs: ProtocolBugs{
6214 ExtraPSKIdentity: true,
6215 },
6216 },
6217 shouldFail: true,
6218 expectedLocalError: "remote error: illegal parameter",
6219 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6220 })
6221
6222 testCases = append(testCases, testCase{
6223 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6224 name: "Resume-Server-InvalidPSKBinder",
6225 resumeSession: true,
6226 config: Config{
6227 MaxVersion: VersionTLS13,
6228 Bugs: ProtocolBugs{
6229 SendInvalidPSKBinder: true,
6230 },
6231 },
6232 shouldFail: true,
6233 expectedLocalError: "remote error: error decrypting message",
6234 expectedError: ":DIGEST_CHECK_FAILED:",
6235 })
6236
6237 testCases = append(testCases, testCase{
6238 testType: serverTest,
6239 name: "Resume-Server-PSKBinderFirstExtension",
6240 resumeSession: true,
6241 config: Config{
6242 MaxVersion: VersionTLS13,
6243 Bugs: ProtocolBugs{
6244 PSKBinderFirst: true,
6245 },
6246 },
6247 shouldFail: true,
6248 expectedLocalError: "remote error: illegal parameter",
6249 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6250 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6251}
6252
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6253func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6254 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6255 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6256 testType: serverTest,
6257 name: "Renegotiate-Server-Forbidden",
6258 config: Config{
6259 MaxVersion: VersionTLS12,
6260 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6261 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6262 shouldFail: true,
6263 expectedError: ":NO_RENEGOTIATION:",
6264 expectedLocalError: "remote error: no renegotiation",
6265 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6266 // The server shouldn't echo the renegotiation extension unless
6267 // requested by the client.
6268 testCases = append(testCases, testCase{
6269 testType: serverTest,
6270 name: "Renegotiate-Server-NoExt",
6271 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6272 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6273 Bugs: ProtocolBugs{
6274 NoRenegotiationInfo: true,
6275 RequireRenegotiationInfo: true,
6276 },
6277 },
6278 shouldFail: true,
6279 expectedLocalError: "renegotiation extension missing",
6280 })
6281 // The renegotiation SCSV should be sufficient for the server to echo
6282 // the extension.
6283 testCases = append(testCases, testCase{
6284 testType: serverTest,
6285 name: "Renegotiate-Server-NoExt-SCSV",
6286 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6287 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6288 Bugs: ProtocolBugs{
6289 NoRenegotiationInfo: true,
6290 SendRenegotiationSCSV: true,
6291 RequireRenegotiationInfo: true,
6292 },
6293 },
6294 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6295 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6296 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6297 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6298 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6299 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6300 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6301 },
6302 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6303 renegotiate: 1,
6304 flags: []string{
6305 "-renegotiate-freely",
6306 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6307 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6308 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6309 })
6310 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6311 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6312 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6313 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6314 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6315 Bugs: ProtocolBugs{
6316 EmptyRenegotiationInfo: true,
6317 },
6318 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6319 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6320 shouldFail: true,
6321 expectedError: ":RENEGOTIATION_MISMATCH:",
6322 })
6323 testCases = append(testCases, testCase{
6324 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6325 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6326 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6327 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6328 Bugs: ProtocolBugs{
6329 BadRenegotiationInfo: true,
6330 },
6331 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6332 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6333 shouldFail: true,
6334 expectedError: ":RENEGOTIATION_MISMATCH:",
6335 })
6336 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6337 name: "Renegotiate-Client-Downgrade",
6338 renegotiate: 1,
6339 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6340 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6341 Bugs: ProtocolBugs{
6342 NoRenegotiationInfoAfterInitial: true,
6343 },
6344 },
6345 flags: []string{"-renegotiate-freely"},
6346 shouldFail: true,
6347 expectedError: ":RENEGOTIATION_MISMATCH:",
6348 })
6349 testCases = append(testCases, testCase{
6350 name: "Renegotiate-Client-Upgrade",
6351 renegotiate: 1,
6352 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6353 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6354 Bugs: ProtocolBugs{
6355 NoRenegotiationInfoInInitial: true,
6356 },
6357 },
6358 flags: []string{"-renegotiate-freely"},
6359 shouldFail: true,
6360 expectedError: ":RENEGOTIATION_MISMATCH:",
6361 })
6362 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6363 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6364 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6365 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6366 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6367 Bugs: ProtocolBugs{
6368 NoRenegotiationInfo: true,
6369 },
6370 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6371 flags: []string{
6372 "-renegotiate-freely",
6373 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6374 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6375 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6376 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6377
6378 // Test that the server may switch ciphers on renegotiation without
6379 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6380 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6381 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6382 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6383 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6384 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6385 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6386 },
6387 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6388 flags: []string{
6389 "-renegotiate-freely",
6390 "-expect-total-renegotiations", "1",
6391 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6392 })
6393 testCases = append(testCases, testCase{
6394 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6395 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6396 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6397 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6398 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6399 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6400 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6401 flags: []string{
6402 "-renegotiate-freely",
6403 "-expect-total-renegotiations", "1",
6404 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6405 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6406
6407 // Test that the server may not switch versions on renegotiation.
6408 testCases = append(testCases, testCase{
6409 name: "Renegotiate-Client-SwitchVersion",
6410 config: Config{
6411 MaxVersion: VersionTLS12,
6412 // Pick a cipher which exists at both versions.
6413 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6414 Bugs: ProtocolBugs{
6415 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6416 // Avoid failing early at the record layer.
6417 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6418 },
6419 },
6420 renegotiate: 1,
6421 flags: []string{
6422 "-renegotiate-freely",
6423 "-expect-total-renegotiations", "1",
6424 },
6425 shouldFail: true,
6426 expectedError: ":WRONG_SSL_VERSION:",
6427 })
6428
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6429 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6430 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6431 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6432 config: Config{
6433 MaxVersion: VersionTLS10,
6434 Bugs: ProtocolBugs{
6435 RequireSameRenegoClientVersion: true,
6436 },
6437 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6438 flags: []string{
6439 "-renegotiate-freely",
6440 "-expect-total-renegotiations", "1",
6441 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6442 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6443 testCases = append(testCases, testCase{
6444 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6445 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6446 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6447 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6448 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6449 NextProtos: []string{"foo"},
6450 },
6451 flags: []string{
6452 "-false-start",
6453 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6454 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6455 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6456 },
6457 shimWritesFirst: true,
6458 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6459
6460 // Client-side renegotiation controls.
6461 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6462 name: "Renegotiate-Client-Forbidden-1",
6463 config: Config{
6464 MaxVersion: VersionTLS12,
6465 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6466 renegotiate: 1,
6467 shouldFail: true,
6468 expectedError: ":NO_RENEGOTIATION:",
6469 expectedLocalError: "remote error: no renegotiation",
6470 })
6471 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6472 name: "Renegotiate-Client-Once-1",
6473 config: Config{
6474 MaxVersion: VersionTLS12,
6475 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6476 renegotiate: 1,
6477 flags: []string{
6478 "-renegotiate-once",
6479 "-expect-total-renegotiations", "1",
6480 },
6481 })
6482 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6483 name: "Renegotiate-Client-Freely-1",
6484 config: Config{
6485 MaxVersion: VersionTLS12,
6486 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6487 renegotiate: 1,
6488 flags: []string{
6489 "-renegotiate-freely",
6490 "-expect-total-renegotiations", "1",
6491 },
6492 })
6493 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6494 name: "Renegotiate-Client-Once-2",
6495 config: Config{
6496 MaxVersion: VersionTLS12,
6497 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6498 renegotiate: 2,
6499 flags: []string{"-renegotiate-once"},
6500 shouldFail: true,
6501 expectedError: ":NO_RENEGOTIATION:",
6502 expectedLocalError: "remote error: no renegotiation",
6503 })
6504 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6505 name: "Renegotiate-Client-Freely-2",
6506 config: Config{
6507 MaxVersion: VersionTLS12,
6508 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6509 renegotiate: 2,
6510 flags: []string{
6511 "-renegotiate-freely",
6512 "-expect-total-renegotiations", "2",
6513 },
6514 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6515 testCases = append(testCases, testCase{
6516 name: "Renegotiate-Client-NoIgnore",
6517 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6518 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6519 Bugs: ProtocolBugs{
6520 SendHelloRequestBeforeEveryAppDataRecord: true,
6521 },
6522 },
6523 shouldFail: true,
6524 expectedError: ":NO_RENEGOTIATION:",
6525 })
6526 testCases = append(testCases, testCase{
6527 name: "Renegotiate-Client-Ignore",
6528 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6529 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6530 Bugs: ProtocolBugs{
6531 SendHelloRequestBeforeEveryAppDataRecord: true,
6532 },
6533 },
6534 flags: []string{
6535 "-renegotiate-ignore",
6536 "-expect-total-renegotiations", "0",
6537 },
6538 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6539
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6540 // Renegotiation is not allowed at SSL 3.0.
6541 testCases = append(testCases, testCase{
6542 name: "Renegotiate-Client-SSL3",
6543 config: Config{
6544 MaxVersion: VersionSSL30,
6545 },
6546 renegotiate: 1,
6547 flags: []string{
6548 "-renegotiate-freely",
6549 "-expect-total-renegotiations", "1",
6550 },
6551 shouldFail: true,
6552 expectedError: ":NO_RENEGOTIATION:",
6553 expectedLocalError: "remote error: no renegotiation",
6554 })
6555
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6556 // Renegotiation is not allowed when there is an unfinished write.
6557 testCases = append(testCases, testCase{
6558 name: "Renegotiate-Client-UnfinishedWrite",
6559 config: Config{
6560 MaxVersion: VersionTLS12,
6561 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6562 renegotiate: 1,
6563 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6564 flags: []string{
6565 "-async",
6566 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6567 },
6568 shouldFail: true,
6569 expectedError: ":NO_RENEGOTIATION:",
6570 // We do not successfully send the no_renegotiation alert in
6571 // this case. https://crbug.com/boringssl/130
6572 })
6573
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6574 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6575 testCases = append(testCases, testCase{
6576 name: "StrayHelloRequest",
6577 config: Config{
6578 MaxVersion: VersionTLS12,
6579 Bugs: ProtocolBugs{
6580 SendHelloRequestBeforeEveryHandshakeMessage: true,
6581 },
6582 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6583 shouldFail: true,
6584 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6585 })
6586 testCases = append(testCases, testCase{
6587 name: "StrayHelloRequest-Packed",
6588 config: Config{
6589 MaxVersion: VersionTLS12,
6590 Bugs: ProtocolBugs{
6591 PackHandshakeFlight: true,
6592 SendHelloRequestBeforeEveryHandshakeMessage: true,
6593 },
6594 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6595 shouldFail: true,
6596 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6597 })
6598
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6599 // Test renegotiation works if HelloRequest and server Finished come in
6600 // the same record.
6601 testCases = append(testCases, testCase{
6602 name: "Renegotiate-Client-Packed",
6603 config: Config{
6604 MaxVersion: VersionTLS12,
6605 Bugs: ProtocolBugs{
6606 PackHandshakeFlight: true,
6607 PackHelloRequestWithFinished: true,
6608 },
6609 },
6610 renegotiate: 1,
6611 flags: []string{
6612 "-renegotiate-freely",
6613 "-expect-total-renegotiations", "1",
6614 },
6615 })
6616
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6617 // Renegotiation is forbidden in TLS 1.3.
6618 testCases = append(testCases, testCase{
6619 name: "Renegotiate-Client-TLS13",
6620 config: Config{
6621 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6622 Bugs: ProtocolBugs{
6623 SendHelloRequestBeforeEveryAppDataRecord: true,
6624 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6625 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6626 flags: []string{
6627 "-renegotiate-freely",
6628 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6629 shouldFail: true,
6630 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6631 })
6632
6633 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6634 testCases = append(testCases, testCase{
6635 name: "StrayHelloRequest-TLS13",
6636 config: Config{
6637 MaxVersion: VersionTLS13,
6638 Bugs: ProtocolBugs{
6639 SendHelloRequestBeforeEveryHandshakeMessage: true,
6640 },
6641 },
6642 shouldFail: true,
6643 expectedError: ":UNEXPECTED_MESSAGE:",
6644 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6645
6646 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6647 // always reads as supporting it, regardless of whether it was
6648 // negotiated.
6649 testCases = append(testCases, testCase{
6650 name: "AlwaysReportRenegotiationInfo-TLS13",
6651 config: Config{
6652 MaxVersion: VersionTLS13,
6653 Bugs: ProtocolBugs{
6654 NoRenegotiationInfo: true,
6655 },
6656 },
6657 flags: []string{
6658 "-expect-secure-renegotiation",
6659 },
6660 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6661
6662 // Certificates may not change on renegotiation.
6663 testCases = append(testCases, testCase{
6664 name: "Renegotiation-CertificateChange",
6665 config: Config{
6666 MaxVersion: VersionTLS12,
6667 Certificates: []Certificate{rsaCertificate},
6668 Bugs: ProtocolBugs{
6669 RenegotiationCertificate: &rsaChainCertificate,
6670 },
6671 },
6672 renegotiate: 1,
6673 flags: []string{"-renegotiate-freely"},
6674 shouldFail: true,
6675 expectedError: ":SERVER_CERT_CHANGED:",
6676 })
6677 testCases = append(testCases, testCase{
6678 name: "Renegotiation-CertificateChange-2",
6679 config: Config{
6680 MaxVersion: VersionTLS12,
6681 Certificates: []Certificate{rsaCertificate},
6682 Bugs: ProtocolBugs{
6683 RenegotiationCertificate: &rsa1024Certificate,
6684 },
6685 },
6686 renegotiate: 1,
6687 flags: []string{"-renegotiate-freely"},
6688 shouldFail: true,
6689 expectedError: ":SERVER_CERT_CHANGED:",
6690 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6691
6692 // We do not negotiate ALPN after the initial handshake. This is
6693 // error-prone and only risks bugs in consumers.
6694 testCases = append(testCases, testCase{
6695 testType: clientTest,
6696 name: "Renegotiation-ForbidALPN",
6697 config: Config{
6698 MaxVersion: VersionTLS12,
6699 Bugs: ProtocolBugs{
6700 // Forcibly negotiate ALPN on both initial and
6701 // renegotiation handshakes. The test stack will
6702 // internally check the client does not offer
6703 // it.
6704 SendALPN: "foo",
6705 },
6706 },
6707 flags: []string{
6708 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6709 "-expect-alpn", "foo",
6710 "-renegotiate-freely",
6711 },
6712 renegotiate: 1,
6713 shouldFail: true,
6714 expectedError: ":UNEXPECTED_EXTENSION:",
6715 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6716}
6717
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6718func addDTLSReplayTests() {
6719 // Test that sequence number replays are detected.
6720 testCases = append(testCases, testCase{
6721 protocol: dtls,
6722 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6723 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6724 replayWrites: true,
6725 })
6726
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6727 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6728 // than the retransmit window.
6729 testCases = append(testCases, testCase{
6730 protocol: dtls,
6731 name: "DTLS-Replay-LargeGaps",
6732 config: Config{
6733 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6734 SequenceNumberMapping: func(in uint64) uint64 {
6735 return in * 127
6736 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6737 },
6738 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6739 messageCount: 200,
6740 replayWrites: true,
6741 })
6742
6743 // Test the incoming sequence number changing non-monotonically.
6744 testCases = append(testCases, testCase{
6745 protocol: dtls,
6746 name: "DTLS-Replay-NonMonotonic",
6747 config: Config{
6748 Bugs: ProtocolBugs{
6749 SequenceNumberMapping: func(in uint64) uint64 {
6750 return in ^ 31
6751 },
6752 },
6753 },
6754 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6755 replayWrites: true,
6756 })
6757}
6758
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6759var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6760 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6761 id signatureAlgorithm
6762 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6763}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6764 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6765 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6766 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6767 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6768 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6769 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6770 // hash function doesn't have to match the curve and so the same
6771 // signature algorithm works with P-224.
6772 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6773 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6774 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6775 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6776 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6777 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6778 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6779 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6780 // Tests for key types prior to TLS 1.2.
6781 {"RSA", 0, testCertRSA},
6782 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6783}
6784
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6785const fakeSigAlg1 signatureAlgorithm = 0x2a01
6786const fakeSigAlg2 signatureAlgorithm = 0xff01
6787
6788func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6789 // Not all ciphers involve a signature. Advertise a list which gives all
6790 // versions a signing cipher.
6791 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6792 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6793 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6794 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6795 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6796 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6797 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6798
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6799 var allAlgorithms []signatureAlgorithm
6800 for _, alg := range testSignatureAlgorithms {
6801 if alg.id != 0 {
6802 allAlgorithms = append(allAlgorithms, alg.id)
6803 }
6804 }
6805
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6806 // Make sure each signature algorithm works. Include some fake values in
6807 // the list and ensure they're ignored.
6808 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6809 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6810 if (ver.version < VersionTLS12) != (alg.id == 0) {
6811 continue
6812 }
6813
6814 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6815 // or remove it in C.
6816 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6817 continue
6818 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6819
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6820 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6821 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6822 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6823 shouldSignFail = true
6824 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6825 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6826 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6827 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6828 shouldSignFail = true
6829 shouldVerifyFail = true
6830 }
6831 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6832 // the curve has to match the hash size.
6833 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6834 shouldSignFail = true
6835 shouldVerifyFail = true
6836 }
6837
6838 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6839 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6840 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6841 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6842
6843 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6844 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6845 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6846 }
6847 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6848 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6849 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6850
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6851 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6852
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6853 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6854 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6855 config: Config{
6856 MaxVersion: ver.version,
6857 ClientAuth: RequireAnyClientCert,
6858 VerifySignatureAlgorithms: []signatureAlgorithm{
6859 fakeSigAlg1,
6860 alg.id,
6861 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6862 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6863 },
6864 flags: []string{
6865 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6866 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6867 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6868 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6869 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6870 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6871 expectedError: signError,
6872 expectedPeerSignatureAlgorithm: alg.id,
6873 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6874
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6875 testCases = append(testCases, testCase{
6876 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6877 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6878 config: Config{
6879 MaxVersion: ver.version,
6880 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6881 SignSignatureAlgorithms: []signatureAlgorithm{
6882 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6883 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6884 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6885 SkipECDSACurveCheck: shouldVerifyFail,
6886 IgnoreSignatureVersionChecks: shouldVerifyFail,
6887 // Some signature algorithms may not be advertised.
6888 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6889 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6890 },
6891 flags: []string{
6892 "-require-any-client-certificate",
6893 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6894 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6895 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6896 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6897 // Resume the session to assert the peer signature
6898 // algorithm is reported on both handshakes.
6899 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6900 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6901 expectedError: verifyError,
6902 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6903
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6904 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]6905 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6906 testCases = append(testCases, testCase{
6907 testType: serverTest,
6908 name: "ServerAuth-Sign" + suffix,
6909 config: Config{
6910 MaxVersion: ver.version,
6911 CipherSuites: signingCiphers,
6912 VerifySignatureAlgorithms: []signatureAlgorithm{
6913 fakeSigAlg1,
6914 alg.id,
6915 fakeSigAlg2,
6916 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6917 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6918 flags: []string{
6919 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6920 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6921 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6922 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6923 },
6924 shouldFail: shouldSignFail,
6925 expectedError: signError,
6926 expectedPeerSignatureAlgorithm: alg.id,
6927 })
6928 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6929
6930 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6931 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6932 config: Config{
6933 MaxVersion: ver.version,
6934 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6935 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6936 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6937 alg.id,
6938 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6939 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6940 SkipECDSACurveCheck: shouldVerifyFail,
6941 IgnoreSignatureVersionChecks: shouldVerifyFail,
6942 // Some signature algorithms may not be advertised.
6943 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6944 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6945 },
6946 flags: []string{
6947 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6948 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6949 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6950 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6951 // Resume the session to assert the peer signature
6952 // algorithm is reported on both handshakes.
6953 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6954 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6955 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6956 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6957
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6958 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6959 testCases = append(testCases, testCase{
6960 testType: serverTest,
6961 name: "ClientAuth-InvalidSignature" + suffix,
6962 config: Config{
6963 MaxVersion: ver.version,
6964 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6965 SignSignatureAlgorithms: []signatureAlgorithm{
6966 alg.id,
6967 },
6968 Bugs: ProtocolBugs{
6969 InvalidSignature: true,
6970 },
6971 },
6972 flags: []string{
6973 "-require-any-client-certificate",
6974 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6975 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6976 },
6977 shouldFail: true,
6978 expectedError: ":BAD_SIGNATURE:",
6979 })
6980
6981 testCases = append(testCases, testCase{
6982 name: "ServerAuth-InvalidSignature" + suffix,
6983 config: Config{
6984 MaxVersion: ver.version,
6985 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6986 CipherSuites: signingCiphers,
6987 SignSignatureAlgorithms: []signatureAlgorithm{
6988 alg.id,
6989 },
6990 Bugs: ProtocolBugs{
6991 InvalidSignature: true,
6992 },
6993 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6994 flags: []string{
6995 "-enable-all-curves",
6996 "-enable-ed25519",
6997 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6998 shouldFail: true,
6999 expectedError: ":BAD_SIGNATURE:",
7000 })
7001 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7002
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7003 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7004 testCases = append(testCases, testCase{
7005 name: "ClientAuth-Sign-Negotiate" + suffix,
7006 config: Config{
7007 MaxVersion: ver.version,
7008 ClientAuth: RequireAnyClientCert,
7009 VerifySignatureAlgorithms: allAlgorithms,
7010 },
7011 flags: []string{
7012 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7013 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7014 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7015 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7016 "-signing-prefs", strconv.Itoa(int(alg.id)),
7017 },
7018 expectedPeerSignatureAlgorithm: alg.id,
7019 })
7020
7021 testCases = append(testCases, testCase{
7022 testType: serverTest,
7023 name: "ServerAuth-Sign-Negotiate" + suffix,
7024 config: Config{
7025 MaxVersion: ver.version,
7026 CipherSuites: signingCiphers,
7027 VerifySignatureAlgorithms: allAlgorithms,
7028 },
7029 flags: []string{
7030 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7031 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7032 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7033 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7034 "-signing-prefs", strconv.Itoa(int(alg.id)),
7035 },
7036 expectedPeerSignatureAlgorithm: alg.id,
7037 })
7038 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7039 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7040 }
7041
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7042 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7043 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7044 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7045 config: Config{
7046 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7047 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7048 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7049 signatureECDSAWithP521AndSHA512,
7050 signatureRSAPKCS1WithSHA384,
7051 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7052 },
7053 },
7054 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7055 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7056 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7057 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7058 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7059 })
7060
7061 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7062 name: "ClientAuth-SignatureType-TLS13",
7063 config: Config{
7064 ClientAuth: RequireAnyClientCert,
7065 MaxVersion: VersionTLS13,
7066 VerifySignatureAlgorithms: []signatureAlgorithm{
7067 signatureECDSAWithP521AndSHA512,
7068 signatureRSAPKCS1WithSHA384,
7069 signatureRSAPSSWithSHA384,
7070 signatureECDSAWithSHA1,
7071 },
7072 },
7073 flags: []string{
7074 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7075 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7076 },
7077 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7078 })
7079
7080 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7081 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7082 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7083 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7084 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7085 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7086 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7087 signatureECDSAWithP521AndSHA512,
7088 signatureRSAPKCS1WithSHA384,
7089 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7090 },
7091 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7092 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7093 })
7094
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7095 testCases = append(testCases, testCase{
7096 testType: serverTest,
7097 name: "ServerAuth-SignatureType-TLS13",
7098 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7099 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7100 VerifySignatureAlgorithms: []signatureAlgorithm{
7101 signatureECDSAWithP521AndSHA512,
7102 signatureRSAPKCS1WithSHA384,
7103 signatureRSAPSSWithSHA384,
7104 signatureECDSAWithSHA1,
7105 },
7106 },
7107 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7108 })
7109
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7110 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7111 testCases = append(testCases, testCase{
7112 testType: serverTest,
7113 name: "Verify-ClientAuth-SignatureType",
7114 config: Config{
7115 MaxVersion: VersionTLS12,
7116 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7117 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7118 signatureRSAPKCS1WithSHA256,
7119 },
7120 Bugs: ProtocolBugs{
7121 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7122 },
7123 },
7124 flags: []string{
7125 "-require-any-client-certificate",
7126 },
7127 shouldFail: true,
7128 expectedError: ":WRONG_SIGNATURE_TYPE:",
7129 })
7130
7131 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7132 testType: serverTest,
7133 name: "Verify-ClientAuth-SignatureType-TLS13",
7134 config: Config{
7135 MaxVersion: VersionTLS13,
7136 Certificates: []Certificate{rsaCertificate},
7137 SignSignatureAlgorithms: []signatureAlgorithm{
7138 signatureRSAPSSWithSHA256,
7139 },
7140 Bugs: ProtocolBugs{
7141 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7142 },
7143 },
7144 flags: []string{
7145 "-require-any-client-certificate",
7146 },
7147 shouldFail: true,
7148 expectedError: ":WRONG_SIGNATURE_TYPE:",
7149 })
7150
7151 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7152 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7153 config: Config{
7154 MaxVersion: VersionTLS12,
7155 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7156 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7157 signatureRSAPKCS1WithSHA256,
7158 },
7159 Bugs: ProtocolBugs{
7160 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7161 },
7162 },
7163 shouldFail: true,
7164 expectedError: ":WRONG_SIGNATURE_TYPE:",
7165 })
7166
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7167 testCases = append(testCases, testCase{
7168 name: "Verify-ServerAuth-SignatureType-TLS13",
7169 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7170 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7171 SignSignatureAlgorithms: []signatureAlgorithm{
7172 signatureRSAPSSWithSHA256,
7173 },
7174 Bugs: ProtocolBugs{
7175 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7176 },
7177 },
7178 shouldFail: true,
7179 expectedError: ":WRONG_SIGNATURE_TYPE:",
7180 })
7181
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7182 // Test that, if the list is missing, the peer falls back to SHA-1 in
7183 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7184 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7185 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7186 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7187 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7188 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7189 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7190 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7191 },
7192 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7193 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7194 },
7195 },
7196 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7197 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7198 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7199 },
7200 })
7201
7202 testCases = append(testCases, testCase{
7203 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7204 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7205 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7206 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7207 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7208 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7209 },
7210 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7211 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7212 },
7213 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7214 flags: []string{
7215 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7216 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7217 },
7218 })
7219
7220 testCases = append(testCases, testCase{
7221 name: "ClientAuth-SHA1-Fallback-ECDSA",
7222 config: Config{
7223 MaxVersion: VersionTLS12,
7224 ClientAuth: RequireAnyClientCert,
7225 VerifySignatureAlgorithms: []signatureAlgorithm{
7226 signatureECDSAWithSHA1,
7227 },
7228 Bugs: ProtocolBugs{
7229 NoSignatureAlgorithms: true,
7230 },
7231 },
7232 flags: []string{
7233 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7234 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7235 },
7236 })
7237
7238 testCases = append(testCases, testCase{
7239 testType: serverTest,
7240 name: "ServerAuth-SHA1-Fallback-ECDSA",
7241 config: Config{
7242 MaxVersion: VersionTLS12,
7243 VerifySignatureAlgorithms: []signatureAlgorithm{
7244 signatureECDSAWithSHA1,
7245 },
7246 Bugs: ProtocolBugs{
7247 NoSignatureAlgorithms: true,
7248 },
7249 },
7250 flags: []string{
7251 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7252 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7253 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7254 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7255
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7256 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7257 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7258 config: Config{
7259 MaxVersion: VersionTLS13,
7260 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7261 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7262 signatureRSAPKCS1WithSHA1,
7263 },
7264 Bugs: ProtocolBugs{
7265 NoSignatureAlgorithms: true,
7266 },
7267 },
7268 flags: []string{
7269 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7270 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7271 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7272 shouldFail: true,
7273 // An empty CertificateRequest signature algorithm list is a
7274 // syntax error in TLS 1.3.
7275 expectedError: ":DECODE_ERROR:",
7276 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7277 })
7278
7279 testCases = append(testCases, testCase{
7280 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7281 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7282 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7283 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7284 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7285 signatureRSAPKCS1WithSHA1,
7286 },
7287 Bugs: ProtocolBugs{
7288 NoSignatureAlgorithms: true,
7289 },
7290 },
7291 shouldFail: true,
7292 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7293 })
7294
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7295 // Test that hash preferences are enforced. BoringSSL does not implement
7296 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7297 testCases = append(testCases, testCase{
7298 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7299 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7300 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7301 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7302 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7303 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7304 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7305 },
7306 Bugs: ProtocolBugs{
7307 IgnorePeerSignatureAlgorithmPreferences: true,
7308 },
7309 },
7310 flags: []string{"-require-any-client-certificate"},
7311 shouldFail: true,
7312 expectedError: ":WRONG_SIGNATURE_TYPE:",
7313 })
7314
7315 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7316 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7317 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7318 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7319 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7320 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7321 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7322 },
7323 Bugs: ProtocolBugs{
7324 IgnorePeerSignatureAlgorithmPreferences: true,
7325 },
7326 },
7327 shouldFail: true,
7328 expectedError: ":WRONG_SIGNATURE_TYPE:",
7329 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7330 testCases = append(testCases, testCase{
7331 testType: serverTest,
7332 name: "ClientAuth-Enforced-TLS13",
7333 config: Config{
7334 MaxVersion: VersionTLS13,
7335 Certificates: []Certificate{rsaCertificate},
7336 SignSignatureAlgorithms: []signatureAlgorithm{
7337 signatureRSAPKCS1WithMD5,
7338 },
7339 Bugs: ProtocolBugs{
7340 IgnorePeerSignatureAlgorithmPreferences: true,
7341 IgnoreSignatureVersionChecks: true,
7342 },
7343 },
7344 flags: []string{"-require-any-client-certificate"},
7345 shouldFail: true,
7346 expectedError: ":WRONG_SIGNATURE_TYPE:",
7347 })
7348
7349 testCases = append(testCases, testCase{
7350 name: "ServerAuth-Enforced-TLS13",
7351 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7352 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7353 SignSignatureAlgorithms: []signatureAlgorithm{
7354 signatureRSAPKCS1WithMD5,
7355 },
7356 Bugs: ProtocolBugs{
7357 IgnorePeerSignatureAlgorithmPreferences: true,
7358 IgnoreSignatureVersionChecks: true,
7359 },
7360 },
7361 shouldFail: true,
7362 expectedError: ":WRONG_SIGNATURE_TYPE:",
7363 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7364
7365 // Test that the agreed upon digest respects the client preferences and
7366 // the server digests.
7367 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7368 name: "NoCommonAlgorithms-Digests",
7369 config: Config{
7370 MaxVersion: VersionTLS12,
7371 ClientAuth: RequireAnyClientCert,
7372 VerifySignatureAlgorithms: []signatureAlgorithm{
7373 signatureRSAPKCS1WithSHA512,
7374 signatureRSAPKCS1WithSHA1,
7375 },
7376 },
7377 flags: []string{
7378 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7379 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7380 "-digest-prefs", "SHA256",
7381 },
7382 shouldFail: true,
7383 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7384 })
7385 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7386 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7387 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7388 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7389 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7390 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7391 signatureRSAPKCS1WithSHA512,
7392 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7393 },
7394 },
7395 flags: []string{
7396 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7397 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7398 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7399 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7400 shouldFail: true,
7401 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7402 })
7403 testCases = append(testCases, testCase{
7404 name: "NoCommonAlgorithms-TLS13",
7405 config: Config{
7406 MaxVersion: VersionTLS13,
7407 ClientAuth: RequireAnyClientCert,
7408 VerifySignatureAlgorithms: []signatureAlgorithm{
7409 signatureRSAPSSWithSHA512,
7410 signatureRSAPSSWithSHA384,
7411 },
7412 },
7413 flags: []string{
7414 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7415 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7416 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7417 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7418 shouldFail: true,
7419 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7420 })
7421 testCases = append(testCases, testCase{
7422 name: "Agree-Digest-SHA256",
7423 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7424 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7425 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7426 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7427 signatureRSAPKCS1WithSHA1,
7428 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7429 },
7430 },
7431 flags: []string{
7432 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7433 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7434 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7435 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7436 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7437 })
7438 testCases = append(testCases, testCase{
7439 name: "Agree-Digest-SHA1",
7440 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7441 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7442 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7443 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7444 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7445 },
7446 },
7447 flags: []string{
7448 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7449 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7450 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7451 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7452 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7453 })
7454 testCases = append(testCases, testCase{
7455 name: "Agree-Digest-Default",
7456 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7457 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7458 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7459 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7460 signatureRSAPKCS1WithSHA256,
7461 signatureECDSAWithP256AndSHA256,
7462 signatureRSAPKCS1WithSHA1,
7463 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7464 },
7465 },
7466 flags: []string{
7467 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7468 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7469 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7470 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7471 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7472
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7473 // Test that the signing preference list may include extra algorithms
7474 // without negotiation problems.
7475 testCases = append(testCases, testCase{
7476 testType: serverTest,
7477 name: "FilterExtraAlgorithms",
7478 config: Config{
7479 MaxVersion: VersionTLS12,
7480 VerifySignatureAlgorithms: []signatureAlgorithm{
7481 signatureRSAPKCS1WithSHA256,
7482 },
7483 },
7484 flags: []string{
7485 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7486 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7487 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7488 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7489 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7490 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7491 },
7492 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7493 })
7494
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7495 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7496 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7497 testCases = append(testCases, testCase{
7498 name: "CheckLeafCurve",
7499 config: Config{
7500 MaxVersion: VersionTLS12,
7501 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7502 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7503 },
7504 flags: []string{"-p384-only"},
7505 shouldFail: true,
7506 expectedError: ":BAD_ECC_CERT:",
7507 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7508
7509 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7510 testCases = append(testCases, testCase{
7511 name: "CheckLeafCurve-TLS13",
7512 config: Config{
7513 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7514 Certificates: []Certificate{ecdsaP256Certificate},
7515 },
7516 flags: []string{"-p384-only"},
7517 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7518
7519 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7520 testCases = append(testCases, testCase{
7521 name: "ECDSACurveMismatch-Verify-TLS12",
7522 config: Config{
7523 MaxVersion: VersionTLS12,
7524 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7525 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7526 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7527 signatureECDSAWithP384AndSHA384,
7528 },
7529 },
7530 })
7531
7532 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7533 testCases = append(testCases, testCase{
7534 name: "ECDSACurveMismatch-Verify-TLS13",
7535 config: Config{
7536 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7537 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7538 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7539 signatureECDSAWithP384AndSHA384,
7540 },
7541 Bugs: ProtocolBugs{
7542 SkipECDSACurveCheck: true,
7543 },
7544 },
7545 shouldFail: true,
7546 expectedError: ":WRONG_SIGNATURE_TYPE:",
7547 })
7548
7549 // Signature algorithm selection in TLS 1.3 should take the curve into
7550 // account.
7551 testCases = append(testCases, testCase{
7552 testType: serverTest,
7553 name: "ECDSACurveMismatch-Sign-TLS13",
7554 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7555 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7556 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7557 signatureECDSAWithP384AndSHA384,
7558 signatureECDSAWithP256AndSHA256,
7559 },
7560 },
7561 flags: []string{
7562 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7563 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7564 },
7565 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7566 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7567
7568 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7569 // server does not attempt to sign in that case.
7570 testCases = append(testCases, testCase{
7571 testType: serverTest,
7572 name: "RSA-PSS-Large",
7573 config: Config{
7574 MaxVersion: VersionTLS13,
7575 VerifySignatureAlgorithms: []signatureAlgorithm{
7576 signatureRSAPSSWithSHA512,
7577 },
7578 },
7579 flags: []string{
7580 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7581 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7582 },
7583 shouldFail: true,
7584 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7585 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7586
7587 // Test that RSA-PSS is enabled by default for TLS 1.2.
7588 testCases = append(testCases, testCase{
7589 testType: clientTest,
7590 name: "RSA-PSS-Default-Verify",
7591 config: Config{
7592 MaxVersion: VersionTLS12,
7593 SignSignatureAlgorithms: []signatureAlgorithm{
7594 signatureRSAPSSWithSHA256,
7595 },
7596 },
7597 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7598 })
7599
7600 testCases = append(testCases, testCase{
7601 testType: serverTest,
7602 name: "RSA-PSS-Default-Sign",
7603 config: Config{
7604 MaxVersion: VersionTLS12,
7605 VerifySignatureAlgorithms: []signatureAlgorithm{
7606 signatureRSAPSSWithSHA256,
7607 },
7608 },
7609 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7610 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7611
7612 // TLS 1.1 and below has no way to advertise support for or negotiate
7613 // Ed25519's signature algorithm.
7614 testCases = append(testCases, testCase{
7615 testType: clientTest,
7616 name: "NoEd25519-TLS11-ServerAuth-Verify",
7617 config: Config{
7618 MaxVersion: VersionTLS11,
7619 Certificates: []Certificate{ed25519Certificate},
7620 Bugs: ProtocolBugs{
7621 // Sign with Ed25519 even though it is TLS 1.1.
7622 UseLegacySigningAlgorithm: signatureEd25519,
7623 },
7624 },
7625 flags: []string{"-enable-ed25519"},
7626 shouldFail: true,
7627 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7628 })
7629 testCases = append(testCases, testCase{
7630 testType: serverTest,
7631 name: "NoEd25519-TLS11-ServerAuth-Sign",
7632 config: Config{
7633 MaxVersion: VersionTLS11,
7634 },
7635 flags: []string{
7636 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7637 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7638 },
7639 shouldFail: true,
7640 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7641 })
7642 testCases = append(testCases, testCase{
7643 testType: serverTest,
7644 name: "NoEd25519-TLS11-ClientAuth-Verify",
7645 config: Config{
7646 MaxVersion: VersionTLS11,
7647 Certificates: []Certificate{ed25519Certificate},
7648 Bugs: ProtocolBugs{
7649 // Sign with Ed25519 even though it is TLS 1.1.
7650 UseLegacySigningAlgorithm: signatureEd25519,
7651 },
7652 },
7653 flags: []string{
7654 "-enable-ed25519",
7655 "-require-any-client-certificate",
7656 },
7657 shouldFail: true,
7658 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7659 })
7660 testCases = append(testCases, testCase{
7661 testType: clientTest,
7662 name: "NoEd25519-TLS11-ClientAuth-Sign",
7663 config: Config{
7664 MaxVersion: VersionTLS11,
7665 ClientAuth: RequireAnyClientCert,
7666 },
7667 flags: []string{
7668 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7669 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7670 },
7671 shouldFail: true,
7672 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7673 })
7674
7675 // Test Ed25519 is not advertised by default.
7676 testCases = append(testCases, testCase{
7677 testType: clientTest,
7678 name: "Ed25519DefaultDisable-NoAdvertise",
7679 config: Config{
7680 Certificates: []Certificate{ed25519Certificate},
7681 },
7682 shouldFail: true,
7683 expectedLocalError: "tls: no common signature algorithms",
7684 })
7685
7686 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7687 // preferences.
7688 testCases = append(testCases, testCase{
7689 testType: clientTest,
7690 name: "Ed25519DefaultDisable-NoAccept",
7691 config: Config{
7692 Certificates: []Certificate{ed25519Certificate},
7693 Bugs: ProtocolBugs{
7694 IgnorePeerSignatureAlgorithmPreferences: true,
7695 },
7696 },
7697 shouldFail: true,
7698 expectedLocalError: "remote error: illegal parameter",
7699 expectedError: ":WRONG_SIGNATURE_TYPE:",
7700 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame]7701
7702 // Test that configuring verify preferences changes what the client
7703 // advertises.
7704 testCases = append(testCases, testCase{
7705 name: "VerifyPreferences-Advertised",
7706 config: Config{
7707 Certificates: []Certificate{rsaCertificate},
7708 SignSignatureAlgorithms: []signatureAlgorithm{
7709 signatureRSAPSSWithSHA256,
7710 signatureRSAPSSWithSHA384,
7711 signatureRSAPSSWithSHA512,
7712 },
7713 },
7714 flags: []string{
7715 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7716 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7717 },
7718 })
7719
7720 // Test that the client advertises a set which the runner can find
7721 // nothing in common with.
7722 testCases = append(testCases, testCase{
7723 name: "VerifyPreferences-NoCommonAlgorithms",
7724 config: Config{
7725 Certificates: []Certificate{rsaCertificate},
7726 SignSignatureAlgorithms: []signatureAlgorithm{
7727 signatureRSAPSSWithSHA256,
7728 signatureRSAPSSWithSHA512,
7729 },
7730 },
7731 flags: []string{
7732 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7733 },
7734 shouldFail: true,
7735 expectedLocalError: "tls: no common signature algorithms",
7736 })
7737
7738 // Test that the client enforces its preferences when configured.
7739 testCases = append(testCases, testCase{
7740 name: "VerifyPreferences-Enforced",
7741 config: Config{
7742 Certificates: []Certificate{rsaCertificate},
7743 SignSignatureAlgorithms: []signatureAlgorithm{
7744 signatureRSAPSSWithSHA256,
7745 signatureRSAPSSWithSHA512,
7746 },
7747 Bugs: ProtocolBugs{
7748 IgnorePeerSignatureAlgorithmPreferences: true,
7749 },
7750 },
7751 flags: []string{
7752 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7753 },
7754 shouldFail: true,
7755 expectedLocalError: "remote error: illegal parameter",
7756 expectedError: ":WRONG_SIGNATURE_TYPE:",
7757 })
7758
7759 // Test that explicitly configuring Ed25519 is as good as changing the
7760 // boolean toggle.
7761 testCases = append(testCases, testCase{
7762 name: "VerifyPreferences-Ed25519",
7763 config: Config{
7764 Certificates: []Certificate{ed25519Certificate},
7765 },
7766 flags: []string{
7767 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7768 },
7769 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7770}
7771
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7772// timeouts is the retransmit schedule for BoringSSL. It doubles and
7773// caps at 60 seconds. On the 13th timeout, it gives up.
7774var timeouts = []time.Duration{
7775 1 * time.Second,
7776 2 * time.Second,
7777 4 * time.Second,
7778 8 * time.Second,
7779 16 * time.Second,
7780 32 * time.Second,
7781 60 * time.Second,
7782 60 * time.Second,
7783 60 * time.Second,
7784 60 * time.Second,
7785 60 * time.Second,
7786 60 * time.Second,
7787 60 * time.Second,
7788}
7789
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7790// shortTimeouts is an alternate set of timeouts which would occur if the
7791// initial timeout duration was set to 250ms.
7792var shortTimeouts = []time.Duration{
7793 250 * time.Millisecond,
7794 500 * time.Millisecond,
7795 1 * time.Second,
7796 2 * time.Second,
7797 4 * time.Second,
7798 8 * time.Second,
7799 16 * time.Second,
7800 32 * time.Second,
7801 60 * time.Second,
7802 60 * time.Second,
7803 60 * time.Second,
7804 60 * time.Second,
7805 60 * time.Second,
7806}
7807
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7808func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7809 // These tests work by coordinating some behavior on both the shim and
7810 // the runner.
7811 //
7812 // TimeoutSchedule configures the runner to send a series of timeout
7813 // opcodes to the shim (see packetAdaptor) immediately before reading
7814 // each peer handshake flight N. The timeout opcode both simulates a
7815 // timeout in the shim and acts as a synchronization point to help the
7816 // runner bracket each handshake flight.
7817 //
7818 // We assume the shim does not read from the channel eagerly. It must
7819 // first wait until it has sent flight N and is ready to receive
7820 // handshake flight N+1. At this point, it will process the timeout
7821 // opcode. It must then immediately respond with a timeout ACK and act
7822 // as if the shim was idle for the specified amount of time.
7823 //
7824 // The runner then drops all packets received before the ACK and
7825 // continues waiting for flight N. This ordering results in one attempt
7826 // at sending flight N to be dropped. For the test to complete, the
7827 // shim must send flight N again, testing that the shim implements DTLS
7828 // retransmit on a timeout.
7829
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7830 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7831 // likely be more epochs to cross and the final message's retransmit may
7832 // be more complex.
7833
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7834 // Test that this is indeed the timeout schedule. Stress all
7835 // four patterns of handshake.
7836 for i := 1; i < len(timeouts); i++ {
7837 number := strconv.Itoa(i)
7838 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7839 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7840 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7841 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7842 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7843 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7844 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7845 },
7846 },
7847 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7848 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7849 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7850 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7851 protocol: dtls,
7852 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7853 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7854 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7855 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7856 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7857 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7858 },
7859 },
7860 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7861 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7862 })
7863 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7864
7865 // Test that exceeding the timeout schedule hits a read
7866 // timeout.
7867 testCases = append(testCases, testCase{
7868 protocol: dtls,
7869 name: "DTLS-Retransmit-Timeout",
7870 config: Config{
7871 MaxVersion: VersionTLS12,
7872 Bugs: ProtocolBugs{
7873 TimeoutSchedule: timeouts,
7874 },
7875 },
7876 resumeSession: true,
7877 flags: []string{"-async"},
7878 shouldFail: true,
7879 expectedError: ":READ_TIMEOUT_EXPIRED:",
7880 })
7881
7882 // Test that timeout handling has a fudge factor, due to API
7883 // problems.
7884 testCases = append(testCases, testCase{
7885 protocol: dtls,
7886 name: "DTLS-Retransmit-Fudge",
7887 config: Config{
7888 MaxVersion: VersionTLS12,
7889 Bugs: ProtocolBugs{
7890 TimeoutSchedule: []time.Duration{
7891 timeouts[0] - 10*time.Millisecond,
7892 },
7893 },
7894 },
7895 resumeSession: true,
7896 flags: []string{"-async"},
7897 })
7898
7899 // Test that the final Finished retransmitting isn't
7900 // duplicated if the peer badly fragments everything.
7901 testCases = append(testCases, testCase{
7902 testType: serverTest,
7903 protocol: dtls,
7904 name: "DTLS-Retransmit-Fragmented",
7905 config: Config{
7906 MaxVersion: VersionTLS12,
7907 Bugs: ProtocolBugs{
7908 TimeoutSchedule: []time.Duration{timeouts[0]},
7909 MaxHandshakeRecordLength: 2,
7910 },
7911 },
7912 flags: []string{"-async"},
7913 })
7914
7915 // Test the timeout schedule when a shorter initial timeout duration is set.
7916 testCases = append(testCases, testCase{
7917 protocol: dtls,
7918 name: "DTLS-Retransmit-Short-Client",
7919 config: Config{
7920 MaxVersion: VersionTLS12,
7921 Bugs: ProtocolBugs{
7922 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7923 },
7924 },
7925 resumeSession: true,
7926 flags: []string{
7927 "-async",
7928 "-initial-timeout-duration-ms", "250",
7929 },
7930 })
7931 testCases = append(testCases, testCase{
7932 protocol: dtls,
7933 testType: serverTest,
7934 name: "DTLS-Retransmit-Short-Server",
7935 config: Config{
7936 MaxVersion: VersionTLS12,
7937 Bugs: ProtocolBugs{
7938 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7939 },
7940 },
7941 resumeSession: true,
7942 flags: []string{
7943 "-async",
7944 "-initial-timeout-duration-ms", "250",
7945 },
7946 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7947}
7948
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7949func addExportKeyingMaterialTests() {
7950 for _, vers := range tlsVersions {
7951 if vers.version == VersionSSL30 {
7952 continue
7953 }
7954 testCases = append(testCases, testCase{
7955 name: "ExportKeyingMaterial-" + vers.name,
7956 config: Config{
7957 MaxVersion: vers.version,
7958 },
7959 exportKeyingMaterial: 1024,
7960 exportLabel: "label",
7961 exportContext: "context",
7962 useExportContext: true,
7963 })
7964 testCases = append(testCases, testCase{
7965 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7966 config: Config{
7967 MaxVersion: vers.version,
7968 },
7969 exportKeyingMaterial: 1024,
7970 })
7971 testCases = append(testCases, testCase{
7972 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7973 config: Config{
7974 MaxVersion: vers.version,
7975 },
7976 exportKeyingMaterial: 1024,
7977 useExportContext: true,
7978 })
7979 testCases = append(testCases, testCase{
7980 name: "ExportKeyingMaterial-Small-" + vers.name,
7981 config: Config{
7982 MaxVersion: vers.version,
7983 },
7984 exportKeyingMaterial: 1,
7985 exportLabel: "label",
7986 exportContext: "context",
7987 useExportContext: true,
7988 })
7989 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7990
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7991 testCases = append(testCases, testCase{
7992 name: "ExportKeyingMaterial-SSL3",
7993 config: Config{
7994 MaxVersion: VersionSSL30,
7995 },
7996 exportKeyingMaterial: 1024,
7997 exportLabel: "label",
7998 exportContext: "context",
7999 useExportContext: true,
8000 shouldFail: true,
8001 expectedError: "failed to export keying material",
8002 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8003
8004 // Exporters work during a False Start.
8005 testCases = append(testCases, testCase{
8006 name: "ExportKeyingMaterial-FalseStart",
8007 config: Config{
8008 MaxVersion: VersionTLS12,
8009 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8010 NextProtos: []string{"foo"},
8011 Bugs: ProtocolBugs{
8012 ExpectFalseStart: true,
8013 },
8014 },
8015 flags: []string{
8016 "-false-start",
8017 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8018 "-expect-alpn", "foo",
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8019 },
8020 shimWritesFirst: true,
8021 exportKeyingMaterial: 1024,
8022 exportLabel: "label",
8023 exportContext: "context",
8024 useExportContext: true,
8025 })
8026
8027 // Exporters do not work in the middle of a renegotiation. Test this by
8028 // triggering the exporter after every SSL_read call and configuring the
8029 // shim to run asynchronously.
8030 testCases = append(testCases, testCase{
8031 name: "ExportKeyingMaterial-Renegotiate",
8032 config: Config{
8033 MaxVersion: VersionTLS12,
8034 },
8035 renegotiate: 1,
8036 flags: []string{
8037 "-async",
8038 "-use-exporter-between-reads",
8039 "-renegotiate-freely",
8040 "-expect-total-renegotiations", "1",
8041 },
8042 shouldFail: true,
8043 expectedError: "failed to export keying material",
8044 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8045}
8046
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8047func addTLSUniqueTests() {
8048 for _, isClient := range []bool{false, true} {
8049 for _, isResumption := range []bool{false, true} {
8050 for _, hasEMS := range []bool{false, true} {
8051 var suffix string
8052 if isResumption {
8053 suffix = "Resume-"
8054 } else {
8055 suffix = "Full-"
8056 }
8057
8058 if hasEMS {
8059 suffix += "EMS-"
8060 } else {
8061 suffix += "NoEMS-"
8062 }
8063
8064 if isClient {
8065 suffix += "Client"
8066 } else {
8067 suffix += "Server"
8068 }
8069
8070 test := testCase{
8071 name: "TLSUnique-" + suffix,
8072 testTLSUnique: true,
8073 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8074 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8075 Bugs: ProtocolBugs{
8076 NoExtendedMasterSecret: !hasEMS,
8077 },
8078 },
8079 }
8080
8081 if isResumption {
8082 test.resumeSession = true
8083 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8084 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8085 Bugs: ProtocolBugs{
8086 NoExtendedMasterSecret: !hasEMS,
8087 },
8088 }
8089 }
8090
8091 if isResumption && !hasEMS {
8092 test.shouldFail = true
8093 test.expectedError = "failed to get tls-unique"
8094 }
8095
8096 testCases = append(testCases, test)
8097 }
8098 }
8099 }
8100}
8101
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8102func addCustomExtensionTests() {
8103 expectedContents := "custom extension"
8104 emptyString := ""
8105
8106 for _, isClient := range []bool{false, true} {
8107 suffix := "Server"
8108 flag := "-enable-server-custom-extension"
8109 testType := serverTest
8110 if isClient {
8111 suffix = "Client"
8112 flag = "-enable-client-custom-extension"
8113 testType = clientTest
8114 }
8115
8116 testCases = append(testCases, testCase{
8117 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8118 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8119 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8120 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8121 Bugs: ProtocolBugs{
8122 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8123 ExpectedCustomExtension: &expectedContents,
8124 },
8125 },
8126 flags: []string{flag},
8127 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8128 testCases = append(testCases, testCase{
8129 testType: testType,
8130 name: "CustomExtensions-" + suffix + "-TLS13",
8131 config: Config{
8132 MaxVersion: VersionTLS13,
8133 Bugs: ProtocolBugs{
8134 CustomExtension: expectedContents,
8135 ExpectedCustomExtension: &expectedContents,
8136 },
8137 },
8138 flags: []string{flag},
8139 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8140
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8141 // 0-RTT is not currently supported with Custom Extensions.
8142 testCases = append(testCases, testCase{
8143 testType: testType,
8144 name: "CustomExtensions-" + suffix + "-EarlyData",
8145 config: Config{
8146 MaxVersion: VersionTLS13,
8147 Bugs: ProtocolBugs{
8148 CustomExtension: expectedContents,
8149 ExpectedCustomExtension: &expectedContents,
8150 },
8151 },
8152 shouldFail: true,
8153 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8154 flags: []string{flag, "-enable-early-data"},
8155 })
8156
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8157 // If the parse callback fails, the handshake should also fail.
8158 testCases = append(testCases, testCase{
8159 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8160 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8161 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8162 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8163 Bugs: ProtocolBugs{
8164 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8165 ExpectedCustomExtension: &expectedContents,
8166 },
8167 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8168 flags: []string{flag},
8169 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8170 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8171 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8172 testCases = append(testCases, testCase{
8173 testType: testType,
8174 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8175 config: Config{
8176 MaxVersion: VersionTLS13,
8177 Bugs: ProtocolBugs{
8178 CustomExtension: expectedContents + "foo",
8179 ExpectedCustomExtension: &expectedContents,
8180 },
8181 },
8182 flags: []string{flag},
8183 shouldFail: true,
8184 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8185 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8186
8187 // If the add callback fails, the handshake should also fail.
8188 testCases = append(testCases, testCase{
8189 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8190 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8191 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8192 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8193 Bugs: ProtocolBugs{
8194 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8195 ExpectedCustomExtension: &expectedContents,
8196 },
8197 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8198 flags: []string{flag, "-custom-extension-fail-add"},
8199 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8200 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8201 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8202 testCases = append(testCases, testCase{
8203 testType: testType,
8204 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8205 config: Config{
8206 MaxVersion: VersionTLS13,
8207 Bugs: ProtocolBugs{
8208 CustomExtension: expectedContents,
8209 ExpectedCustomExtension: &expectedContents,
8210 },
8211 },
8212 flags: []string{flag, "-custom-extension-fail-add"},
8213 shouldFail: true,
8214 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8215 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8216
8217 // If the add callback returns zero, no extension should be
8218 // added.
8219 skipCustomExtension := expectedContents
8220 if isClient {
8221 // For the case where the client skips sending the
8222 // custom extension, the server must not “echo” it.
8223 skipCustomExtension = ""
8224 }
8225 testCases = append(testCases, testCase{
8226 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8227 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8228 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8229 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8230 Bugs: ProtocolBugs{
8231 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8232 ExpectedCustomExtension: &emptyString,
8233 },
8234 },
8235 flags: []string{flag, "-custom-extension-skip"},
8236 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8237 testCases = append(testCases, testCase{
8238 testType: testType,
8239 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8240 config: Config{
8241 MaxVersion: VersionTLS13,
8242 Bugs: ProtocolBugs{
8243 CustomExtension: skipCustomExtension,
8244 ExpectedCustomExtension: &emptyString,
8245 },
8246 },
8247 flags: []string{flag, "-custom-extension-skip"},
8248 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8249 }
8250
8251 // The custom extension add callback should not be called if the client
8252 // doesn't send the extension.
8253 testCases = append(testCases, testCase{
8254 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8255 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8256 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8257 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8258 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8259 ExpectedCustomExtension: &emptyString,
8260 },
8261 },
8262 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8263 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8264
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8265 testCases = append(testCases, testCase{
8266 testType: serverTest,
8267 name: "CustomExtensions-NotCalled-Server-TLS13",
8268 config: Config{
8269 MaxVersion: VersionTLS13,
8270 Bugs: ProtocolBugs{
8271 ExpectedCustomExtension: &emptyString,
8272 },
8273 },
8274 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8275 })
8276
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8277 // Test an unknown extension from the server.
8278 testCases = append(testCases, testCase{
8279 testType: clientTest,
8280 name: "UnknownExtension-Client",
8281 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8282 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8283 Bugs: ProtocolBugs{
8284 CustomExtension: expectedContents,
8285 },
8286 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8287 shouldFail: true,
8288 expectedError: ":UNEXPECTED_EXTENSION:",
8289 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8290 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8291 testCases = append(testCases, testCase{
8292 testType: clientTest,
8293 name: "UnknownExtension-Client-TLS13",
8294 config: Config{
8295 MaxVersion: VersionTLS13,
8296 Bugs: ProtocolBugs{
8297 CustomExtension: expectedContents,
8298 },
8299 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8300 shouldFail: true,
8301 expectedError: ":UNEXPECTED_EXTENSION:",
8302 expectedLocalError: "remote error: unsupported extension",
8303 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8304 testCases = append(testCases, testCase{
8305 testType: clientTest,
8306 name: "UnknownUnencryptedExtension-Client-TLS13",
8307 config: Config{
8308 MaxVersion: VersionTLS13,
8309 Bugs: ProtocolBugs{
8310 CustomUnencryptedExtension: expectedContents,
8311 },
8312 },
8313 shouldFail: true,
8314 expectedError: ":UNEXPECTED_EXTENSION:",
8315 // The shim must send an alert, but alerts at this point do not
8316 // get successfully decrypted by the runner.
8317 expectedLocalError: "local error: bad record MAC",
8318 })
8319 testCases = append(testCases, testCase{
8320 testType: clientTest,
8321 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8322 config: Config{
8323 MaxVersion: VersionTLS13,
8324 Bugs: ProtocolBugs{
8325 SendUnencryptedALPN: "foo",
8326 },
8327 },
8328 flags: []string{
8329 "-advertise-alpn", "\x03foo\x03bar",
8330 },
8331 shouldFail: true,
8332 expectedError: ":UNEXPECTED_EXTENSION:",
8333 // The shim must send an alert, but alerts at this point do not
8334 // get successfully decrypted by the runner.
8335 expectedLocalError: "local error: bad record MAC",
8336 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8337
8338 // Test a known but unoffered extension from the server.
8339 testCases = append(testCases, testCase{
8340 testType: clientTest,
8341 name: "UnofferedExtension-Client",
8342 config: Config{
8343 MaxVersion: VersionTLS12,
8344 Bugs: ProtocolBugs{
8345 SendALPN: "alpn",
8346 },
8347 },
8348 shouldFail: true,
8349 expectedError: ":UNEXPECTED_EXTENSION:",
8350 expectedLocalError: "remote error: unsupported extension",
8351 })
8352 testCases = append(testCases, testCase{
8353 testType: clientTest,
8354 name: "UnofferedExtension-Client-TLS13",
8355 config: Config{
8356 MaxVersion: VersionTLS13,
8357 Bugs: ProtocolBugs{
8358 SendALPN: "alpn",
8359 },
8360 },
8361 shouldFail: true,
8362 expectedError: ":UNEXPECTED_EXTENSION:",
8363 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8364 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8365}
8366
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8367func addRSAClientKeyExchangeTests() {
8368 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8369 testCases = append(testCases, testCase{
8370 testType: serverTest,
8371 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8372 config: Config{
8373 // Ensure the ClientHello version and final
8374 // version are different, to detect if the
8375 // server uses the wrong one.
8376 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8377 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8378 Bugs: ProtocolBugs{
8379 BadRSAClientKeyExchange: bad,
8380 },
8381 },
8382 shouldFail: true,
8383 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8384 })
8385 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8386
8387 // The server must compare whatever was in ClientHello.version for the
8388 // RSA premaster.
8389 testCases = append(testCases, testCase{
8390 testType: serverTest,
8391 name: "SendClientVersion-RSA",
8392 config: Config{
8393 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8394 Bugs: ProtocolBugs{
8395 SendClientVersion: 0x1234,
8396 },
8397 },
8398 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8399 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8400}
8401
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8402var testCurves = []struct {
8403 name string
8404 id CurveID
8405}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8406 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8407 {"P-256", CurveP256},
8408 {"P-384", CurveP384},
8409 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8410 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8411}
8412
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8413const bogusCurve = 0x1234
8414
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8415func addCurveTests() {
8416 for _, curve := range testCurves {
8417 testCases = append(testCases, testCase{
8418 name: "CurveTest-Client-" + curve.name,
8419 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8420 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8421 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8422 CurvePreferences: []CurveID{curve.id},
8423 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8424 flags: []string{
8425 "-enable-all-curves",
8426 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8427 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8428 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8429 })
8430 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8431 name: "CurveTest-Client-" + curve.name + "-TLS13",
8432 config: Config{
8433 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8434 CurvePreferences: []CurveID{curve.id},
8435 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8436 flags: []string{
8437 "-enable-all-curves",
8438 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8439 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8440 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8441 })
8442 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8443 testType: serverTest,
8444 name: "CurveTest-Server-" + curve.name,
8445 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8446 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8447 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8448 CurvePreferences: []CurveID{curve.id},
8449 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8450 flags: []string{
8451 "-enable-all-curves",
8452 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8453 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8454 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8455 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8456 testCases = append(testCases, testCase{
8457 testType: serverTest,
8458 name: "CurveTest-Server-" + curve.name + "-TLS13",
8459 config: Config{
8460 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8461 CurvePreferences: []CurveID{curve.id},
8462 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8463 flags: []string{
8464 "-enable-all-curves",
8465 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8466 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8467 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8468 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8469 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8470
8471 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8472 testCases = append(testCases, testCase{
8473 testType: serverTest,
8474 name: "UnknownCurve",
8475 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8476 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8477 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8478 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8479 },
8480 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8481
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8482 // The server must be tolerant to bogus curves.
8483 testCases = append(testCases, testCase{
8484 testType: serverTest,
8485 name: "UnknownCurve-TLS13",
8486 config: Config{
8487 MaxVersion: VersionTLS13,
8488 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8489 },
8490 })
8491
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8492 // The server must not consider ECDHE ciphers when there are no
8493 // supported curves.
8494 testCases = append(testCases, testCase{
8495 testType: serverTest,
8496 name: "NoSupportedCurves",
8497 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8498 MaxVersion: VersionTLS12,
8499 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8500 Bugs: ProtocolBugs{
8501 NoSupportedCurves: true,
8502 },
8503 },
8504 shouldFail: true,
8505 expectedError: ":NO_SHARED_CIPHER:",
8506 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8507 testCases = append(testCases, testCase{
8508 testType: serverTest,
8509 name: "NoSupportedCurves-TLS13",
8510 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8511 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8512 Bugs: ProtocolBugs{
8513 NoSupportedCurves: true,
8514 },
8515 },
8516 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8517 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8518 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8519
8520 // The server must fall back to another cipher when there are no
8521 // supported curves.
8522 testCases = append(testCases, testCase{
8523 testType: serverTest,
8524 name: "NoCommonCurves",
8525 config: Config{
8526 MaxVersion: VersionTLS12,
8527 CipherSuites: []uint16{
8528 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8529 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8530 },
8531 CurvePreferences: []CurveID{CurveP224},
8532 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8533 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8534 })
8535
8536 // The client must reject bogus curves and disabled curves.
8537 testCases = append(testCases, testCase{
8538 name: "BadECDHECurve",
8539 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8540 MaxVersion: VersionTLS12,
8541 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8542 Bugs: ProtocolBugs{
8543 SendCurve: bogusCurve,
8544 },
8545 },
8546 shouldFail: true,
8547 expectedError: ":WRONG_CURVE:",
8548 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8549 testCases = append(testCases, testCase{
8550 name: "BadECDHECurve-TLS13",
8551 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8552 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8553 Bugs: ProtocolBugs{
8554 SendCurve: bogusCurve,
8555 },
8556 },
8557 shouldFail: true,
8558 expectedError: ":WRONG_CURVE:",
8559 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8560
8561 testCases = append(testCases, testCase{
8562 name: "UnsupportedCurve",
8563 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8564 MaxVersion: VersionTLS12,
8565 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8566 CurvePreferences: []CurveID{CurveP256},
8567 Bugs: ProtocolBugs{
8568 IgnorePeerCurvePreferences: true,
8569 },
8570 },
8571 flags: []string{"-p384-only"},
8572 shouldFail: true,
8573 expectedError: ":WRONG_CURVE:",
8574 })
8575
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8576 testCases = append(testCases, testCase{
8577 // TODO(davidben): Add a TLS 1.3 version where
8578 // HelloRetryRequest requests an unsupported curve.
8579 name: "UnsupportedCurve-ServerHello-TLS13",
8580 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8581 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8582 CurvePreferences: []CurveID{CurveP384},
8583 Bugs: ProtocolBugs{
8584 SendCurve: CurveP256,
8585 },
8586 },
8587 flags: []string{"-p384-only"},
8588 shouldFail: true,
8589 expectedError: ":WRONG_CURVE:",
8590 })
8591
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8592 // Test invalid curve points.
8593 testCases = append(testCases, testCase{
8594 name: "InvalidECDHPoint-Client",
8595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8596 MaxVersion: VersionTLS12,
8597 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8598 CurvePreferences: []CurveID{CurveP256},
8599 Bugs: ProtocolBugs{
8600 InvalidECDHPoint: true,
8601 },
8602 },
8603 shouldFail: true,
8604 expectedError: ":INVALID_ENCODING:",
8605 })
8606 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8607 name: "InvalidECDHPoint-Client-TLS13",
8608 config: Config{
8609 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8610 CurvePreferences: []CurveID{CurveP256},
8611 Bugs: ProtocolBugs{
8612 InvalidECDHPoint: true,
8613 },
8614 },
8615 shouldFail: true,
8616 expectedError: ":INVALID_ENCODING:",
8617 })
8618 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8619 testType: serverTest,
8620 name: "InvalidECDHPoint-Server",
8621 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8622 MaxVersion: VersionTLS12,
8623 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8624 CurvePreferences: []CurveID{CurveP256},
8625 Bugs: ProtocolBugs{
8626 InvalidECDHPoint: true,
8627 },
8628 },
8629 shouldFail: true,
8630 expectedError: ":INVALID_ENCODING:",
8631 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8632 testCases = append(testCases, testCase{
8633 testType: serverTest,
8634 name: "InvalidECDHPoint-Server-TLS13",
8635 config: Config{
8636 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8637 CurvePreferences: []CurveID{CurveP256},
8638 Bugs: ProtocolBugs{
8639 InvalidECDHPoint: true,
8640 },
8641 },
8642 shouldFail: true,
8643 expectedError: ":INVALID_ENCODING:",
8644 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8645
8646 // The previous curve ID should be reported on TLS 1.2 resumption.
8647 testCases = append(testCases, testCase{
8648 name: "CurveID-Resume-Client",
8649 config: Config{
8650 MaxVersion: VersionTLS12,
8651 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8652 CurvePreferences: []CurveID{CurveX25519},
8653 },
8654 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8655 resumeSession: true,
8656 })
8657 testCases = append(testCases, testCase{
8658 testType: serverTest,
8659 name: "CurveID-Resume-Server",
8660 config: Config{
8661 MaxVersion: VersionTLS12,
8662 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8663 CurvePreferences: []CurveID{CurveX25519},
8664 },
8665 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8666 resumeSession: true,
8667 })
8668
8669 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8670 // one should be reported.
8671 testCases = append(testCases, testCase{
8672 name: "CurveID-Resume-Client-TLS13",
8673 config: Config{
8674 MaxVersion: VersionTLS13,
8675 CurvePreferences: []CurveID{CurveX25519},
8676 },
8677 resumeConfig: &Config{
8678 MaxVersion: VersionTLS13,
8679 CurvePreferences: []CurveID{CurveP256},
8680 },
8681 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8682 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8683 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8684 },
8685 resumeSession: true,
8686 })
8687 testCases = append(testCases, testCase{
8688 testType: serverTest,
8689 name: "CurveID-Resume-Server-TLS13",
8690 config: Config{
8691 MaxVersion: VersionTLS13,
8692 CurvePreferences: []CurveID{CurveX25519},
8693 },
8694 resumeConfig: &Config{
8695 MaxVersion: VersionTLS13,
8696 CurvePreferences: []CurveID{CurveP256},
8697 },
8698 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8699 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8700 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8701 },
8702 resumeSession: true,
8703 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8704
8705 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8706 testCases = append(testCases, testCase{
8707 name: "PointFormat-ServerHello-TLS12",
8708 config: Config{
8709 MaxVersion: VersionTLS12,
8710 Bugs: ProtocolBugs{
8711 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8712 },
8713 },
8714 })
8715 testCases = append(testCases, testCase{
8716 name: "PointFormat-EncryptedExtensions-TLS13",
8717 config: Config{
8718 MaxVersion: VersionTLS13,
8719 Bugs: ProtocolBugs{
8720 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8721 },
8722 },
8723 shouldFail: true,
8724 expectedError: ":ERROR_PARSING_EXTENSION:",
8725 })
8726
8727 // Test that we tolerate unknown point formats, as long as
8728 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8729 // check they are still functional.
8730 testCases = append(testCases, testCase{
8731 name: "PointFormat-Client-Tolerance",
8732 config: Config{
8733 MaxVersion: VersionTLS12,
8734 Bugs: ProtocolBugs{
8735 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8736 },
8737 },
8738 })
8739 testCases = append(testCases, testCase{
8740 testType: serverTest,
8741 name: "PointFormat-Server-Tolerance",
8742 config: Config{
8743 MaxVersion: VersionTLS12,
8744 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8745 Bugs: ProtocolBugs{
8746 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8747 },
8748 },
8749 })
8750
8751 // Test TLS 1.2 does not require the point format extension to be
8752 // present.
8753 testCases = append(testCases, testCase{
8754 name: "PointFormat-Client-Missing",
8755 config: Config{
8756 MaxVersion: VersionTLS12,
8757 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8758 Bugs: ProtocolBugs{
8759 SendSupportedPointFormats: []byte{},
8760 },
8761 },
8762 })
8763 testCases = append(testCases, testCase{
8764 testType: serverTest,
8765 name: "PointFormat-Server-Missing",
8766 config: Config{
8767 MaxVersion: VersionTLS12,
8768 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8769 Bugs: ProtocolBugs{
8770 SendSupportedPointFormats: []byte{},
8771 },
8772 },
8773 })
8774
8775 // If the point format extension is present, uncompressed points must be
8776 // offered. BoringSSL requires this whether or not ECDHE is used.
8777 testCases = append(testCases, testCase{
8778 name: "PointFormat-Client-MissingUncompressed",
8779 config: Config{
8780 MaxVersion: VersionTLS12,
8781 Bugs: ProtocolBugs{
8782 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8783 },
8784 },
8785 shouldFail: true,
8786 expectedError: ":ERROR_PARSING_EXTENSION:",
8787 })
8788 testCases = append(testCases, testCase{
8789 testType: serverTest,
8790 name: "PointFormat-Server-MissingUncompressed",
8791 config: Config{
8792 MaxVersion: VersionTLS12,
8793 Bugs: ProtocolBugs{
8794 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8795 },
8796 },
8797 shouldFail: true,
8798 expectedError: ":ERROR_PARSING_EXTENSION:",
8799 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8800}
8801
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8802func addTLS13RecordTests() {
8803 testCases = append(testCases, testCase{
8804 name: "TLS13-RecordPadding",
8805 config: Config{
8806 MaxVersion: VersionTLS13,
8807 MinVersion: VersionTLS13,
8808 Bugs: ProtocolBugs{
8809 RecordPadding: 10,
8810 },
8811 },
8812 })
8813
8814 testCases = append(testCases, testCase{
8815 name: "TLS13-EmptyRecords",
8816 config: Config{
8817 MaxVersion: VersionTLS13,
8818 MinVersion: VersionTLS13,
8819 Bugs: ProtocolBugs{
8820 OmitRecordContents: true,
8821 },
8822 },
8823 shouldFail: true,
8824 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8825 })
8826
8827 testCases = append(testCases, testCase{
8828 name: "TLS13-OnlyPadding",
8829 config: Config{
8830 MaxVersion: VersionTLS13,
8831 MinVersion: VersionTLS13,
8832 Bugs: ProtocolBugs{
8833 OmitRecordContents: true,
8834 RecordPadding: 10,
8835 },
8836 },
8837 shouldFail: true,
8838 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8839 })
8840
8841 testCases = append(testCases, testCase{
8842 name: "TLS13-WrongOuterRecord",
8843 config: Config{
8844 MaxVersion: VersionTLS13,
8845 MinVersion: VersionTLS13,
8846 Bugs: ProtocolBugs{
8847 OuterRecordType: recordTypeHandshake,
8848 },
8849 },
8850 shouldFail: true,
8851 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8852 })
8853}
8854
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8855func addSessionTicketTests() {
8856 testCases = append(testCases, testCase{
8857 // In TLS 1.2 and below, empty NewSessionTicket messages
8858 // mean the server changed its mind on sending a ticket.
8859 name: "SendEmptySessionTicket",
8860 config: Config{
8861 MaxVersion: VersionTLS12,
8862 Bugs: ProtocolBugs{
8863 SendEmptySessionTicket: true,
8864 },
8865 },
8866 flags: []string{"-expect-no-session"},
8867 })
8868
8869 // Test that the server ignores unknown PSK modes.
8870 testCases = append(testCases, testCase{
8871 testType: serverTest,
8872 name: "TLS13-SendUnknownModeSessionTicket-Server",
8873 config: Config{
8874 MaxVersion: VersionTLS13,
8875 Bugs: ProtocolBugs{
8876 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8877 },
8878 },
8879 resumeSession: true,
8880 expectedResumeVersion: VersionTLS13,
8881 })
8882
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8883 // Test that the server does not send session tickets with no matching key exchange mode.
8884 testCases = append(testCases, testCase{
8885 testType: serverTest,
8886 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8887 config: Config{
8888 MaxVersion: VersionTLS13,
8889 Bugs: ProtocolBugs{
8890 SendPSKKeyExchangeModes: []byte{0x1a},
8891 ExpectNoNewSessionTicket: true,
8892 },
8893 },
8894 })
8895
8896 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8897 testCases = append(testCases, testCase{
8898 testType: serverTest,
8899 name: "TLS13-SendBadKEModeSessionTicket-Server",
8900 config: Config{
8901 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8902 },
8903 resumeConfig: &Config{
8904 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8905 Bugs: ProtocolBugs{
8906 SendPSKKeyExchangeModes: []byte{0x1a},
8907 },
8908 },
8909 resumeSession: true,
8910 expectResumeRejected: true,
8911 })
8912
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8913 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8914 testCases = append(testCases, testCase{
8915 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8916 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8917 config: Config{
8918 MaxVersion: VersionTLS13,
8919 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8920 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8921 },
8922 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8923 resumeSession: true,
8924 flags: []string{
8925 "-resumption-delay", "10",
8926 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8927 })
8928
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8929 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8930 testCases = append(testCases, testCase{
8931 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8932 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8933 config: Config{
8934 MaxVersion: VersionTLS13,
8935 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8936 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8937 },
8938 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8939 resumeSession: true,
8940 shouldFail: true,
8941 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8942 })
8943
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8944 // Test that the server's ticket age skew reporting works.
8945 testCases = append(testCases, testCase{
8946 testType: serverTest,
8947 name: "TLS13-TicketAgeSkew-Forward",
8948 config: Config{
8949 MaxVersion: VersionTLS13,
8950 Bugs: ProtocolBugs{
8951 SendTicketAge: 15 * time.Second,
8952 },
8953 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8954 resumeSession: true,
8955 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8956 flags: []string{
8957 "-resumption-delay", "10",
8958 "-expect-ticket-age-skew", "5",
8959 },
8960 })
8961 testCases = append(testCases, testCase{
8962 testType: serverTest,
8963 name: "TLS13-TicketAgeSkew-Backward",
8964 config: Config{
8965 MaxVersion: VersionTLS13,
8966 Bugs: ProtocolBugs{
8967 SendTicketAge: 5 * time.Second,
8968 },
8969 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8970 resumeSession: true,
8971 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8972 flags: []string{
8973 "-resumption-delay", "10",
8974 "-expect-ticket-age-skew", "-5",
8975 },
8976 })
8977
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8978 testCases = append(testCases, testCase{
8979 testType: clientTest,
8980 name: "TLS13-SendTicketEarlyDataInfo",
8981 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8982 MaxVersion: VersionTLS13,
8983 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8984 },
8985 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8986 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8987 "-expect-early-data-info",
8988 },
8989 })
8990
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8991 // Test that 0-RTT tickets are ignored in clients unless opted in.
8992 testCases = append(testCases, testCase{
8993 testType: clientTest,
8994 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8995 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8996 MaxVersion: VersionTLS13,
8997 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8998 },
8999 })
9000
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9001 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9002 testType: clientTest,
9003 name: "TLS13-DuplicateTicketEarlyDataInfo",
9004 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9005 MaxVersion: VersionTLS13,
9006 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9007 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9008 DuplicateTicketEarlyDataInfo: true,
9009 },
9010 },
9011 shouldFail: true,
9012 expectedError: ":DUPLICATE_EXTENSION:",
9013 expectedLocalError: "remote error: illegal parameter",
9014 })
9015
9016 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9017 testType: serverTest,
9018 name: "TLS13-ExpectTicketEarlyDataInfo",
9019 config: Config{
9020 MaxVersion: VersionTLS13,
9021 Bugs: ProtocolBugs{
9022 ExpectTicketEarlyDataInfo: true,
9023 },
9024 },
9025 flags: []string{
9026 "-enable-early-data",
9027 },
9028 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9029
9030 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9031 // is honored.
9032 testCases = append(testCases, testCase{
9033 testType: clientTest,
9034 name: "TLS13-HonorServerSessionTicketLifetime",
9035 config: Config{
9036 MaxVersion: VersionTLS13,
9037 Bugs: ProtocolBugs{
9038 SendTicketLifetime: 20 * time.Second,
9039 },
9040 },
9041 flags: []string{
9042 "-resumption-delay", "19",
9043 },
9044 resumeSession: true,
9045 })
9046 testCases = append(testCases, testCase{
9047 testType: clientTest,
9048 name: "TLS13-HonorServerSessionTicketLifetime-2",
9049 config: Config{
9050 MaxVersion: VersionTLS13,
9051 Bugs: ProtocolBugs{
9052 SendTicketLifetime: 20 * time.Second,
9053 // The client should not offer the expired session.
9054 ExpectNoTLS13PSK: true,
9055 },
9056 },
9057 flags: []string{
9058 "-resumption-delay", "21",
9059 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9060 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9061 expectResumeRejected: true,
9062 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9063}
9064
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9065func addChangeCipherSpecTests() {
9066 // Test missing ChangeCipherSpecs.
9067 testCases = append(testCases, testCase{
9068 name: "SkipChangeCipherSpec-Client",
9069 config: Config{
9070 MaxVersion: VersionTLS12,
9071 Bugs: ProtocolBugs{
9072 SkipChangeCipherSpec: true,
9073 },
9074 },
9075 shouldFail: true,
9076 expectedError: ":UNEXPECTED_RECORD:",
9077 })
9078 testCases = append(testCases, testCase{
9079 testType: serverTest,
9080 name: "SkipChangeCipherSpec-Server",
9081 config: Config{
9082 MaxVersion: VersionTLS12,
9083 Bugs: ProtocolBugs{
9084 SkipChangeCipherSpec: true,
9085 },
9086 },
9087 shouldFail: true,
9088 expectedError: ":UNEXPECTED_RECORD:",
9089 })
9090 testCases = append(testCases, testCase{
9091 testType: serverTest,
9092 name: "SkipChangeCipherSpec-Server-NPN",
9093 config: Config{
9094 MaxVersion: VersionTLS12,
9095 NextProtos: []string{"bar"},
9096 Bugs: ProtocolBugs{
9097 SkipChangeCipherSpec: true,
9098 },
9099 },
9100 flags: []string{
9101 "-advertise-npn", "\x03foo\x03bar\x03baz",
9102 },
9103 shouldFail: true,
9104 expectedError: ":UNEXPECTED_RECORD:",
9105 })
9106
9107 // Test synchronization between the handshake and ChangeCipherSpec.
9108 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9109 // rejected. Test both with and without handshake packing to handle both
9110 // when the partial post-CCS message is in its own record and when it is
9111 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9112 for _, packed := range []bool{false, true} {
9113 var suffix string
9114 if packed {
9115 suffix = "-Packed"
9116 }
9117
9118 testCases = append(testCases, testCase{
9119 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9120 config: Config{
9121 MaxVersion: VersionTLS12,
9122 Bugs: ProtocolBugs{
9123 FragmentAcrossChangeCipherSpec: true,
9124 PackHandshakeFlight: packed,
9125 },
9126 },
9127 shouldFail: true,
9128 expectedError: ":UNEXPECTED_RECORD:",
9129 })
9130 testCases = append(testCases, testCase{
9131 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9132 config: Config{
9133 MaxVersion: VersionTLS12,
9134 },
9135 resumeSession: true,
9136 resumeConfig: &Config{
9137 MaxVersion: VersionTLS12,
9138 Bugs: ProtocolBugs{
9139 FragmentAcrossChangeCipherSpec: true,
9140 PackHandshakeFlight: packed,
9141 },
9142 },
9143 shouldFail: true,
9144 expectedError: ":UNEXPECTED_RECORD:",
9145 })
9146 testCases = append(testCases, testCase{
9147 testType: serverTest,
9148 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9149 config: Config{
9150 MaxVersion: VersionTLS12,
9151 Bugs: ProtocolBugs{
9152 FragmentAcrossChangeCipherSpec: true,
9153 PackHandshakeFlight: packed,
9154 },
9155 },
9156 shouldFail: true,
9157 expectedError: ":UNEXPECTED_RECORD:",
9158 })
9159 testCases = append(testCases, testCase{
9160 testType: serverTest,
9161 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9162 config: Config{
9163 MaxVersion: VersionTLS12,
9164 },
9165 resumeSession: true,
9166 resumeConfig: &Config{
9167 MaxVersion: VersionTLS12,
9168 Bugs: ProtocolBugs{
9169 FragmentAcrossChangeCipherSpec: true,
9170 PackHandshakeFlight: packed,
9171 },
9172 },
9173 shouldFail: true,
9174 expectedError: ":UNEXPECTED_RECORD:",
9175 })
9176 testCases = append(testCases, testCase{
9177 testType: serverTest,
9178 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9179 config: Config{
9180 MaxVersion: VersionTLS12,
9181 NextProtos: []string{"bar"},
9182 Bugs: ProtocolBugs{
9183 FragmentAcrossChangeCipherSpec: true,
9184 PackHandshakeFlight: packed,
9185 },
9186 },
9187 flags: []string{
9188 "-advertise-npn", "\x03foo\x03bar\x03baz",
9189 },
9190 shouldFail: true,
9191 expectedError: ":UNEXPECTED_RECORD:",
9192 })
9193 }
9194
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9195 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9196 // messages in the handshake queue. Do this by testing the server
9197 // reading the client Finished, reversing the flight so Finished comes
9198 // first.
9199 testCases = append(testCases, testCase{
9200 protocol: dtls,
9201 testType: serverTest,
9202 name: "SendUnencryptedFinished-DTLS",
9203 config: Config{
9204 MaxVersion: VersionTLS12,
9205 Bugs: ProtocolBugs{
9206 SendUnencryptedFinished: true,
9207 ReverseHandshakeFragments: true,
9208 },
9209 },
9210 shouldFail: true,
9211 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9212 })
9213
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9214 // Test synchronization between encryption changes and the handshake in
9215 // TLS 1.3, where ChangeCipherSpec is implicit.
9216 testCases = append(testCases, testCase{
9217 name: "PartialEncryptedExtensionsWithServerHello",
9218 config: Config{
9219 MaxVersion: VersionTLS13,
9220 Bugs: ProtocolBugs{
9221 PartialEncryptedExtensionsWithServerHello: true,
9222 },
9223 },
9224 shouldFail: true,
9225 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9226 })
9227 testCases = append(testCases, testCase{
9228 testType: serverTest,
9229 name: "PartialClientFinishedWithClientHello",
9230 config: Config{
9231 MaxVersion: VersionTLS13,
9232 Bugs: ProtocolBugs{
9233 PartialClientFinishedWithClientHello: true,
9234 },
9235 },
9236 shouldFail: true,
9237 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9238 })
9239
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9240 // Test that early ChangeCipherSpecs are handled correctly.
9241 testCases = append(testCases, testCase{
9242 testType: serverTest,
9243 name: "EarlyChangeCipherSpec-server-1",
9244 config: Config{
9245 MaxVersion: VersionTLS12,
9246 Bugs: ProtocolBugs{
9247 EarlyChangeCipherSpec: 1,
9248 },
9249 },
9250 shouldFail: true,
9251 expectedError: ":UNEXPECTED_RECORD:",
9252 })
9253 testCases = append(testCases, testCase{
9254 testType: serverTest,
9255 name: "EarlyChangeCipherSpec-server-2",
9256 config: Config{
9257 MaxVersion: VersionTLS12,
9258 Bugs: ProtocolBugs{
9259 EarlyChangeCipherSpec: 2,
9260 },
9261 },
9262 shouldFail: true,
9263 expectedError: ":UNEXPECTED_RECORD:",
9264 })
9265 testCases = append(testCases, testCase{
9266 protocol: dtls,
9267 name: "StrayChangeCipherSpec",
9268 config: Config{
9269 // TODO(davidben): Once DTLS 1.3 exists, test
9270 // that stray ChangeCipherSpec messages are
9271 // rejected.
9272 MaxVersion: VersionTLS12,
9273 Bugs: ProtocolBugs{
9274 StrayChangeCipherSpec: true,
9275 },
9276 },
9277 })
9278
9279 // Test that the contents of ChangeCipherSpec are checked.
9280 testCases = append(testCases, testCase{
9281 name: "BadChangeCipherSpec-1",
9282 config: Config{
9283 MaxVersion: VersionTLS12,
9284 Bugs: ProtocolBugs{
9285 BadChangeCipherSpec: []byte{2},
9286 },
9287 },
9288 shouldFail: true,
9289 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9290 })
9291 testCases = append(testCases, testCase{
9292 name: "BadChangeCipherSpec-2",
9293 config: Config{
9294 MaxVersion: VersionTLS12,
9295 Bugs: ProtocolBugs{
9296 BadChangeCipherSpec: []byte{1, 1},
9297 },
9298 },
9299 shouldFail: true,
9300 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9301 })
9302 testCases = append(testCases, testCase{
9303 protocol: dtls,
9304 name: "BadChangeCipherSpec-DTLS-1",
9305 config: Config{
9306 MaxVersion: VersionTLS12,
9307 Bugs: ProtocolBugs{
9308 BadChangeCipherSpec: []byte{2},
9309 },
9310 },
9311 shouldFail: true,
9312 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9313 })
9314 testCases = append(testCases, testCase{
9315 protocol: dtls,
9316 name: "BadChangeCipherSpec-DTLS-2",
9317 config: Config{
9318 MaxVersion: VersionTLS12,
9319 Bugs: ProtocolBugs{
9320 BadChangeCipherSpec: []byte{1, 1},
9321 },
9322 },
9323 shouldFail: true,
9324 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9325 })
9326}
9327
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9328type perMessageTest struct {
9329 messageType uint8
9330 test testCase
9331}
9332
9333// makePerMessageTests returns a series of test templates which cover each
9334// message in the TLS handshake. These may be used with bugs like
9335// WrongMessageType to fully test a per-message bug.
9336func makePerMessageTests() []perMessageTest {
9337 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9338 for _, protocol := range []protocol{tls, dtls} {
9339 var suffix string
9340 if protocol == dtls {
9341 suffix = "-DTLS"
9342 }
9343
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9344 ret = append(ret, perMessageTest{
9345 messageType: typeClientHello,
9346 test: testCase{
9347 protocol: protocol,
9348 testType: serverTest,
9349 name: "ClientHello" + suffix,
9350 config: Config{
9351 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9352 },
9353 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9354 })
9355
9356 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9357 ret = append(ret, perMessageTest{
9358 messageType: typeHelloVerifyRequest,
9359 test: testCase{
9360 protocol: protocol,
9361 name: "HelloVerifyRequest" + suffix,
9362 config: Config{
9363 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9364 },
9365 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9366 })
9367 }
9368
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9369 ret = append(ret, perMessageTest{
9370 messageType: typeServerHello,
9371 test: testCase{
9372 protocol: protocol,
9373 name: "ServerHello" + suffix,
9374 config: Config{
9375 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9376 },
9377 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9378 })
9379
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9380 ret = append(ret, perMessageTest{
9381 messageType: typeCertificate,
9382 test: testCase{
9383 protocol: protocol,
9384 name: "ServerCertificate" + suffix,
9385 config: Config{
9386 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9387 },
9388 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9389 })
9390
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9391 ret = append(ret, perMessageTest{
9392 messageType: typeCertificateStatus,
9393 test: testCase{
9394 protocol: protocol,
9395 name: "CertificateStatus" + suffix,
9396 config: Config{
9397 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9398 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9399 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9400 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9401 })
9402
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9403 ret = append(ret, perMessageTest{
9404 messageType: typeServerKeyExchange,
9405 test: testCase{
9406 protocol: protocol,
9407 name: "ServerKeyExchange" + suffix,
9408 config: Config{
9409 MaxVersion: VersionTLS12,
9410 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9411 },
9412 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9413 })
9414
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9415 ret = append(ret, perMessageTest{
9416 messageType: typeCertificateRequest,
9417 test: testCase{
9418 protocol: protocol,
9419 name: "CertificateRequest" + suffix,
9420 config: Config{
9421 MaxVersion: VersionTLS12,
9422 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9423 },
9424 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9425 })
9426
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9427 ret = append(ret, perMessageTest{
9428 messageType: typeServerHelloDone,
9429 test: testCase{
9430 protocol: protocol,
9431 name: "ServerHelloDone" + suffix,
9432 config: Config{
9433 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9434 },
9435 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9436 })
9437
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9438 ret = append(ret, perMessageTest{
9439 messageType: typeCertificate,
9440 test: testCase{
9441 testType: serverTest,
9442 protocol: protocol,
9443 name: "ClientCertificate" + suffix,
9444 config: Config{
9445 Certificates: []Certificate{rsaCertificate},
9446 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9447 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9448 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9449 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9450 })
9451
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9452 ret = append(ret, perMessageTest{
9453 messageType: typeCertificateVerify,
9454 test: testCase{
9455 testType: serverTest,
9456 protocol: protocol,
9457 name: "CertificateVerify" + suffix,
9458 config: Config{
9459 Certificates: []Certificate{rsaCertificate},
9460 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9461 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9462 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9463 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9464 })
9465
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9466 ret = append(ret, perMessageTest{
9467 messageType: typeClientKeyExchange,
9468 test: testCase{
9469 testType: serverTest,
9470 protocol: protocol,
9471 name: "ClientKeyExchange" + suffix,
9472 config: Config{
9473 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9474 },
9475 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9476 })
9477
9478 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9479 ret = append(ret, perMessageTest{
9480 messageType: typeNextProtocol,
9481 test: testCase{
9482 testType: serverTest,
9483 protocol: protocol,
9484 name: "NextProtocol" + suffix,
9485 config: Config{
9486 MaxVersion: VersionTLS12,
9487 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9488 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9489 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9490 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9491 })
9492
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9493 ret = append(ret, perMessageTest{
9494 messageType: typeChannelID,
9495 test: testCase{
9496 testType: serverTest,
9497 protocol: protocol,
9498 name: "ChannelID" + suffix,
9499 config: Config{
9500 MaxVersion: VersionTLS12,
9501 ChannelID: channelIDKey,
9502 },
9503 flags: []string{
9504 "-expect-channel-id",
9505 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9506 },
9507 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9508 })
9509 }
9510
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9511 ret = append(ret, perMessageTest{
9512 messageType: typeFinished,
9513 test: testCase{
9514 testType: serverTest,
9515 protocol: protocol,
9516 name: "ClientFinished" + suffix,
9517 config: Config{
9518 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9519 },
9520 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9521 })
9522
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9523 ret = append(ret, perMessageTest{
9524 messageType: typeNewSessionTicket,
9525 test: testCase{
9526 protocol: protocol,
9527 name: "NewSessionTicket" + suffix,
9528 config: Config{
9529 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9530 },
9531 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9532 })
9533
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9534 ret = append(ret, perMessageTest{
9535 messageType: typeFinished,
9536 test: testCase{
9537 protocol: protocol,
9538 name: "ServerFinished" + suffix,
9539 config: Config{
9540 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9541 },
9542 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9543 })
9544
9545 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9546
9547 ret = append(ret, perMessageTest{
9548 messageType: typeClientHello,
9549 test: testCase{
9550 testType: serverTest,
9551 name: "TLS13-ClientHello",
9552 config: Config{
9553 MaxVersion: VersionTLS13,
9554 },
9555 },
9556 })
9557
9558 ret = append(ret, perMessageTest{
9559 messageType: typeServerHello,
9560 test: testCase{
9561 name: "TLS13-ServerHello",
9562 config: Config{
9563 MaxVersion: VersionTLS13,
9564 },
9565 },
9566 })
9567
9568 ret = append(ret, perMessageTest{
9569 messageType: typeEncryptedExtensions,
9570 test: testCase{
9571 name: "TLS13-EncryptedExtensions",
9572 config: Config{
9573 MaxVersion: VersionTLS13,
9574 },
9575 },
9576 })
9577
9578 ret = append(ret, perMessageTest{
9579 messageType: typeCertificateRequest,
9580 test: testCase{
9581 name: "TLS13-CertificateRequest",
9582 config: Config{
9583 MaxVersion: VersionTLS13,
9584 ClientAuth: RequireAnyClientCert,
9585 },
9586 },
9587 })
9588
9589 ret = append(ret, perMessageTest{
9590 messageType: typeCertificate,
9591 test: testCase{
9592 name: "TLS13-ServerCertificate",
9593 config: Config{
9594 MaxVersion: VersionTLS13,
9595 },
9596 },
9597 })
9598
9599 ret = append(ret, perMessageTest{
9600 messageType: typeCertificateVerify,
9601 test: testCase{
9602 name: "TLS13-ServerCertificateVerify",
9603 config: Config{
9604 MaxVersion: VersionTLS13,
9605 },
9606 },
9607 })
9608
9609 ret = append(ret, perMessageTest{
9610 messageType: typeFinished,
9611 test: testCase{
9612 name: "TLS13-ServerFinished",
9613 config: Config{
9614 MaxVersion: VersionTLS13,
9615 },
9616 },
9617 })
9618
9619 ret = append(ret, perMessageTest{
9620 messageType: typeCertificate,
9621 test: testCase{
9622 testType: serverTest,
9623 name: "TLS13-ClientCertificate",
9624 config: Config{
9625 Certificates: []Certificate{rsaCertificate},
9626 MaxVersion: VersionTLS13,
9627 },
9628 flags: []string{"-require-any-client-certificate"},
9629 },
9630 })
9631
9632 ret = append(ret, perMessageTest{
9633 messageType: typeCertificateVerify,
9634 test: testCase{
9635 testType: serverTest,
9636 name: "TLS13-ClientCertificateVerify",
9637 config: Config{
9638 Certificates: []Certificate{rsaCertificate},
9639 MaxVersion: VersionTLS13,
9640 },
9641 flags: []string{"-require-any-client-certificate"},
9642 },
9643 })
9644
9645 ret = append(ret, perMessageTest{
9646 messageType: typeFinished,
9647 test: testCase{
9648 testType: serverTest,
9649 name: "TLS13-ClientFinished",
9650 config: Config{
9651 MaxVersion: VersionTLS13,
9652 },
9653 },
9654 })
9655
9656 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9657}
9658
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9659func addWrongMessageTypeTests() {
9660 for _, t := range makePerMessageTests() {
9661 t.test.name = "WrongMessageType-" + t.test.name
9662 t.test.config.Bugs.SendWrongMessageType = t.messageType
9663 t.test.shouldFail = true
9664 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9665 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9666
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9667 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9668 // In TLS 1.3, a bad ServerHello means the client sends
9669 // an unencrypted alert while the server expects
9670 // encryption, so the alert is not readable by runner.
9671 t.test.expectedLocalError = "local error: bad record MAC"
9672 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9673
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9674 testCases = append(testCases, t.test)
9675 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9676
9677 // The processing order for TLS 1.3 version negotiation is such that one
9678 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9679 // TLS 1.2. Test that we do not do this.
9680 testCases = append(testCases, testCase{
9681 name: "SendServerHelloAsHelloRetryRequest",
9682 config: Config{
9683 MaxVersion: VersionTLS12,
9684 Bugs: ProtocolBugs{
9685 SendServerHelloAsHelloRetryRequest: true,
9686 },
9687 },
9688 shouldFail: true,
9689 expectedError: ":UNEXPECTED_MESSAGE:",
9690 expectedLocalError: "remote error: unexpected message",
9691 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9692}
9693
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9694func addTrailingMessageDataTests() {
9695 for _, t := range makePerMessageTests() {
9696 t.test.name = "TrailingMessageData-" + t.test.name
9697 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9698 t.test.shouldFail = true
9699 t.test.expectedError = ":DECODE_ERROR:"
9700 t.test.expectedLocalError = "remote error: error decoding message"
9701
9702 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9703 // In TLS 1.3, a bad ServerHello means the client sends
9704 // an unencrypted alert while the server expects
9705 // encryption, so the alert is not readable by runner.
9706 t.test.expectedLocalError = "local error: bad record MAC"
9707 }
9708
9709 if t.messageType == typeFinished {
9710 // Bad Finished messages read as the verify data having
9711 // the wrong length.
9712 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9713 t.test.expectedLocalError = "remote error: error decrypting message"
9714 }
9715
9716 testCases = append(testCases, t.test)
9717 }
9718}
9719
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9720func addTLS13HandshakeTests() {
9721 testCases = append(testCases, testCase{
9722 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9723 name: "NegotiatePSKResumption-TLS13",
9724 config: Config{
9725 MaxVersion: VersionTLS13,
9726 Bugs: ProtocolBugs{
9727 NegotiatePSKResumption: true,
9728 },
9729 },
9730 resumeSession: true,
9731 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9732 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9733 })
9734
9735 testCases = append(testCases, testCase{
9736 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9737 name: "MissingKeyShare-Client",
9738 config: Config{
9739 MaxVersion: VersionTLS13,
9740 Bugs: ProtocolBugs{
9741 MissingKeyShare: true,
9742 },
9743 },
9744 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9745 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9746 })
9747
9748 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9749 testType: serverTest,
9750 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9751 config: Config{
9752 MaxVersion: VersionTLS13,
9753 Bugs: ProtocolBugs{
9754 MissingKeyShare: true,
9755 },
9756 },
9757 shouldFail: true,
9758 expectedError: ":MISSING_KEY_SHARE:",
9759 })
9760
9761 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9762 testType: serverTest,
9763 name: "DuplicateKeyShares",
9764 config: Config{
9765 MaxVersion: VersionTLS13,
9766 Bugs: ProtocolBugs{
9767 DuplicateKeyShares: true,
9768 },
9769 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9770 shouldFail: true,
9771 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9772 })
9773
9774 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9775 testType: serverTest,
9776 name: "SkipEarlyData",
9777 config: Config{
9778 MaxVersion: VersionTLS13,
9779 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9780 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9781 },
9782 },
9783 })
9784
9785 testCases = append(testCases, testCase{
9786 testType: serverTest,
9787 name: "SkipEarlyData-OmitEarlyDataExtension",
9788 config: Config{
9789 MaxVersion: VersionTLS13,
9790 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9791 SendFakeEarlyDataLength: 4,
9792 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9793 },
9794 },
9795 shouldFail: true,
9796 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9797 })
9798
9799 testCases = append(testCases, testCase{
9800 testType: serverTest,
9801 name: "SkipEarlyData-TooMuchData",
9802 config: Config{
9803 MaxVersion: VersionTLS13,
9804 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9805 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9806 },
9807 },
9808 shouldFail: true,
9809 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9810 })
9811
9812 testCases = append(testCases, testCase{
9813 testType: serverTest,
9814 name: "SkipEarlyData-Interleaved",
9815 config: Config{
9816 MaxVersion: VersionTLS13,
9817 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9818 SendFakeEarlyDataLength: 4,
9819 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9820 },
9821 },
9822 shouldFail: true,
9823 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9824 })
9825
9826 testCases = append(testCases, testCase{
9827 testType: serverTest,
9828 name: "SkipEarlyData-EarlyDataInTLS12",
9829 config: Config{
9830 MaxVersion: VersionTLS13,
9831 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9832 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9833 },
9834 },
9835 shouldFail: true,
9836 expectedError: ":UNEXPECTED_RECORD:",
9837 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9838 })
9839
9840 testCases = append(testCases, testCase{
9841 testType: serverTest,
9842 name: "SkipEarlyData-HRR",
9843 config: Config{
9844 MaxVersion: VersionTLS13,
9845 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9846 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9847 },
9848 DefaultCurves: []CurveID{},
9849 },
9850 })
9851
9852 testCases = append(testCases, testCase{
9853 testType: serverTest,
9854 name: "SkipEarlyData-HRR-Interleaved",
9855 config: Config{
9856 MaxVersion: VersionTLS13,
9857 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9858 SendFakeEarlyDataLength: 4,
9859 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9860 },
9861 DefaultCurves: []CurveID{},
9862 },
9863 shouldFail: true,
9864 expectedError: ":UNEXPECTED_RECORD:",
9865 })
9866
9867 testCases = append(testCases, testCase{
9868 testType: serverTest,
9869 name: "SkipEarlyData-HRR-TooMuchData",
9870 config: Config{
9871 MaxVersion: VersionTLS13,
9872 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9873 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9874 },
9875 DefaultCurves: []CurveID{},
9876 },
9877 shouldFail: true,
9878 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9879 })
9880
9881 // Test that skipping early data looking for cleartext correctly
9882 // processes an alert record.
9883 testCases = append(testCases, testCase{
9884 testType: serverTest,
9885 name: "SkipEarlyData-HRR-FatalAlert",
9886 config: Config{
9887 MaxVersion: VersionTLS13,
9888 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9889 SendEarlyAlert: true,
9890 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9891 },
9892 DefaultCurves: []CurveID{},
9893 },
9894 shouldFail: true,
9895 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9896 })
9897
9898 testCases = append(testCases, testCase{
9899 testType: serverTest,
9900 name: "SkipEarlyData-SecondClientHelloEarlyData",
9901 config: Config{
9902 MaxVersion: VersionTLS13,
9903 Bugs: ProtocolBugs{
9904 SendEarlyDataOnSecondClientHello: true,
9905 },
9906 DefaultCurves: []CurveID{},
9907 },
9908 shouldFail: true,
9909 expectedLocalError: "remote error: bad record MAC",
9910 })
9911
9912 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9913 testType: clientTest,
9914 name: "EmptyEncryptedExtensions",
9915 config: Config{
9916 MaxVersion: VersionTLS13,
9917 Bugs: ProtocolBugs{
9918 EmptyEncryptedExtensions: true,
9919 },
9920 },
9921 shouldFail: true,
9922 expectedLocalError: "remote error: error decoding message",
9923 })
9924
9925 testCases = append(testCases, testCase{
9926 testType: clientTest,
9927 name: "EncryptedExtensionsWithKeyShare",
9928 config: Config{
9929 MaxVersion: VersionTLS13,
9930 Bugs: ProtocolBugs{
9931 EncryptedExtensionsWithKeyShare: true,
9932 },
9933 },
9934 shouldFail: true,
9935 expectedLocalError: "remote error: unsupported extension",
9936 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9937
9938 testCases = append(testCases, testCase{
9939 testType: serverTest,
9940 name: "SendHelloRetryRequest",
9941 config: Config{
9942 MaxVersion: VersionTLS13,
9943 // Require a HelloRetryRequest for every curve.
9944 DefaultCurves: []CurveID{},
9945 },
9946 expectedCurveID: CurveX25519,
9947 })
9948
9949 testCases = append(testCases, testCase{
9950 testType: serverTest,
9951 name: "SendHelloRetryRequest-2",
9952 config: Config{
9953 MaxVersion: VersionTLS13,
9954 DefaultCurves: []CurveID{CurveP384},
9955 },
9956 // Although the ClientHello did not predict our preferred curve,
9957 // we always select it whether it is predicted or not.
9958 expectedCurveID: CurveX25519,
9959 })
9960
9961 testCases = append(testCases, testCase{
9962 name: "UnknownCurve-HelloRetryRequest",
9963 config: Config{
9964 MaxVersion: VersionTLS13,
9965 // P-384 requires HelloRetryRequest in BoringSSL.
9966 CurvePreferences: []CurveID{CurveP384},
9967 Bugs: ProtocolBugs{
9968 SendHelloRetryRequestCurve: bogusCurve,
9969 },
9970 },
9971 shouldFail: true,
9972 expectedError: ":WRONG_CURVE:",
9973 })
9974
9975 testCases = append(testCases, testCase{
9976 name: "DisabledCurve-HelloRetryRequest",
9977 config: Config{
9978 MaxVersion: VersionTLS13,
9979 CurvePreferences: []CurveID{CurveP256},
9980 Bugs: ProtocolBugs{
9981 IgnorePeerCurvePreferences: true,
9982 },
9983 },
9984 flags: []string{"-p384-only"},
9985 shouldFail: true,
9986 expectedError: ":WRONG_CURVE:",
9987 })
9988
9989 testCases = append(testCases, testCase{
9990 name: "UnnecessaryHelloRetryRequest",
9991 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9992 MaxVersion: VersionTLS13,
9993 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9994 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9995 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9996 },
9997 },
9998 shouldFail: true,
9999 expectedError: ":WRONG_CURVE:",
10000 })
10001
10002 testCases = append(testCases, testCase{
10003 name: "SecondHelloRetryRequest",
10004 config: Config{
10005 MaxVersion: VersionTLS13,
10006 // P-384 requires HelloRetryRequest in BoringSSL.
10007 CurvePreferences: []CurveID{CurveP384},
10008 Bugs: ProtocolBugs{
10009 SecondHelloRetryRequest: true,
10010 },
10011 },
10012 shouldFail: true,
10013 expectedError: ":UNEXPECTED_MESSAGE:",
10014 })
10015
10016 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10017 name: "HelloRetryRequest-Empty",
10018 config: Config{
10019 MaxVersion: VersionTLS13,
10020 Bugs: ProtocolBugs{
10021 AlwaysSendHelloRetryRequest: true,
10022 },
10023 },
10024 shouldFail: true,
10025 expectedError: ":DECODE_ERROR:",
10026 })
10027
10028 testCases = append(testCases, testCase{
10029 name: "HelloRetryRequest-DuplicateCurve",
10030 config: Config{
10031 MaxVersion: VersionTLS13,
10032 // P-384 requires a HelloRetryRequest against BoringSSL's default
10033 // configuration. Assert this ExpectMissingKeyShare.
10034 CurvePreferences: []CurveID{CurveP384},
10035 Bugs: ProtocolBugs{
10036 ExpectMissingKeyShare: true,
10037 DuplicateHelloRetryRequestExtensions: true,
10038 },
10039 },
10040 shouldFail: true,
10041 expectedError: ":DUPLICATE_EXTENSION:",
10042 expectedLocalError: "remote error: illegal parameter",
10043 })
10044
10045 testCases = append(testCases, testCase{
10046 name: "HelloRetryRequest-Cookie",
10047 config: Config{
10048 MaxVersion: VersionTLS13,
10049 Bugs: ProtocolBugs{
10050 SendHelloRetryRequestCookie: []byte("cookie"),
10051 },
10052 },
10053 })
10054
10055 testCases = append(testCases, testCase{
10056 name: "HelloRetryRequest-DuplicateCookie",
10057 config: Config{
10058 MaxVersion: VersionTLS13,
10059 Bugs: ProtocolBugs{
10060 SendHelloRetryRequestCookie: []byte("cookie"),
10061 DuplicateHelloRetryRequestExtensions: true,
10062 },
10063 },
10064 shouldFail: true,
10065 expectedError: ":DUPLICATE_EXTENSION:",
10066 expectedLocalError: "remote error: illegal parameter",
10067 })
10068
10069 testCases = append(testCases, testCase{
10070 name: "HelloRetryRequest-EmptyCookie",
10071 config: Config{
10072 MaxVersion: VersionTLS13,
10073 Bugs: ProtocolBugs{
10074 SendHelloRetryRequestCookie: []byte{},
10075 },
10076 },
10077 shouldFail: true,
10078 expectedError: ":DECODE_ERROR:",
10079 })
10080
10081 testCases = append(testCases, testCase{
10082 name: "HelloRetryRequest-Cookie-Curve",
10083 config: Config{
10084 MaxVersion: VersionTLS13,
10085 // P-384 requires HelloRetryRequest in BoringSSL.
10086 CurvePreferences: []CurveID{CurveP384},
10087 Bugs: ProtocolBugs{
10088 SendHelloRetryRequestCookie: []byte("cookie"),
10089 ExpectMissingKeyShare: true,
10090 },
10091 },
10092 })
10093
10094 testCases = append(testCases, testCase{
10095 name: "HelloRetryRequest-Unknown",
10096 config: Config{
10097 MaxVersion: VersionTLS13,
10098 Bugs: ProtocolBugs{
10099 CustomHelloRetryRequestExtension: "extension",
10100 },
10101 },
10102 shouldFail: true,
10103 expectedError: ":UNEXPECTED_EXTENSION:",
10104 expectedLocalError: "remote error: unsupported extension",
10105 })
10106
10107 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10108 testType: serverTest,
10109 name: "SecondClientHelloMissingKeyShare",
10110 config: Config{
10111 MaxVersion: VersionTLS13,
10112 DefaultCurves: []CurveID{},
10113 Bugs: ProtocolBugs{
10114 SecondClientHelloMissingKeyShare: true,
10115 },
10116 },
10117 shouldFail: true,
10118 expectedError: ":MISSING_KEY_SHARE:",
10119 })
10120
10121 testCases = append(testCases, testCase{
10122 testType: serverTest,
10123 name: "SecondClientHelloWrongCurve",
10124 config: Config{
10125 MaxVersion: VersionTLS13,
10126 DefaultCurves: []CurveID{},
10127 Bugs: ProtocolBugs{
10128 MisinterpretHelloRetryRequestCurve: CurveP521,
10129 },
10130 },
10131 shouldFail: true,
10132 expectedError: ":WRONG_CURVE:",
10133 })
10134
10135 testCases = append(testCases, testCase{
10136 name: "HelloRetryRequestVersionMismatch",
10137 config: Config{
10138 MaxVersion: VersionTLS13,
10139 // P-384 requires HelloRetryRequest in BoringSSL.
10140 CurvePreferences: []CurveID{CurveP384},
10141 Bugs: ProtocolBugs{
10142 SendServerHelloVersion: 0x0305,
10143 },
10144 },
10145 shouldFail: true,
10146 expectedError: ":WRONG_VERSION_NUMBER:",
10147 })
10148
10149 testCases = append(testCases, testCase{
10150 name: "HelloRetryRequestCurveMismatch",
10151 config: Config{
10152 MaxVersion: VersionTLS13,
10153 // P-384 requires HelloRetryRequest in BoringSSL.
10154 CurvePreferences: []CurveID{CurveP384},
10155 Bugs: ProtocolBugs{
10156 // Send P-384 (correct) in the HelloRetryRequest.
10157 SendHelloRetryRequestCurve: CurveP384,
10158 // But send P-256 in the ServerHello.
10159 SendCurve: CurveP256,
10160 },
10161 },
10162 shouldFail: true,
10163 expectedError: ":WRONG_CURVE:",
10164 })
10165
10166 // Test the server selecting a curve that requires a HelloRetryRequest
10167 // without sending it.
10168 testCases = append(testCases, testCase{
10169 name: "SkipHelloRetryRequest",
10170 config: Config{
10171 MaxVersion: VersionTLS13,
10172 // P-384 requires HelloRetryRequest in BoringSSL.
10173 CurvePreferences: []CurveID{CurveP384},
10174 Bugs: ProtocolBugs{
10175 SkipHelloRetryRequest: true,
10176 },
10177 },
10178 shouldFail: true,
10179 expectedError: ":WRONG_CURVE:",
10180 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10181
10182 testCases = append(testCases, testCase{
10183 name: "TLS13-RequestContextInHandshake",
10184 config: Config{
10185 MaxVersion: VersionTLS13,
10186 MinVersion: VersionTLS13,
10187 ClientAuth: RequireAnyClientCert,
10188 Bugs: ProtocolBugs{
10189 SendRequestContext: []byte("request context"),
10190 },
10191 },
10192 flags: []string{
10193 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10194 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10195 },
10196 shouldFail: true,
10197 expectedError: ":DECODE_ERROR:",
10198 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10199
10200 testCases = append(testCases, testCase{
10201 testType: serverTest,
10202 name: "TLS13-TrailingKeyShareData",
10203 config: Config{
10204 MaxVersion: VersionTLS13,
10205 Bugs: ProtocolBugs{
10206 TrailingKeyShareData: true,
10207 },
10208 },
10209 shouldFail: true,
10210 expectedError: ":DECODE_ERROR:",
10211 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10212
10213 testCases = append(testCases, testCase{
10214 name: "TLS13-AlwaysSelectPSKIdentity",
10215 config: Config{
10216 MaxVersion: VersionTLS13,
10217 Bugs: ProtocolBugs{
10218 AlwaysSelectPSKIdentity: true,
10219 },
10220 },
10221 shouldFail: true,
10222 expectedError: ":UNEXPECTED_EXTENSION:",
10223 })
10224
10225 testCases = append(testCases, testCase{
10226 name: "TLS13-InvalidPSKIdentity",
10227 config: Config{
10228 MaxVersion: VersionTLS13,
10229 Bugs: ProtocolBugs{
10230 SelectPSKIdentityOnResume: 1,
10231 },
10232 },
10233 resumeSession: true,
10234 shouldFail: true,
10235 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10236 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10237
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10238 testCases = append(testCases, testCase{
10239 testType: serverTest,
10240 name: "TLS13-ExtraPSKIdentity",
10241 config: Config{
10242 MaxVersion: VersionTLS13,
10243 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10244 ExtraPSKIdentity: true,
10245 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10246 },
10247 },
10248 resumeSession: true,
10249 })
10250
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10251 // Test that unknown NewSessionTicket extensions are tolerated.
10252 testCases = append(testCases, testCase{
10253 name: "TLS13-CustomTicketExtension",
10254 config: Config{
10255 MaxVersion: VersionTLS13,
10256 Bugs: ProtocolBugs{
10257 CustomTicketExtension: "1234",
10258 },
10259 },
10260 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10261
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10262 testCases = append(testCases, testCase{
10263 testType: clientTest,
10264 name: "TLS13-DataLessEarlyData-Reject-Client",
10265 config: Config{
10266 MaxVersion: VersionTLS13,
10267 MaxEarlyDataSize: 16384,
10268 },
10269 resumeConfig: &Config{
10270 MaxVersion: VersionTLS13,
10271 MaxEarlyDataSize: 16384,
10272 Bugs: ProtocolBugs{
10273 AlwaysRejectEarlyData: true,
10274 },
10275 },
10276 resumeSession: true,
10277 flags: []string{
10278 "-enable-early-data",
10279 "-expect-early-data-info",
10280 "-expect-reject-early-data",
10281 },
10282 })
10283
10284 testCases = append(testCases, testCase{
10285 testType: clientTest,
10286 name: "TLS13-DataLessEarlyData-HRR-Client",
10287 config: Config{
10288 MaxVersion: VersionTLS13,
10289 MaxEarlyDataSize: 16384,
10290 },
10291 resumeConfig: &Config{
10292 MaxVersion: VersionTLS13,
10293 MaxEarlyDataSize: 16384,
10294 Bugs: ProtocolBugs{
10295 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10296 },
10297 },
10298 resumeSession: true,
10299 flags: []string{
10300 "-enable-early-data",
10301 "-expect-early-data-info",
10302 "-expect-reject-early-data",
10303 },
10304 })
10305
10306 // The client must check the server does not send the early_data
10307 // extension while rejecting the session.
10308 testCases = append(testCases, testCase{
10309 testType: clientTest,
10310 name: "TLS13-EarlyDataWithoutResume-Client",
10311 config: Config{
10312 MaxVersion: VersionTLS13,
10313 MaxEarlyDataSize: 16384,
10314 },
10315 resumeConfig: &Config{
10316 MaxVersion: VersionTLS13,
10317 SessionTicketsDisabled: true,
10318 Bugs: ProtocolBugs{
10319 SendEarlyDataExtension: true,
10320 },
10321 },
10322 resumeSession: true,
10323 flags: []string{
10324 "-enable-early-data",
10325 "-expect-early-data-info",
10326 },
10327 shouldFail: true,
10328 expectedError: ":UNEXPECTED_EXTENSION:",
10329 })
10330
10331 // The client must fail with a dedicated error code if the server
10332 // responds with TLS 1.2 when offering 0-RTT.
10333 testCases = append(testCases, testCase{
10334 testType: clientTest,
10335 name: "TLS13-EarlyDataVersionDowngrade-Client",
10336 config: Config{
10337 MaxVersion: VersionTLS13,
10338 MaxEarlyDataSize: 16384,
10339 },
10340 resumeConfig: &Config{
10341 MaxVersion: VersionTLS12,
10342 },
10343 resumeSession: true,
10344 flags: []string{
10345 "-enable-early-data",
10346 "-expect-early-data-info",
10347 },
10348 shouldFail: true,
10349 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10350 })
10351
10352 // Test that the client rejects an (unsolicited) early_data extension if
10353 // the server sent an HRR.
10354 testCases = append(testCases, testCase{
10355 testType: clientTest,
10356 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10357 config: Config{
10358 MaxVersion: VersionTLS13,
10359 MaxEarlyDataSize: 16384,
10360 },
10361 resumeConfig: &Config{
10362 MaxVersion: VersionTLS13,
10363 MaxEarlyDataSize: 16384,
10364 Bugs: ProtocolBugs{
10365 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10366 SendEarlyDataExtension: true,
10367 },
10368 },
10369 resumeSession: true,
10370 flags: []string{
10371 "-enable-early-data",
10372 "-expect-early-data-info",
10373 },
10374 shouldFail: true,
10375 expectedError: ":UNEXPECTED_EXTENSION:",
10376 })
10377
10378 fooString := "foo"
10379 barString := "bar"
10380
10381 // Test that the client reports the correct ALPN after a 0-RTT reject
10382 // that changed it.
10383 testCases = append(testCases, testCase{
10384 testType: clientTest,
10385 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10386 config: Config{
10387 MaxVersion: VersionTLS13,
10388 MaxEarlyDataSize: 16384,
10389 Bugs: ProtocolBugs{
10390 ALPNProtocol: &fooString,
10391 },
10392 },
10393 resumeConfig: &Config{
10394 MaxVersion: VersionTLS13,
10395 MaxEarlyDataSize: 16384,
10396 Bugs: ProtocolBugs{
10397 ALPNProtocol: &barString,
10398 },
10399 },
10400 resumeSession: true,
10401 flags: []string{
10402 "-advertise-alpn", "\x03foo\x03bar",
10403 "-enable-early-data",
10404 "-expect-early-data-info",
10405 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10406 "-on-initial-expect-alpn", "foo",
10407 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10408 },
10409 })
10410
10411 // Test that the client reports the correct ALPN after a 0-RTT reject if
10412 // ALPN was omitted from the first connection.
10413 testCases = append(testCases, testCase{
10414 testType: clientTest,
10415 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10416 config: Config{
10417 MaxVersion: VersionTLS13,
10418 MaxEarlyDataSize: 16384,
10419 },
10420 resumeConfig: &Config{
10421 MaxVersion: VersionTLS13,
10422 MaxEarlyDataSize: 16384,
10423 NextProtos: []string{"foo"},
10424 },
10425 resumeSession: true,
10426 flags: []string{
10427 "-advertise-alpn", "\x03foo\x03bar",
10428 "-enable-early-data",
10429 "-expect-early-data-info",
10430 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10431 "-on-initial-expect-alpn", "",
10432 "-on-resume-expect-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10433 },
10434 })
10435
10436 // Test that the client reports the correct ALPN after a 0-RTT reject if
10437 // ALPN was omitted from the second connection.
10438 testCases = append(testCases, testCase{
10439 testType: clientTest,
10440 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10441 config: Config{
10442 MaxVersion: VersionTLS13,
10443 MaxEarlyDataSize: 16384,
10444 NextProtos: []string{"foo"},
10445 },
10446 resumeConfig: &Config{
10447 MaxVersion: VersionTLS13,
10448 MaxEarlyDataSize: 16384,
10449 },
10450 resumeSession: true,
10451 flags: []string{
10452 "-advertise-alpn", "\x03foo\x03bar",
10453 "-enable-early-data",
10454 "-expect-early-data-info",
10455 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10456 "-on-initial-expect-alpn", "foo",
10457 "-on-resume-expect-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10458 },
10459 })
10460
10461 // Test that the client enforces ALPN match on 0-RTT accept.
10462 testCases = append(testCases, testCase{
10463 testType: clientTest,
10464 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10465 config: Config{
10466 MaxVersion: VersionTLS13,
10467 MaxEarlyDataSize: 16384,
10468 Bugs: ProtocolBugs{
10469 ALPNProtocol: &fooString,
10470 },
10471 },
10472 resumeConfig: &Config{
10473 MaxVersion: VersionTLS13,
10474 MaxEarlyDataSize: 16384,
10475 Bugs: ProtocolBugs{
10476 AlwaysAcceptEarlyData: true,
10477 ALPNProtocol: &barString,
10478 },
10479 },
10480 resumeSession: true,
10481 flags: []string{
10482 "-advertise-alpn", "\x03foo\x03bar",
10483 "-enable-early-data",
10484 "-expect-early-data-info",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10485 "-on-initial-expect-alpn", "foo",
10486 "-on-resume-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10487 },
10488 shouldFail: true,
10489 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10490 })
10491
10492 // Test that the server correctly rejects 0-RTT when the previous
10493 // session did not allow early data on resumption.
10494 testCases = append(testCases, testCase{
10495 testType: serverTest,
10496 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10497 config: Config{
10498 MaxVersion: VersionTLS13,
10499 },
10500 resumeConfig: &Config{
10501 MaxVersion: VersionTLS13,
10502 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10503 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10504 ExpectEarlyDataAccepted: false,
10505 },
10506 },
10507 resumeSession: true,
10508 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10509 "-on-resume-enable-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10510 "-expect-reject-early-data",
10511 },
10512 })
10513
10514 // Test that we reject early data where ALPN is omitted from the first
10515 // connection.
10516 testCases = append(testCases, testCase{
10517 testType: serverTest,
10518 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10519 config: Config{
10520 MaxVersion: VersionTLS13,
10521 NextProtos: []string{},
10522 },
10523 resumeConfig: &Config{
10524 MaxVersion: VersionTLS13,
10525 NextProtos: []string{"foo"},
10526 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10527 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10528 ExpectEarlyDataAccepted: false,
10529 },
10530 },
10531 resumeSession: true,
10532 flags: []string{
10533 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10534 "-on-initial-select-alpn", "",
10535 "-on-resume-select-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10536 },
10537 })
10538
10539 // Test that we reject early data where ALPN is omitted from the second
10540 // connection.
10541 testCases = append(testCases, testCase{
10542 testType: serverTest,
10543 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10544 config: Config{
10545 MaxVersion: VersionTLS13,
10546 NextProtos: []string{"foo"},
10547 },
10548 resumeConfig: &Config{
10549 MaxVersion: VersionTLS13,
10550 NextProtos: []string{},
10551 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10552 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10553 ExpectEarlyDataAccepted: false,
10554 },
10555 },
10556 resumeSession: true,
10557 flags: []string{
10558 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10559 "-on-initial-select-alpn", "foo",
10560 "-on-resume-select-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10561 },
10562 })
10563
10564 // Test that we reject early data with mismatched ALPN.
10565 testCases = append(testCases, testCase{
10566 testType: serverTest,
10567 name: "TLS13-EarlyData-ALPNMismatch-Server",
10568 config: Config{
10569 MaxVersion: VersionTLS13,
10570 NextProtos: []string{"foo"},
10571 },
10572 resumeConfig: &Config{
10573 MaxVersion: VersionTLS13,
10574 NextProtos: []string{"bar"},
10575 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10576 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10577 ExpectEarlyDataAccepted: false,
10578 },
10579 },
10580 resumeSession: true,
10581 flags: []string{
10582 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]10583 "-on-initial-select-alpn", "foo",
10584 "-on-resume-select-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10585 },
10586 })
10587
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10588 // Test that the client offering 0-RTT and Channel ID forbids the server
10589 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10590 testCases = append(testCases, testCase{
10591 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10592 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10593 config: Config{
10594 MaxVersion: VersionTLS13,
10595 MaxEarlyDataSize: 16384,
10596 RequestChannelID: true,
10597 },
10598 resumeSession: true,
10599 expectChannelID: true,
10600 shouldFail: true,
10601 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10602 flags: []string{
10603 "-enable-early-data",
10604 "-expect-early-data-info",
10605 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10606 },
10607 })
10608
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10609 // Test that the client offering Channel ID and 0-RTT allows the server
10610 // to decline 0-RTT.
10611 testCases = append(testCases, testCase{
10612 testType: clientTest,
10613 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10614 config: Config{
10615 MaxVersion: VersionTLS13,
10616 MaxEarlyDataSize: 16384,
10617 RequestChannelID: true,
10618 Bugs: ProtocolBugs{
10619 AlwaysRejectEarlyData: true,
10620 },
10621 },
10622 resumeSession: true,
10623 expectChannelID: true,
10624 flags: []string{
10625 "-enable-early-data",
10626 "-expect-early-data-info",
10627 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10628 "-expect-reject-early-data",
10629 },
10630 })
10631
10632 // Test that the client offering Channel ID and 0-RTT allows the server
10633 // to decline Channel ID.
10634 testCases = append(testCases, testCase{
10635 testType: clientTest,
10636 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10637 config: Config{
10638 MaxVersion: VersionTLS13,
10639 MaxEarlyDataSize: 16384,
10640 },
10641 resumeSession: true,
10642 flags: []string{
10643 "-enable-early-data",
10644 "-expect-early-data-info",
10645 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10646 "-expect-accept-early-data",
10647 },
10648 })
10649
10650 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10651 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10652 testCases = append(testCases, testCase{
10653 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10654 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10655 config: Config{
10656 MaxVersion: VersionTLS13,
10657 ChannelID: channelIDKey,
10658 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10659 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10660 ExpectEarlyDataAccepted: false,
10661 },
10662 },
10663 resumeSession: true,
10664 expectChannelID: true,
10665 flags: []string{
10666 "-enable-early-data",
10667 "-expect-reject-early-data",
10668 "-expect-channel-id",
10669 base64.StdEncoding.EncodeToString(channelIDBytes),
10670 },
10671 })
10672
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10673 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10674 // if not offered Channel ID.
10675 testCases = append(testCases, testCase{
10676 testType: serverTest,
10677 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10678 config: Config{
10679 MaxVersion: VersionTLS13,
10680 Bugs: ProtocolBugs{
10681 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10682 ExpectEarlyDataAccepted: true,
10683 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10684 },
10685 },
10686 resumeSession: true,
10687 expectChannelID: false,
10688 flags: []string{
10689 "-enable-early-data",
10690 "-expect-accept-early-data",
10691 "-enable-channel-id",
10692 },
10693 })
10694
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10695 // Test that the server rejects 0-RTT streams without end_of_early_data.
10696 // The subsequent records should fail to decrypt.
10697 testCases = append(testCases, testCase{
10698 testType: serverTest,
10699 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10700 config: Config{
10701 MaxVersion: VersionTLS13,
10702 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10703 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10704 ExpectEarlyDataAccepted: true,
10705 SkipEndOfEarlyData: true,
10706 },
10707 },
10708 resumeSession: true,
10709 flags: []string{"-enable-early-data"},
10710 shouldFail: true,
10711 expectedLocalError: "remote error: bad record MAC",
10712 expectedError: ":BAD_DECRYPT:",
10713 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10714
10715 testCases = append(testCases, testCase{
10716 testType: serverTest,
10717 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10718 config: Config{
10719 MaxVersion: VersionTLS13,
10720 },
10721 resumeConfig: &Config{
10722 MaxVersion: VersionTLS13,
10723 Bugs: ProtocolBugs{
10724 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10725 SendStrayEarlyHandshake: true,
10726 ExpectEarlyDataAccepted: true},
10727 },
10728 resumeSession: true,
10729 shouldFail: true,
10730 expectedError: ":UNEXPECTED_RECORD:",
10731 expectedLocalError: "remote error: unexpected message",
10732 flags: []string{
10733 "-enable-early-data",
10734 },
10735 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10736}
10737
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10738func addTLS13CipherPreferenceTests() {
10739 // Test that client preference is honored if the shim has AES hardware
10740 // and ChaCha20-Poly1305 is preferred otherwise.
10741 testCases = append(testCases, testCase{
10742 testType: serverTest,
10743 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10744 config: Config{
10745 MaxVersion: VersionTLS13,
10746 CipherSuites: []uint16{
10747 TLS_CHACHA20_POLY1305_SHA256,
10748 TLS_AES_128_GCM_SHA256,
10749 },
10750 },
10751 flags: []string{
10752 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10753 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10754 },
10755 })
10756
10757 testCases = append(testCases, testCase{
10758 testType: serverTest,
10759 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10760 config: Config{
10761 MaxVersion: VersionTLS13,
10762 CipherSuites: []uint16{
10763 TLS_AES_128_GCM_SHA256,
10764 TLS_CHACHA20_POLY1305_SHA256,
10765 },
10766 },
10767 flags: []string{
10768 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10769 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10770 },
10771 })
10772
10773 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10774 // whether it has AES hardware.
10775 testCases = append(testCases, testCase{
10776 name: "TLS13-CipherPreference-Client",
10777 config: Config{
10778 MaxVersion: VersionTLS13,
10779 // Use the client cipher order. (This is the default but
10780 // is listed to be explicit.)
10781 PreferServerCipherSuites: false,
10782 },
10783 flags: []string{
10784 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10785 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10786 },
10787 })
10788}
10789
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10790func addPeekTests() {
10791 // Test SSL_peek works, including on empty records.
10792 testCases = append(testCases, testCase{
10793 name: "Peek-Basic",
10794 sendEmptyRecords: 1,
10795 flags: []string{"-peek-then-read"},
10796 })
10797
10798 // Test SSL_peek can drive the initial handshake.
10799 testCases = append(testCases, testCase{
10800 name: "Peek-ImplicitHandshake",
10801 flags: []string{
10802 "-peek-then-read",
10803 "-implicit-handshake",
10804 },
10805 })
10806
10807 // Test SSL_peek can discover and drive a renegotiation.
10808 testCases = append(testCases, testCase{
10809 name: "Peek-Renegotiate",
10810 config: Config{
10811 MaxVersion: VersionTLS12,
10812 },
10813 renegotiate: 1,
10814 flags: []string{
10815 "-peek-then-read",
10816 "-renegotiate-freely",
10817 "-expect-total-renegotiations", "1",
10818 },
10819 })
10820
10821 // Test SSL_peek can discover a close_notify.
10822 testCases = append(testCases, testCase{
10823 name: "Peek-Shutdown",
10824 config: Config{
10825 Bugs: ProtocolBugs{
10826 ExpectCloseNotify: true,
10827 },
10828 },
10829 flags: []string{
10830 "-peek-then-read",
10831 "-check-close-notify",
10832 },
10833 })
10834
10835 // Test SSL_peek can discover an alert.
10836 testCases = append(testCases, testCase{
10837 name: "Peek-Alert",
10838 config: Config{
10839 Bugs: ProtocolBugs{
10840 SendSpuriousAlert: alertRecordOverflow,
10841 },
10842 },
10843 flags: []string{"-peek-then-read"},
10844 shouldFail: true,
10845 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10846 })
10847
10848 // Test SSL_peek can handle KeyUpdate.
10849 testCases = append(testCases, testCase{
10850 name: "Peek-KeyUpdate",
10851 config: Config{
10852 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10853 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10854 sendKeyUpdates: 1,
10855 keyUpdateRequest: keyUpdateNotRequested,
10856 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10857 })
10858}
10859
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10860func addRecordVersionTests() {
10861 for _, ver := range tlsVersions {
10862 // Test that the record version is enforced.
10863 testCases = append(testCases, testCase{
10864 name: "CheckRecordVersion-" + ver.name,
10865 config: Config{
10866 MinVersion: ver.version,
10867 MaxVersion: ver.version,
10868 Bugs: ProtocolBugs{
10869 SendRecordVersion: 0x03ff,
10870 },
10871 },
10872 shouldFail: true,
10873 expectedError: ":WRONG_VERSION_NUMBER:",
10874 })
10875
10876 // Test that the ClientHello may use any record version, for
10877 // compatibility reasons.
10878 testCases = append(testCases, testCase{
10879 testType: serverTest,
10880 name: "LooseInitialRecordVersion-" + ver.name,
10881 config: Config{
10882 MinVersion: ver.version,
10883 MaxVersion: ver.version,
10884 Bugs: ProtocolBugs{
10885 SendInitialRecordVersion: 0x03ff,
10886 },
10887 },
10888 })
10889
10890 // Test that garbage ClientHello record versions are rejected.
10891 testCases = append(testCases, testCase{
10892 testType: serverTest,
10893 name: "GarbageInitialRecordVersion-" + ver.name,
10894 config: Config{
10895 MinVersion: ver.version,
10896 MaxVersion: ver.version,
10897 Bugs: ProtocolBugs{
10898 SendInitialRecordVersion: 0xffff,
10899 },
10900 },
10901 shouldFail: true,
10902 expectedError: ":WRONG_VERSION_NUMBER:",
10903 })
10904 }
10905}
10906
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10907func addCertificateTests() {
10908 // Test that a certificate chain with intermediate may be sent and
10909 // received as both client and server.
10910 for _, ver := range tlsVersions {
10911 testCases = append(testCases, testCase{
10912 testType: clientTest,
10913 name: "SendReceiveIntermediate-Client-" + ver.name,
10914 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10915 MinVersion: ver.version,
10916 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10917 Certificates: []Certificate{rsaChainCertificate},
10918 ClientAuth: RequireAnyClientCert,
10919 },
10920 expectPeerCertificate: &rsaChainCertificate,
10921 flags: []string{
10922 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10923 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10924 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10925 },
10926 })
10927
10928 testCases = append(testCases, testCase{
10929 testType: serverTest,
10930 name: "SendReceiveIntermediate-Server-" + ver.name,
10931 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10932 MinVersion: ver.version,
10933 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10934 Certificates: []Certificate{rsaChainCertificate},
10935 },
10936 expectPeerCertificate: &rsaChainCertificate,
10937 flags: []string{
10938 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10939 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10940 "-require-any-client-certificate",
10941 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10942 },
10943 })
10944 }
10945}
10946
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10947func addRetainOnlySHA256ClientCertTests() {
10948 for _, ver := range tlsVersions {
10949 // Test that enabling
10950 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10951 // actually requesting a client certificate is a no-op.
10952 testCases = append(testCases, testCase{
10953 testType: serverTest,
10954 name: "RetainOnlySHA256-NoCert-" + ver.name,
10955 config: Config{
10956 MinVersion: ver.version,
10957 MaxVersion: ver.version,
10958 },
10959 flags: []string{
10960 "-retain-only-sha256-client-cert-initial",
10961 "-retain-only-sha256-client-cert-resume",
10962 },
10963 resumeSession: true,
10964 })
10965
10966 // Test that when retaining only a SHA-256 certificate is
10967 // enabled, the hash appears as expected.
10968 testCases = append(testCases, testCase{
10969 testType: serverTest,
10970 name: "RetainOnlySHA256-Cert-" + ver.name,
10971 config: Config{
10972 MinVersion: ver.version,
10973 MaxVersion: ver.version,
10974 Certificates: []Certificate{rsaCertificate},
10975 },
10976 flags: []string{
10977 "-verify-peer",
10978 "-retain-only-sha256-client-cert-initial",
10979 "-retain-only-sha256-client-cert-resume",
10980 "-expect-sha256-client-cert-initial",
10981 "-expect-sha256-client-cert-resume",
10982 },
10983 resumeSession: true,
10984 })
10985
10986 // Test that when the config changes from on to off, a
10987 // resumption is rejected because the server now wants the full
10988 // certificate chain.
10989 testCases = append(testCases, testCase{
10990 testType: serverTest,
10991 name: "RetainOnlySHA256-OnOff-" + ver.name,
10992 config: Config{
10993 MinVersion: ver.version,
10994 MaxVersion: ver.version,
10995 Certificates: []Certificate{rsaCertificate},
10996 },
10997 flags: []string{
10998 "-verify-peer",
10999 "-retain-only-sha256-client-cert-initial",
11000 "-expect-sha256-client-cert-initial",
11001 },
11002 resumeSession: true,
11003 expectResumeRejected: true,
11004 })
11005
11006 // Test that when the config changes from off to on, a
11007 // resumption is rejected because the server now wants just the
11008 // hash.
11009 testCases = append(testCases, testCase{
11010 testType: serverTest,
11011 name: "RetainOnlySHA256-OffOn-" + ver.name,
11012 config: Config{
11013 MinVersion: ver.version,
11014 MaxVersion: ver.version,
11015 Certificates: []Certificate{rsaCertificate},
11016 },
11017 flags: []string{
11018 "-verify-peer",
11019 "-retain-only-sha256-client-cert-resume",
11020 "-expect-sha256-client-cert-resume",
11021 },
11022 resumeSession: true,
11023 expectResumeRejected: true,
11024 })
11025 }
11026}
11027
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11028func addECDSAKeyUsageTests() {
11029 p256 := elliptic.P256()
11030 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11031 if err != nil {
11032 panic(err)
11033 }
11034
11035 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11036 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11037 if err != nil {
11038 panic(err)
11039 }
11040
11041 template := x509.Certificate{
11042 SerialNumber: serialNumber,
11043 Subject: pkix.Name{
11044 Organization: []string{"Acme Co"},
11045 },
11046 NotBefore: time.Now(),
11047 NotAfter: time.Now(),
11048
11049 // An ECC certificate with only the keyAgreement key usgae may
11050 // be used with ECDH, but not ECDSA.
11051 KeyUsage: x509.KeyUsageKeyAgreement,
11052 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11053 BasicConstraintsValid: true,
11054 }
11055
11056 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11057 if err != nil {
11058 panic(err)
11059 }
11060
11061 cert := Certificate{
11062 Certificate: [][]byte{derBytes},
11063 PrivateKey: priv,
11064 }
11065
11066 for _, ver := range tlsVersions {
11067 if ver.version < VersionTLS12 {
11068 continue
11069 }
11070
11071 testCases = append(testCases, testCase{
11072 testType: clientTest,
11073 name: "ECDSAKeyUsage-" + ver.name,
11074 config: Config{
11075 MinVersion: ver.version,
11076 MaxVersion: ver.version,
11077 Certificates: []Certificate{cert},
11078 },
11079 shouldFail: true,
11080 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11081 })
11082 }
11083}
11084
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11085func addExtraHandshakeTests() {
11086 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11087 // to ensure there is no transport I/O.
11088 testCases = append(testCases, testCase{
11089 testType: clientTest,
11090 name: "ExtraHandshake-Client-TLS12",
11091 config: Config{
11092 MinVersion: VersionTLS12,
11093 MaxVersion: VersionTLS12,
11094 },
11095 flags: []string{
11096 "-async",
11097 "-no-op-extra-handshake",
11098 },
11099 })
11100 testCases = append(testCases, testCase{
11101 testType: serverTest,
11102 name: "ExtraHandshake-Server-TLS12",
11103 config: Config{
11104 MinVersion: VersionTLS12,
11105 MaxVersion: VersionTLS12,
11106 },
11107 flags: []string{
11108 "-async",
11109 "-no-op-extra-handshake",
11110 },
11111 })
11112 testCases = append(testCases, testCase{
11113 testType: clientTest,
11114 name: "ExtraHandshake-Client-TLS13",
11115 config: Config{
11116 MinVersion: VersionTLS13,
11117 MaxVersion: VersionTLS13,
11118 },
11119 flags: []string{
11120 "-async",
11121 "-no-op-extra-handshake",
11122 },
11123 })
11124 testCases = append(testCases, testCase{
11125 testType: serverTest,
11126 name: "ExtraHandshake-Server-TLS13",
11127 config: Config{
11128 MinVersion: VersionTLS13,
11129 MaxVersion: VersionTLS13,
11130 },
11131 flags: []string{
11132 "-async",
11133 "-no-op-extra-handshake",
11134 },
11135 })
11136
11137 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11138 testCases = append(testCases, testCase{
11139 testType: serverTest,
11140 name: "ExtraHandshake-Server-EarlyData-TLS13",
11141 config: Config{
11142 MaxVersion: VersionTLS13,
11143 MinVersion: VersionTLS13,
11144 Bugs: ProtocolBugs{
11145 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11146 ExpectEarlyDataAccepted: true,
11147 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11148 },
11149 },
11150 messageCount: 2,
11151 resumeSession: true,
11152 flags: []string{
11153 "-async",
11154 "-enable-early-data",
11155 "-expect-accept-early-data",
11156 "-no-op-extra-handshake",
11157 },
11158 })
11159
11160 // An extra SSL_do_handshake drives the handshake to completion in False
11161 // Start. We test this by handshaking twice and asserting the False
11162 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11163 // how the test works.
11164 testCases = append(testCases, testCase{
11165 testType: clientTest,
11166 name: "ExtraHandshake-FalseStart",
11167 config: Config{
11168 MaxVersion: VersionTLS12,
11169 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11170 NextProtos: []string{"foo"},
11171 Bugs: ProtocolBugs{
11172 ExpectFalseStart: true,
11173 AlertBeforeFalseStartTest: alertAccessDenied,
11174 },
11175 },
11176 flags: []string{
11177 "-handshake-twice",
11178 "-false-start",
11179 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11180 "-expect-alpn", "foo",
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11181 },
11182 shimWritesFirst: true,
11183 shouldFail: true,
11184 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11185 expectedLocalError: "tls: peer did not false start: EOF",
11186 })
11187}
11188
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11189func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11190 defer wg.Done()
11191
11192 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11193 var err error
11194
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11195 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11196 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11197 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11198 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11199 if err != nil {
11200 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11201 }
11202 break
11203 }
11204 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11205 } else if *repeatUntilFailure {
11206 for err == nil {
11207 statusChan <- statusMsg{test: test, started: true}
11208 err = runTest(test, shimPath, -1)
11209 }
11210 } else {
11211 statusChan <- statusMsg{test: test, started: true}
11212 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11213 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11214 statusChan <- statusMsg{test: test, err: err}
11215 }
11216}
11217
11218type statusMsg struct {
11219 test *testCase
11220 started bool
11221 err error
11222}
11223
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11224func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11225 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11226
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11227 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11228 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11229 if !*pipe {
11230 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11231 var erase string
11232 for i := 0; i < lineLen; i++ {
11233 erase += "\b \b"
11234 }
11235 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11236 }
11237
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11238 if msg.started {
11239 started++
11240 } else {
11241 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11242
11243 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11244 if msg.err == errUnimplemented {
11245 if *pipe {
11246 // Print each test instead of a status line.
11247 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11248 }
11249 unimplemented++
11250 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11251 } else {
11252 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11253 failed++
11254 testOutput.addResult(msg.test.name, "FAIL")
11255 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11256 } else {
11257 if *pipe {
11258 // Print each test instead of a status line.
11259 fmt.Printf("PASSED (%s)\n", msg.test.name)
11260 }
11261 testOutput.addResult(msg.test.name, "PASS")
11262 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11263 }
11264
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11265 if !*pipe {
11266 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11267 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11268 lineLen = len(line)
11269 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11270 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11271 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11272
11273 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11274}
11275
11276func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11277 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11278 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11279 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11280
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11281 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11282 addCipherSuiteTests()
11283 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11284 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11285 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11286 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11287 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11288 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11289 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11290 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11291 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11292 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11293 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11294 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11295 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11296 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11297 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11298 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11299 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11300 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11301 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11302 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11303 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11304 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11305 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11306 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11307 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11308 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11309 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11310 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11311 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11312 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11313 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11314 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11315 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11316
11317 var wg sync.WaitGroup
11318
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11319 statusChan := make(chan statusMsg, *numWorkers)
11320 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11321 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11322
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11323 if len(*shimConfigFile) != 0 {
11324 encoded, err := ioutil.ReadFile(*shimConfigFile)
11325 if err != nil {
11326 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11327 os.Exit(1)
11328 }
11329
11330 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11331 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11332 os.Exit(1)
11333 }
11334 }
11335
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11336 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11337
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11338 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11339 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11340 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11341 }
11342
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11343 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11344 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11345 matched := true
11346 if len(*testToRun) != 0 {
11347 var err error
11348 matched, err = filepath.Match(*testToRun, testCases[i].name)
11349 if err != nil {
11350 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11351 os.Exit(1)
11352 }
11353 }
11354
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11355 if !*includeDisabled {
11356 for pattern := range shimConfig.DisabledTests {
11357 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11358 if err != nil {
11359 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11360 os.Exit(1)
11361 }
11362
11363 if isDisabled {
11364 matched = false
11365 break
11366 }
11367 }
11368 }
11369
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11370 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11371 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11372 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11373
11374 // Only run one test if repeating until failure.
11375 if *repeatUntilFailure {
11376 break
11377 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11378 }
11379 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11380
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11381 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11382 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11383 os.Exit(1)
11384 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11385
11386 close(testChan)
11387 wg.Wait()
11388 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11389 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11390
11391 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11392
11393 if *jsonOutput != "" {
11394 if err := testOutput.writeTo(*jsonOutput); err != nil {
11395 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11396 }
11397 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11398
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11399 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11400 os.Exit(1)
11401 }
11402
11403 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11404 os.Exit(1)
11405 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11406}