Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 2d85062c4f269ed45d42a62fbf7f17fb2c4f63e8 / . / ssl / test / runner / runner.go
blob: 262ac288ac6fdb5700110e9596728a720e9c042a [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]70)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]71
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]72// ShimConfigurations is used with the “json” package and represents a shim
73// config file.
74type ShimConfiguration struct {
75 // DisabledTests maps from a glob-based pattern to a freeform string.
76 // The glob pattern is used to exclude tests from being run and the
77 // freeform string is unparsed but expected to explain why the test is
78 // disabled.
79 DisabledTests map[string]string
80
81 // ErrorMap maps from expected error strings to the correct error
82 // string for the shim in question. For example, it might map
83 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
84 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
85 ErrorMap map[string]string
86}
87
88var shimConfig ShimConfiguration
89
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]90type testCert int
91
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]92const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]93 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]94 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]95 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]96 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]97 testCertECDSAP256
98 testCertECDSAP384
99 testCertECDSAP521
100)
101
102const (
103 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]104 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]105 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]106 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
108 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
109 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]110)
111
112const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]113 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]114 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]115 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]116 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]117 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
118 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
119 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]120 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]121)
122
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]123var (
124 rsaCertificate Certificate
125 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]126 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]127 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]128 ecdsaP256Certificate Certificate
129 ecdsaP384Certificate Certificate
130 ecdsaP521Certificate Certificate
131)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]132
133var testCerts = []struct {
134 id testCert
135 certFile, keyFile string
136 cert *Certificate
137}{
138 {
139 id: testCertRSA,
140 certFile: rsaCertificateFile,
141 keyFile: rsaKeyFile,
142 cert: &rsaCertificate,
143 },
144 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]145 id: testCertRSA1024,
146 certFile: rsa1024CertificateFile,
147 keyFile: rsa1024KeyFile,
148 cert: &rsa1024Certificate,
149 },
150 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]151 id: testCertRSAChain,
152 certFile: rsaChainCertificateFile,
153 keyFile: rsaChainKeyFile,
154 cert: &rsaChainCertificate,
155 },
156 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]157 id: testCertECDSAP224,
158 certFile: ecdsaP224CertificateFile,
159 keyFile: ecdsaP224KeyFile,
160 cert: &ecdsaP224Certificate,
161 },
162 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]163 id: testCertECDSAP256,
164 certFile: ecdsaP256CertificateFile,
165 keyFile: ecdsaP256KeyFile,
166 cert: &ecdsaP256Certificate,
167 },
168 {
169 id: testCertECDSAP384,
170 certFile: ecdsaP384CertificateFile,
171 keyFile: ecdsaP384KeyFile,
172 cert: &ecdsaP384Certificate,
173 },
174 {
175 id: testCertECDSAP521,
176 certFile: ecdsaP521CertificateFile,
177 keyFile: ecdsaP521KeyFile,
178 cert: &ecdsaP521Certificate,
179 },
180}
181
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]182var channelIDKey *ecdsa.PrivateKey
183var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]184
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]185var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]186var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]187
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]188var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]189var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]190
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]191func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]192 for i := range testCerts {
193 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
194 if err != nil {
195 panic(err)
196 }
197 cert.OCSPStaple = testOCSPResponse
198 cert.SignedCertificateTimestampList = testSCTList
199 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]201
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]202 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]203 if err != nil {
204 panic(err)
205 }
206 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
207 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
208 panic("bad key type")
209 }
210 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
211 if err != nil {
212 panic(err)
213 }
214 if channelIDKey.Curve != elliptic.P256() {
215 panic("bad curve")
216 }
217
218 channelIDBytes = make([]byte, 64)
219 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
220 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]221}
222
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]223func getRunnerCertificate(t testCert) Certificate {
224 for _, cert := range testCerts {
225 if cert.id == t {
226 return *cert.cert
227 }
228 }
229 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]230}
231
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]232func getShimCertificate(t testCert) string {
233 for _, cert := range testCerts {
234 if cert.id == t {
235 return cert.certFile
236 }
237 }
238 panic("Unknown test certificate")
239}
240
241func getShimKey(t testCert) string {
242 for _, cert := range testCerts {
243 if cert.id == t {
244 return cert.keyFile
245 }
246 }
247 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]248}
249
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]250// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
251func encodeDERValues(values [][]byte) string {
252 var ret string
253 for i, v := range values {
254 if i > 0 {
255 ret += ","
256 }
257 ret += hex.EncodeToString(v)
258 }
259
260 return ret
261}
262
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]263type testType int
264
265const (
266 clientTest testType = iota
267 serverTest
268)
269
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]270type protocol int
271
272const (
273 tls protocol = iota
274 dtls
275)
276
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]277const (
278 alpn = 1
279 npn = 2
280)
281
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]282type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]283 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]284 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]285 name string
286 config Config
287 shouldFail bool
288 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]289 // expectedLocalError, if not empty, contains a substring that must be
290 // found in the local error.
291 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]292 // expectedVersion, if non-zero, specifies the TLS version that must be
293 // negotiated.
294 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]295 // expectedResumeVersion, if non-zero, specifies the TLS version that
296 // must be negotiated on resumption. If zero, expectedVersion is used.
297 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]298 // expectedCipher, if non-zero, specifies the TLS cipher suite that
299 // should be negotiated.
300 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]301 // expectChannelID controls whether the connection should have
302 // negotiated a Channel ID with channelIDKey.
303 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]304 // expectedNextProto controls whether the connection should
305 // negotiate a next protocol via NPN or ALPN.
306 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]307 // expectNoNextProto, if true, means that no next protocol should be
308 // negotiated.
309 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]310 // expectedNextProtoType, if non-zero, is the expected next
311 // protocol negotiation mechanism.
312 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]313 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
314 // should be negotiated. If zero, none should be negotiated.
315 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]316 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
317 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]318 // expectedSCTList, if not nil, is the expected SCT list to be received.
319 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]320 // expectedPeerSignatureAlgorithm, if not zero, is the signature
321 // algorithm that the peer should have used in the handshake.
322 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]323 // expectedCurveID, if not zero, is the curve that the handshake should
324 // have used.
325 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]326 // messageLen is the length, in bytes, of the test message that will be
327 // sent.
328 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]329 // messageCount is the number of test messages that will be sent.
330 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]331 // certFile is the path to the certificate to use for the server.
332 certFile string
333 // keyFile is the path to the private key to use for the server.
334 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]335 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]336 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]337 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]338 // resumeRenewedSession controls whether a third connection should be
339 // tested which attempts to resume the second connection's session.
340 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]341 // expectResumeRejected, if true, specifies that the attempted
342 // resumption must be rejected by the client. This is only valid for a
343 // serverTest.
344 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]345 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]346 // resumption. Unless newSessionsOnResume is set,
347 // SessionTicketKey, ServerSessionCache, and
348 // ClientSessionCache are copied from the initial connection's
349 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]350 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]351 // newSessionsOnResume, if true, will cause resumeConfig to
352 // use a different session resumption context.
353 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]354 // noSessionCache, if true, will cause the server to run without a
355 // session cache.
356 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]357 // sendPrefix sends a prefix on the socket before actually performing a
358 // handshake.
359 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]360 // shimWritesFirst controls whether the shim sends an initial "hello"
361 // message before doing a roundtrip with the runner.
362 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]363 // shimShutsDown, if true, runs a test where the shim shuts down the
364 // connection immediately after the handshake rather than echoing
365 // messages from the runner.
366 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]367 // renegotiate indicates the number of times the connection should be
368 // renegotiated during the exchange.
369 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]370 // sendHalfHelloRequest, if true, causes the server to send half a
371 // HelloRequest when the handshake completes.
372 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]373 // renegotiateCiphers is a list of ciphersuite ids that will be
374 // switched in just before renegotiation.
375 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]376 // replayWrites, if true, configures the underlying transport
377 // to replay every write it makes in DTLS tests.
378 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]379 // damageFirstWrite, if true, configures the underlying transport to
380 // damage the final byte of the first application data write.
381 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]382 // exportKeyingMaterial, if non-zero, configures the test to exchange
383 // keying material and verify they match.
384 exportKeyingMaterial int
385 exportLabel string
386 exportContext string
387 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]388 // flags, if not empty, contains a list of command-line flags that will
389 // be passed to the shim program.
390 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]391 // testTLSUnique, if true, causes the shim to send the tls-unique value
392 // which will be compared against the expected value.
393 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]394 // sendEmptyRecords is the number of consecutive empty records to send
395 // before and after the test message.
396 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]397 // sendWarningAlerts is the number of consecutive warning alerts to send
398 // before and after the test message.
399 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]400 // sendKeyUpdates is the number of consecutive key updates to send
401 // before and after the test message.
402 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]403 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
404 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]405 // expectMessageDropped, if true, means the test message is expected to
406 // be dropped by the client rather than echoed back.
407 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]408 // expectPeerCertificate, if not nil, is the certificate chain the peer
409 // is expected to send.
410 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]411}
412
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]413var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]415func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]416 if len(data) == 0 {
417 return
418 }
419
420 protocol := "tls"
421 if test.protocol == dtls {
422 protocol = "dtls"
423 }
424
425 side := "client"
426 if test.testType == serverTest {
427 side = "server"
428 }
429
430 dir := path.Join(*transcriptDir, protocol, side)
431 if err := os.MkdirAll(dir, 0755); err != nil {
432 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
433 return
434 }
435
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]436 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]437 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
438 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
439 }
440}
441
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]442// A timeoutConn implements an idle timeout on each Read and Write operation.
443type timeoutConn struct {
444 net.Conn
445 timeout time.Duration
446}
447
448func (t *timeoutConn) Read(b []byte) (int, error) {
449 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
450 return 0, err
451 }
452 return t.Conn.Read(b)
453}
454
455func (t *timeoutConn) Write(b []byte) (int, error) {
456 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
457 return 0, err
458 }
459 return t.Conn.Write(b)
460}
461
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]462func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]463 if !test.noSessionCache {
464 if config.ClientSessionCache == nil {
465 config.ClientSessionCache = NewLRUClientSessionCache(1)
466 }
467 if config.ServerSessionCache == nil {
468 config.ServerSessionCache = NewLRUServerSessionCache(1)
469 }
470 }
471 if test.testType == clientTest {
472 if len(config.Certificates) == 0 {
473 config.Certificates = []Certificate{rsaCertificate}
474 }
475 } else {
476 // Supply a ServerName to ensure a constant session cache key,
477 // rather than falling back to net.Conn.RemoteAddr.
478 if len(config.ServerName) == 0 {
479 config.ServerName = "test"
480 }
481 }
482 if *fuzzer {
483 config.Bugs.NullAllCiphers = true
484 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]485 if *deterministic {
486 config.Time = func() time.Time { return time.Unix(1234, 1234) }
487 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]488
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]489 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]490
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]491 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]492 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
493 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]494 }
495
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]496 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]497 local, peer := "client", "server"
498 if test.testType == clientTest {
499 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]500 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]501 connDebug := &recordingConn{
502 Conn: conn,
503 isDatagram: test.protocol == dtls,
504 local: local,
505 peer: peer,
506 }
507 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]508 if *flagDebug {
509 defer connDebug.WriteTo(os.Stdout)
510 }
511 if len(*transcriptDir) != 0 {
512 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]513 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]514 }()
515 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]516
517 if config.Bugs.PacketAdaptor != nil {
518 config.Bugs.PacketAdaptor.debug = connDebug
519 }
520 }
521
522 if test.replayWrites {
523 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 }
525
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]526 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]527 if test.damageFirstWrite {
528 connDamage = newDamageAdaptor(conn)
529 conn = connDamage
530 }
531
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]532 if test.sendPrefix != "" {
533 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
534 return err
535 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]536 }
537
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]538 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]539 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]540 if test.protocol == dtls {
541 tlsConn = DTLSServer(conn, config)
542 } else {
543 tlsConn = Server(conn, config)
544 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]545 } else {
546 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]547 if test.protocol == dtls {
548 tlsConn = DTLSClient(conn, config)
549 } else {
550 tlsConn = Client(conn, config)
551 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]552 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]553 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]554
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]555 if err := tlsConn.Handshake(); err != nil {
556 return err
557 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]558
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]559 // TODO(davidben): move all per-connection expectations into a dedicated
560 // expectations struct that can be specified separately for the two
561 // legs.
562 expectedVersion := test.expectedVersion
563 if isResume && test.expectedResumeVersion != 0 {
564 expectedVersion = test.expectedResumeVersion
565 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]566 connState := tlsConn.ConnectionState()
567 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]568 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]569 }
570
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]571 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]572 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
573 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]574 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
575 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
576 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]577
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]578 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]579 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]580 if channelID == nil {
581 return fmt.Errorf("no channel ID negotiated")
582 }
583 if channelID.Curve != channelIDKey.Curve ||
584 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
585 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
586 return fmt.Errorf("incorrect channel ID")
587 }
588 }
589
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]590 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]592 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
593 }
594 }
595
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]596 if test.expectNoNextProto {
597 if actual := connState.NegotiatedProtocol; actual != "" {
598 return fmt.Errorf("got unexpected next proto %s", actual)
599 }
600 }
601
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]602 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]603 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]604 return fmt.Errorf("next proto type mismatch")
605 }
606 }
607
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]608 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]609 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
610 }
611
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]612 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]613 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]614 }
615
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]616 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
617 return fmt.Errorf("SCT list mismatch")
618 }
619
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]620 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
621 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]622 }
623
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]624 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
625 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
626 }
627
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]628 if test.expectPeerCertificate != nil {
629 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
630 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
631 }
632 for i, cert := range connState.PeerCertificates {
633 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
634 return fmt.Errorf("peer certificate %d did not match", i+1)
635 }
636 }
637 }
638
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]639 if test.exportKeyingMaterial > 0 {
640 actual := make([]byte, test.exportKeyingMaterial)
641 if _, err := io.ReadFull(tlsConn, actual); err != nil {
642 return err
643 }
644 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
645 if err != nil {
646 return err
647 }
648 if !bytes.Equal(actual, expected) {
649 return fmt.Errorf("keying material mismatch")
650 }
651 }
652
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]653 if test.testTLSUnique {
654 var peersValue [12]byte
655 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
656 return err
657 }
658 expected := tlsConn.ConnectionState().TLSUnique
659 if !bytes.Equal(peersValue[:], expected) {
660 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
661 }
662 }
663
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]664 if test.shimWritesFirst {
665 var buf [5]byte
666 _, err := io.ReadFull(tlsConn, buf[:])
667 if err != nil {
668 return err
669 }
670 if string(buf[:]) != "hello" {
671 return fmt.Errorf("bad initial message")
672 }
673 }
674
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]675 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]676 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]677 return err
678 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]679 }
680
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]681 for i := 0; i < test.sendEmptyRecords; i++ {
682 tlsConn.Write(nil)
683 }
684
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]685 for i := 0; i < test.sendWarningAlerts; i++ {
686 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
687 }
688
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]689 if test.sendHalfHelloRequest {
690 tlsConn.SendHalfHelloRequest()
691 }
692
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]693 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]694 if test.renegotiateCiphers != nil {
695 config.CipherSuites = test.renegotiateCiphers
696 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]697 for i := 0; i < test.renegotiate; i++ {
698 if err := tlsConn.Renegotiate(); err != nil {
699 return err
700 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]701 }
702 } else if test.renegotiateCiphers != nil {
703 panic("renegotiateCiphers without renegotiate")
704 }
705
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]706 if test.damageFirstWrite {
707 connDamage.setDamage(true)
708 tlsConn.Write([]byte("DAMAGED WRITE"))
709 connDamage.setDamage(false)
710 }
711
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]712 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]713 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]714 if test.protocol == dtls {
715 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
716 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]717 // Read until EOF.
718 _, err := io.Copy(ioutil.Discard, tlsConn)
719 return err
720 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]721 if messageLen == 0 {
722 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]723 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]724
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]725 messageCount := test.messageCount
726 if messageCount == 0 {
727 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]728 }
729
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]730 for j := 0; j < messageCount; j++ {
731 testMessage := make([]byte, messageLen)
732 for i := range testMessage {
733 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]734 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]736
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]737 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]738 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]739 }
740
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]741 for i := 0; i < test.sendEmptyRecords; i++ {
742 tlsConn.Write(nil)
743 }
744
745 for i := 0; i < test.sendWarningAlerts; i++ {
746 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
747 }
748
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]749 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]750 // The shim will not respond.
751 continue
752 }
753
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]754 buf := make([]byte, len(testMessage))
755 if test.protocol == dtls {
756 bufTmp := make([]byte, len(buf)+1)
757 n, err := tlsConn.Read(bufTmp)
758 if err != nil {
759 return err
760 }
761 if n != len(buf) {
762 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
763 }
764 copy(buf, bufTmp)
765 } else {
766 _, err := io.ReadFull(tlsConn, buf)
767 if err != nil {
768 return err
769 }
770 }
771
772 for i, v := range buf {
773 if v != testMessage[i]^0xff {
774 return fmt.Errorf("bad reply contents at byte %d", i)
775 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]776 }
777 }
778
779 return nil
780}
781
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]782func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]783 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]785 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]786 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]787 valgrindArgs = append(valgrindArgs, path)
788 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]789
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]790 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]791}
792
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]793func gdbOf(path string, args ...string) *exec.Cmd {
794 xtermArgs := []string{"-e", "gdb", "--args"}
795 xtermArgs = append(xtermArgs, path)
796 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]797
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]798 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]799}
800
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]801func lldbOf(path string, args ...string) *exec.Cmd {
802 xtermArgs := []string{"-e", "lldb", "--"}
803 xtermArgs = append(xtermArgs, path)
804 xtermArgs = append(xtermArgs, args...)
805
806 return exec.Command("xterm", xtermArgs...)
807}
808
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]809var (
810 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
811 errUnimplemented = errors.New("child process does not implement needed flags")
812)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]813
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]814// accept accepts a connection from listener, unless waitChan signals a process
815// exit first.
816func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
817 type connOrError struct {
818 conn net.Conn
819 err error
820 }
821 connChan := make(chan connOrError, 1)
822 go func() {
823 conn, err := listener.Accept()
824 connChan <- connOrError{conn, err}
825 close(connChan)
826 }()
827 select {
828 case result := <-connChan:
829 return result.conn, result.err
830 case childErr := <-waitChan:
831 waitChan <- childErr
832 return nil, fmt.Errorf("child exited early: %s", childErr)
833 }
834}
835
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]836func translateExpectedError(errorStr string) string {
837 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
838 return translated
839 }
840
841 if *looseErrors {
842 return ""
843 }
844
845 return errorStr
846}
847
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]848func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]849 // Help debugging panics on the Go side.
850 defer func() {
851 if r := recover(); r != nil {
852 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
853 panic(r)
854 }
855 }()
856
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]857 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
858 panic("Error expected without shouldFail in " + test.name)
859 }
860
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]861 if test.expectResumeRejected && !test.resumeSession {
862 panic("expectResumeRejected without resumeSession in " + test.name)
863 }
864
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]865 for _, ver := range tlsVersions {
866 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
867 continue
868 }
869
870 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
871 continue
872 }
873
874 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
875 }
876
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]877 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
878 if err != nil {
879 panic(err)
880 }
881 defer func() {
882 if listener != nil {
883 listener.Close()
884 }
885 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]886
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]887 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]888 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]889 flags = append(flags, "-server")
890
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]891 flags = append(flags, "-key-file")
892 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]893 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]894 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]895 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]896 }
897
898 flags = append(flags, "-cert-file")
899 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]900 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]901 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]902 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]903 }
904 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]905
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]906 if test.protocol == dtls {
907 flags = append(flags, "-dtls")
908 }
909
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]910 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]911 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]912 resumeCount++
913 if test.resumeRenewedSession {
914 resumeCount++
915 }
916 }
917
918 if resumeCount > 0 {
919 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]920 }
921
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]922 if test.shimWritesFirst {
923 flags = append(flags, "-shim-writes-first")
924 }
925
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]926 if test.shimShutsDown {
927 flags = append(flags, "-shim-shuts-down")
928 }
929
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]930 if test.exportKeyingMaterial > 0 {
931 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
932 flags = append(flags, "-export-label", test.exportLabel)
933 flags = append(flags, "-export-context", test.exportContext)
934 if test.useExportContext {
935 flags = append(flags, "-use-export-context")
936 }
937 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]938 if test.expectResumeRejected {
939 flags = append(flags, "-expect-session-miss")
940 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]941
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]942 if test.testTLSUnique {
943 flags = append(flags, "-tls-unique")
944 }
945
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]946 flags = append(flags, test.flags...)
947
948 var shim *exec.Cmd
949 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]950 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]951 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]952 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]953 } else if *useLLDB {
954 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]955 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]956 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]957 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]958 shim.Stdin = os.Stdin
959 var stdoutBuf, stderrBuf bytes.Buffer
960 shim.Stdout = &stdoutBuf
961 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]962 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]963 shim.Env = os.Environ()
964 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]965 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]966 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]967 }
968 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
969 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]970
971 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]972 panic(err)
973 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]974 waitChan := make(chan error, 1)
975 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]976
977 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]978
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]979 if *deterministic {
980 config.Rand = &deterministicRand{}
981 }
982
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 conn, err := acceptOrWait(listener, waitChan)
984 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]985 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]986 conn.Close()
987 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]988
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]989 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]990 var resumeConfig Config
991 if test.resumeConfig != nil {
992 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]993 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]994 resumeConfig.SessionTicketKey = config.SessionTicketKey
995 resumeConfig.ClientSessionCache = config.ClientSessionCache
996 resumeConfig.ServerSessionCache = config.ServerSessionCache
997 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]998 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]999 } else {
1000 resumeConfig = config
1001 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1002 var connResume net.Conn
1003 connResume, err = acceptOrWait(listener, waitChan)
1004 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1005 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1006 connResume.Close()
1007 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1008 }
1009
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1010 // Close the listener now. This is to avoid hangs should the shim try to
1011 // open more connections than expected.
1012 listener.Close()
1013 listener = nil
1014
1015 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1016 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1017 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1018 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1019 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1020 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1021 case 89:
1022 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1023 case 99:
1024 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1025 }
1026 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1027
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1028 // Account for Windows line endings.
1029 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1030 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1031
1032 // Separate the errors from the shim and those from tools like
1033 // AddressSanitizer.
1034 var extraStderr string
1035 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1036 stderr = stderrParts[0]
1037 extraStderr = stderrParts[1]
1038 }
1039
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1040 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1041 expectedError := translateExpectedError(test.expectedError)
1042 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1043
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1044 localError := "none"
1045 if err != nil {
1046 localError = err.Error()
1047 }
1048 if len(test.expectedLocalError) != 0 {
1049 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1050 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1051
1052 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1053 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1054 if childErr != nil {
1055 childError = childErr.Error()
1056 }
1057
1058 var msg string
1059 switch {
1060 case failed && !test.shouldFail:
1061 msg = "unexpected failure"
1062 case !failed && test.shouldFail:
1063 msg = "unexpected success"
1064 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1065 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 default:
1067 panic("internal error")
1068 }
1069
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1070 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1071 }
1072
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1073 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1074 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1075 }
1076
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1077 if *useValgrind && isValgrindError {
1078 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1079 }
1080
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 return nil
1082}
1083
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1084type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1085 name string
1086 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1087 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1088 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1089}
1090
1091var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1092 {"SSL3", VersionSSL30, "-no-ssl3", false},
1093 {"TLS1", VersionTLS10, "-no-tls1", true},
1094 {"TLS11", VersionTLS11, "-no-tls11", false},
1095 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1096 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1097}
1098
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1099type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1100 name string
1101 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1102}
1103
1104var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1105 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1106 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1108 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1109 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1111 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1112 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1113 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1114 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1115 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1117 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1118 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1119 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1121 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1122 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1123 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1124 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1125 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1126 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1127 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1128 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1129 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1130 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1131 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1132 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1133 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1134 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135}
1136
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1137func hasComponent(suiteName, component string) bool {
1138 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1139}
1140
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1141func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1142 return hasComponent(suiteName, "GCM") ||
1143 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1144 hasComponent(suiteName, "SHA384") ||
1145 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1146}
1147
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1148func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1149 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1150}
1151
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1152func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1153 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1154}
1155
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1156func bigFromHex(hex string) *big.Int {
1157 ret, ok := new(big.Int).SetString(hex, 16)
1158 if !ok {
1159 panic("failed to parse hex number 0x" + hex)
1160 }
1161 return ret
1162}
1163
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1164func addBasicTests() {
1165 basicTests := []testCase{
1166 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1167 name: "NoFallbackSCSV",
1168 config: Config{
1169 Bugs: ProtocolBugs{
1170 FailIfNotFallbackSCSV: true,
1171 },
1172 },
1173 shouldFail: true,
1174 expectedLocalError: "no fallback SCSV found",
1175 },
1176 {
1177 name: "SendFallbackSCSV",
1178 config: Config{
1179 Bugs: ProtocolBugs{
1180 FailIfNotFallbackSCSV: true,
1181 },
1182 },
1183 flags: []string{"-fallback-scsv"},
1184 },
1185 {
1186 name: "ClientCertificateTypes",
1187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1188 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1189 ClientAuth: RequestClientCert,
1190 ClientCertificateTypes: []byte{
1191 CertTypeDSSSign,
1192 CertTypeRSASign,
1193 CertTypeECDSASign,
1194 },
1195 },
1196 flags: []string{
1197 "-expect-certificate-types",
1198 base64.StdEncoding.EncodeToString([]byte{
1199 CertTypeDSSSign,
1200 CertTypeRSASign,
1201 CertTypeECDSASign,
1202 }),
1203 },
1204 },
1205 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1206 name: "UnauthenticatedECDH",
1207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1208 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1209 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1210 Bugs: ProtocolBugs{
1211 UnauthenticatedECDH: true,
1212 },
1213 },
1214 shouldFail: true,
1215 expectedError: ":UNEXPECTED_MESSAGE:",
1216 },
1217 {
1218 name: "SkipCertificateStatus",
1219 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1220 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1222 Bugs: ProtocolBugs{
1223 SkipCertificateStatus: true,
1224 },
1225 },
1226 flags: []string{
1227 "-enable-ocsp-stapling",
1228 },
1229 },
1230 {
1231 name: "SkipServerKeyExchange",
1232 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1233 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1234 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1235 Bugs: ProtocolBugs{
1236 SkipServerKeyExchange: true,
1237 },
1238 },
1239 shouldFail: true,
1240 expectedError: ":UNEXPECTED_MESSAGE:",
1241 },
1242 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1243 testType: serverTest,
1244 name: "Alert",
1245 config: Config{
1246 Bugs: ProtocolBugs{
1247 SendSpuriousAlert: alertRecordOverflow,
1248 },
1249 },
1250 shouldFail: true,
1251 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1252 },
1253 {
1254 protocol: dtls,
1255 testType: serverTest,
1256 name: "Alert-DTLS",
1257 config: Config{
1258 Bugs: ProtocolBugs{
1259 SendSpuriousAlert: alertRecordOverflow,
1260 },
1261 },
1262 shouldFail: true,
1263 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1264 },
1265 {
1266 testType: serverTest,
1267 name: "FragmentAlert",
1268 config: Config{
1269 Bugs: ProtocolBugs{
1270 FragmentAlert: true,
1271 SendSpuriousAlert: alertRecordOverflow,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":BAD_ALERT:",
1276 },
1277 {
1278 protocol: dtls,
1279 testType: serverTest,
1280 name: "FragmentAlert-DTLS",
1281 config: Config{
1282 Bugs: ProtocolBugs{
1283 FragmentAlert: true,
1284 SendSpuriousAlert: alertRecordOverflow,
1285 },
1286 },
1287 shouldFail: true,
1288 expectedError: ":BAD_ALERT:",
1289 },
1290 {
1291 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1292 name: "DoubleAlert",
1293 config: Config{
1294 Bugs: ProtocolBugs{
1295 DoubleAlert: true,
1296 SendSpuriousAlert: alertRecordOverflow,
1297 },
1298 },
1299 shouldFail: true,
1300 expectedError: ":BAD_ALERT:",
1301 },
1302 {
1303 protocol: dtls,
1304 testType: serverTest,
1305 name: "DoubleAlert-DTLS",
1306 config: Config{
1307 Bugs: ProtocolBugs{
1308 DoubleAlert: true,
1309 SendSpuriousAlert: alertRecordOverflow,
1310 },
1311 },
1312 shouldFail: true,
1313 expectedError: ":BAD_ALERT:",
1314 },
1315 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1316 name: "SkipNewSessionTicket",
1317 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1318 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1319 Bugs: ProtocolBugs{
1320 SkipNewSessionTicket: true,
1321 },
1322 },
1323 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1324 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1325 },
1326 {
1327 testType: serverTest,
1328 name: "FallbackSCSV",
1329 config: Config{
1330 MaxVersion: VersionTLS11,
1331 Bugs: ProtocolBugs{
1332 SendFallbackSCSV: true,
1333 },
1334 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1335 shouldFail: true,
1336 expectedError: ":INAPPROPRIATE_FALLBACK:",
1337 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1338 },
1339 {
1340 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1341 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1342 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1343 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1344 Bugs: ProtocolBugs{
1345 SendFallbackSCSV: true,
1346 },
1347 },
1348 },
1349 {
1350 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1351 name: "FallbackSCSV-VersionMatch-TLS12",
1352 config: Config{
1353 MaxVersion: VersionTLS12,
1354 Bugs: ProtocolBugs{
1355 SendFallbackSCSV: true,
1356 },
1357 },
1358 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1359 },
1360 {
1361 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1362 name: "FragmentedClientVersion",
1363 config: Config{
1364 Bugs: ProtocolBugs{
1365 MaxHandshakeRecordLength: 1,
1366 FragmentClientVersion: true,
1367 },
1368 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1369 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1370 },
1371 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1372 testType: serverTest,
1373 name: "HttpGET",
1374 sendPrefix: "GET / HTTP/1.0\n",
1375 shouldFail: true,
1376 expectedError: ":HTTP_REQUEST:",
1377 },
1378 {
1379 testType: serverTest,
1380 name: "HttpPOST",
1381 sendPrefix: "POST / HTTP/1.0\n",
1382 shouldFail: true,
1383 expectedError: ":HTTP_REQUEST:",
1384 },
1385 {
1386 testType: serverTest,
1387 name: "HttpHEAD",
1388 sendPrefix: "HEAD / HTTP/1.0\n",
1389 shouldFail: true,
1390 expectedError: ":HTTP_REQUEST:",
1391 },
1392 {
1393 testType: serverTest,
1394 name: "HttpPUT",
1395 sendPrefix: "PUT / HTTP/1.0\n",
1396 shouldFail: true,
1397 expectedError: ":HTTP_REQUEST:",
1398 },
1399 {
1400 testType: serverTest,
1401 name: "HttpCONNECT",
1402 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1403 shouldFail: true,
1404 expectedError: ":HTTPS_PROXY_REQUEST:",
1405 },
1406 {
1407 testType: serverTest,
1408 name: "Garbage",
1409 sendPrefix: "blah",
1410 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1411 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1412 },
1413 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1414 name: "RSAEphemeralKey",
1415 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1416 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1417 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1418 Bugs: ProtocolBugs{
1419 RSAEphemeralKey: true,
1420 },
1421 },
1422 shouldFail: true,
1423 expectedError: ":UNEXPECTED_MESSAGE:",
1424 },
1425 {
1426 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1427 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1428 shouldFail: true,
1429 expectedError: ":WRONG_SSL_VERSION:",
1430 },
1431 {
1432 protocol: dtls,
1433 name: "DisableEverything-DTLS",
1434 flags: []string{"-no-tls12", "-no-tls1"},
1435 shouldFail: true,
1436 expectedError: ":WRONG_SSL_VERSION:",
1437 },
1438 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1439 protocol: dtls,
1440 testType: serverTest,
1441 name: "MTU",
1442 config: Config{
1443 Bugs: ProtocolBugs{
1444 MaxPacketLength: 256,
1445 },
1446 },
1447 flags: []string{"-mtu", "256"},
1448 },
1449 {
1450 protocol: dtls,
1451 testType: serverTest,
1452 name: "MTUExceeded",
1453 config: Config{
1454 Bugs: ProtocolBugs{
1455 MaxPacketLength: 255,
1456 },
1457 },
1458 flags: []string{"-mtu", "256"},
1459 shouldFail: true,
1460 expectedLocalError: "dtls: exceeded maximum packet length",
1461 },
1462 {
1463 name: "CertMismatchRSA",
1464 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1465 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1466 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1467 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 Bugs: ProtocolBugs{
1469 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1474 },
1475 {
1476 name: "CertMismatchECDSA",
1477 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1478 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1479 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1480 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1481 Bugs: ProtocolBugs{
1482 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1483 },
1484 },
1485 shouldFail: true,
1486 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1487 },
1488 {
1489 name: "EmptyCertificateList",
1490 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1491 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1492 Bugs: ProtocolBugs{
1493 EmptyCertificateList: true,
1494 },
1495 },
1496 shouldFail: true,
1497 expectedError: ":DECODE_ERROR:",
1498 },
1499 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1500 name: "EmptyCertificateList-TLS13",
1501 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1502 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1503 Bugs: ProtocolBugs{
1504 EmptyCertificateList: true,
1505 },
1506 },
1507 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1508 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1509 },
1510 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1511 name: "TLSFatalBadPackets",
1512 damageFirstWrite: true,
1513 shouldFail: true,
1514 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1515 },
1516 {
1517 protocol: dtls,
1518 name: "DTLSIgnoreBadPackets",
1519 damageFirstWrite: true,
1520 },
1521 {
1522 protocol: dtls,
1523 name: "DTLSIgnoreBadPackets-Async",
1524 damageFirstWrite: true,
1525 flags: []string{"-async"},
1526 },
1527 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1528 name: "AppDataBeforeHandshake",
1529 config: Config{
1530 Bugs: ProtocolBugs{
1531 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1532 },
1533 },
1534 shouldFail: true,
1535 expectedError: ":UNEXPECTED_RECORD:",
1536 },
1537 {
1538 name: "AppDataBeforeHandshake-Empty",
1539 config: Config{
1540 Bugs: ProtocolBugs{
1541 AppDataBeforeHandshake: []byte{},
1542 },
1543 },
1544 shouldFail: true,
1545 expectedError: ":UNEXPECTED_RECORD:",
1546 },
1547 {
1548 protocol: dtls,
1549 name: "AppDataBeforeHandshake-DTLS",
1550 config: Config{
1551 Bugs: ProtocolBugs{
1552 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1553 },
1554 },
1555 shouldFail: true,
1556 expectedError: ":UNEXPECTED_RECORD:",
1557 },
1558 {
1559 protocol: dtls,
1560 name: "AppDataBeforeHandshake-DTLS-Empty",
1561 config: Config{
1562 Bugs: ProtocolBugs{
1563 AppDataBeforeHandshake: []byte{},
1564 },
1565 },
1566 shouldFail: true,
1567 expectedError: ":UNEXPECTED_RECORD:",
1568 },
1569 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1570 name: "AppDataAfterChangeCipherSpec",
1571 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1572 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1573 Bugs: ProtocolBugs{
1574 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1575 },
1576 },
1577 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1578 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 },
1580 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1581 name: "AppDataAfterChangeCipherSpec-Empty",
1582 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1583 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1584 Bugs: ProtocolBugs{
1585 AppDataAfterChangeCipherSpec: []byte{},
1586 },
1587 },
1588 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1589 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1590 },
1591 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1592 protocol: dtls,
1593 name: "AppDataAfterChangeCipherSpec-DTLS",
1594 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1595 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1596 Bugs: ProtocolBugs{
1597 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1598 },
1599 },
1600 // BoringSSL's DTLS implementation will drop the out-of-order
1601 // application data.
1602 },
1603 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1604 protocol: dtls,
1605 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AppDataAfterChangeCipherSpec: []byte{},
1610 },
1611 },
1612 // BoringSSL's DTLS implementation will drop the out-of-order
1613 // application data.
1614 },
1615 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1616 name: "AlertAfterChangeCipherSpec",
1617 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1618 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1619 Bugs: ProtocolBugs{
1620 AlertAfterChangeCipherSpec: alertRecordOverflow,
1621 },
1622 },
1623 shouldFail: true,
1624 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1625 },
1626 {
1627 protocol: dtls,
1628 name: "AlertAfterChangeCipherSpec-DTLS",
1629 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1630 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1631 Bugs: ProtocolBugs{
1632 AlertAfterChangeCipherSpec: alertRecordOverflow,
1633 },
1634 },
1635 shouldFail: true,
1636 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1637 },
1638 {
1639 protocol: dtls,
1640 name: "ReorderHandshakeFragments-Small-DTLS",
1641 config: Config{
1642 Bugs: ProtocolBugs{
1643 ReorderHandshakeFragments: true,
1644 // Small enough that every handshake message is
1645 // fragmented.
1646 MaxHandshakeRecordLength: 2,
1647 },
1648 },
1649 },
1650 {
1651 protocol: dtls,
1652 name: "ReorderHandshakeFragments-Large-DTLS",
1653 config: Config{
1654 Bugs: ProtocolBugs{
1655 ReorderHandshakeFragments: true,
1656 // Large enough that no handshake message is
1657 // fragmented.
1658 MaxHandshakeRecordLength: 2048,
1659 },
1660 },
1661 },
1662 {
1663 protocol: dtls,
1664 name: "MixCompleteMessageWithFragments-DTLS",
1665 config: Config{
1666 Bugs: ProtocolBugs{
1667 ReorderHandshakeFragments: true,
1668 MixCompleteMessageWithFragments: true,
1669 MaxHandshakeRecordLength: 2,
1670 },
1671 },
1672 },
1673 {
1674 name: "SendInvalidRecordType",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 SendInvalidRecordType: true,
1678 },
1679 },
1680 shouldFail: true,
1681 expectedError: ":UNEXPECTED_RECORD:",
1682 },
1683 {
1684 protocol: dtls,
1685 name: "SendInvalidRecordType-DTLS",
1686 config: Config{
1687 Bugs: ProtocolBugs{
1688 SendInvalidRecordType: true,
1689 },
1690 },
1691 shouldFail: true,
1692 expectedError: ":UNEXPECTED_RECORD:",
1693 },
1694 {
1695 name: "FalseStart-SkipServerSecondLeg",
1696 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1697 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1698 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1699 NextProtos: []string{"foo"},
1700 Bugs: ProtocolBugs{
1701 SkipNewSessionTicket: true,
1702 SkipChangeCipherSpec: true,
1703 SkipFinished: true,
1704 ExpectFalseStart: true,
1705 },
1706 },
1707 flags: []string{
1708 "-false-start",
1709 "-handshake-never-done",
1710 "-advertise-alpn", "\x03foo",
1711 },
1712 shimWritesFirst: true,
1713 shouldFail: true,
1714 expectedError: ":UNEXPECTED_RECORD:",
1715 },
1716 {
1717 name: "FalseStart-SkipServerSecondLeg-Implicit",
1718 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1719 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1720 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1721 NextProtos: []string{"foo"},
1722 Bugs: ProtocolBugs{
1723 SkipNewSessionTicket: true,
1724 SkipChangeCipherSpec: true,
1725 SkipFinished: true,
1726 },
1727 },
1728 flags: []string{
1729 "-implicit-handshake",
1730 "-false-start",
1731 "-handshake-never-done",
1732 "-advertise-alpn", "\x03foo",
1733 },
1734 shouldFail: true,
1735 expectedError: ":UNEXPECTED_RECORD:",
1736 },
1737 {
1738 testType: serverTest,
1739 name: "FailEarlyCallback",
1740 flags: []string{"-fail-early-callback"},
1741 shouldFail: true,
1742 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1743 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1744 },
1745 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1746 name: "FailCertCallback-Client-TLS12",
1747 config: Config{
1748 MaxVersion: VersionTLS12,
1749 ClientAuth: RequestClientCert,
1750 },
1751 flags: []string{"-fail-cert-callback"},
1752 shouldFail: true,
1753 expectedError: ":CERT_CB_ERROR:",
1754 expectedLocalError: "remote error: internal error",
1755 },
1756 {
1757 testType: serverTest,
1758 name: "FailCertCallback-Server-TLS12",
1759 config: Config{
1760 MaxVersion: VersionTLS12,
1761 },
1762 flags: []string{"-fail-cert-callback"},
1763 shouldFail: true,
1764 expectedError: ":CERT_CB_ERROR:",
1765 expectedLocalError: "remote error: internal error",
1766 },
1767 {
1768 name: "FailCertCallback-Client-TLS13",
1769 config: Config{
1770 MaxVersion: VersionTLS13,
1771 ClientAuth: RequestClientCert,
1772 },
1773 flags: []string{"-fail-cert-callback"},
1774 shouldFail: true,
1775 expectedError: ":CERT_CB_ERROR:",
1776 expectedLocalError: "remote error: internal error",
1777 },
1778 {
1779 testType: serverTest,
1780 name: "FailCertCallback-Server-TLS13",
1781 config: Config{
1782 MaxVersion: VersionTLS13,
1783 },
1784 flags: []string{"-fail-cert-callback"},
1785 shouldFail: true,
1786 expectedError: ":CERT_CB_ERROR:",
1787 expectedLocalError: "remote error: internal error",
1788 },
1789 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1790 protocol: dtls,
1791 name: "FragmentMessageTypeMismatch-DTLS",
1792 config: Config{
1793 Bugs: ProtocolBugs{
1794 MaxHandshakeRecordLength: 2,
1795 FragmentMessageTypeMismatch: true,
1796 },
1797 },
1798 shouldFail: true,
1799 expectedError: ":FRAGMENT_MISMATCH:",
1800 },
1801 {
1802 protocol: dtls,
1803 name: "FragmentMessageLengthMismatch-DTLS",
1804 config: Config{
1805 Bugs: ProtocolBugs{
1806 MaxHandshakeRecordLength: 2,
1807 FragmentMessageLengthMismatch: true,
1808 },
1809 },
1810 shouldFail: true,
1811 expectedError: ":FRAGMENT_MISMATCH:",
1812 },
1813 {
1814 protocol: dtls,
1815 name: "SplitFragments-Header-DTLS",
1816 config: Config{
1817 Bugs: ProtocolBugs{
1818 SplitFragments: 2,
1819 },
1820 },
1821 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1822 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1823 },
1824 {
1825 protocol: dtls,
1826 name: "SplitFragments-Boundary-DTLS",
1827 config: Config{
1828 Bugs: ProtocolBugs{
1829 SplitFragments: dtlsRecordHeaderLen,
1830 },
1831 },
1832 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1833 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1834 },
1835 {
1836 protocol: dtls,
1837 name: "SplitFragments-Body-DTLS",
1838 config: Config{
1839 Bugs: ProtocolBugs{
1840 SplitFragments: dtlsRecordHeaderLen + 1,
1841 },
1842 },
1843 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1844 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1845 },
1846 {
1847 protocol: dtls,
1848 name: "SendEmptyFragments-DTLS",
1849 config: Config{
1850 Bugs: ProtocolBugs{
1851 SendEmptyFragments: true,
1852 },
1853 },
1854 },
1855 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1856 name: "BadFinished-Client",
1857 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1858 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1859 Bugs: ProtocolBugs{
1860 BadFinished: true,
1861 },
1862 },
1863 shouldFail: true,
1864 expectedError: ":DIGEST_CHECK_FAILED:",
1865 },
1866 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1867 name: "BadFinished-Client-TLS13",
1868 config: Config{
1869 MaxVersion: VersionTLS13,
1870 Bugs: ProtocolBugs{
1871 BadFinished: true,
1872 },
1873 },
1874 shouldFail: true,
1875 expectedError: ":DIGEST_CHECK_FAILED:",
1876 },
1877 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1878 testType: serverTest,
1879 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1880 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1881 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1882 Bugs: ProtocolBugs{
1883 BadFinished: true,
1884 },
1885 },
1886 shouldFail: true,
1887 expectedError: ":DIGEST_CHECK_FAILED:",
1888 },
1889 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1890 testType: serverTest,
1891 name: "BadFinished-Server-TLS13",
1892 config: Config{
1893 MaxVersion: VersionTLS13,
1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 },
1897 },
1898 shouldFail: true,
1899 expectedError: ":DIGEST_CHECK_FAILED:",
1900 },
1901 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1902 name: "FalseStart-BadFinished",
1903 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1904 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1905 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1906 NextProtos: []string{"foo"},
1907 Bugs: ProtocolBugs{
1908 BadFinished: true,
1909 ExpectFalseStart: true,
1910 },
1911 },
1912 flags: []string{
1913 "-false-start",
1914 "-handshake-never-done",
1915 "-advertise-alpn", "\x03foo",
1916 },
1917 shimWritesFirst: true,
1918 shouldFail: true,
1919 expectedError: ":DIGEST_CHECK_FAILED:",
1920 },
1921 {
1922 name: "NoFalseStart-NoALPN",
1923 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1924 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1925 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1926 Bugs: ProtocolBugs{
1927 ExpectFalseStart: true,
1928 AlertBeforeFalseStartTest: alertAccessDenied,
1929 },
1930 },
1931 flags: []string{
1932 "-false-start",
1933 },
1934 shimWritesFirst: true,
1935 shouldFail: true,
1936 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1937 expectedLocalError: "tls: peer did not false start: EOF",
1938 },
1939 {
1940 name: "NoFalseStart-NoAEAD",
1941 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1942 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1943 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1944 NextProtos: []string{"foo"},
1945 Bugs: ProtocolBugs{
1946 ExpectFalseStart: true,
1947 AlertBeforeFalseStartTest: alertAccessDenied,
1948 },
1949 },
1950 flags: []string{
1951 "-false-start",
1952 "-advertise-alpn", "\x03foo",
1953 },
1954 shimWritesFirst: true,
1955 shouldFail: true,
1956 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1957 expectedLocalError: "tls: peer did not false start: EOF",
1958 },
1959 {
1960 name: "NoFalseStart-RSA",
1961 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1962 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1963 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1964 NextProtos: []string{"foo"},
1965 Bugs: ProtocolBugs{
1966 ExpectFalseStart: true,
1967 AlertBeforeFalseStartTest: alertAccessDenied,
1968 },
1969 },
1970 flags: []string{
1971 "-false-start",
1972 "-advertise-alpn", "\x03foo",
1973 },
1974 shimWritesFirst: true,
1975 shouldFail: true,
1976 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1977 expectedLocalError: "tls: peer did not false start: EOF",
1978 },
1979 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1980 protocol: dtls,
1981 name: "SendSplitAlert-Sync",
1982 config: Config{
1983 Bugs: ProtocolBugs{
1984 SendSplitAlert: true,
1985 },
1986 },
1987 },
1988 {
1989 protocol: dtls,
1990 name: "SendSplitAlert-Async",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 flags: []string{"-async"},
1997 },
1998 {
1999 protocol: dtls,
2000 name: "PackDTLSHandshake",
2001 config: Config{
2002 Bugs: ProtocolBugs{
2003 MaxHandshakeRecordLength: 2,
2004 PackHandshakeFragments: 20,
2005 PackHandshakeRecords: 200,
2006 },
2007 },
2008 },
2009 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2010 name: "SendEmptyRecords-Pass",
2011 sendEmptyRecords: 32,
2012 },
2013 {
2014 name: "SendEmptyRecords",
2015 sendEmptyRecords: 33,
2016 shouldFail: true,
2017 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2018 },
2019 {
2020 name: "SendEmptyRecords-Async",
2021 sendEmptyRecords: 33,
2022 flags: []string{"-async"},
2023 shouldFail: true,
2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2025 },
2026 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2027 name: "SendWarningAlerts-Pass",
2028 config: Config{
2029 MaxVersion: VersionTLS12,
2030 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2031 sendWarningAlerts: 4,
2032 },
2033 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2034 protocol: dtls,
2035 name: "SendWarningAlerts-DTLS-Pass",
2036 config: Config{
2037 MaxVersion: VersionTLS12,
2038 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2039 sendWarningAlerts: 4,
2040 },
2041 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2042 name: "SendWarningAlerts-TLS13",
2043 config: Config{
2044 MaxVersion: VersionTLS13,
2045 },
2046 sendWarningAlerts: 4,
2047 shouldFail: true,
2048 expectedError: ":BAD_ALERT:",
2049 expectedLocalError: "remote error: error decoding message",
2050 },
2051 {
2052 name: "SendWarningAlerts",
2053 config: Config{
2054 MaxVersion: VersionTLS12,
2055 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2056 sendWarningAlerts: 5,
2057 shouldFail: true,
2058 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2059 },
2060 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2061 name: "SendWarningAlerts-Async",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 flags: []string{"-async"},
2067 shouldFail: true,
2068 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2069 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2070 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2071 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2072 config: Config{
2073 MaxVersion: VersionTLS13,
2074 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2075 sendKeyUpdates: 33,
2076 keyUpdateRequest: keyUpdateNotRequested,
2077 shouldFail: true,
2078 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2079 },
2080 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2081 name: "EmptySessionID",
2082 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2083 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2084 SessionTicketsDisabled: true,
2085 },
2086 noSessionCache: true,
2087 flags: []string{"-expect-no-session"},
2088 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2089 {
2090 name: "Unclean-Shutdown",
2091 config: Config{
2092 Bugs: ProtocolBugs{
2093 NoCloseNotify: true,
2094 ExpectCloseNotify: true,
2095 },
2096 },
2097 shimShutsDown: true,
2098 flags: []string{"-check-close-notify"},
2099 shouldFail: true,
2100 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2101 },
2102 {
2103 name: "Unclean-Shutdown-Ignored",
2104 config: Config{
2105 Bugs: ProtocolBugs{
2106 NoCloseNotify: true,
2107 },
2108 },
2109 shimShutsDown: true,
2110 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2111 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2112 name: "Unclean-Shutdown-Alert",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 SendAlertOnShutdown: alertDecompressionFailure,
2116 ExpectCloseNotify: true,
2117 },
2118 },
2119 shimShutsDown: true,
2120 flags: []string{"-check-close-notify"},
2121 shouldFail: true,
2122 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2123 },
2124 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2125 name: "LargePlaintext",
2126 config: Config{
2127 Bugs: ProtocolBugs{
2128 SendLargeRecords: true,
2129 },
2130 },
2131 messageLen: maxPlaintext + 1,
2132 shouldFail: true,
2133 expectedError: ":DATA_LENGTH_TOO_LONG:",
2134 },
2135 {
2136 protocol: dtls,
2137 name: "LargePlaintext-DTLS",
2138 config: Config{
2139 Bugs: ProtocolBugs{
2140 SendLargeRecords: true,
2141 },
2142 },
2143 messageLen: maxPlaintext + 1,
2144 shouldFail: true,
2145 expectedError: ":DATA_LENGTH_TOO_LONG:",
2146 },
2147 {
2148 name: "LargeCiphertext",
2149 config: Config{
2150 Bugs: ProtocolBugs{
2151 SendLargeRecords: true,
2152 },
2153 },
2154 messageLen: maxPlaintext * 2,
2155 shouldFail: true,
2156 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2157 },
2158 {
2159 protocol: dtls,
2160 name: "LargeCiphertext-DTLS",
2161 config: Config{
2162 Bugs: ProtocolBugs{
2163 SendLargeRecords: true,
2164 },
2165 },
2166 messageLen: maxPlaintext * 2,
2167 // Unlike the other four cases, DTLS drops records which
2168 // are invalid before authentication, so the connection
2169 // does not fail.
2170 expectMessageDropped: true,
2171 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2172 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2173 name: "BadHelloRequest-1",
2174 renegotiate: 1,
2175 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2176 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2177 Bugs: ProtocolBugs{
2178 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2179 },
2180 },
2181 flags: []string{
2182 "-renegotiate-freely",
2183 "-expect-total-renegotiations", "1",
2184 },
2185 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2186 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2187 },
2188 {
2189 name: "BadHelloRequest-2",
2190 renegotiate: 1,
2191 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2192 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2193 Bugs: ProtocolBugs{
2194 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2195 },
2196 },
2197 flags: []string{
2198 "-renegotiate-freely",
2199 "-expect-total-renegotiations", "1",
2200 },
2201 shouldFail: true,
2202 expectedError: ":BAD_HELLO_REQUEST:",
2203 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2204 {
2205 testType: serverTest,
2206 name: "SupportTicketsWithSessionID",
2207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2208 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2209 SessionTicketsDisabled: true,
2210 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2211 resumeConfig: &Config{
2212 MaxVersion: VersionTLS12,
2213 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2214 resumeSession: true,
2215 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2216 {
2217 protocol: dtls,
2218 name: "DTLS-SendExtraFinished",
2219 config: Config{
2220 Bugs: ProtocolBugs{
2221 SendExtraFinished: true,
2222 },
2223 },
2224 shouldFail: true,
2225 expectedError: ":UNEXPECTED_RECORD:",
2226 },
2227 {
2228 protocol: dtls,
2229 name: "DTLS-SendExtraFinished-Reordered",
2230 config: Config{
2231 Bugs: ProtocolBugs{
2232 MaxHandshakeRecordLength: 2,
2233 ReorderHandshakeFragments: true,
2234 SendExtraFinished: true,
2235 },
2236 },
2237 shouldFail: true,
2238 expectedError: ":UNEXPECTED_RECORD:",
2239 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2240 {
2241 testType: serverTest,
2242 name: "V2ClientHello-EmptyRecordPrefix",
2243 config: Config{
2244 // Choose a cipher suite that does not involve
2245 // elliptic curves, so no extensions are
2246 // involved.
2247 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2248 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 Bugs: ProtocolBugs{
2250 SendV2ClientHello: true,
2251 },
2252 },
2253 sendPrefix: string([]byte{
2254 byte(recordTypeHandshake),
2255 3, 1, // version
2256 0, 0, // length
2257 }),
2258 // A no-op empty record may not be sent before V2ClientHello.
2259 shouldFail: true,
2260 expectedError: ":WRONG_VERSION_NUMBER:",
2261 },
2262 {
2263 testType: serverTest,
2264 name: "V2ClientHello-WarningAlertPrefix",
2265 config: Config{
2266 // Choose a cipher suite that does not involve
2267 // elliptic curves, so no extensions are
2268 // involved.
2269 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2270 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2271 Bugs: ProtocolBugs{
2272 SendV2ClientHello: true,
2273 },
2274 },
2275 sendPrefix: string([]byte{
2276 byte(recordTypeAlert),
2277 3, 1, // version
2278 0, 2, // length
2279 alertLevelWarning, byte(alertDecompressionFailure),
2280 }),
2281 // A no-op warning alert may not be sent before V2ClientHello.
2282 shouldFail: true,
2283 expectedError: ":WRONG_VERSION_NUMBER:",
2284 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2285 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2286 name: "KeyUpdate-Client",
2287 config: Config{
2288 MaxVersion: VersionTLS13,
2289 },
2290 sendKeyUpdates: 1,
2291 keyUpdateRequest: keyUpdateNotRequested,
2292 },
2293 {
2294 testType: serverTest,
2295 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 config: Config{
2297 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2298 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 name: "KeyUpdate-InvalidRequestMode",
2304 config: Config{
2305 MaxVersion: VersionTLS13,
2306 },
2307 sendKeyUpdates: 1,
2308 keyUpdateRequest: 42,
2309 shouldFail: true,
2310 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2311 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2312 {
2313 name: "SendSNIWarningAlert",
2314 config: Config{
2315 MaxVersion: VersionTLS12,
2316 Bugs: ProtocolBugs{
2317 SendSNIWarningAlert: true,
2318 },
2319 },
2320 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2321 {
2322 testType: serverTest,
2323 name: "ExtraCompressionMethods-TLS12",
2324 config: Config{
2325 MaxVersion: VersionTLS12,
2326 Bugs: ProtocolBugs{
2327 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2328 },
2329 },
2330 },
2331 {
2332 testType: serverTest,
2333 name: "ExtraCompressionMethods-TLS13",
2334 config: Config{
2335 MaxVersion: VersionTLS13,
2336 Bugs: ProtocolBugs{
2337 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2338 },
2339 },
2340 shouldFail: true,
2341 expectedError: ":INVALID_COMPRESSION_LIST:",
2342 expectedLocalError: "remote error: illegal parameter",
2343 },
2344 {
2345 testType: serverTest,
2346 name: "NoNullCompression-TLS12",
2347 config: Config{
2348 MaxVersion: VersionTLS12,
2349 Bugs: ProtocolBugs{
2350 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2351 },
2352 },
2353 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2354 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2355 expectedLocalError: "remote error: illegal parameter",
2356 },
2357 {
2358 testType: serverTest,
2359 name: "NoNullCompression-TLS13",
2360 config: Config{
2361 MaxVersion: VersionTLS13,
2362 Bugs: ProtocolBugs{
2363 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2364 },
2365 },
2366 shouldFail: true,
2367 expectedError: ":INVALID_COMPRESSION_LIST:",
2368 expectedLocalError: "remote error: illegal parameter",
2369 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2371 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2372 config: Config{
2373 MaxVersion: VersionTLS12,
2374 Bugs: ProtocolBugs{
2375 ExpectGREASE: true,
2376 },
2377 },
2378 flags: []string{"-enable-grease"},
2379 },
2380 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2381 name: "GREASE-Client-TLS13",
2382 config: Config{
2383 MaxVersion: VersionTLS13,
2384 Bugs: ProtocolBugs{
2385 ExpectGREASE: true,
2386 },
2387 },
2388 flags: []string{"-enable-grease"},
2389 },
2390 {
2391 testType: serverTest,
2392 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2393 config: Config{
2394 MaxVersion: VersionTLS13,
2395 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2396 // TLS 1.3 servers are expected to
2397 // always enable GREASE. TLS 1.3 is new,
2398 // so there is no existing ecosystem to
2399 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2400 ExpectGREASE: true,
2401 },
2402 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2403 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2404 {
2405 // Test the server so there is a large certificate as
2406 // well as application data.
2407 testType: serverTest,
2408 name: "MaxSendFragment",
2409 config: Config{
2410 Bugs: ProtocolBugs{
2411 MaxReceivePlaintext: 512,
2412 },
2413 },
2414 messageLen: 1024,
2415 flags: []string{
2416 "-max-send-fragment", "512",
2417 "-read-size", "1024",
2418 },
2419 },
2420 {
2421 // Test the server so there is a large certificate as
2422 // well as application data.
2423 testType: serverTest,
2424 name: "MaxSendFragment-TooLarge",
2425 config: Config{
2426 Bugs: ProtocolBugs{
2427 // Ensure that some of the records are
2428 // 512.
2429 MaxReceivePlaintext: 511,
2430 },
2431 },
2432 messageLen: 1024,
2433 flags: []string{
2434 "-max-send-fragment", "512",
2435 "-read-size", "1024",
2436 },
2437 shouldFail: true,
2438 expectedLocalError: "local error: record overflow",
2439 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2440 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2441 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2442
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2443 if *includeDHE {
2444 testCases = append(testCases, testCase{
2445 name: "NoFalseStart-DHE_RSA",
2446 config: Config{
2447 MaxVersion: VersionTLS12,
2448 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2449 NextProtos: []string{"foo"},
2450 Bugs: ProtocolBugs{
2451 ExpectFalseStart: true,
2452 AlertBeforeFalseStartTest: alertAccessDenied,
2453 },
2454 },
2455 flags: []string{
2456 "-false-start",
2457 "-advertise-alpn", "\x03foo",
2458 },
2459 shimWritesFirst: true,
2460 shouldFail: true,
2461 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2462 expectedLocalError: "tls: peer did not false start: EOF",
2463 })
2464 }
2465
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2466 // Test that very large messages can be received.
2467 cert := rsaCertificate
2468 for i := 0; i < 50; i++ {
2469 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2470 }
2471 testCases = append(testCases, testCase{
2472 name: "LargeMessage",
2473 config: Config{
2474 Certificates: []Certificate{cert},
2475 },
2476 })
2477 testCases = append(testCases, testCase{
2478 protocol: dtls,
2479 name: "LargeMessage-DTLS",
2480 config: Config{
2481 Certificates: []Certificate{cert},
2482 },
2483 })
2484
2485 // They are rejected if the maximum certificate chain length is capped.
2486 testCases = append(testCases, testCase{
2487 name: "LargeMessage-Reject",
2488 config: Config{
2489 Certificates: []Certificate{cert},
2490 },
2491 flags: []string{"-max-cert-list", "16384"},
2492 shouldFail: true,
2493 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2494 })
2495 testCases = append(testCases, testCase{
2496 protocol: dtls,
2497 name: "LargeMessage-Reject-DTLS",
2498 config: Config{
2499 Certificates: []Certificate{cert},
2500 },
2501 flags: []string{"-max-cert-list", "16384"},
2502 shouldFail: true,
2503 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2504 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2505}
2506
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2507func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2508 const psk = "12345"
2509 const pskIdentity = "luggage combo"
2510
2511 var prefix string
2512 if protocol == dtls {
2513 if !ver.hasDTLS {
2514 return
2515 }
2516 prefix = "D"
2517 }
2518
2519 var cert Certificate
2520 var certFile string
2521 var keyFile string
2522 if hasComponent(suite.name, "ECDSA") {
2523 cert = ecdsaP256Certificate
2524 certFile = ecdsaP256CertificateFile
2525 keyFile = ecdsaP256KeyFile
2526 } else {
2527 cert = rsaCertificate
2528 certFile = rsaCertificateFile
2529 keyFile = rsaKeyFile
2530 }
2531
2532 var flags []string
2533 if hasComponent(suite.name, "PSK") {
2534 flags = append(flags,
2535 "-psk", psk,
2536 "-psk-identity", pskIdentity)
2537 }
2538 if hasComponent(suite.name, "NULL") {
2539 // NULL ciphers must be explicitly enabled.
2540 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2541 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2542
2543 var shouldServerFail, shouldClientFail bool
2544 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2545 // BoringSSL clients accept ECDHE on SSLv3, but
2546 // a BoringSSL server will never select it
2547 // because the extension is missing.
2548 shouldServerFail = true
2549 }
2550 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2551 shouldClientFail = true
2552 shouldServerFail = true
2553 }
2554 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2555 shouldClientFail = true
2556 shouldServerFail = true
2557 }
2558 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2559 shouldClientFail = true
2560 shouldServerFail = true
2561 }
2562 if !isDTLSCipher(suite.name) && protocol == dtls {
2563 shouldClientFail = true
2564 shouldServerFail = true
2565 }
2566
2567 var sendCipherSuite uint16
2568 var expectedServerError, expectedClientError string
2569 serverCipherSuites := []uint16{suite.id}
2570 if shouldServerFail {
2571 expectedServerError = ":NO_SHARED_CIPHER:"
2572 }
2573 if shouldClientFail {
2574 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2575 // Configure the server to select ciphers as normal but
2576 // select an incompatible cipher in ServerHello.
2577 serverCipherSuites = nil
2578 sendCipherSuite = suite.id
2579 }
2580
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2581 // For cipher suites and versions where exporters are defined, verify
2582 // that they interoperate.
2583 var exportKeyingMaterial int
2584 if ver.version > VersionSSL30 {
2585 exportKeyingMaterial = 1024
2586 }
2587
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2588 testCases = append(testCases, testCase{
2589 testType: serverTest,
2590 protocol: protocol,
2591 name: prefix + ver.name + "-" + suite.name + "-server",
2592 config: Config{
2593 MinVersion: ver.version,
2594 MaxVersion: ver.version,
2595 CipherSuites: []uint16{suite.id},
2596 Certificates: []Certificate{cert},
2597 PreSharedKey: []byte(psk),
2598 PreSharedKeyIdentity: pskIdentity,
2599 Bugs: ProtocolBugs{
2600 AdvertiseAllConfiguredCiphers: true,
2601 },
2602 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2603 certFile: certFile,
2604 keyFile: keyFile,
2605 flags: flags,
2606 resumeSession: true,
2607 shouldFail: shouldServerFail,
2608 expectedError: expectedServerError,
2609 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2610 })
2611
2612 testCases = append(testCases, testCase{
2613 testType: clientTest,
2614 protocol: protocol,
2615 name: prefix + ver.name + "-" + suite.name + "-client",
2616 config: Config{
2617 MinVersion: ver.version,
2618 MaxVersion: ver.version,
2619 CipherSuites: serverCipherSuites,
2620 Certificates: []Certificate{cert},
2621 PreSharedKey: []byte(psk),
2622 PreSharedKeyIdentity: pskIdentity,
2623 Bugs: ProtocolBugs{
2624 IgnorePeerCipherPreferences: shouldClientFail,
2625 SendCipherSuite: sendCipherSuite,
2626 },
2627 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2628 flags: flags,
2629 resumeSession: true,
2630 shouldFail: shouldClientFail,
2631 expectedError: expectedClientError,
2632 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2633 })
2634
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2635 if shouldClientFail {
2636 return
2637 }
2638
2639 // Ensure the maximum record size is accepted.
2640 testCases = append(testCases, testCase{
2641 protocol: protocol,
2642 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2643 config: Config{
2644 MinVersion: ver.version,
2645 MaxVersion: ver.version,
2646 CipherSuites: []uint16{suite.id},
2647 Certificates: []Certificate{cert},
2648 PreSharedKey: []byte(psk),
2649 PreSharedKeyIdentity: pskIdentity,
2650 },
2651 flags: flags,
2652 messageLen: maxPlaintext,
2653 })
2654
2655 // Test bad records for all ciphers. Bad records are fatal in TLS
2656 // and ignored in DTLS.
2657 var shouldFail bool
2658 var expectedError string
2659 if protocol == tls {
2660 shouldFail = true
2661 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2662 }
2663
2664 testCases = append(testCases, testCase{
2665 protocol: protocol,
2666 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2667 config: Config{
2668 MinVersion: ver.version,
2669 MaxVersion: ver.version,
2670 CipherSuites: []uint16{suite.id},
2671 Certificates: []Certificate{cert},
2672 PreSharedKey: []byte(psk),
2673 PreSharedKeyIdentity: pskIdentity,
2674 },
2675 flags: flags,
2676 damageFirstWrite: true,
2677 messageLen: maxPlaintext,
2678 shouldFail: shouldFail,
2679 expectedError: expectedError,
2680 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2681}
2682
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2683func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2684 const bogusCipher = 0xfe00
2685
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2686 if *includeDHE {
2687 testCipherSuites = append(testCipherSuites, []testCipherSuite{
2688 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2689 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
2690 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
2691 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
2692 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
2693 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
2694 }...)
2695 }
2696
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2697 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2698 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2699 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2700 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2701 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2702 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2703 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2704
2705 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2706 name: "NoSharedCipher",
2707 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2708 MaxVersion: VersionTLS12,
2709 CipherSuites: []uint16{},
2710 },
2711 shouldFail: true,
2712 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2713 })
2714
2715 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2716 name: "NoSharedCipher-TLS13",
2717 config: Config{
2718 MaxVersion: VersionTLS13,
2719 CipherSuites: []uint16{},
2720 },
2721 shouldFail: true,
2722 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2723 })
2724
2725 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2726 name: "UnsupportedCipherSuite",
2727 config: Config{
2728 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2729 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2730 Bugs: ProtocolBugs{
2731 IgnorePeerCipherPreferences: true,
2732 },
2733 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2734 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2735 shouldFail: true,
2736 expectedError: ":WRONG_CIPHER_RETURNED:",
2737 })
2738
2739 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2740 name: "ServerHelloBogusCipher",
2741 config: Config{
2742 MaxVersion: VersionTLS12,
2743 Bugs: ProtocolBugs{
2744 SendCipherSuite: bogusCipher,
2745 },
2746 },
2747 shouldFail: true,
2748 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2749 })
2750 testCases = append(testCases, testCase{
2751 name: "ServerHelloBogusCipher-TLS13",
2752 config: Config{
2753 MaxVersion: VersionTLS13,
2754 Bugs: ProtocolBugs{
2755 SendCipherSuite: bogusCipher,
2756 },
2757 },
2758 shouldFail: true,
2759 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2760 })
2761
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2762 if *includeDHE {
2763 testCases = append(testCases, testCase{
2764 name: "WeakDH",
2765 config: Config{
2766 MaxVersion: VersionTLS12,
2767 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2768 Bugs: ProtocolBugs{
2769 // This is a 1023-bit prime number, generated
2770 // with:
2771 // openssl gendh 1023 | openssl asn1parse -i
2772 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2773 },
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2774 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2775 shouldFail: true,
2776 expectedError: ":BAD_DH_P_LENGTH:",
2777 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2778
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2779 testCases = append(testCases, testCase{
2780 name: "SillyDH",
2781 config: Config{
2782 MaxVersion: VersionTLS12,
2783 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2784 Bugs: ProtocolBugs{
2785 // This is a 4097-bit prime number, generated
2786 // with:
2787 // openssl gendh 4097 | openssl asn1parse -i
2788 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2789 },
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2790 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2791 shouldFail: true,
2792 expectedError: ":DH_P_TOO_LONG:",
2793 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2794
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2795 // This test ensures that Diffie-Hellman public values are padded with
2796 // zeros so that they're the same length as the prime. This is to avoid
2797 // hitting a bug in yaSSL.
2798 testCases = append(testCases, testCase{
2799 testType: serverTest,
2800 name: "DHPublicValuePadded",
2801 config: Config{
2802 MaxVersion: VersionTLS12,
2803 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2804 Bugs: ProtocolBugs{
2805 RequireDHPublicValueLen: (1025 + 7) / 8,
2806 },
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2807 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2808 flags: []string{"-use-sparse-dh-prime"},
2809 })
2810 }
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2811
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2812 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2813 testCases = append(testCases, testCase{
2814 testType: serverTest,
2815 name: "UnknownCipher",
2816 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2817 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2818 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2819 Bugs: ProtocolBugs{
2820 AdvertiseAllConfiguredCiphers: true,
2821 },
2822 },
2823 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2824
2825 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2826 testCases = append(testCases, testCase{
2827 testType: serverTest,
2828 name: "UnknownCipher-TLS13",
2829 config: Config{
2830 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2831 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2832 Bugs: ProtocolBugs{
2833 AdvertiseAllConfiguredCiphers: true,
2834 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2835 },
2836 })
2837
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2838 // Test empty ECDHE_PSK identity hints work as expected.
2839 testCases = append(testCases, testCase{
2840 name: "EmptyECDHEPSKHint",
2841 config: Config{
2842 MaxVersion: VersionTLS12,
2843 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2844 PreSharedKey: []byte("secret"),
2845 },
2846 flags: []string{"-psk", "secret"},
2847 })
2848
2849 // Test empty PSK identity hints work as expected, even if an explicit
2850 // ServerKeyExchange is sent.
2851 testCases = append(testCases, testCase{
2852 name: "ExplicitEmptyPSKHint",
2853 config: Config{
2854 MaxVersion: VersionTLS12,
2855 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2856 PreSharedKey: []byte("secret"),
2857 Bugs: ProtocolBugs{
2858 AlwaysSendPreSharedKeyIdentityHint: true,
2859 },
2860 },
2861 flags: []string{"-psk", "secret"},
2862 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2863}
2864
2865func addBadECDSASignatureTests() {
2866 for badR := BadValue(1); badR < NumBadValues; badR++ {
2867 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2868 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2869 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2870 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2871 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2872 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2873 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2874 Bugs: ProtocolBugs{
2875 BadECDSAR: badR,
2876 BadECDSAS: badS,
2877 },
2878 },
2879 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2880 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2881 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2882 testCases = append(testCases, testCase{
2883 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2884 config: Config{
2885 MaxVersion: VersionTLS13,
2886 Certificates: []Certificate{ecdsaP256Certificate},
2887 Bugs: ProtocolBugs{
2888 BadECDSAR: badR,
2889 BadECDSAS: badS,
2890 },
2891 },
2892 shouldFail: true,
2893 expectedError: ":BAD_SIGNATURE:",
2894 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2895 }
2896 }
2897}
2898
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2899func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2900 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2901 name: "MaxCBCPadding",
2902 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2903 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2904 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2905 Bugs: ProtocolBugs{
2906 MaxPadding: true,
2907 },
2908 },
2909 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2910 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2911 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2912 name: "BadCBCPadding",
2913 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2914 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2915 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2916 Bugs: ProtocolBugs{
2917 PaddingFirstByteBad: true,
2918 },
2919 },
2920 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2921 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2922 })
2923 // OpenSSL previously had an issue where the first byte of padding in
2924 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2925 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2926 name: "BadCBCPadding255",
2927 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2928 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2929 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2930 Bugs: ProtocolBugs{
2931 MaxPadding: true,
2932 PaddingFirstByteBadIf255: true,
2933 },
2934 },
2935 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2936 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2937 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2938 })
2939}
2940
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2941func addCBCSplittingTests() {
2942 testCases = append(testCases, testCase{
2943 name: "CBCRecordSplitting",
2944 config: Config{
2945 MaxVersion: VersionTLS10,
2946 MinVersion: VersionTLS10,
2947 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2948 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2949 messageLen: -1, // read until EOF
2950 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2951 flags: []string{
2952 "-async",
2953 "-write-different-record-sizes",
2954 "-cbc-record-splitting",
2955 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2956 })
2957 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2958 name: "CBCRecordSplittingPartialWrite",
2959 config: Config{
2960 MaxVersion: VersionTLS10,
2961 MinVersion: VersionTLS10,
2962 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2963 },
2964 messageLen: -1, // read until EOF
2965 flags: []string{
2966 "-async",
2967 "-write-different-record-sizes",
2968 "-cbc-record-splitting",
2969 "-partial-write",
2970 },
2971 })
2972}
2973
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2974func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2975 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2976 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2977 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
2978 cert, err := x509.ParseCertificate(cert.Certificate[0])
2979 if err != nil {
2980 panic(err)
2981 }
2982 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2983 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2984 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2985
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2986 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2987 testCases = append(testCases, testCase{
2988 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2989 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2990 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2991 MinVersion: ver.version,
2992 MaxVersion: ver.version,
2993 ClientAuth: RequireAnyClientCert,
2994 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2995 },
2996 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2997 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2998 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2999 },
3000 })
3001 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3002 testType: serverTest,
3003 name: ver.name + "-Server-ClientAuth-RSA",
3004 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3005 MinVersion: ver.version,
3006 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3007 Certificates: []Certificate{rsaCertificate},
3008 },
3009 flags: []string{"-require-any-client-certificate"},
3010 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3011 if ver.version != VersionSSL30 {
3012 testCases = append(testCases, testCase{
3013 testType: serverTest,
3014 name: ver.name + "-Server-ClientAuth-ECDSA",
3015 config: Config{
3016 MinVersion: ver.version,
3017 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3018 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3019 },
3020 flags: []string{"-require-any-client-certificate"},
3021 })
3022 testCases = append(testCases, testCase{
3023 testType: clientTest,
3024 name: ver.name + "-Client-ClientAuth-ECDSA",
3025 config: Config{
3026 MinVersion: ver.version,
3027 MaxVersion: ver.version,
3028 ClientAuth: RequireAnyClientCert,
3029 ClientCAs: certPool,
3030 },
3031 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3032 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3033 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3034 },
3035 })
3036 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3037
3038 testCases = append(testCases, testCase{
3039 name: "NoClientCertificate-" + ver.name,
3040 config: Config{
3041 MinVersion: ver.version,
3042 MaxVersion: ver.version,
3043 ClientAuth: RequireAnyClientCert,
3044 },
3045 shouldFail: true,
3046 expectedLocalError: "client didn't provide a certificate",
3047 })
3048
3049 testCases = append(testCases, testCase{
3050 // Even if not configured to expect a certificate, OpenSSL will
3051 // return X509_V_OK as the verify_result.
3052 testType: serverTest,
3053 name: "NoClientCertificateRequested-Server-" + ver.name,
3054 config: Config{
3055 MinVersion: ver.version,
3056 MaxVersion: ver.version,
3057 },
3058 flags: []string{
3059 "-expect-verify-result",
3060 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3061 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3062 })
3063
3064 testCases = append(testCases, testCase{
3065 // If a client certificate is not provided, OpenSSL will still
3066 // return X509_V_OK as the verify_result.
3067 testType: serverTest,
3068 name: "NoClientCertificate-Server-" + ver.name,
3069 config: Config{
3070 MinVersion: ver.version,
3071 MaxVersion: ver.version,
3072 },
3073 flags: []string{
3074 "-expect-verify-result",
3075 "-verify-peer",
3076 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3077 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3078 })
3079
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3080 certificateRequired := "remote error: certificate required"
3081 if ver.version < VersionTLS13 {
3082 // Prior to TLS 1.3, the generic handshake_failure alert
3083 // was used.
3084 certificateRequired = "remote error: handshake failure"
3085 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3086 testCases = append(testCases, testCase{
3087 testType: serverTest,
3088 name: "RequireAnyClientCertificate-" + ver.name,
3089 config: Config{
3090 MinVersion: ver.version,
3091 MaxVersion: ver.version,
3092 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3093 flags: []string{"-require-any-client-certificate"},
3094 shouldFail: true,
3095 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3096 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3097 })
3098
3099 if ver.version != VersionSSL30 {
3100 testCases = append(testCases, testCase{
3101 testType: serverTest,
3102 name: "SkipClientCertificate-" + ver.name,
3103 config: Config{
3104 MinVersion: ver.version,
3105 MaxVersion: ver.version,
3106 Bugs: ProtocolBugs{
3107 SkipClientCertificate: true,
3108 },
3109 },
3110 // Setting SSL_VERIFY_PEER allows anonymous clients.
3111 flags: []string{"-verify-peer"},
3112 shouldFail: true,
3113 expectedError: ":UNEXPECTED_MESSAGE:",
3114 })
3115 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3116
3117 testCases = append(testCases, testCase{
3118 testType: serverTest,
3119 name: ver.name + "-Server-CertReq-CA-List",
3120 config: Config{
3121 MinVersion: ver.version,
3122 MaxVersion: ver.version,
3123 Certificates: []Certificate{rsaCertificate},
3124 Bugs: ProtocolBugs{
3125 ExpectCertificateReqNames: caNames,
3126 },
3127 },
3128 flags: []string{
3129 "-require-any-client-certificate",
3130 "-use-client-ca-list", encodeDERValues(caNames),
3131 },
3132 })
3133
3134 testCases = append(testCases, testCase{
3135 testType: clientTest,
3136 name: ver.name + "-Client-CertReq-CA-List",
3137 config: Config{
3138 MinVersion: ver.version,
3139 MaxVersion: ver.version,
3140 Certificates: []Certificate{rsaCertificate},
3141 ClientAuth: RequireAnyClientCert,
3142 ClientCAs: certPool,
3143 },
3144 flags: []string{
3145 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3146 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3147 "-expect-client-ca-list", encodeDERValues(caNames),
3148 },
3149 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3150 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3151
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3152 // Client auth is only legal in certificate-based ciphers.
3153 testCases = append(testCases, testCase{
3154 testType: clientTest,
3155 name: "ClientAuth-PSK",
3156 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3157 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3158 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3159 PreSharedKey: []byte("secret"),
3160 ClientAuth: RequireAnyClientCert,
3161 },
3162 flags: []string{
3163 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3164 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3165 "-psk", "secret",
3166 },
3167 shouldFail: true,
3168 expectedError: ":UNEXPECTED_MESSAGE:",
3169 })
3170 testCases = append(testCases, testCase{
3171 testType: clientTest,
3172 name: "ClientAuth-ECDHE_PSK",
3173 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3174 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3175 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3176 PreSharedKey: []byte("secret"),
3177 ClientAuth: RequireAnyClientCert,
3178 },
3179 flags: []string{
3180 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3181 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3182 "-psk", "secret",
3183 },
3184 shouldFail: true,
3185 expectedError: ":UNEXPECTED_MESSAGE:",
3186 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3187
3188 // Regression test for a bug where the client CA list, if explicitly
3189 // set to NULL, was mis-encoded.
3190 testCases = append(testCases, testCase{
3191 testType: serverTest,
3192 name: "Null-Client-CA-List",
3193 config: Config{
3194 MaxVersion: VersionTLS12,
3195 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3196 Bugs: ProtocolBugs{
3197 ExpectCertificateReqNames: [][]byte{},
3198 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3199 },
3200 flags: []string{
3201 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3202 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3203 },
3204 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3205}
3206
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3207func addExtendedMasterSecretTests() {
3208 const expectEMSFlag = "-expect-extended-master-secret"
3209
3210 for _, with := range []bool{false, true} {
3211 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3212 if with {
3213 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3214 }
3215
3216 for _, isClient := range []bool{false, true} {
3217 suffix := "-Server"
3218 testType := serverTest
3219 if isClient {
3220 suffix = "-Client"
3221 testType = clientTest
3222 }
3223
3224 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3225 // In TLS 1.3, the extension is irrelevant and
3226 // always reports as enabled.
3227 var flags []string
3228 if with || ver.version >= VersionTLS13 {
3229 flags = []string{expectEMSFlag}
3230 }
3231
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3232 test := testCase{
3233 testType: testType,
3234 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3235 config: Config{
3236 MinVersion: ver.version,
3237 MaxVersion: ver.version,
3238 Bugs: ProtocolBugs{
3239 NoExtendedMasterSecret: !with,
3240 RequireExtendedMasterSecret: with,
3241 },
3242 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3243 flags: flags,
3244 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3245 }
3246 if test.shouldFail {
3247 test.expectedLocalError = "extended master secret required but not supported by peer"
3248 }
3249 testCases = append(testCases, test)
3250 }
3251 }
3252 }
3253
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3254 for _, isClient := range []bool{false, true} {
3255 for _, supportedInFirstConnection := range []bool{false, true} {
3256 for _, supportedInResumeConnection := range []bool{false, true} {
3257 boolToWord := func(b bool) string {
3258 if b {
3259 return "Yes"
3260 }
3261 return "No"
3262 }
3263 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3264 if isClient {
3265 suffix += "Client"
3266 } else {
3267 suffix += "Server"
3268 }
3269
3270 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3271 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3272 Bugs: ProtocolBugs{
3273 RequireExtendedMasterSecret: true,
3274 },
3275 }
3276
3277 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3278 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3279 Bugs: ProtocolBugs{
3280 NoExtendedMasterSecret: true,
3281 },
3282 }
3283
3284 test := testCase{
3285 name: "ExtendedMasterSecret-" + suffix,
3286 resumeSession: true,
3287 }
3288
3289 if !isClient {
3290 test.testType = serverTest
3291 }
3292
3293 if supportedInFirstConnection {
3294 test.config = supportedConfig
3295 } else {
3296 test.config = noSupportConfig
3297 }
3298
3299 if supportedInResumeConnection {
3300 test.resumeConfig = &supportedConfig
3301 } else {
3302 test.resumeConfig = &noSupportConfig
3303 }
3304
3305 switch suffix {
3306 case "YesToYes-Client", "YesToYes-Server":
3307 // When a session is resumed, it should
3308 // still be aware that its master
3309 // secret was generated via EMS and
3310 // thus it's safe to use tls-unique.
3311 test.flags = []string{expectEMSFlag}
3312 case "NoToYes-Server":
3313 // If an original connection did not
3314 // contain EMS, but a resumption
3315 // handshake does, then a server should
3316 // not resume the session.
3317 test.expectResumeRejected = true
3318 case "YesToNo-Server":
3319 // Resuming an EMS session without the
3320 // EMS extension should cause the
3321 // server to abort the connection.
3322 test.shouldFail = true
3323 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3324 case "NoToYes-Client":
3325 // A client should abort a connection
3326 // where the server resumed a non-EMS
3327 // session but echoed the EMS
3328 // extension.
3329 test.shouldFail = true
3330 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3331 case "YesToNo-Client":
3332 // A client should abort a connection
3333 // where the server didn't echo EMS
3334 // when the session used it.
3335 test.shouldFail = true
3336 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3337 }
3338
3339 testCases = append(testCases, test)
3340 }
3341 }
3342 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3343
3344 // Switching EMS on renegotiation is forbidden.
3345 testCases = append(testCases, testCase{
3346 name: "ExtendedMasterSecret-Renego-NoEMS",
3347 config: Config{
3348 MaxVersion: VersionTLS12,
3349 Bugs: ProtocolBugs{
3350 NoExtendedMasterSecret: true,
3351 NoExtendedMasterSecretOnRenegotiation: true,
3352 },
3353 },
3354 renegotiate: 1,
3355 flags: []string{
3356 "-renegotiate-freely",
3357 "-expect-total-renegotiations", "1",
3358 },
3359 })
3360
3361 testCases = append(testCases, testCase{
3362 name: "ExtendedMasterSecret-Renego-Upgrade",
3363 config: Config{
3364 MaxVersion: VersionTLS12,
3365 Bugs: ProtocolBugs{
3366 NoExtendedMasterSecret: true,
3367 },
3368 },
3369 renegotiate: 1,
3370 flags: []string{
3371 "-renegotiate-freely",
3372 "-expect-total-renegotiations", "1",
3373 },
3374 shouldFail: true,
3375 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3376 })
3377
3378 testCases = append(testCases, testCase{
3379 name: "ExtendedMasterSecret-Renego-Downgrade",
3380 config: Config{
3381 MaxVersion: VersionTLS12,
3382 Bugs: ProtocolBugs{
3383 NoExtendedMasterSecretOnRenegotiation: true,
3384 },
3385 },
3386 renegotiate: 1,
3387 flags: []string{
3388 "-renegotiate-freely",
3389 "-expect-total-renegotiations", "1",
3390 },
3391 shouldFail: true,
3392 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3393 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3394}
3395
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3396type stateMachineTestConfig struct {
3397 protocol protocol
3398 async bool
3399 splitHandshake, packHandshakeFlight bool
3400}
3401
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3402// Adds tests that try to cover the range of the handshake state machine, under
3403// various conditions. Some of these are redundant with other tests, but they
3404// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3405func addAllStateMachineCoverageTests() {
3406 for _, async := range []bool{false, true} {
3407 for _, protocol := range []protocol{tls, dtls} {
3408 addStateMachineCoverageTests(stateMachineTestConfig{
3409 protocol: protocol,
3410 async: async,
3411 })
3412 addStateMachineCoverageTests(stateMachineTestConfig{
3413 protocol: protocol,
3414 async: async,
3415 splitHandshake: true,
3416 })
3417 if protocol == tls {
3418 addStateMachineCoverageTests(stateMachineTestConfig{
3419 protocol: protocol,
3420 async: async,
3421 packHandshakeFlight: true,
3422 })
3423 }
3424 }
3425 }
3426}
3427
3428func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3429 var tests []testCase
3430
3431 // Basic handshake, with resumption. Client and server,
3432 // session ID and session ticket.
3433 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3434 name: "Basic-Client",
3435 config: Config{
3436 MaxVersion: VersionTLS12,
3437 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3438 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3439 // Ensure session tickets are used, not session IDs.
3440 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3441 })
3442 tests = append(tests, testCase{
3443 name: "Basic-Client-RenewTicket",
3444 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3445 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3446 Bugs: ProtocolBugs{
3447 RenewTicketOnResume: true,
3448 },
3449 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3450 flags: []string{"-expect-ticket-renewal"},
3451 resumeSession: true,
3452 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3453 })
3454 tests = append(tests, testCase{
3455 name: "Basic-Client-NoTicket",
3456 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3457 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3458 SessionTicketsDisabled: true,
3459 },
3460 resumeSession: true,
3461 })
3462 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3463 name: "Basic-Client-Implicit",
3464 config: Config{
3465 MaxVersion: VersionTLS12,
3466 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3467 flags: []string{"-implicit-handshake"},
3468 resumeSession: true,
3469 })
3470 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3471 testType: serverTest,
3472 name: "Basic-Server",
3473 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3474 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3475 Bugs: ProtocolBugs{
3476 RequireSessionTickets: true,
3477 },
3478 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3479 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3480 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3481 })
3482 tests = append(tests, testCase{
3483 testType: serverTest,
3484 name: "Basic-Server-NoTickets",
3485 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3486 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3487 SessionTicketsDisabled: true,
3488 },
3489 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3490 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3491 })
3492 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3493 testType: serverTest,
3494 name: "Basic-Server-Implicit",
3495 config: Config{
3496 MaxVersion: VersionTLS12,
3497 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3498 flags: []string{"-implicit-handshake"},
3499 resumeSession: true,
3500 })
3501 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3502 testType: serverTest,
3503 name: "Basic-Server-EarlyCallback",
3504 config: Config{
3505 MaxVersion: VersionTLS12,
3506 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3507 flags: []string{"-use-early-callback"},
3508 resumeSession: true,
3509 })
3510
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3511 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3512 if config.protocol == tls {
3513 tests = append(tests, testCase{
3514 name: "TLS13-1RTT-Client",
3515 config: Config{
3516 MaxVersion: VersionTLS13,
3517 MinVersion: VersionTLS13,
3518 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3519 resumeSession: true,
3520 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3521 })
3522
3523 tests = append(tests, testCase{
3524 testType: serverTest,
3525 name: "TLS13-1RTT-Server",
3526 config: Config{
3527 MaxVersion: VersionTLS13,
3528 MinVersion: VersionTLS13,
3529 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3530 resumeSession: true,
3531 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3532 // TLS 1.3 uses tickets, so the session should not be
3533 // cached statefully.
3534 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3535 })
3536
3537 tests = append(tests, testCase{
3538 name: "TLS13-HelloRetryRequest-Client",
3539 config: Config{
3540 MaxVersion: VersionTLS13,
3541 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3542 // P-384 requires a HelloRetryRequest against BoringSSL's default
3543 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3544 CurvePreferences: []CurveID{CurveP384},
3545 Bugs: ProtocolBugs{
3546 ExpectMissingKeyShare: true,
3547 },
3548 },
3549 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3550 resumeSession: true,
3551 })
3552
3553 tests = append(tests, testCase{
3554 testType: serverTest,
3555 name: "TLS13-HelloRetryRequest-Server",
3556 config: Config{
3557 MaxVersion: VersionTLS13,
3558 MinVersion: VersionTLS13,
3559 // Require a HelloRetryRequest for every curve.
3560 DefaultCurves: []CurveID{},
3561 },
3562 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3563 resumeSession: true,
3564 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame^]3565
3566 // TODO(svaldez): Send data on early data once implemented.
3567 tests = append(tests, testCase{
3568 testType: clientTest,
3569 name: "TLS13-EarlyData-Client",
3570 config: Config{
3571 MaxVersion: VersionTLS13,
3572 MinVersion: VersionTLS13,
3573 MaxEarlyDataSize: 16384,
3574 },
3575 resumeSession: true,
3576 flags: []string{
3577 "-enable-early-data",
3578 "-expect-early-data-info",
3579 "-expect-accept-early-data",
3580 },
3581 })
3582
3583 tests = append(tests, testCase{
3584 testType: serverTest,
3585 name: "TLS13-EarlyData-Server",
3586 config: Config{
3587 MaxVersion: VersionTLS13,
3588 MinVersion: VersionTLS13,
3589 Bugs: ProtocolBugs{
3590 SendEarlyData: [][]byte{},
3591 ExpectEarlyDataAccepted: true,
3592 },
3593 },
3594 resumeSession: true,
3595 flags: []string{
3596 "-enable-early-data",
3597 },
3598 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3599 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3600
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3601 // TLS client auth.
3602 tests = append(tests, testCase{
3603 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3604 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3605 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3606 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3607 ClientAuth: RequestClientCert,
3608 },
3609 })
3610 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3611 testType: serverTest,
3612 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3613 config: Config{
3614 MaxVersion: VersionTLS12,
3615 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3616 // Setting SSL_VERIFY_PEER allows anonymous clients.
3617 flags: []string{"-verify-peer"},
3618 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3619 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3620 tests = append(tests, testCase{
3621 testType: clientTest,
3622 name: "ClientAuth-NoCertificate-Client-SSL3",
3623 config: Config{
3624 MaxVersion: VersionSSL30,
3625 ClientAuth: RequestClientCert,
3626 },
3627 })
3628 tests = append(tests, testCase{
3629 testType: serverTest,
3630 name: "ClientAuth-NoCertificate-Server-SSL3",
3631 config: Config{
3632 MaxVersion: VersionSSL30,
3633 },
3634 // Setting SSL_VERIFY_PEER allows anonymous clients.
3635 flags: []string{"-verify-peer"},
3636 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3637 tests = append(tests, testCase{
3638 testType: clientTest,
3639 name: "ClientAuth-NoCertificate-Client-TLS13",
3640 config: Config{
3641 MaxVersion: VersionTLS13,
3642 ClientAuth: RequestClientCert,
3643 },
3644 })
3645 tests = append(tests, testCase{
3646 testType: serverTest,
3647 name: "ClientAuth-NoCertificate-Server-TLS13",
3648 config: Config{
3649 MaxVersion: VersionTLS13,
3650 },
3651 // Setting SSL_VERIFY_PEER allows anonymous clients.
3652 flags: []string{"-verify-peer"},
3653 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3654 }
3655 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3656 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3657 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3658 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3659 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3660 ClientAuth: RequireAnyClientCert,
3661 },
3662 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3663 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3664 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3665 },
3666 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3667 tests = append(tests, testCase{
3668 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3669 name: "ClientAuth-RSA-Client-TLS13",
3670 config: Config{
3671 MaxVersion: VersionTLS13,
3672 ClientAuth: RequireAnyClientCert,
3673 },
3674 flags: []string{
3675 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3676 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3677 },
3678 })
3679 tests = append(tests, testCase{
3680 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3681 name: "ClientAuth-ECDSA-Client",
3682 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3683 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3684 ClientAuth: RequireAnyClientCert,
3685 },
3686 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3687 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3688 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3689 },
3690 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3691 tests = append(tests, testCase{
3692 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3693 name: "ClientAuth-ECDSA-Client-TLS13",
3694 config: Config{
3695 MaxVersion: VersionTLS13,
3696 ClientAuth: RequireAnyClientCert,
3697 },
3698 flags: []string{
3699 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3700 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3701 },
3702 })
3703 tests = append(tests, testCase{
3704 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3705 name: "ClientAuth-NoCertificate-OldCallback",
3706 config: Config{
3707 MaxVersion: VersionTLS12,
3708 ClientAuth: RequestClientCert,
3709 },
3710 flags: []string{"-use-old-client-cert-callback"},
3711 })
3712 tests = append(tests, testCase{
3713 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3714 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3715 config: Config{
3716 MaxVersion: VersionTLS13,
3717 ClientAuth: RequestClientCert,
3718 },
3719 flags: []string{"-use-old-client-cert-callback"},
3720 })
3721 tests = append(tests, testCase{
3722 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3723 name: "ClientAuth-OldCallback",
3724 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3725 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3726 ClientAuth: RequireAnyClientCert,
3727 },
3728 flags: []string{
3729 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3730 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3731 "-use-old-client-cert-callback",
3732 },
3733 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3734 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3735 testType: clientTest,
3736 name: "ClientAuth-OldCallback-TLS13",
3737 config: Config{
3738 MaxVersion: VersionTLS13,
3739 ClientAuth: RequireAnyClientCert,
3740 },
3741 flags: []string{
3742 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3743 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3744 "-use-old-client-cert-callback",
3745 },
3746 })
3747 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3748 testType: serverTest,
3749 name: "ClientAuth-Server",
3750 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3751 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3752 Certificates: []Certificate{rsaCertificate},
3753 },
3754 flags: []string{"-require-any-client-certificate"},
3755 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3756 tests = append(tests, testCase{
3757 testType: serverTest,
3758 name: "ClientAuth-Server-TLS13",
3759 config: Config{
3760 MaxVersion: VersionTLS13,
3761 Certificates: []Certificate{rsaCertificate},
3762 },
3763 flags: []string{"-require-any-client-certificate"},
3764 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3765
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3766 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3767 tests = append(tests, testCase{
3768 testType: serverTest,
3769 name: "Basic-Server-RSA",
3770 config: Config{
3771 MaxVersion: VersionTLS12,
3772 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3773 },
3774 flags: []string{
3775 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3776 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3777 },
3778 })
3779 tests = append(tests, testCase{
3780 testType: serverTest,
3781 name: "Basic-Server-ECDHE-RSA",
3782 config: Config{
3783 MaxVersion: VersionTLS12,
3784 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3785 },
3786 flags: []string{
3787 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3788 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3789 },
3790 })
3791 tests = append(tests, testCase{
3792 testType: serverTest,
3793 name: "Basic-Server-ECDHE-ECDSA",
3794 config: Config{
3795 MaxVersion: VersionTLS12,
3796 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3797 },
3798 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3799 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3800 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3801 },
3802 })
3803
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3804 // No session ticket support; server doesn't send NewSessionTicket.
3805 tests = append(tests, testCase{
3806 name: "SessionTicketsDisabled-Client",
3807 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3808 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3809 SessionTicketsDisabled: true,
3810 },
3811 })
3812 tests = append(tests, testCase{
3813 testType: serverTest,
3814 name: "SessionTicketsDisabled-Server",
3815 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3816 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3817 SessionTicketsDisabled: true,
3818 },
3819 })
3820
3821 // Skip ServerKeyExchange in PSK key exchange if there's no
3822 // identity hint.
3823 tests = append(tests, testCase{
3824 name: "EmptyPSKHint-Client",
3825 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3826 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3827 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3828 PreSharedKey: []byte("secret"),
3829 },
3830 flags: []string{"-psk", "secret"},
3831 })
3832 tests = append(tests, testCase{
3833 testType: serverTest,
3834 name: "EmptyPSKHint-Server",
3835 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3836 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3837 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3838 PreSharedKey: []byte("secret"),
3839 },
3840 flags: []string{"-psk", "secret"},
3841 })
3842
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3843 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3844 tests = append(tests, testCase{
3845 testType: clientTest,
3846 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3847 config: Config{
3848 MaxVersion: VersionTLS12,
3849 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3850 flags: []string{
3851 "-enable-ocsp-stapling",
3852 "-expect-ocsp-response",
3853 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3854 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3855 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3856 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3857 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3858 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3859 testType: serverTest,
3860 name: "OCSPStapling-Server",
3861 config: Config{
3862 MaxVersion: VersionTLS12,
3863 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3864 expectedOCSPResponse: testOCSPResponse,
3865 flags: []string{
3866 "-ocsp-response",
3867 base64.StdEncoding.EncodeToString(testOCSPResponse),
3868 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3869 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3870 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3871 tests = append(tests, testCase{
3872 testType: clientTest,
3873 name: "OCSPStapling-Client-TLS13",
3874 config: Config{
3875 MaxVersion: VersionTLS13,
3876 },
3877 flags: []string{
3878 "-enable-ocsp-stapling",
3879 "-expect-ocsp-response",
3880 base64.StdEncoding.EncodeToString(testOCSPResponse),
3881 "-verify-peer",
3882 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3883 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3884 })
3885 tests = append(tests, testCase{
3886 testType: serverTest,
3887 name: "OCSPStapling-Server-TLS13",
3888 config: Config{
3889 MaxVersion: VersionTLS13,
3890 },
3891 expectedOCSPResponse: testOCSPResponse,
3892 flags: []string{
3893 "-ocsp-response",
3894 base64.StdEncoding.EncodeToString(testOCSPResponse),
3895 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3896 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3897 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3898
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3899 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3900 for _, vers := range tlsVersions {
3901 if config.protocol == dtls && !vers.hasDTLS {
3902 continue
3903 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3904 for _, testType := range []testType{clientTest, serverTest} {
3905 suffix := "-Client"
3906 if testType == serverTest {
3907 suffix = "-Server"
3908 }
3909 suffix += "-" + vers.name
3910
3911 flag := "-verify-peer"
3912 if testType == serverTest {
3913 flag = "-require-any-client-certificate"
3914 }
3915
3916 tests = append(tests, testCase{
3917 testType: testType,
3918 name: "CertificateVerificationSucceed" + suffix,
3919 config: Config{
3920 MaxVersion: vers.version,
3921 Certificates: []Certificate{rsaCertificate},
3922 },
3923 flags: []string{
3924 flag,
3925 "-expect-verify-result",
3926 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3927 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3928 })
3929 tests = append(tests, testCase{
3930 testType: testType,
3931 name: "CertificateVerificationFail" + suffix,
3932 config: Config{
3933 MaxVersion: vers.version,
3934 Certificates: []Certificate{rsaCertificate},
3935 },
3936 flags: []string{
3937 flag,
3938 "-verify-fail",
3939 },
3940 shouldFail: true,
3941 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3942 })
3943 }
3944
3945 // By default, the client is in a soft fail mode where the peer
3946 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3947 tests = append(tests, testCase{
3948 testType: clientTest,
3949 name: "CertificateVerificationSoftFail-" + vers.name,
3950 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3951 MaxVersion: vers.version,
3952 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3953 },
3954 flags: []string{
3955 "-verify-fail",
3956 "-expect-verify-result",
3957 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3958 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3959 })
3960 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3961
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3962 tests = append(tests, testCase{
3963 name: "ShimSendAlert",
3964 flags: []string{"-send-alert"},
3965 shimWritesFirst: true,
3966 shouldFail: true,
3967 expectedLocalError: "remote error: decompression failure",
3968 })
3969
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3970 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3971 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3972 name: "Renegotiate-Client",
3973 config: Config{
3974 MaxVersion: VersionTLS12,
3975 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3976 renegotiate: 1,
3977 flags: []string{
3978 "-renegotiate-freely",
3979 "-expect-total-renegotiations", "1",
3980 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3981 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3982
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3983 tests = append(tests, testCase{
3984 name: "SendHalfHelloRequest",
3985 config: Config{
3986 MaxVersion: VersionTLS12,
3987 Bugs: ProtocolBugs{
3988 PackHelloRequestWithFinished: config.packHandshakeFlight,
3989 },
3990 },
3991 sendHalfHelloRequest: true,
3992 flags: []string{"-renegotiate-ignore"},
3993 shouldFail: true,
3994 expectedError: ":UNEXPECTED_RECORD:",
3995 })
3996
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3997 // NPN on client and server; results in post-handshake message.
3998 tests = append(tests, testCase{
3999 name: "NPN-Client",
4000 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4001 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4002 NextProtos: []string{"foo"},
4003 },
4004 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4005 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4006 expectedNextProto: "foo",
4007 expectedNextProtoType: npn,
4008 })
4009 tests = append(tests, testCase{
4010 testType: serverTest,
4011 name: "NPN-Server",
4012 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4013 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4014 NextProtos: []string{"bar"},
4015 },
4016 flags: []string{
4017 "-advertise-npn", "\x03foo\x03bar\x03baz",
4018 "-expect-next-proto", "bar",
4019 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4020 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4021 expectedNextProto: "bar",
4022 expectedNextProtoType: npn,
4023 })
4024
4025 // TODO(davidben): Add tests for when False Start doesn't trigger.
4026
4027 // Client does False Start and negotiates NPN.
4028 tests = append(tests, testCase{
4029 name: "FalseStart",
4030 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4031 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4032 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4033 NextProtos: []string{"foo"},
4034 Bugs: ProtocolBugs{
4035 ExpectFalseStart: true,
4036 },
4037 },
4038 flags: []string{
4039 "-false-start",
4040 "-select-next-proto", "foo",
4041 },
4042 shimWritesFirst: true,
4043 resumeSession: true,
4044 })
4045
4046 // Client does False Start and negotiates ALPN.
4047 tests = append(tests, testCase{
4048 name: "FalseStart-ALPN",
4049 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4050 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4051 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4052 NextProtos: []string{"foo"},
4053 Bugs: ProtocolBugs{
4054 ExpectFalseStart: true,
4055 },
4056 },
4057 flags: []string{
4058 "-false-start",
4059 "-advertise-alpn", "\x03foo",
4060 },
4061 shimWritesFirst: true,
4062 resumeSession: true,
4063 })
4064
4065 // Client does False Start but doesn't explicitly call
4066 // SSL_connect.
4067 tests = append(tests, testCase{
4068 name: "FalseStart-Implicit",
4069 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4070 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4071 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4072 NextProtos: []string{"foo"},
4073 },
4074 flags: []string{
4075 "-implicit-handshake",
4076 "-false-start",
4077 "-advertise-alpn", "\x03foo",
4078 },
4079 })
4080
4081 // False Start without session tickets.
4082 tests = append(tests, testCase{
4083 name: "FalseStart-SessionTicketsDisabled",
4084 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4085 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4086 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4087 NextProtos: []string{"foo"},
4088 SessionTicketsDisabled: true,
4089 Bugs: ProtocolBugs{
4090 ExpectFalseStart: true,
4091 },
4092 },
4093 flags: []string{
4094 "-false-start",
4095 "-select-next-proto", "foo",
4096 },
4097 shimWritesFirst: true,
4098 })
4099
4100 // Server parses a V2ClientHello.
4101 tests = append(tests, testCase{
4102 testType: serverTest,
4103 name: "SendV2ClientHello",
4104 config: Config{
4105 // Choose a cipher suite that does not involve
4106 // elliptic curves, so no extensions are
4107 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4108 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4109 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4110 Bugs: ProtocolBugs{
4111 SendV2ClientHello: true,
4112 },
4113 },
4114 })
4115
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4116 // Test Channel ID
4117 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4118 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4119 continue
4120 }
4121 // Client sends a Channel ID.
4122 tests = append(tests, testCase{
4123 name: "ChannelID-Client-" + ver.name,
4124 config: Config{
4125 MaxVersion: ver.version,
4126 RequestChannelID: true,
4127 },
4128 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4129 resumeSession: true,
4130 expectChannelID: true,
4131 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4132
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4133 // Server accepts a Channel ID.
4134 tests = append(tests, testCase{
4135 testType: serverTest,
4136 name: "ChannelID-Server-" + ver.name,
4137 config: Config{
4138 MaxVersion: ver.version,
4139 ChannelID: channelIDKey,
4140 },
4141 flags: []string{
4142 "-expect-channel-id",
4143 base64.StdEncoding.EncodeToString(channelIDBytes),
4144 },
4145 resumeSession: true,
4146 expectChannelID: true,
4147 })
4148
4149 tests = append(tests, testCase{
4150 testType: serverTest,
4151 name: "InvalidChannelIDSignature-" + ver.name,
4152 config: Config{
4153 MaxVersion: ver.version,
4154 ChannelID: channelIDKey,
4155 Bugs: ProtocolBugs{
4156 InvalidChannelIDSignature: true,
4157 },
4158 },
4159 flags: []string{"-enable-channel-id"},
4160 shouldFail: true,
4161 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4162 })
4163 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4164
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4165 // Channel ID and NPN at the same time, to ensure their relative
4166 // ordering is correct.
4167 tests = append(tests, testCase{
4168 name: "ChannelID-NPN-Client",
4169 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4170 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4171 RequestChannelID: true,
4172 NextProtos: []string{"foo"},
4173 },
4174 flags: []string{
4175 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4176 "-select-next-proto", "foo",
4177 },
4178 resumeSession: true,
4179 expectChannelID: true,
4180 expectedNextProto: "foo",
4181 expectedNextProtoType: npn,
4182 })
4183 tests = append(tests, testCase{
4184 testType: serverTest,
4185 name: "ChannelID-NPN-Server",
4186 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4187 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4188 ChannelID: channelIDKey,
4189 NextProtos: []string{"bar"},
4190 },
4191 flags: []string{
4192 "-expect-channel-id",
4193 base64.StdEncoding.EncodeToString(channelIDBytes),
4194 "-advertise-npn", "\x03foo\x03bar\x03baz",
4195 "-expect-next-proto", "bar",
4196 },
4197 resumeSession: true,
4198 expectChannelID: true,
4199 expectedNextProto: "bar",
4200 expectedNextProtoType: npn,
4201 })
4202
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4203 // Bidirectional shutdown with the runner initiating.
4204 tests = append(tests, testCase{
4205 name: "Shutdown-Runner",
4206 config: Config{
4207 Bugs: ProtocolBugs{
4208 ExpectCloseNotify: true,
4209 },
4210 },
4211 flags: []string{"-check-close-notify"},
4212 })
4213
4214 // Bidirectional shutdown with the shim initiating. The runner,
4215 // in the meantime, sends garbage before the close_notify which
4216 // the shim must ignore.
4217 tests = append(tests, testCase{
4218 name: "Shutdown-Shim",
4219 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]4220 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4221 Bugs: ProtocolBugs{
4222 ExpectCloseNotify: true,
4223 },
4224 },
4225 shimShutsDown: true,
4226 sendEmptyRecords: 1,
4227 sendWarningAlerts: 1,
4228 flags: []string{"-check-close-notify"},
4229 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4230 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4231 // TODO(davidben): DTLS 1.3 will want a similar thing for
4232 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4233 tests = append(tests, testCase{
4234 name: "SkipHelloVerifyRequest",
4235 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4236 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4237 Bugs: ProtocolBugs{
4238 SkipHelloVerifyRequest: true,
4239 },
4240 },
4241 })
4242 }
4243
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4244 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4245 test.protocol = config.protocol
4246 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4247 test.name += "-DTLS"
4248 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4249 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4250 test.name += "-Async"
4251 test.flags = append(test.flags, "-async")
4252 } else {
4253 test.name += "-Sync"
4254 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4255 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4256 test.name += "-SplitHandshakeRecords"
4257 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4258 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4259 test.config.Bugs.MaxPacketLength = 256
4260 test.flags = append(test.flags, "-mtu", "256")
4261 }
4262 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4263 if config.packHandshakeFlight {
4264 test.name += "-PackHandshakeFlight"
4265 test.config.Bugs.PackHandshakeFlight = true
4266 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4267 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4268 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4269}
4270
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4271func addDDoSCallbackTests() {
4272 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4273 for _, resume := range []bool{false, true} {
4274 suffix := "Resume"
4275 if resume {
4276 suffix = "No" + suffix
4277 }
4278
4279 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4280 testType: serverTest,
4281 name: "Server-DDoS-OK-" + suffix,
4282 config: Config{
4283 MaxVersion: VersionTLS12,
4284 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4285 flags: []string{"-install-ddos-callback"},
4286 resumeSession: resume,
4287 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4288 testCases = append(testCases, testCase{
4289 testType: serverTest,
4290 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4291 config: Config{
4292 MaxVersion: VersionTLS13,
4293 },
4294 flags: []string{"-install-ddos-callback"},
4295 resumeSession: resume,
4296 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4297
4298 failFlag := "-fail-ddos-callback"
4299 if resume {
4300 failFlag = "-fail-second-ddos-callback"
4301 }
4302 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4303 testType: serverTest,
4304 name: "Server-DDoS-Reject-" + suffix,
4305 config: Config{
4306 MaxVersion: VersionTLS12,
4307 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4308 flags: []string{"-install-ddos-callback", failFlag},
4309 resumeSession: resume,
4310 shouldFail: true,
4311 expectedError: ":CONNECTION_REJECTED:",
4312 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4313 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4314 testCases = append(testCases, testCase{
4315 testType: serverTest,
4316 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4317 config: Config{
4318 MaxVersion: VersionTLS13,
4319 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4320 flags: []string{"-install-ddos-callback", failFlag},
4321 resumeSession: resume,
4322 shouldFail: true,
4323 expectedError: ":CONNECTION_REJECTED:",
4324 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4325 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4326 }
4327}
4328
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4329func addVersionNegotiationTests() {
4330 for i, shimVers := range tlsVersions {
4331 // Assemble flags to disable all newer versions on the shim.
4332 var flags []string
4333 for _, vers := range tlsVersions[i+1:] {
4334 flags = append(flags, vers.flag)
4335 }
4336
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4337 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4338 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4339 protocols := []protocol{tls}
4340 if runnerVers.hasDTLS && shimVers.hasDTLS {
4341 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4342 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4343 for _, protocol := range protocols {
4344 expectedVersion := shimVers.version
4345 if runnerVers.version < shimVers.version {
4346 expectedVersion = runnerVers.version
4347 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4348
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4349 suffix := shimVers.name + "-" + runnerVers.name
4350 if protocol == dtls {
4351 suffix += "-DTLS"
4352 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4353
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4354 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4355
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4356 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4357 clientVers := shimVers.version
4358 if clientVers > VersionTLS10 {
4359 clientVers = VersionTLS10
4360 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4361 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4362 serverVers := expectedVersion
4363 if expectedVersion >= VersionTLS13 {
4364 serverVers = VersionTLS10
4365 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4366 serverVers = versionToWire(serverVers, protocol == dtls)
4367
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4368 testCases = append(testCases, testCase{
4369 protocol: protocol,
4370 testType: clientTest,
4371 name: "VersionNegotiation-Client-" + suffix,
4372 config: Config{
4373 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4374 Bugs: ProtocolBugs{
4375 ExpectInitialRecordVersion: clientVers,
4376 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4377 },
4378 flags: flags,
4379 expectedVersion: expectedVersion,
4380 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4381 testCases = append(testCases, testCase{
4382 protocol: protocol,
4383 testType: clientTest,
4384 name: "VersionNegotiation-Client2-" + suffix,
4385 config: Config{
4386 MaxVersion: runnerVers.version,
4387 Bugs: ProtocolBugs{
4388 ExpectInitialRecordVersion: clientVers,
4389 },
4390 },
4391 flags: []string{"-max-version", shimVersFlag},
4392 expectedVersion: expectedVersion,
4393 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4394
4395 testCases = append(testCases, testCase{
4396 protocol: protocol,
4397 testType: serverTest,
4398 name: "VersionNegotiation-Server-" + suffix,
4399 config: Config{
4400 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4401 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4402 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4403 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4404 },
4405 flags: flags,
4406 expectedVersion: expectedVersion,
4407 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4408 testCases = append(testCases, testCase{
4409 protocol: protocol,
4410 testType: serverTest,
4411 name: "VersionNegotiation-Server2-" + suffix,
4412 config: Config{
4413 MaxVersion: runnerVers.version,
4414 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4415 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4416 },
4417 },
4418 flags: []string{"-max-version", shimVersFlag},
4419 expectedVersion: expectedVersion,
4420 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4421 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4422 }
4423 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4424
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4425 // Test the version extension at all versions.
4426 for _, vers := range tlsVersions {
4427 protocols := []protocol{tls}
4428 if vers.hasDTLS {
4429 protocols = append(protocols, dtls)
4430 }
4431 for _, protocol := range protocols {
4432 suffix := vers.name
4433 if protocol == dtls {
4434 suffix += "-DTLS"
4435 }
4436
4437 wireVersion := versionToWire(vers.version, protocol == dtls)
4438 testCases = append(testCases, testCase{
4439 protocol: protocol,
4440 testType: serverTest,
4441 name: "VersionNegotiationExtension-" + suffix,
4442 config: Config{
4443 Bugs: ProtocolBugs{
4444 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4445 },
4446 },
4447 expectedVersion: vers.version,
4448 })
4449 }
4450
4451 }
4452
4453 // If all versions are unknown, negotiation fails.
4454 testCases = append(testCases, testCase{
4455 testType: serverTest,
4456 name: "NoSupportedVersions",
4457 config: Config{
4458 Bugs: ProtocolBugs{
4459 SendSupportedVersions: []uint16{0x1111},
4460 },
4461 },
4462 shouldFail: true,
4463 expectedError: ":UNSUPPORTED_PROTOCOL:",
4464 })
4465 testCases = append(testCases, testCase{
4466 protocol: dtls,
4467 testType: serverTest,
4468 name: "NoSupportedVersions-DTLS",
4469 config: Config{
4470 Bugs: ProtocolBugs{
4471 SendSupportedVersions: []uint16{0x1111},
4472 },
4473 },
4474 shouldFail: true,
4475 expectedError: ":UNSUPPORTED_PROTOCOL:",
4476 })
4477
4478 testCases = append(testCases, testCase{
4479 testType: serverTest,
4480 name: "ClientHelloVersionTooHigh",
4481 config: Config{
4482 MaxVersion: VersionTLS13,
4483 Bugs: ProtocolBugs{
4484 SendClientVersion: 0x0304,
4485 OmitSupportedVersions: true,
4486 },
4487 },
4488 expectedVersion: VersionTLS12,
4489 })
4490
4491 testCases = append(testCases, testCase{
4492 testType: serverTest,
4493 name: "ConflictingVersionNegotiation",
4494 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4495 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4496 SendClientVersion: VersionTLS12,
4497 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4498 },
4499 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4500 // The extension takes precedence over the ClientHello version.
4501 expectedVersion: VersionTLS11,
4502 })
4503
4504 testCases = append(testCases, testCase{
4505 testType: serverTest,
4506 name: "ConflictingVersionNegotiation-2",
4507 config: Config{
4508 Bugs: ProtocolBugs{
4509 SendClientVersion: VersionTLS11,
4510 SendSupportedVersions: []uint16{VersionTLS12},
4511 },
4512 },
4513 // The extension takes precedence over the ClientHello version.
4514 expectedVersion: VersionTLS12,
4515 })
4516
4517 testCases = append(testCases, testCase{
4518 testType: serverTest,
4519 name: "RejectFinalTLS13",
4520 config: Config{
4521 Bugs: ProtocolBugs{
4522 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4523 },
4524 },
4525 // We currently implement a draft TLS 1.3 version. Ensure that
4526 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4527 expectedVersion: VersionTLS12,
4528 })
4529
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4530 // Test that the maximum version is selected regardless of the
4531 // client-sent order.
4532 testCases = append(testCases, testCase{
4533 testType: serverTest,
4534 name: "IgnoreClientVersionOrder",
4535 config: Config{
4536 Bugs: ProtocolBugs{
4537 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4538 },
4539 },
4540 expectedVersion: VersionTLS13,
4541 })
4542
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4543 // Test for version tolerance.
4544 testCases = append(testCases, testCase{
4545 testType: serverTest,
4546 name: "MinorVersionTolerance",
4547 config: Config{
4548 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4549 SendClientVersion: 0x03ff,
4550 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4551 },
4552 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4553 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4554 })
4555 testCases = append(testCases, testCase{
4556 testType: serverTest,
4557 name: "MajorVersionTolerance",
4558 config: Config{
4559 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4560 SendClientVersion: 0x0400,
4561 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4562 },
4563 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4564 // TLS 1.3 must be negotiated with the supported_versions
4565 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4566 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4567 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4568 testCases = append(testCases, testCase{
4569 testType: serverTest,
4570 name: "VersionTolerance-TLS13",
4571 config: Config{
4572 Bugs: ProtocolBugs{
4573 // Although TLS 1.3 does not use
4574 // ClientHello.version, it still tolerates high
4575 // values there.
4576 SendClientVersion: 0x0400,
4577 },
4578 },
4579 expectedVersion: VersionTLS13,
4580 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4581
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4582 testCases = append(testCases, testCase{
4583 protocol: dtls,
4584 testType: serverTest,
4585 name: "MinorVersionTolerance-DTLS",
4586 config: Config{
4587 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4588 SendClientVersion: 0xfe00,
4589 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4590 },
4591 },
4592 expectedVersion: VersionTLS12,
4593 })
4594 testCases = append(testCases, testCase{
4595 protocol: dtls,
4596 testType: serverTest,
4597 name: "MajorVersionTolerance-DTLS",
4598 config: Config{
4599 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4600 SendClientVersion: 0xfdff,
4601 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4602 },
4603 },
4604 expectedVersion: VersionTLS12,
4605 })
4606
4607 // Test that versions below 3.0 are rejected.
4608 testCases = append(testCases, testCase{
4609 testType: serverTest,
4610 name: "VersionTooLow",
4611 config: Config{
4612 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4613 SendClientVersion: 0x0200,
4614 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4615 },
4616 },
4617 shouldFail: true,
4618 expectedError: ":UNSUPPORTED_PROTOCOL:",
4619 })
4620 testCases = append(testCases, testCase{
4621 protocol: dtls,
4622 testType: serverTest,
4623 name: "VersionTooLow-DTLS",
4624 config: Config{
4625 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4626 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4627 },
4628 },
4629 shouldFail: true,
4630 expectedError: ":UNSUPPORTED_PROTOCOL:",
4631 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4632
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4633 testCases = append(testCases, testCase{
4634 name: "ServerBogusVersion",
4635 config: Config{
4636 Bugs: ProtocolBugs{
4637 SendServerHelloVersion: 0x1234,
4638 },
4639 },
4640 shouldFail: true,
4641 expectedError: ":UNSUPPORTED_PROTOCOL:",
4642 })
4643
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4644 // Test TLS 1.3's downgrade signal.
4645 testCases = append(testCases, testCase{
4646 name: "Downgrade-TLS12-Client",
4647 config: Config{
4648 Bugs: ProtocolBugs{
4649 NegotiateVersion: VersionTLS12,
4650 },
4651 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4652 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4653 // TODO(davidben): This test should fail once TLS 1.3 is final
4654 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4655 })
4656 testCases = append(testCases, testCase{
4657 testType: serverTest,
4658 name: "Downgrade-TLS12-Server",
4659 config: Config{
4660 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4661 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4662 },
4663 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4664 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4665 // TODO(davidben): This test should fail once TLS 1.3 is final
4666 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4667 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4668}
4669
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4670func addMinimumVersionTests() {
4671 for i, shimVers := range tlsVersions {
4672 // Assemble flags to disable all older versions on the shim.
4673 var flags []string
4674 for _, vers := range tlsVersions[:i] {
4675 flags = append(flags, vers.flag)
4676 }
4677
4678 for _, runnerVers := range tlsVersions {
4679 protocols := []protocol{tls}
4680 if runnerVers.hasDTLS && shimVers.hasDTLS {
4681 protocols = append(protocols, dtls)
4682 }
4683 for _, protocol := range protocols {
4684 suffix := shimVers.name + "-" + runnerVers.name
4685 if protocol == dtls {
4686 suffix += "-DTLS"
4687 }
4688 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4689
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4690 var expectedVersion uint16
4691 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4692 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4693 if runnerVers.version >= shimVers.version {
4694 expectedVersion = runnerVers.version
4695 } else {
4696 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4697 expectedError = ":UNSUPPORTED_PROTOCOL:"
4698 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4699 }
4700
4701 testCases = append(testCases, testCase{
4702 protocol: protocol,
4703 testType: clientTest,
4704 name: "MinimumVersion-Client-" + suffix,
4705 config: Config{
4706 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4707 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4708 // Ensure the server does not decline to
4709 // select a version (versions extension) or
4710 // cipher (some ciphers depend on versions).
4711 NegotiateVersion: runnerVers.version,
4712 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4713 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4714 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4715 flags: flags,
4716 expectedVersion: expectedVersion,
4717 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4718 expectedError: expectedError,
4719 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4720 })
4721 testCases = append(testCases, testCase{
4722 protocol: protocol,
4723 testType: clientTest,
4724 name: "MinimumVersion-Client2-" + suffix,
4725 config: Config{
4726 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4727 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4728 // Ensure the server does not decline to
4729 // select a version (versions extension) or
4730 // cipher (some ciphers depend on versions).
4731 NegotiateVersion: runnerVers.version,
4732 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4733 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4734 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4735 flags: []string{"-min-version", shimVersFlag},
4736 expectedVersion: expectedVersion,
4737 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4738 expectedError: expectedError,
4739 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4740 })
4741
4742 testCases = append(testCases, testCase{
4743 protocol: protocol,
4744 testType: serverTest,
4745 name: "MinimumVersion-Server-" + suffix,
4746 config: Config{
4747 MaxVersion: runnerVers.version,
4748 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4749 flags: flags,
4750 expectedVersion: expectedVersion,
4751 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4752 expectedError: expectedError,
4753 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4754 })
4755 testCases = append(testCases, testCase{
4756 protocol: protocol,
4757 testType: serverTest,
4758 name: "MinimumVersion-Server2-" + suffix,
4759 config: Config{
4760 MaxVersion: runnerVers.version,
4761 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4762 flags: []string{"-min-version", shimVersFlag},
4763 expectedVersion: expectedVersion,
4764 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4765 expectedError: expectedError,
4766 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4767 })
4768 }
4769 }
4770 }
4771}
4772
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4773func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4774 // TODO(davidben): Extensions, where applicable, all move their server
4775 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4776 // tests for both. Also test interaction with 0-RTT when implemented.
4777
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4778 // Repeat extensions tests all versions except SSL 3.0.
4779 for _, ver := range tlsVersions {
4780 if ver.version == VersionSSL30 {
4781 continue
4782 }
4783
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4784 // Test that duplicate extensions are rejected.
4785 testCases = append(testCases, testCase{
4786 testType: clientTest,
4787 name: "DuplicateExtensionClient-" + ver.name,
4788 config: Config{
4789 MaxVersion: ver.version,
4790 Bugs: ProtocolBugs{
4791 DuplicateExtension: true,
4792 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4793 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4794 shouldFail: true,
4795 expectedLocalError: "remote error: error decoding message",
4796 })
4797 testCases = append(testCases, testCase{
4798 testType: serverTest,
4799 name: "DuplicateExtensionServer-" + ver.name,
4800 config: Config{
4801 MaxVersion: ver.version,
4802 Bugs: ProtocolBugs{
4803 DuplicateExtension: true,
4804 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4805 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4806 shouldFail: true,
4807 expectedLocalError: "remote error: error decoding message",
4808 })
4809
4810 // Test SNI.
4811 testCases = append(testCases, testCase{
4812 testType: clientTest,
4813 name: "ServerNameExtensionClient-" + ver.name,
4814 config: Config{
4815 MaxVersion: ver.version,
4816 Bugs: ProtocolBugs{
4817 ExpectServerName: "example.com",
4818 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4819 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4820 flags: []string{"-host-name", "example.com"},
4821 })
4822 testCases = append(testCases, testCase{
4823 testType: clientTest,
4824 name: "ServerNameExtensionClientMismatch-" + ver.name,
4825 config: Config{
4826 MaxVersion: ver.version,
4827 Bugs: ProtocolBugs{
4828 ExpectServerName: "mismatch.com",
4829 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4830 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4831 flags: []string{"-host-name", "example.com"},
4832 shouldFail: true,
4833 expectedLocalError: "tls: unexpected server name",
4834 })
4835 testCases = append(testCases, testCase{
4836 testType: clientTest,
4837 name: "ServerNameExtensionClientMissing-" + ver.name,
4838 config: Config{
4839 MaxVersion: ver.version,
4840 Bugs: ProtocolBugs{
4841 ExpectServerName: "missing.com",
4842 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4843 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4844 shouldFail: true,
4845 expectedLocalError: "tls: unexpected server name",
4846 })
4847 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4848 testType: clientTest,
4849 name: "TolerateServerNameAck-" + ver.name,
4850 config: Config{
4851 MaxVersion: ver.version,
4852 Bugs: ProtocolBugs{
4853 SendServerNameAck: true,
4854 },
4855 },
4856 flags: []string{"-host-name", "example.com"},
4857 resumeSession: true,
4858 })
4859 testCases = append(testCases, testCase{
4860 testType: clientTest,
4861 name: "UnsolicitedServerNameAck-" + ver.name,
4862 config: Config{
4863 MaxVersion: ver.version,
4864 Bugs: ProtocolBugs{
4865 SendServerNameAck: true,
4866 },
4867 },
4868 shouldFail: true,
4869 expectedError: ":UNEXPECTED_EXTENSION:",
4870 expectedLocalError: "remote error: unsupported extension",
4871 })
4872 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4873 testType: serverTest,
4874 name: "ServerNameExtensionServer-" + ver.name,
4875 config: Config{
4876 MaxVersion: ver.version,
4877 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4878 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4879 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4880 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4881 })
4882
4883 // Test ALPN.
4884 testCases = append(testCases, testCase{
4885 testType: clientTest,
4886 name: "ALPNClient-" + ver.name,
4887 config: Config{
4888 MaxVersion: ver.version,
4889 NextProtos: []string{"foo"},
4890 },
4891 flags: []string{
4892 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4893 "-expect-alpn", "foo",
4894 },
4895 expectedNextProto: "foo",
4896 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4897 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4898 })
4899 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4900 testType: clientTest,
4901 name: "ALPNClient-Mismatch-" + ver.name,
4902 config: Config{
4903 MaxVersion: ver.version,
4904 Bugs: ProtocolBugs{
4905 SendALPN: "baz",
4906 },
4907 },
4908 flags: []string{
4909 "-advertise-alpn", "\x03foo\x03bar",
4910 },
4911 shouldFail: true,
4912 expectedError: ":INVALID_ALPN_PROTOCOL:",
4913 expectedLocalError: "remote error: illegal parameter",
4914 })
4915 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4916 testType: serverTest,
4917 name: "ALPNServer-" + ver.name,
4918 config: Config{
4919 MaxVersion: ver.version,
4920 NextProtos: []string{"foo", "bar", "baz"},
4921 },
4922 flags: []string{
4923 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4924 "-select-alpn", "foo",
4925 },
4926 expectedNextProto: "foo",
4927 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4928 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4929 })
4930 testCases = append(testCases, testCase{
4931 testType: serverTest,
4932 name: "ALPNServer-Decline-" + ver.name,
4933 config: Config{
4934 MaxVersion: ver.version,
4935 NextProtos: []string{"foo", "bar", "baz"},
4936 },
4937 flags: []string{"-decline-alpn"},
4938 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4939 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4940 })
4941
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4942 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4943 // called once.
4944 testCases = append(testCases, testCase{
4945 testType: serverTest,
4946 name: "ALPNServer-Async-" + ver.name,
4947 config: Config{
4948 MaxVersion: ver.version,
4949 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4950 // Prior to TLS 1.3, exercise the asynchronous session callback.
4951 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4952 },
4953 flags: []string{
4954 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4955 "-select-alpn", "foo",
4956 "-async",
4957 },
4958 expectedNextProto: "foo",
4959 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4960 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4961 })
4962
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4963 var emptyString string
4964 testCases = append(testCases, testCase{
4965 testType: clientTest,
4966 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4967 config: Config{
4968 MaxVersion: ver.version,
4969 NextProtos: []string{""},
4970 Bugs: ProtocolBugs{
4971 // A server returning an empty ALPN protocol
4972 // should be rejected.
4973 ALPNProtocol: &emptyString,
4974 },
4975 },
4976 flags: []string{
4977 "-advertise-alpn", "\x03foo",
4978 },
4979 shouldFail: true,
4980 expectedError: ":PARSE_TLSEXT:",
4981 })
4982 testCases = append(testCases, testCase{
4983 testType: serverTest,
4984 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4985 config: Config{
4986 MaxVersion: ver.version,
4987 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4988 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4989 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4990 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4991 flags: []string{
4992 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4993 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4994 shouldFail: true,
4995 expectedError: ":PARSE_TLSEXT:",
4996 })
4997
4998 // Test NPN and the interaction with ALPN.
4999 if ver.version < VersionTLS13 {
5000 // Test that the server prefers ALPN over NPN.
5001 testCases = append(testCases, testCase{
5002 testType: serverTest,
5003 name: "ALPNServer-Preferred-" + ver.name,
5004 config: Config{
5005 MaxVersion: ver.version,
5006 NextProtos: []string{"foo", "bar", "baz"},
5007 },
5008 flags: []string{
5009 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5010 "-select-alpn", "foo",
5011 "-advertise-npn", "\x03foo\x03bar\x03baz",
5012 },
5013 expectedNextProto: "foo",
5014 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5015 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5016 })
5017 testCases = append(testCases, testCase{
5018 testType: serverTest,
5019 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5020 config: Config{
5021 MaxVersion: ver.version,
5022 NextProtos: []string{"foo", "bar", "baz"},
5023 Bugs: ProtocolBugs{
5024 SwapNPNAndALPN: true,
5025 },
5026 },
5027 flags: []string{
5028 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5029 "-select-alpn", "foo",
5030 "-advertise-npn", "\x03foo\x03bar\x03baz",
5031 },
5032 expectedNextProto: "foo",
5033 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5034 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5035 })
5036
5037 // Test that negotiating both NPN and ALPN is forbidden.
5038 testCases = append(testCases, testCase{
5039 name: "NegotiateALPNAndNPN-" + ver.name,
5040 config: Config{
5041 MaxVersion: ver.version,
5042 NextProtos: []string{"foo", "bar", "baz"},
5043 Bugs: ProtocolBugs{
5044 NegotiateALPNAndNPN: true,
5045 },
5046 },
5047 flags: []string{
5048 "-advertise-alpn", "\x03foo",
5049 "-select-next-proto", "foo",
5050 },
5051 shouldFail: true,
5052 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5053 })
5054 testCases = append(testCases, testCase{
5055 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5056 config: Config{
5057 MaxVersion: ver.version,
5058 NextProtos: []string{"foo", "bar", "baz"},
5059 Bugs: ProtocolBugs{
5060 NegotiateALPNAndNPN: true,
5061 SwapNPNAndALPN: true,
5062 },
5063 },
5064 flags: []string{
5065 "-advertise-alpn", "\x03foo",
5066 "-select-next-proto", "foo",
5067 },
5068 shouldFail: true,
5069 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5070 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5071 }
5072
5073 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5074
5075 // Resume with a corrupt ticket.
5076 testCases = append(testCases, testCase{
5077 testType: serverTest,
5078 name: "CorruptTicket-" + ver.name,
5079 config: Config{
5080 MaxVersion: ver.version,
5081 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5082 FilterTicket: func(in []byte) ([]byte, error) {
5083 in[len(in)-1] ^= 1
5084 return in, nil
5085 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5086 },
5087 },
5088 resumeSession: true,
5089 expectResumeRejected: true,
5090 })
5091 // Test the ticket callback, with and without renewal.
5092 testCases = append(testCases, testCase{
5093 testType: serverTest,
5094 name: "TicketCallback-" + ver.name,
5095 config: Config{
5096 MaxVersion: ver.version,
5097 },
5098 resumeSession: true,
5099 flags: []string{"-use-ticket-callback"},
5100 })
5101 testCases = append(testCases, testCase{
5102 testType: serverTest,
5103 name: "TicketCallback-Renew-" + ver.name,
5104 config: Config{
5105 MaxVersion: ver.version,
5106 Bugs: ProtocolBugs{
5107 ExpectNewTicket: true,
5108 },
5109 },
5110 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5111 resumeSession: true,
5112 })
5113
5114 // Test that the ticket callback is only called once when everything before
5115 // it in the ClientHello is asynchronous. This corrupts the ticket so
5116 // certificate selection callbacks run.
5117 testCases = append(testCases, testCase{
5118 testType: serverTest,
5119 name: "TicketCallback-SingleCall-" + ver.name,
5120 config: Config{
5121 MaxVersion: ver.version,
5122 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5123 FilterTicket: func(in []byte) ([]byte, error) {
5124 in[len(in)-1] ^= 1
5125 return in, nil
5126 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5127 },
5128 },
5129 resumeSession: true,
5130 expectResumeRejected: true,
5131 flags: []string{
5132 "-use-ticket-callback",
5133 "-async",
5134 },
5135 })
5136
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5137 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5138 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5139 testCases = append(testCases, testCase{
5140 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5141 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5142 config: Config{
5143 MaxVersion: ver.version,
5144 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5145 EmptyTicketSessionID: true,
5146 },
5147 },
5148 resumeSession: true,
5149 })
5150 testCases = append(testCases, testCase{
5151 testType: serverTest,
5152 name: "TicketSessionIDLength-16-" + ver.name,
5153 config: Config{
5154 MaxVersion: ver.version,
5155 Bugs: ProtocolBugs{
5156 TicketSessionIDLength: 16,
5157 },
5158 },
5159 resumeSession: true,
5160 })
5161 testCases = append(testCases, testCase{
5162 testType: serverTest,
5163 name: "TicketSessionIDLength-32-" + ver.name,
5164 config: Config{
5165 MaxVersion: ver.version,
5166 Bugs: ProtocolBugs{
5167 TicketSessionIDLength: 32,
5168 },
5169 },
5170 resumeSession: true,
5171 })
5172 testCases = append(testCases, testCase{
5173 testType: serverTest,
5174 name: "TicketSessionIDLength-33-" + ver.name,
5175 config: Config{
5176 MaxVersion: ver.version,
5177 Bugs: ProtocolBugs{
5178 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5179 },
5180 },
5181 resumeSession: true,
5182 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5183 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5184 expectedError: ":DECODE_ERROR:",
5185 })
5186 }
5187
5188 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5189 // are ignored.
5190 if ver.hasDTLS {
5191 testCases = append(testCases, testCase{
5192 protocol: dtls,
5193 name: "SRTP-Client-" + ver.name,
5194 config: Config{
5195 MaxVersion: ver.version,
5196 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5197 },
5198 flags: []string{
5199 "-srtp-profiles",
5200 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5201 },
5202 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5203 })
5204 testCases = append(testCases, testCase{
5205 protocol: dtls,
5206 testType: serverTest,
5207 name: "SRTP-Server-" + ver.name,
5208 config: Config{
5209 MaxVersion: ver.version,
5210 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5211 },
5212 flags: []string{
5213 "-srtp-profiles",
5214 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5215 },
5216 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5217 })
5218 // Test that the MKI is ignored.
5219 testCases = append(testCases, testCase{
5220 protocol: dtls,
5221 testType: serverTest,
5222 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5223 config: Config{
5224 MaxVersion: ver.version,
5225 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5226 Bugs: ProtocolBugs{
5227 SRTPMasterKeyIdentifer: "bogus",
5228 },
5229 },
5230 flags: []string{
5231 "-srtp-profiles",
5232 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5233 },
5234 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5235 })
5236 // Test that SRTP isn't negotiated on the server if there were
5237 // no matching profiles.
5238 testCases = append(testCases, testCase{
5239 protocol: dtls,
5240 testType: serverTest,
5241 name: "SRTP-Server-NoMatch-" + ver.name,
5242 config: Config{
5243 MaxVersion: ver.version,
5244 SRTPProtectionProfiles: []uint16{100, 101, 102},
5245 },
5246 flags: []string{
5247 "-srtp-profiles",
5248 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5249 },
5250 expectedSRTPProtectionProfile: 0,
5251 })
5252 // Test that the server returning an invalid SRTP profile is
5253 // flagged as an error by the client.
5254 testCases = append(testCases, testCase{
5255 protocol: dtls,
5256 name: "SRTP-Client-NoMatch-" + ver.name,
5257 config: Config{
5258 MaxVersion: ver.version,
5259 Bugs: ProtocolBugs{
5260 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5261 },
5262 },
5263 flags: []string{
5264 "-srtp-profiles",
5265 "SRTP_AES128_CM_SHA1_80",
5266 },
5267 shouldFail: true,
5268 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5269 })
5270 }
5271
5272 // Test SCT list.
5273 testCases = append(testCases, testCase{
5274 name: "SignedCertificateTimestampList-Client-" + ver.name,
5275 testType: clientTest,
5276 config: Config{
5277 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5278 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5279 flags: []string{
5280 "-enable-signed-cert-timestamps",
5281 "-expect-signed-cert-timestamps",
5282 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5283 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5284 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5285 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5286
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5287 var differentSCTList []byte
5288 differentSCTList = append(differentSCTList, testSCTList...)
5289 differentSCTList[len(differentSCTList)-1] ^= 1
5290
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5291 // The SCT extension did not specify that it must only be sent on resumption as it
5292 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5293 testCases = append(testCases, testCase{
5294 name: "SendSCTListOnResume-" + ver.name,
5295 config: Config{
5296 MaxVersion: ver.version,
5297 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5298 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5299 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5300 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5301 flags: []string{
5302 "-enable-signed-cert-timestamps",
5303 "-expect-signed-cert-timestamps",
5304 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5305 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5306 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5307 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5308
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5309 testCases = append(testCases, testCase{
5310 name: "SignedCertificateTimestampList-Server-" + ver.name,
5311 testType: serverTest,
5312 config: Config{
5313 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5314 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5315 flags: []string{
5316 "-signed-cert-timestamps",
5317 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5318 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5319 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5320 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5321 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5322
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5323 emptySCTListCert := *testCerts[0].cert
5324 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5325
5326 // Test empty SCT list.
5327 testCases = append(testCases, testCase{
5328 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5329 testType: clientTest,
5330 config: Config{
5331 MaxVersion: ver.version,
5332 Certificates: []Certificate{emptySCTListCert},
5333 },
5334 flags: []string{
5335 "-enable-signed-cert-timestamps",
5336 },
5337 shouldFail: true,
5338 expectedError: ":ERROR_PARSING_EXTENSION:",
5339 })
5340
5341 emptySCTCert := *testCerts[0].cert
5342 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5343
5344 // Test empty SCT in non-empty list.
5345 testCases = append(testCases, testCase{
5346 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5347 testType: clientTest,
5348 config: Config{
5349 MaxVersion: ver.version,
5350 Certificates: []Certificate{emptySCTCert},
5351 },
5352 flags: []string{
5353 "-enable-signed-cert-timestamps",
5354 },
5355 shouldFail: true,
5356 expectedError: ":ERROR_PARSING_EXTENSION:",
5357 })
5358
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5359 // Test that certificate-related extensions are not sent unsolicited.
5360 testCases = append(testCases, testCase{
5361 testType: serverTest,
5362 name: "UnsolicitedCertificateExtensions-" + ver.name,
5363 config: Config{
5364 MaxVersion: ver.version,
5365 Bugs: ProtocolBugs{
5366 NoOCSPStapling: true,
5367 NoSignedCertificateTimestamps: true,
5368 },
5369 },
5370 flags: []string{
5371 "-ocsp-response",
5372 base64.StdEncoding.EncodeToString(testOCSPResponse),
5373 "-signed-cert-timestamps",
5374 base64.StdEncoding.EncodeToString(testSCTList),
5375 },
5376 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5377 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5378
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5379 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5380 testType: clientTest,
5381 name: "ClientHelloPadding",
5382 config: Config{
5383 Bugs: ProtocolBugs{
5384 RequireClientHelloSize: 512,
5385 },
5386 },
5387 // This hostname just needs to be long enough to push the
5388 // ClientHello into F5's danger zone between 256 and 511 bytes
5389 // long.
5390 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5391 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5392
5393 // Extensions should not function in SSL 3.0.
5394 testCases = append(testCases, testCase{
5395 testType: serverTest,
5396 name: "SSLv3Extensions-NoALPN",
5397 config: Config{
5398 MaxVersion: VersionSSL30,
5399 NextProtos: []string{"foo", "bar", "baz"},
5400 },
5401 flags: []string{
5402 "-select-alpn", "foo",
5403 },
5404 expectNoNextProto: true,
5405 })
5406
5407 // Test session tickets separately as they follow a different codepath.
5408 testCases = append(testCases, testCase{
5409 testType: serverTest,
5410 name: "SSLv3Extensions-NoTickets",
5411 config: Config{
5412 MaxVersion: VersionSSL30,
5413 Bugs: ProtocolBugs{
5414 // Historically, session tickets in SSL 3.0
5415 // failed in different ways depending on whether
5416 // the client supported renegotiation_info.
5417 NoRenegotiationInfo: true,
5418 },
5419 },
5420 resumeSession: true,
5421 })
5422 testCases = append(testCases, testCase{
5423 testType: serverTest,
5424 name: "SSLv3Extensions-NoTickets2",
5425 config: Config{
5426 MaxVersion: VersionSSL30,
5427 },
5428 resumeSession: true,
5429 })
5430
5431 // But SSL 3.0 does send and process renegotiation_info.
5432 testCases = append(testCases, testCase{
5433 testType: serverTest,
5434 name: "SSLv3Extensions-RenegotiationInfo",
5435 config: Config{
5436 MaxVersion: VersionSSL30,
5437 Bugs: ProtocolBugs{
5438 RequireRenegotiationInfo: true,
5439 },
5440 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5441 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5442 })
5443 testCases = append(testCases, testCase{
5444 testType: serverTest,
5445 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5446 config: Config{
5447 MaxVersion: VersionSSL30,
5448 Bugs: ProtocolBugs{
5449 NoRenegotiationInfo: true,
5450 SendRenegotiationSCSV: true,
5451 RequireRenegotiationInfo: true,
5452 },
5453 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5454 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5455 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5456
5457 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5458 // in ServerHello.
5459 testCases = append(testCases, testCase{
5460 name: "NPN-Forbidden-TLS13",
5461 config: Config{
5462 MaxVersion: VersionTLS13,
5463 NextProtos: []string{"foo"},
5464 Bugs: ProtocolBugs{
5465 NegotiateNPNAtAllVersions: true,
5466 },
5467 },
5468 flags: []string{"-select-next-proto", "foo"},
5469 shouldFail: true,
5470 expectedError: ":ERROR_PARSING_EXTENSION:",
5471 })
5472 testCases = append(testCases, testCase{
5473 name: "EMS-Forbidden-TLS13",
5474 config: Config{
5475 MaxVersion: VersionTLS13,
5476 Bugs: ProtocolBugs{
5477 NegotiateEMSAtAllVersions: true,
5478 },
5479 },
5480 shouldFail: true,
5481 expectedError: ":ERROR_PARSING_EXTENSION:",
5482 })
5483 testCases = append(testCases, testCase{
5484 name: "RenegotiationInfo-Forbidden-TLS13",
5485 config: Config{
5486 MaxVersion: VersionTLS13,
5487 Bugs: ProtocolBugs{
5488 NegotiateRenegotiationInfoAtAllVersions: true,
5489 },
5490 },
5491 shouldFail: true,
5492 expectedError: ":ERROR_PARSING_EXTENSION:",
5493 })
5494 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5495 name: "Ticket-Forbidden-TLS13",
5496 config: Config{
5497 MaxVersion: VersionTLS12,
5498 },
5499 resumeConfig: &Config{
5500 MaxVersion: VersionTLS13,
5501 Bugs: ProtocolBugs{
5502 AdvertiseTicketExtension: true,
5503 },
5504 },
5505 resumeSession: true,
5506 shouldFail: true,
5507 expectedError: ":ERROR_PARSING_EXTENSION:",
5508 })
5509
5510 // Test that illegal extensions in TLS 1.3 are declined by the server if
5511 // offered in ClientHello. The runner's server will fail if this occurs,
5512 // so we exercise the offering path. (EMS and Renegotiation Info are
5513 // implicit in every test.)
5514 testCases = append(testCases, testCase{
5515 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5516 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5517 config: Config{
5518 MaxVersion: VersionTLS13,
5519 NextProtos: []string{"bar"},
5520 },
5521 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5522 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5523
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5524 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5525 // tolerated.
5526 testCases = append(testCases, testCase{
5527 name: "SendOCSPResponseOnResume-TLS12",
5528 config: Config{
5529 MaxVersion: VersionTLS12,
5530 Bugs: ProtocolBugs{
5531 SendOCSPResponseOnResume: []byte("bogus"),
5532 },
5533 },
5534 flags: []string{
5535 "-enable-ocsp-stapling",
5536 "-expect-ocsp-response",
5537 base64.StdEncoding.EncodeToString(testOCSPResponse),
5538 },
5539 resumeSession: true,
5540 })
5541
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5542 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5543 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5544 config: Config{
5545 MaxVersion: VersionTLS13,
5546 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5547 SendExtensionOnCertificate: testOCSPExtension,
5548 },
5549 },
5550 shouldFail: true,
5551 expectedError: ":UNEXPECTED_EXTENSION:",
5552 })
5553
5554 testCases = append(testCases, testCase{
5555 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5556 config: Config{
5557 MaxVersion: VersionTLS13,
5558 Bugs: ProtocolBugs{
5559 SendExtensionOnCertificate: testSCTExtension,
5560 },
5561 },
5562 shouldFail: true,
5563 expectedError: ":UNEXPECTED_EXTENSION:",
5564 })
5565
5566 // Test that extensions on client certificates are never accepted.
5567 testCases = append(testCases, testCase{
5568 name: "SendExtensionOnClientCertificate-TLS13",
5569 testType: serverTest,
5570 config: Config{
5571 MaxVersion: VersionTLS13,
5572 Certificates: []Certificate{rsaCertificate},
5573 Bugs: ProtocolBugs{
5574 SendExtensionOnCertificate: testOCSPExtension,
5575 },
5576 },
5577 flags: []string{
5578 "-enable-ocsp-stapling",
5579 "-require-any-client-certificate",
5580 },
5581 shouldFail: true,
5582 expectedError: ":UNEXPECTED_EXTENSION:",
5583 })
5584
5585 testCases = append(testCases, testCase{
5586 name: "SendUnknownExtensionOnCertificate-TLS13",
5587 config: Config{
5588 MaxVersion: VersionTLS13,
5589 Bugs: ProtocolBugs{
5590 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5591 },
5592 },
5593 shouldFail: true,
5594 expectedError: ":UNEXPECTED_EXTENSION:",
5595 })
5596
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5597 var differentSCTList []byte
5598 differentSCTList = append(differentSCTList, testSCTList...)
5599 differentSCTList[len(differentSCTList)-1] ^= 1
5600
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5601 // Test that extensions on intermediates are allowed but ignored.
5602 testCases = append(testCases, testCase{
5603 name: "IgnoreExtensionsOnIntermediates-TLS13",
5604 config: Config{
5605 MaxVersion: VersionTLS13,
5606 Certificates: []Certificate{rsaChainCertificate},
5607 Bugs: ProtocolBugs{
5608 // Send different values on the intermediate. This tests
5609 // the intermediate's extensions do not override the
5610 // leaf's.
5611 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5612 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5613 },
5614 },
5615 flags: []string{
5616 "-enable-ocsp-stapling",
5617 "-expect-ocsp-response",
5618 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5619 "-enable-signed-cert-timestamps",
5620 "-expect-signed-cert-timestamps",
5621 base64.StdEncoding.EncodeToString(testSCTList),
5622 },
5623 resumeSession: true,
5624 })
5625
5626 // Test that extensions are not sent on intermediates when configured
5627 // only for a leaf.
5628 testCases = append(testCases, testCase{
5629 testType: serverTest,
5630 name: "SendNoExtensionsOnIntermediate-TLS13",
5631 config: Config{
5632 MaxVersion: VersionTLS13,
5633 Bugs: ProtocolBugs{
5634 ExpectNoExtensionsOnIntermediate: true,
5635 },
5636 },
5637 flags: []string{
5638 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5639 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5640 "-ocsp-response",
5641 base64.StdEncoding.EncodeToString(testOCSPResponse),
5642 "-signed-cert-timestamps",
5643 base64.StdEncoding.EncodeToString(testSCTList),
5644 },
5645 })
5646
5647 // Test that extensions are not sent on client certificates.
5648 testCases = append(testCases, testCase{
5649 name: "SendNoClientCertificateExtensions-TLS13",
5650 config: Config{
5651 MaxVersion: VersionTLS13,
5652 ClientAuth: RequireAnyClientCert,
5653 },
5654 flags: []string{
5655 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5656 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5657 "-ocsp-response",
5658 base64.StdEncoding.EncodeToString(testOCSPResponse),
5659 "-signed-cert-timestamps",
5660 base64.StdEncoding.EncodeToString(testSCTList),
5661 },
5662 })
5663
5664 testCases = append(testCases, testCase{
5665 name: "SendDuplicateExtensionsOnCerts-TLS13",
5666 config: Config{
5667 MaxVersion: VersionTLS13,
5668 Bugs: ProtocolBugs{
5669 SendDuplicateCertExtensions: true,
5670 },
5671 },
5672 flags: []string{
5673 "-enable-ocsp-stapling",
5674 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5675 },
5676 resumeSession: true,
5677 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5678 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5679 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5680
5681 testCases = append(testCases, testCase{
5682 name: "SignedCertificateTimestampListInvalid-Server",
5683 testType: serverTest,
5684 flags: []string{
5685 "-signed-cert-timestamps",
5686 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5687 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5688 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5689 expectedError: ":INVALID_SCT_LIST:",
5690 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5691}
5692
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5693func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5694 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5695 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5696 // SSL 3.0 does not have tickets and TLS 1.3 does not
5697 // have session IDs, so skip their cross-resumption
5698 // tests.
5699 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5700 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5701 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5702 }
5703
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5704 protocols := []protocol{tls}
5705 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5706 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5707 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5708 for _, protocol := range protocols {
5709 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5710 if protocol == dtls {
5711 suffix += "-DTLS"
5712 }
5713
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5714 if sessionVers.version == resumeVers.version {
5715 testCases = append(testCases, testCase{
5716 protocol: protocol,
5717 name: "Resume-Client" + suffix,
5718 resumeSession: true,
5719 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5720 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5721 Bugs: ProtocolBugs{
5722 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5723 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5724 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5725 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5726 expectedVersion: sessionVers.version,
5727 expectedResumeVersion: resumeVers.version,
5728 })
5729 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5730 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5731
5732 // Offering a TLS 1.3 session sends an empty session ID, so
5733 // there is no way to convince a non-lookahead client the
5734 // session was resumed. It will appear to the client that a
5735 // stray ChangeCipherSpec was sent.
5736 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5737 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5738 }
5739
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5740 testCases = append(testCases, testCase{
5741 protocol: protocol,
5742 name: "Resume-Client-Mismatch" + suffix,
5743 resumeSession: true,
5744 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5745 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5746 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5747 expectedVersion: sessionVers.version,
5748 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5749 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5750 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5751 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5752 },
5753 },
5754 expectedResumeVersion: resumeVers.version,
5755 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5756 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5757 })
5758 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5759
5760 testCases = append(testCases, testCase{
5761 protocol: protocol,
5762 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5763 resumeSession: true,
5764 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5765 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5766 },
5767 expectedVersion: sessionVers.version,
5768 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5769 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5770 },
5771 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5772 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5773 expectedResumeVersion: resumeVers.version,
5774 })
5775
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5776 testCases = append(testCases, testCase{
5777 protocol: protocol,
5778 testType: serverTest,
5779 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5780 resumeSession: true,
5781 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5782 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5783 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5784 expectedVersion: sessionVers.version,
5785 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5786 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5787 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5788 Bugs: ProtocolBugs{
5789 SendBothTickets: true,
5790 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5791 },
5792 expectedResumeVersion: resumeVers.version,
5793 })
5794 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5795 }
5796 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5797
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5798 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5799 testCases = append(testCases, testCase{
5800 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5801 name: "ShimTicketRewritable",
5802 resumeSession: true,
5803 config: Config{
5804 MaxVersion: VersionTLS12,
5805 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5806 Bugs: ProtocolBugs{
5807 FilterTicket: func(in []byte) ([]byte, error) {
5808 in, err := SetShimTicketVersion(in, VersionTLS12)
5809 if err != nil {
5810 return nil, err
5811 }
5812 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5813 },
5814 },
5815 },
5816 flags: []string{
5817 "-ticket-key",
5818 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5819 },
5820 })
5821
5822 // Resumptions are declined if the version does not match.
5823 testCases = append(testCases, testCase{
5824 testType: serverTest,
5825 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5826 resumeSession: true,
5827 config: Config{
5828 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5829 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5830 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5831 FilterTicket: func(in []byte) ([]byte, error) {
5832 return SetShimTicketVersion(in, VersionTLS13)
5833 },
5834 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5835 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5836 flags: []string{
5837 "-ticket-key",
5838 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5839 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5840 expectResumeRejected: true,
5841 })
5842
5843 testCases = append(testCases, testCase{
5844 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5845 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5846 resumeSession: true,
5847 config: Config{
5848 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5849 Bugs: ProtocolBugs{
5850 FilterTicket: func(in []byte) ([]byte, error) {
5851 return SetShimTicketVersion(in, VersionTLS12)
5852 },
5853 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5854 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5855 flags: []string{
5856 "-ticket-key",
5857 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5858 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5859 expectResumeRejected: true,
5860 })
5861
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5862 // Resumptions are declined if the cipher is invalid or disabled.
5863 testCases = append(testCases, testCase{
5864 testType: serverTest,
5865 name: "Resume-Server-DeclineBadCipher",
5866 resumeSession: true,
5867 config: Config{
5868 MaxVersion: VersionTLS12,
5869 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5870 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5871 FilterTicket: func(in []byte) ([]byte, error) {
5872 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5873 },
5874 },
5875 },
5876 flags: []string{
5877 "-ticket-key",
5878 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5879 },
5880 expectResumeRejected: true,
5881 })
5882
5883 testCases = append(testCases, testCase{
5884 testType: serverTest,
5885 name: "Resume-Server-DeclineBadCipher-2",
5886 resumeSession: true,
5887 config: Config{
5888 MaxVersion: VersionTLS12,
5889 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5890 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5891 FilterTicket: func(in []byte) ([]byte, error) {
5892 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5893 },
5894 },
5895 },
5896 flags: []string{
5897 "-cipher", "AES128",
5898 "-ticket-key",
5899 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5900 },
5901 expectResumeRejected: true,
5902 })
5903
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5904 // Sessions are not resumed if they do not use the preferred cipher.
5905 testCases = append(testCases, testCase{
5906 testType: serverTest,
5907 name: "Resume-Server-CipherNotPreferred",
5908 resumeSession: true,
5909 config: Config{
5910 MaxVersion: VersionTLS12,
5911 Bugs: ProtocolBugs{
5912 ExpectNewTicket: true,
5913 FilterTicket: func(in []byte) ([]byte, error) {
5914 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5915 },
5916 },
5917 },
5918 flags: []string{
5919 "-ticket-key",
5920 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5921 },
5922 shouldFail: false,
5923 expectResumeRejected: true,
5924 })
5925
5926 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5927 // PRF hashes match, but BoringSSL will always decline such resumptions.
5928 testCases = append(testCases, testCase{
5929 testType: serverTest,
5930 name: "Resume-Server-CipherNotPreferred-TLS13",
5931 resumeSession: true,
5932 config: Config{
5933 MaxVersion: VersionTLS13,
5934 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5935 Bugs: ProtocolBugs{
5936 FilterTicket: func(in []byte) ([]byte, error) {
5937 // If the client (runner) offers ChaCha20-Poly1305 first, the
5938 // server (shim) always prefers it. Switch it to AES-GCM.
5939 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5940 },
5941 },
5942 },
5943 flags: []string{
5944 "-ticket-key",
5945 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5946 },
5947 shouldFail: false,
5948 expectResumeRejected: true,
5949 })
5950
5951 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5952 testCases = append(testCases, testCase{
5953 testType: serverTest,
5954 name: "Resume-Server-DeclineBadCipher-TLS13",
5955 resumeSession: true,
5956 config: Config{
5957 MaxVersion: VersionTLS13,
5958 Bugs: ProtocolBugs{
5959 FilterTicket: func(in []byte) ([]byte, error) {
5960 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5961 },
5962 },
5963 },
5964 flags: []string{
5965 "-ticket-key",
5966 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5967 },
5968 expectResumeRejected: true,
5969 })
5970
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5971 // If the client does not offer the cipher from the session, decline to
5972 // resume. Clients are forbidden from doing this, but BoringSSL selects
5973 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5974 testCases = append(testCases, testCase{
5975 testType: serverTest,
5976 name: "Resume-Server-UnofferedCipher",
5977 resumeSession: true,
5978 config: Config{
5979 MaxVersion: VersionTLS12,
5980 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5981 },
5982 resumeConfig: &Config{
5983 MaxVersion: VersionTLS12,
5984 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5985 Bugs: ProtocolBugs{
5986 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5987 },
5988 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5989 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5990 })
5991
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5992 // In TLS 1.3, clients may advertise a cipher list which does not
5993 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame^]5994 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
5995 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5996 testCases = append(testCases, testCase{
5997 testType: serverTest,
5998 name: "Resume-Server-UnofferedCipher-TLS13",
5999 resumeSession: true,
6000 config: Config{
6001 MaxVersion: VersionTLS13,
6002 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6003 },
6004 resumeConfig: &Config{
6005 MaxVersion: VersionTLS13,
6006 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6007 Bugs: ProtocolBugs{
6008 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6009 },
6010 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6011 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6012 })
6013
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6014 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6015 testCases = append(testCases, testCase{
6016 name: "Resume-Client-CipherMismatch",
6017 resumeSession: true,
6018 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6019 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6020 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6021 },
6022 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6023 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6024 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6025 Bugs: ProtocolBugs{
6026 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6027 },
6028 },
6029 shouldFail: true,
6030 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6031 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6032
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6033 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6034 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6035 testCases = append(testCases, testCase{
6036 name: "Resume-Client-CipherMismatch-TLS13",
6037 resumeSession: true,
6038 config: Config{
6039 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6040 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6041 },
6042 resumeConfig: &Config{
6043 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6044 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6045 },
6046 })
6047
6048 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6049 testCases = append(testCases, testCase{
6050 name: "Resume-Client-PRFMismatch-TLS13",
6051 resumeSession: true,
6052 config: Config{
6053 MaxVersion: VersionTLS13,
6054 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6055 },
6056 resumeConfig: &Config{
6057 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6058 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6059 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6060 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6061 },
6062 },
6063 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6064 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6065 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6066
6067 testCases = append(testCases, testCase{
6068 testType: serverTest,
6069 name: "Resume-Server-BinderWrongLength",
6070 resumeSession: true,
6071 config: Config{
6072 MaxVersion: VersionTLS13,
6073 Bugs: ProtocolBugs{
6074 SendShortPSKBinder: true,
6075 },
6076 },
6077 shouldFail: true,
6078 expectedLocalError: "remote error: error decrypting message",
6079 expectedError: ":DIGEST_CHECK_FAILED:",
6080 })
6081
6082 testCases = append(testCases, testCase{
6083 testType: serverTest,
6084 name: "Resume-Server-NoPSKBinder",
6085 resumeSession: true,
6086 config: Config{
6087 MaxVersion: VersionTLS13,
6088 Bugs: ProtocolBugs{
6089 SendNoPSKBinder: true,
6090 },
6091 },
6092 shouldFail: true,
6093 expectedLocalError: "remote error: error decoding message",
6094 expectedError: ":DECODE_ERROR:",
6095 })
6096
6097 testCases = append(testCases, testCase{
6098 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6099 name: "Resume-Server-ExtraPSKBinder",
6100 resumeSession: true,
6101 config: Config{
6102 MaxVersion: VersionTLS13,
6103 Bugs: ProtocolBugs{
6104 SendExtraPSKBinder: true,
6105 },
6106 },
6107 shouldFail: true,
6108 expectedLocalError: "remote error: illegal parameter",
6109 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6110 })
6111
6112 testCases = append(testCases, testCase{
6113 testType: serverTest,
6114 name: "Resume-Server-ExtraIdentityNoBinder",
6115 resumeSession: true,
6116 config: Config{
6117 MaxVersion: VersionTLS13,
6118 Bugs: ProtocolBugs{
6119 ExtraPSKIdentity: true,
6120 },
6121 },
6122 shouldFail: true,
6123 expectedLocalError: "remote error: illegal parameter",
6124 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6125 })
6126
6127 testCases = append(testCases, testCase{
6128 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6129 name: "Resume-Server-InvalidPSKBinder",
6130 resumeSession: true,
6131 config: Config{
6132 MaxVersion: VersionTLS13,
6133 Bugs: ProtocolBugs{
6134 SendInvalidPSKBinder: true,
6135 },
6136 },
6137 shouldFail: true,
6138 expectedLocalError: "remote error: error decrypting message",
6139 expectedError: ":DIGEST_CHECK_FAILED:",
6140 })
6141
6142 testCases = append(testCases, testCase{
6143 testType: serverTest,
6144 name: "Resume-Server-PSKBinderFirstExtension",
6145 resumeSession: true,
6146 config: Config{
6147 MaxVersion: VersionTLS13,
6148 Bugs: ProtocolBugs{
6149 PSKBinderFirst: true,
6150 },
6151 },
6152 shouldFail: true,
6153 expectedLocalError: "remote error: illegal parameter",
6154 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6155 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6156}
6157
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6158func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6159 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6160 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6161 testType: serverTest,
6162 name: "Renegotiate-Server-Forbidden",
6163 config: Config{
6164 MaxVersion: VersionTLS12,
6165 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6166 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6167 shouldFail: true,
6168 expectedError: ":NO_RENEGOTIATION:",
6169 expectedLocalError: "remote error: no renegotiation",
6170 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6171 // The server shouldn't echo the renegotiation extension unless
6172 // requested by the client.
6173 testCases = append(testCases, testCase{
6174 testType: serverTest,
6175 name: "Renegotiate-Server-NoExt",
6176 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6177 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6178 Bugs: ProtocolBugs{
6179 NoRenegotiationInfo: true,
6180 RequireRenegotiationInfo: true,
6181 },
6182 },
6183 shouldFail: true,
6184 expectedLocalError: "renegotiation extension missing",
6185 })
6186 // The renegotiation SCSV should be sufficient for the server to echo
6187 // the extension.
6188 testCases = append(testCases, testCase{
6189 testType: serverTest,
6190 name: "Renegotiate-Server-NoExt-SCSV",
6191 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6192 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6193 Bugs: ProtocolBugs{
6194 NoRenegotiationInfo: true,
6195 SendRenegotiationSCSV: true,
6196 RequireRenegotiationInfo: true,
6197 },
6198 },
6199 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6200 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6201 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6202 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6203 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6204 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6205 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6206 },
6207 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6208 renegotiate: 1,
6209 flags: []string{
6210 "-renegotiate-freely",
6211 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6212 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6213 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6214 })
6215 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6216 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6217 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6218 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6219 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6220 Bugs: ProtocolBugs{
6221 EmptyRenegotiationInfo: true,
6222 },
6223 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6224 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6225 shouldFail: true,
6226 expectedError: ":RENEGOTIATION_MISMATCH:",
6227 })
6228 testCases = append(testCases, testCase{
6229 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6230 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6231 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6232 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6233 Bugs: ProtocolBugs{
6234 BadRenegotiationInfo: true,
6235 },
6236 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6237 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6238 shouldFail: true,
6239 expectedError: ":RENEGOTIATION_MISMATCH:",
6240 })
6241 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6242 name: "Renegotiate-Client-Downgrade",
6243 renegotiate: 1,
6244 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6245 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6246 Bugs: ProtocolBugs{
6247 NoRenegotiationInfoAfterInitial: true,
6248 },
6249 },
6250 flags: []string{"-renegotiate-freely"},
6251 shouldFail: true,
6252 expectedError: ":RENEGOTIATION_MISMATCH:",
6253 })
6254 testCases = append(testCases, testCase{
6255 name: "Renegotiate-Client-Upgrade",
6256 renegotiate: 1,
6257 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6258 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6259 Bugs: ProtocolBugs{
6260 NoRenegotiationInfoInInitial: true,
6261 },
6262 },
6263 flags: []string{"-renegotiate-freely"},
6264 shouldFail: true,
6265 expectedError: ":RENEGOTIATION_MISMATCH:",
6266 })
6267 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6268 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6269 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6270 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6271 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6272 Bugs: ProtocolBugs{
6273 NoRenegotiationInfo: true,
6274 },
6275 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6276 flags: []string{
6277 "-renegotiate-freely",
6278 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6279 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6280 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6281 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6282
6283 // Test that the server may switch ciphers on renegotiation without
6284 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6285 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6286 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6287 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6288 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6289 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6290 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6291 },
6292 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6293 flags: []string{
6294 "-renegotiate-freely",
6295 "-expect-total-renegotiations", "1",
6296 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6297 })
6298 testCases = append(testCases, testCase{
6299 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6300 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6301 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6302 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6303 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6304 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6305 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6306 flags: []string{
6307 "-renegotiate-freely",
6308 "-expect-total-renegotiations", "1",
6309 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6310 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6311
6312 // Test that the server may not switch versions on renegotiation.
6313 testCases = append(testCases, testCase{
6314 name: "Renegotiate-Client-SwitchVersion",
6315 config: Config{
6316 MaxVersion: VersionTLS12,
6317 // Pick a cipher which exists at both versions.
6318 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6319 Bugs: ProtocolBugs{
6320 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6321 // Avoid failing early at the record layer.
6322 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6323 },
6324 },
6325 renegotiate: 1,
6326 flags: []string{
6327 "-renegotiate-freely",
6328 "-expect-total-renegotiations", "1",
6329 },
6330 shouldFail: true,
6331 expectedError: ":WRONG_SSL_VERSION:",
6332 })
6333
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6334 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6335 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6336 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6337 config: Config{
6338 MaxVersion: VersionTLS10,
6339 Bugs: ProtocolBugs{
6340 RequireSameRenegoClientVersion: true,
6341 },
6342 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6343 flags: []string{
6344 "-renegotiate-freely",
6345 "-expect-total-renegotiations", "1",
6346 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6347 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6348 testCases = append(testCases, testCase{
6349 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6350 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6351 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6352 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6353 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6354 NextProtos: []string{"foo"},
6355 },
6356 flags: []string{
6357 "-false-start",
6358 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6359 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6360 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6361 },
6362 shimWritesFirst: true,
6363 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6364
6365 // Client-side renegotiation controls.
6366 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6367 name: "Renegotiate-Client-Forbidden-1",
6368 config: Config{
6369 MaxVersion: VersionTLS12,
6370 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6371 renegotiate: 1,
6372 shouldFail: true,
6373 expectedError: ":NO_RENEGOTIATION:",
6374 expectedLocalError: "remote error: no renegotiation",
6375 })
6376 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6377 name: "Renegotiate-Client-Once-1",
6378 config: Config{
6379 MaxVersion: VersionTLS12,
6380 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6381 renegotiate: 1,
6382 flags: []string{
6383 "-renegotiate-once",
6384 "-expect-total-renegotiations", "1",
6385 },
6386 })
6387 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6388 name: "Renegotiate-Client-Freely-1",
6389 config: Config{
6390 MaxVersion: VersionTLS12,
6391 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6392 renegotiate: 1,
6393 flags: []string{
6394 "-renegotiate-freely",
6395 "-expect-total-renegotiations", "1",
6396 },
6397 })
6398 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6399 name: "Renegotiate-Client-Once-2",
6400 config: Config{
6401 MaxVersion: VersionTLS12,
6402 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6403 renegotiate: 2,
6404 flags: []string{"-renegotiate-once"},
6405 shouldFail: true,
6406 expectedError: ":NO_RENEGOTIATION:",
6407 expectedLocalError: "remote error: no renegotiation",
6408 })
6409 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6410 name: "Renegotiate-Client-Freely-2",
6411 config: Config{
6412 MaxVersion: VersionTLS12,
6413 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6414 renegotiate: 2,
6415 flags: []string{
6416 "-renegotiate-freely",
6417 "-expect-total-renegotiations", "2",
6418 },
6419 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6420 testCases = append(testCases, testCase{
6421 name: "Renegotiate-Client-NoIgnore",
6422 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6423 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6424 Bugs: ProtocolBugs{
6425 SendHelloRequestBeforeEveryAppDataRecord: true,
6426 },
6427 },
6428 shouldFail: true,
6429 expectedError: ":NO_RENEGOTIATION:",
6430 })
6431 testCases = append(testCases, testCase{
6432 name: "Renegotiate-Client-Ignore",
6433 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6434 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6435 Bugs: ProtocolBugs{
6436 SendHelloRequestBeforeEveryAppDataRecord: true,
6437 },
6438 },
6439 flags: []string{
6440 "-renegotiate-ignore",
6441 "-expect-total-renegotiations", "0",
6442 },
6443 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6444
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6445 // Renegotiation is not allowed at SSL 3.0.
6446 testCases = append(testCases, testCase{
6447 name: "Renegotiate-Client-SSL3",
6448 config: Config{
6449 MaxVersion: VersionSSL30,
6450 },
6451 renegotiate: 1,
6452 flags: []string{
6453 "-renegotiate-freely",
6454 "-expect-total-renegotiations", "1",
6455 },
6456 shouldFail: true,
6457 expectedError: ":NO_RENEGOTIATION:",
6458 expectedLocalError: "remote error: no renegotiation",
6459 })
6460
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6461 // Renegotiation is not allowed when there is an unfinished write.
6462 testCases = append(testCases, testCase{
6463 name: "Renegotiate-Client-UnfinishedWrite",
6464 config: Config{
6465 MaxVersion: VersionTLS12,
6466 },
6467 renegotiate: 1,
6468 flags: []string{
6469 "-async",
6470 "-renegotiate-freely",
6471 "-read-with-unfinished-write",
6472 },
6473 shouldFail: true,
6474 expectedError: ":NO_RENEGOTIATION:",
6475 // We do not successfully send the no_renegotiation alert in
6476 // this case. https://crbug.com/boringssl/130
6477 })
6478
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6479 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6480 testCases = append(testCases, testCase{
6481 name: "StrayHelloRequest",
6482 config: Config{
6483 MaxVersion: VersionTLS12,
6484 Bugs: ProtocolBugs{
6485 SendHelloRequestBeforeEveryHandshakeMessage: true,
6486 },
6487 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6488 shouldFail: true,
6489 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6490 })
6491 testCases = append(testCases, testCase{
6492 name: "StrayHelloRequest-Packed",
6493 config: Config{
6494 MaxVersion: VersionTLS12,
6495 Bugs: ProtocolBugs{
6496 PackHandshakeFlight: true,
6497 SendHelloRequestBeforeEveryHandshakeMessage: true,
6498 },
6499 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6500 shouldFail: true,
6501 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6502 })
6503
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6504 // Test renegotiation works if HelloRequest and server Finished come in
6505 // the same record.
6506 testCases = append(testCases, testCase{
6507 name: "Renegotiate-Client-Packed",
6508 config: Config{
6509 MaxVersion: VersionTLS12,
6510 Bugs: ProtocolBugs{
6511 PackHandshakeFlight: true,
6512 PackHelloRequestWithFinished: true,
6513 },
6514 },
6515 renegotiate: 1,
6516 flags: []string{
6517 "-renegotiate-freely",
6518 "-expect-total-renegotiations", "1",
6519 },
6520 })
6521
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6522 // Renegotiation is forbidden in TLS 1.3.
6523 testCases = append(testCases, testCase{
6524 name: "Renegotiate-Client-TLS13",
6525 config: Config{
6526 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6527 Bugs: ProtocolBugs{
6528 SendHelloRequestBeforeEveryAppDataRecord: true,
6529 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6530 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6531 flags: []string{
6532 "-renegotiate-freely",
6533 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6534 shouldFail: true,
6535 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6536 })
6537
6538 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6539 testCases = append(testCases, testCase{
6540 name: "StrayHelloRequest-TLS13",
6541 config: Config{
6542 MaxVersion: VersionTLS13,
6543 Bugs: ProtocolBugs{
6544 SendHelloRequestBeforeEveryHandshakeMessage: true,
6545 },
6546 },
6547 shouldFail: true,
6548 expectedError: ":UNEXPECTED_MESSAGE:",
6549 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6550
6551 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6552 // always reads as supporting it, regardless of whether it was
6553 // negotiated.
6554 testCases = append(testCases, testCase{
6555 name: "AlwaysReportRenegotiationInfo-TLS13",
6556 config: Config{
6557 MaxVersion: VersionTLS13,
6558 Bugs: ProtocolBugs{
6559 NoRenegotiationInfo: true,
6560 },
6561 },
6562 flags: []string{
6563 "-expect-secure-renegotiation",
6564 },
6565 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6566
6567 // Certificates may not change on renegotiation.
6568 testCases = append(testCases, testCase{
6569 name: "Renegotiation-CertificateChange",
6570 config: Config{
6571 MaxVersion: VersionTLS12,
6572 Certificates: []Certificate{rsaCertificate},
6573 Bugs: ProtocolBugs{
6574 RenegotiationCertificate: &rsaChainCertificate,
6575 },
6576 },
6577 renegotiate: 1,
6578 flags: []string{"-renegotiate-freely"},
6579 shouldFail: true,
6580 expectedError: ":SERVER_CERT_CHANGED:",
6581 })
6582 testCases = append(testCases, testCase{
6583 name: "Renegotiation-CertificateChange-2",
6584 config: Config{
6585 MaxVersion: VersionTLS12,
6586 Certificates: []Certificate{rsaCertificate},
6587 Bugs: ProtocolBugs{
6588 RenegotiationCertificate: &rsa1024Certificate,
6589 },
6590 },
6591 renegotiate: 1,
6592 flags: []string{"-renegotiate-freely"},
6593 shouldFail: true,
6594 expectedError: ":SERVER_CERT_CHANGED:",
6595 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6596}
6597
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6598func addDTLSReplayTests() {
6599 // Test that sequence number replays are detected.
6600 testCases = append(testCases, testCase{
6601 protocol: dtls,
6602 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6603 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6604 replayWrites: true,
6605 })
6606
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6607 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6608 // than the retransmit window.
6609 testCases = append(testCases, testCase{
6610 protocol: dtls,
6611 name: "DTLS-Replay-LargeGaps",
6612 config: Config{
6613 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6614 SequenceNumberMapping: func(in uint64) uint64 {
6615 return in * 127
6616 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6617 },
6618 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6619 messageCount: 200,
6620 replayWrites: true,
6621 })
6622
6623 // Test the incoming sequence number changing non-monotonically.
6624 testCases = append(testCases, testCase{
6625 protocol: dtls,
6626 name: "DTLS-Replay-NonMonotonic",
6627 config: Config{
6628 Bugs: ProtocolBugs{
6629 SequenceNumberMapping: func(in uint64) uint64 {
6630 return in ^ 31
6631 },
6632 },
6633 },
6634 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6635 replayWrites: true,
6636 })
6637}
6638
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6639var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6640 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6641 id signatureAlgorithm
6642 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6643}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6644 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6645 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6646 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6647 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6648 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6649 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6650 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6651 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6652 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6653 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6654 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6655 // Tests for key types prior to TLS 1.2.
6656 {"RSA", 0, testCertRSA},
6657 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6658}
6659
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6660const fakeSigAlg1 signatureAlgorithm = 0x2a01
6661const fakeSigAlg2 signatureAlgorithm = 0xff01
6662
6663func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6664 // Not all ciphers involve a signature. Advertise a list which gives all
6665 // versions a signing cipher.
6666 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6667 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6668 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6669 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6670 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6671 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6672 }
6673 if *includeDHE {
6674 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6675 }
6676
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6677 var allAlgorithms []signatureAlgorithm
6678 for _, alg := range testSignatureAlgorithms {
6679 if alg.id != 0 {
6680 allAlgorithms = append(allAlgorithms, alg.id)
6681 }
6682 }
6683
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6684 // Make sure each signature algorithm works. Include some fake values in
6685 // the list and ensure they're ignored.
6686 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6687 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6688 if (ver.version < VersionTLS12) != (alg.id == 0) {
6689 continue
6690 }
6691
6692 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6693 // or remove it in C.
6694 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6695 continue
6696 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6697
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6698 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6699 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6700 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6701 shouldSignFail = true
6702 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6703 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6704 // RSA-PKCS1 does not exist in TLS 1.3.
6705 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6706 shouldSignFail = true
6707 shouldVerifyFail = true
6708 }
6709
6710 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6711 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6712 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6713 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6714
6715 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6716 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6717 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6718 }
6719 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6720 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6721 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6722
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6723 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6724
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6725 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6726 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6727 config: Config{
6728 MaxVersion: ver.version,
6729 ClientAuth: RequireAnyClientCert,
6730 VerifySignatureAlgorithms: []signatureAlgorithm{
6731 fakeSigAlg1,
6732 alg.id,
6733 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6734 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6735 },
6736 flags: []string{
6737 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6738 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6739 "-enable-all-curves",
6740 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6741 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6742 expectedError: signError,
6743 expectedPeerSignatureAlgorithm: alg.id,
6744 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6745
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6746 testCases = append(testCases, testCase{
6747 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6748 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6749 config: Config{
6750 MaxVersion: ver.version,
6751 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6752 SignSignatureAlgorithms: []signatureAlgorithm{
6753 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6754 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6755 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6756 SkipECDSACurveCheck: shouldVerifyFail,
6757 IgnoreSignatureVersionChecks: shouldVerifyFail,
6758 // Some signature algorithms may not be advertised.
6759 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6760 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6761 },
6762 flags: []string{
6763 "-require-any-client-certificate",
6764 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6765 "-enable-all-curves",
6766 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6767 // Resume the session to assert the peer signature
6768 // algorithm is reported on both handshakes.
6769 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6770 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6771 expectedError: verifyError,
6772 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6773
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6774 // No signing cipher for SSL 3.0.
6775 if *includeDHE || ver.version > VersionSSL30 {
6776 testCases = append(testCases, testCase{
6777 testType: serverTest,
6778 name: "ServerAuth-Sign" + suffix,
6779 config: Config{
6780 MaxVersion: ver.version,
6781 CipherSuites: signingCiphers,
6782 VerifySignatureAlgorithms: []signatureAlgorithm{
6783 fakeSigAlg1,
6784 alg.id,
6785 fakeSigAlg2,
6786 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6787 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6788 flags: []string{
6789 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6790 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6791 "-enable-all-curves",
6792 },
6793 shouldFail: shouldSignFail,
6794 expectedError: signError,
6795 expectedPeerSignatureAlgorithm: alg.id,
6796 })
6797 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6798
6799 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6800 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6801 config: Config{
6802 MaxVersion: ver.version,
6803 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6804 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6805 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6806 alg.id,
6807 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6808 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6809 SkipECDSACurveCheck: shouldVerifyFail,
6810 IgnoreSignatureVersionChecks: shouldVerifyFail,
6811 // Some signature algorithms may not be advertised.
6812 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6813 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6814 },
6815 flags: []string{
6816 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6817 "-enable-all-curves",
6818 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6819 // Resume the session to assert the peer signature
6820 // algorithm is reported on both handshakes.
6821 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6822 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6823 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6824 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6825
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6826 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6827 testCases = append(testCases, testCase{
6828 testType: serverTest,
6829 name: "ClientAuth-InvalidSignature" + suffix,
6830 config: Config{
6831 MaxVersion: ver.version,
6832 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6833 SignSignatureAlgorithms: []signatureAlgorithm{
6834 alg.id,
6835 },
6836 Bugs: ProtocolBugs{
6837 InvalidSignature: true,
6838 },
6839 },
6840 flags: []string{
6841 "-require-any-client-certificate",
6842 "-enable-all-curves",
6843 },
6844 shouldFail: true,
6845 expectedError: ":BAD_SIGNATURE:",
6846 })
6847
6848 testCases = append(testCases, testCase{
6849 name: "ServerAuth-InvalidSignature" + suffix,
6850 config: Config{
6851 MaxVersion: ver.version,
6852 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6853 CipherSuites: signingCiphers,
6854 SignSignatureAlgorithms: []signatureAlgorithm{
6855 alg.id,
6856 },
6857 Bugs: ProtocolBugs{
6858 InvalidSignature: true,
6859 },
6860 },
6861 flags: []string{"-enable-all-curves"},
6862 shouldFail: true,
6863 expectedError: ":BAD_SIGNATURE:",
6864 })
6865 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6866
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6867 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6868 testCases = append(testCases, testCase{
6869 name: "ClientAuth-Sign-Negotiate" + suffix,
6870 config: Config{
6871 MaxVersion: ver.version,
6872 ClientAuth: RequireAnyClientCert,
6873 VerifySignatureAlgorithms: allAlgorithms,
6874 },
6875 flags: []string{
6876 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6877 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6878 "-enable-all-curves",
6879 "-signing-prefs", strconv.Itoa(int(alg.id)),
6880 },
6881 expectedPeerSignatureAlgorithm: alg.id,
6882 })
6883
6884 testCases = append(testCases, testCase{
6885 testType: serverTest,
6886 name: "ServerAuth-Sign-Negotiate" + suffix,
6887 config: Config{
6888 MaxVersion: ver.version,
6889 CipherSuites: signingCiphers,
6890 VerifySignatureAlgorithms: allAlgorithms,
6891 },
6892 flags: []string{
6893 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6894 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6895 "-enable-all-curves",
6896 "-signing-prefs", strconv.Itoa(int(alg.id)),
6897 },
6898 expectedPeerSignatureAlgorithm: alg.id,
6899 })
6900 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6901 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6902 }
6903
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6904 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6905 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6906 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6907 config: Config{
6908 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6909 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6910 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6911 signatureECDSAWithP521AndSHA512,
6912 signatureRSAPKCS1WithSHA384,
6913 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6914 },
6915 },
6916 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6917 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6918 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6919 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6920 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6921 })
6922
6923 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6924 name: "ClientAuth-SignatureType-TLS13",
6925 config: Config{
6926 ClientAuth: RequireAnyClientCert,
6927 MaxVersion: VersionTLS13,
6928 VerifySignatureAlgorithms: []signatureAlgorithm{
6929 signatureECDSAWithP521AndSHA512,
6930 signatureRSAPKCS1WithSHA384,
6931 signatureRSAPSSWithSHA384,
6932 signatureECDSAWithSHA1,
6933 },
6934 },
6935 flags: []string{
6936 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6937 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6938 },
6939 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6940 })
6941
6942 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6943 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6944 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6945 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6946 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6947 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6948 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6949 signatureECDSAWithP521AndSHA512,
6950 signatureRSAPKCS1WithSHA384,
6951 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6952 },
6953 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6954 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6955 })
6956
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6957 testCases = append(testCases, testCase{
6958 testType: serverTest,
6959 name: "ServerAuth-SignatureType-TLS13",
6960 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6961 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6962 VerifySignatureAlgorithms: []signatureAlgorithm{
6963 signatureECDSAWithP521AndSHA512,
6964 signatureRSAPKCS1WithSHA384,
6965 signatureRSAPSSWithSHA384,
6966 signatureECDSAWithSHA1,
6967 },
6968 },
6969 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6970 })
6971
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6972 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6973 testCases = append(testCases, testCase{
6974 testType: serverTest,
6975 name: "Verify-ClientAuth-SignatureType",
6976 config: Config{
6977 MaxVersion: VersionTLS12,
6978 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6979 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6980 signatureRSAPKCS1WithSHA256,
6981 },
6982 Bugs: ProtocolBugs{
6983 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6984 },
6985 },
6986 flags: []string{
6987 "-require-any-client-certificate",
6988 },
6989 shouldFail: true,
6990 expectedError: ":WRONG_SIGNATURE_TYPE:",
6991 })
6992
6993 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6994 testType: serverTest,
6995 name: "Verify-ClientAuth-SignatureType-TLS13",
6996 config: Config{
6997 MaxVersion: VersionTLS13,
6998 Certificates: []Certificate{rsaCertificate},
6999 SignSignatureAlgorithms: []signatureAlgorithm{
7000 signatureRSAPSSWithSHA256,
7001 },
7002 Bugs: ProtocolBugs{
7003 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7004 },
7005 },
7006 flags: []string{
7007 "-require-any-client-certificate",
7008 },
7009 shouldFail: true,
7010 expectedError: ":WRONG_SIGNATURE_TYPE:",
7011 })
7012
7013 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7014 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7015 config: Config{
7016 MaxVersion: VersionTLS12,
7017 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7018 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7019 signatureRSAPKCS1WithSHA256,
7020 },
7021 Bugs: ProtocolBugs{
7022 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7023 },
7024 },
7025 shouldFail: true,
7026 expectedError: ":WRONG_SIGNATURE_TYPE:",
7027 })
7028
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7029 testCases = append(testCases, testCase{
7030 name: "Verify-ServerAuth-SignatureType-TLS13",
7031 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7032 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7033 SignSignatureAlgorithms: []signatureAlgorithm{
7034 signatureRSAPSSWithSHA256,
7035 },
7036 Bugs: ProtocolBugs{
7037 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7038 },
7039 },
7040 shouldFail: true,
7041 expectedError: ":WRONG_SIGNATURE_TYPE:",
7042 })
7043
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7044 // Test that, if the list is missing, the peer falls back to SHA-1 in
7045 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7046 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7047 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7048 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7049 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7050 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7051 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7052 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7053 },
7054 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7055 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7056 },
7057 },
7058 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7059 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7060 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7061 },
7062 })
7063
7064 testCases = append(testCases, testCase{
7065 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7066 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7067 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7068 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7069 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7070 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7071 },
7072 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7073 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7074 },
7075 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7076 flags: []string{
7077 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7078 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7079 },
7080 })
7081
7082 testCases = append(testCases, testCase{
7083 name: "ClientAuth-SHA1-Fallback-ECDSA",
7084 config: Config{
7085 MaxVersion: VersionTLS12,
7086 ClientAuth: RequireAnyClientCert,
7087 VerifySignatureAlgorithms: []signatureAlgorithm{
7088 signatureECDSAWithSHA1,
7089 },
7090 Bugs: ProtocolBugs{
7091 NoSignatureAlgorithms: true,
7092 },
7093 },
7094 flags: []string{
7095 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7096 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7097 },
7098 })
7099
7100 testCases = append(testCases, testCase{
7101 testType: serverTest,
7102 name: "ServerAuth-SHA1-Fallback-ECDSA",
7103 config: Config{
7104 MaxVersion: VersionTLS12,
7105 VerifySignatureAlgorithms: []signatureAlgorithm{
7106 signatureECDSAWithSHA1,
7107 },
7108 Bugs: ProtocolBugs{
7109 NoSignatureAlgorithms: true,
7110 },
7111 },
7112 flags: []string{
7113 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7114 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7115 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7116 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7117
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7118 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7119 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7120 config: Config{
7121 MaxVersion: VersionTLS13,
7122 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7123 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7124 signatureRSAPKCS1WithSHA1,
7125 },
7126 Bugs: ProtocolBugs{
7127 NoSignatureAlgorithms: true,
7128 },
7129 },
7130 flags: []string{
7131 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7132 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7133 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7134 shouldFail: true,
7135 // An empty CertificateRequest signature algorithm list is a
7136 // syntax error in TLS 1.3.
7137 expectedError: ":DECODE_ERROR:",
7138 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7139 })
7140
7141 testCases = append(testCases, testCase{
7142 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7143 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7144 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7145 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7146 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7147 signatureRSAPKCS1WithSHA1,
7148 },
7149 Bugs: ProtocolBugs{
7150 NoSignatureAlgorithms: true,
7151 },
7152 },
7153 shouldFail: true,
7154 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7155 })
7156
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7157 // Test that hash preferences are enforced. BoringSSL does not implement
7158 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7159 testCases = append(testCases, testCase{
7160 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7161 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7162 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7163 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7164 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7165 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7166 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7167 },
7168 Bugs: ProtocolBugs{
7169 IgnorePeerSignatureAlgorithmPreferences: true,
7170 },
7171 },
7172 flags: []string{"-require-any-client-certificate"},
7173 shouldFail: true,
7174 expectedError: ":WRONG_SIGNATURE_TYPE:",
7175 })
7176
7177 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7178 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7179 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7180 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7181 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7182 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7183 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7184 },
7185 Bugs: ProtocolBugs{
7186 IgnorePeerSignatureAlgorithmPreferences: true,
7187 },
7188 },
7189 shouldFail: true,
7190 expectedError: ":WRONG_SIGNATURE_TYPE:",
7191 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7192 testCases = append(testCases, testCase{
7193 testType: serverTest,
7194 name: "ClientAuth-Enforced-TLS13",
7195 config: Config{
7196 MaxVersion: VersionTLS13,
7197 Certificates: []Certificate{rsaCertificate},
7198 SignSignatureAlgorithms: []signatureAlgorithm{
7199 signatureRSAPKCS1WithMD5,
7200 },
7201 Bugs: ProtocolBugs{
7202 IgnorePeerSignatureAlgorithmPreferences: true,
7203 IgnoreSignatureVersionChecks: true,
7204 },
7205 },
7206 flags: []string{"-require-any-client-certificate"},
7207 shouldFail: true,
7208 expectedError: ":WRONG_SIGNATURE_TYPE:",
7209 })
7210
7211 testCases = append(testCases, testCase{
7212 name: "ServerAuth-Enforced-TLS13",
7213 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7214 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7215 SignSignatureAlgorithms: []signatureAlgorithm{
7216 signatureRSAPKCS1WithMD5,
7217 },
7218 Bugs: ProtocolBugs{
7219 IgnorePeerSignatureAlgorithmPreferences: true,
7220 IgnoreSignatureVersionChecks: true,
7221 },
7222 },
7223 shouldFail: true,
7224 expectedError: ":WRONG_SIGNATURE_TYPE:",
7225 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7226
7227 // Test that the agreed upon digest respects the client preferences and
7228 // the server digests.
7229 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7230 name: "NoCommonAlgorithms-Digests",
7231 config: Config{
7232 MaxVersion: VersionTLS12,
7233 ClientAuth: RequireAnyClientCert,
7234 VerifySignatureAlgorithms: []signatureAlgorithm{
7235 signatureRSAPKCS1WithSHA512,
7236 signatureRSAPKCS1WithSHA1,
7237 },
7238 },
7239 flags: []string{
7240 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7241 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7242 "-digest-prefs", "SHA256",
7243 },
7244 shouldFail: true,
7245 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7246 })
7247 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7248 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7249 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7250 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7251 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7252 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7253 signatureRSAPKCS1WithSHA512,
7254 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7255 },
7256 },
7257 flags: []string{
7258 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7259 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7260 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7261 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7262 shouldFail: true,
7263 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7264 })
7265 testCases = append(testCases, testCase{
7266 name: "NoCommonAlgorithms-TLS13",
7267 config: Config{
7268 MaxVersion: VersionTLS13,
7269 ClientAuth: RequireAnyClientCert,
7270 VerifySignatureAlgorithms: []signatureAlgorithm{
7271 signatureRSAPSSWithSHA512,
7272 signatureRSAPSSWithSHA384,
7273 },
7274 },
7275 flags: []string{
7276 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7277 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7278 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7279 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7280 shouldFail: true,
7281 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7282 })
7283 testCases = append(testCases, testCase{
7284 name: "Agree-Digest-SHA256",
7285 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7286 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7287 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7288 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7289 signatureRSAPKCS1WithSHA1,
7290 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7291 },
7292 },
7293 flags: []string{
7294 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7295 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7296 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7297 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7298 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7299 })
7300 testCases = append(testCases, testCase{
7301 name: "Agree-Digest-SHA1",
7302 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7303 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7304 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7305 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7306 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7307 },
7308 },
7309 flags: []string{
7310 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7311 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7312 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7313 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7314 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7315 })
7316 testCases = append(testCases, testCase{
7317 name: "Agree-Digest-Default",
7318 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7319 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7320 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7321 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7322 signatureRSAPKCS1WithSHA256,
7323 signatureECDSAWithP256AndSHA256,
7324 signatureRSAPKCS1WithSHA1,
7325 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7326 },
7327 },
7328 flags: []string{
7329 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7330 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7331 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7332 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7333 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7334
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7335 // Test that the signing preference list may include extra algorithms
7336 // without negotiation problems.
7337 testCases = append(testCases, testCase{
7338 testType: serverTest,
7339 name: "FilterExtraAlgorithms",
7340 config: Config{
7341 MaxVersion: VersionTLS12,
7342 VerifySignatureAlgorithms: []signatureAlgorithm{
7343 signatureRSAPKCS1WithSHA256,
7344 },
7345 },
7346 flags: []string{
7347 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7348 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7349 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7350 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7351 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7352 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7353 },
7354 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7355 })
7356
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7357 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7358 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7359 testCases = append(testCases, testCase{
7360 name: "CheckLeafCurve",
7361 config: Config{
7362 MaxVersion: VersionTLS12,
7363 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7364 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7365 },
7366 flags: []string{"-p384-only"},
7367 shouldFail: true,
7368 expectedError: ":BAD_ECC_CERT:",
7369 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7370
7371 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7372 testCases = append(testCases, testCase{
7373 name: "CheckLeafCurve-TLS13",
7374 config: Config{
7375 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7376 Certificates: []Certificate{ecdsaP256Certificate},
7377 },
7378 flags: []string{"-p384-only"},
7379 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7380
7381 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7382 testCases = append(testCases, testCase{
7383 name: "ECDSACurveMismatch-Verify-TLS12",
7384 config: Config{
7385 MaxVersion: VersionTLS12,
7386 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7387 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7388 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7389 signatureECDSAWithP384AndSHA384,
7390 },
7391 },
7392 })
7393
7394 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7395 testCases = append(testCases, testCase{
7396 name: "ECDSACurveMismatch-Verify-TLS13",
7397 config: Config{
7398 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7399 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7400 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7401 signatureECDSAWithP384AndSHA384,
7402 },
7403 Bugs: ProtocolBugs{
7404 SkipECDSACurveCheck: true,
7405 },
7406 },
7407 shouldFail: true,
7408 expectedError: ":WRONG_SIGNATURE_TYPE:",
7409 })
7410
7411 // Signature algorithm selection in TLS 1.3 should take the curve into
7412 // account.
7413 testCases = append(testCases, testCase{
7414 testType: serverTest,
7415 name: "ECDSACurveMismatch-Sign-TLS13",
7416 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7417 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7418 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7419 signatureECDSAWithP384AndSHA384,
7420 signatureECDSAWithP256AndSHA256,
7421 },
7422 },
7423 flags: []string{
7424 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7425 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7426 },
7427 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7428 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7429
7430 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7431 // server does not attempt to sign in that case.
7432 testCases = append(testCases, testCase{
7433 testType: serverTest,
7434 name: "RSA-PSS-Large",
7435 config: Config{
7436 MaxVersion: VersionTLS13,
7437 VerifySignatureAlgorithms: []signatureAlgorithm{
7438 signatureRSAPSSWithSHA512,
7439 },
7440 },
7441 flags: []string{
7442 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7443 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7444 },
7445 shouldFail: true,
7446 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7447 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7448
7449 // Test that RSA-PSS is enabled by default for TLS 1.2.
7450 testCases = append(testCases, testCase{
7451 testType: clientTest,
7452 name: "RSA-PSS-Default-Verify",
7453 config: Config{
7454 MaxVersion: VersionTLS12,
7455 SignSignatureAlgorithms: []signatureAlgorithm{
7456 signatureRSAPSSWithSHA256,
7457 },
7458 },
7459 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7460 })
7461
7462 testCases = append(testCases, testCase{
7463 testType: serverTest,
7464 name: "RSA-PSS-Default-Sign",
7465 config: Config{
7466 MaxVersion: VersionTLS12,
7467 VerifySignatureAlgorithms: []signatureAlgorithm{
7468 signatureRSAPSSWithSHA256,
7469 },
7470 },
7471 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7472 })
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]7473
7474 // A server certificate with a P-224 key will only work up to TLS 1.2
7475 // and we only test it with BoringSSL acting as a server because that's
7476 // all Alphabet requires with it.
7477 testCases = append(testCases, testCase{
7478 testType: serverTest,
7479 name: "P224-Server",
7480 config: Config{
7481 VerifySignatureAlgorithms: []signatureAlgorithm{
7482 // TLS 1.2 does not require that the curve
7483 // match the hash, thus P-256 with SHA-256 is
7484 // the same signature algorithm value as P-224
7485 // with SHA-256.
7486 signatureECDSAWithP256AndSHA256,
7487 },
7488 // P-256 must be offered as well because ECDHE requires
7489 // it.
7490 CurvePreferences: []CurveID{CurveP224, CurveP256},
7491 },
7492 flags: []string{
7493 "-max-version", strconv.Itoa(VersionTLS12),
7494 "-cert-file", path.Join(*resourceDir, ecdsaP224CertificateFile),
7495 "-key-file", path.Join(*resourceDir, ecdsaP224KeyFile),
7496 },
7497 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7498}
7499
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7500// timeouts is the retransmit schedule for BoringSSL. It doubles and
7501// caps at 60 seconds. On the 13th timeout, it gives up.
7502var timeouts = []time.Duration{
7503 1 * time.Second,
7504 2 * time.Second,
7505 4 * time.Second,
7506 8 * time.Second,
7507 16 * time.Second,
7508 32 * time.Second,
7509 60 * time.Second,
7510 60 * time.Second,
7511 60 * time.Second,
7512 60 * time.Second,
7513 60 * time.Second,
7514 60 * time.Second,
7515 60 * time.Second,
7516}
7517
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7518// shortTimeouts is an alternate set of timeouts which would occur if the
7519// initial timeout duration was set to 250ms.
7520var shortTimeouts = []time.Duration{
7521 250 * time.Millisecond,
7522 500 * time.Millisecond,
7523 1 * time.Second,
7524 2 * time.Second,
7525 4 * time.Second,
7526 8 * time.Second,
7527 16 * time.Second,
7528 32 * time.Second,
7529 60 * time.Second,
7530 60 * time.Second,
7531 60 * time.Second,
7532 60 * time.Second,
7533 60 * time.Second,
7534}
7535
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7536func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7537 // These tests work by coordinating some behavior on both the shim and
7538 // the runner.
7539 //
7540 // TimeoutSchedule configures the runner to send a series of timeout
7541 // opcodes to the shim (see packetAdaptor) immediately before reading
7542 // each peer handshake flight N. The timeout opcode both simulates a
7543 // timeout in the shim and acts as a synchronization point to help the
7544 // runner bracket each handshake flight.
7545 //
7546 // We assume the shim does not read from the channel eagerly. It must
7547 // first wait until it has sent flight N and is ready to receive
7548 // handshake flight N+1. At this point, it will process the timeout
7549 // opcode. It must then immediately respond with a timeout ACK and act
7550 // as if the shim was idle for the specified amount of time.
7551 //
7552 // The runner then drops all packets received before the ACK and
7553 // continues waiting for flight N. This ordering results in one attempt
7554 // at sending flight N to be dropped. For the test to complete, the
7555 // shim must send flight N again, testing that the shim implements DTLS
7556 // retransmit on a timeout.
7557
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7558 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7559 // likely be more epochs to cross and the final message's retransmit may
7560 // be more complex.
7561
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7562 // Test that this is indeed the timeout schedule. Stress all
7563 // four patterns of handshake.
7564 for i := 1; i < len(timeouts); i++ {
7565 number := strconv.Itoa(i)
7566 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7567 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7568 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7569 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7570 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7571 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7572 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7573 },
7574 },
7575 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7576 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7577 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7578 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7579 protocol: dtls,
7580 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7581 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7582 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7583 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7584 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7585 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7586 },
7587 },
7588 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7589 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7590 })
7591 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7592
7593 // Test that exceeding the timeout schedule hits a read
7594 // timeout.
7595 testCases = append(testCases, testCase{
7596 protocol: dtls,
7597 name: "DTLS-Retransmit-Timeout",
7598 config: Config{
7599 MaxVersion: VersionTLS12,
7600 Bugs: ProtocolBugs{
7601 TimeoutSchedule: timeouts,
7602 },
7603 },
7604 resumeSession: true,
7605 flags: []string{"-async"},
7606 shouldFail: true,
7607 expectedError: ":READ_TIMEOUT_EXPIRED:",
7608 })
7609
7610 // Test that timeout handling has a fudge factor, due to API
7611 // problems.
7612 testCases = append(testCases, testCase{
7613 protocol: dtls,
7614 name: "DTLS-Retransmit-Fudge",
7615 config: Config{
7616 MaxVersion: VersionTLS12,
7617 Bugs: ProtocolBugs{
7618 TimeoutSchedule: []time.Duration{
7619 timeouts[0] - 10*time.Millisecond,
7620 },
7621 },
7622 },
7623 resumeSession: true,
7624 flags: []string{"-async"},
7625 })
7626
7627 // Test that the final Finished retransmitting isn't
7628 // duplicated if the peer badly fragments everything.
7629 testCases = append(testCases, testCase{
7630 testType: serverTest,
7631 protocol: dtls,
7632 name: "DTLS-Retransmit-Fragmented",
7633 config: Config{
7634 MaxVersion: VersionTLS12,
7635 Bugs: ProtocolBugs{
7636 TimeoutSchedule: []time.Duration{timeouts[0]},
7637 MaxHandshakeRecordLength: 2,
7638 },
7639 },
7640 flags: []string{"-async"},
7641 })
7642
7643 // Test the timeout schedule when a shorter initial timeout duration is set.
7644 testCases = append(testCases, testCase{
7645 protocol: dtls,
7646 name: "DTLS-Retransmit-Short-Client",
7647 config: Config{
7648 MaxVersion: VersionTLS12,
7649 Bugs: ProtocolBugs{
7650 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7651 },
7652 },
7653 resumeSession: true,
7654 flags: []string{
7655 "-async",
7656 "-initial-timeout-duration-ms", "250",
7657 },
7658 })
7659 testCases = append(testCases, testCase{
7660 protocol: dtls,
7661 testType: serverTest,
7662 name: "DTLS-Retransmit-Short-Server",
7663 config: Config{
7664 MaxVersion: VersionTLS12,
7665 Bugs: ProtocolBugs{
7666 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7667 },
7668 },
7669 resumeSession: true,
7670 flags: []string{
7671 "-async",
7672 "-initial-timeout-duration-ms", "250",
7673 },
7674 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7675}
7676
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7677func addExportKeyingMaterialTests() {
7678 for _, vers := range tlsVersions {
7679 if vers.version == VersionSSL30 {
7680 continue
7681 }
7682 testCases = append(testCases, testCase{
7683 name: "ExportKeyingMaterial-" + vers.name,
7684 config: Config{
7685 MaxVersion: vers.version,
7686 },
7687 exportKeyingMaterial: 1024,
7688 exportLabel: "label",
7689 exportContext: "context",
7690 useExportContext: true,
7691 })
7692 testCases = append(testCases, testCase{
7693 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7694 config: Config{
7695 MaxVersion: vers.version,
7696 },
7697 exportKeyingMaterial: 1024,
7698 })
7699 testCases = append(testCases, testCase{
7700 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7701 config: Config{
7702 MaxVersion: vers.version,
7703 },
7704 exportKeyingMaterial: 1024,
7705 useExportContext: true,
7706 })
7707 testCases = append(testCases, testCase{
7708 name: "ExportKeyingMaterial-Small-" + vers.name,
7709 config: Config{
7710 MaxVersion: vers.version,
7711 },
7712 exportKeyingMaterial: 1,
7713 exportLabel: "label",
7714 exportContext: "context",
7715 useExportContext: true,
7716 })
7717 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7718
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7719 testCases = append(testCases, testCase{
7720 name: "ExportKeyingMaterial-SSL3",
7721 config: Config{
7722 MaxVersion: VersionSSL30,
7723 },
7724 exportKeyingMaterial: 1024,
7725 exportLabel: "label",
7726 exportContext: "context",
7727 useExportContext: true,
7728 shouldFail: true,
7729 expectedError: "failed to export keying material",
7730 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7731
7732 // Exporters work during a False Start.
7733 testCases = append(testCases, testCase{
7734 name: "ExportKeyingMaterial-FalseStart",
7735 config: Config{
7736 MaxVersion: VersionTLS12,
7737 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7738 NextProtos: []string{"foo"},
7739 Bugs: ProtocolBugs{
7740 ExpectFalseStart: true,
7741 },
7742 },
7743 flags: []string{
7744 "-false-start",
7745 "-advertise-alpn", "\x03foo",
7746 },
7747 shimWritesFirst: true,
7748 exportKeyingMaterial: 1024,
7749 exportLabel: "label",
7750 exportContext: "context",
7751 useExportContext: true,
7752 })
7753
7754 // Exporters do not work in the middle of a renegotiation. Test this by
7755 // triggering the exporter after every SSL_read call and configuring the
7756 // shim to run asynchronously.
7757 testCases = append(testCases, testCase{
7758 name: "ExportKeyingMaterial-Renegotiate",
7759 config: Config{
7760 MaxVersion: VersionTLS12,
7761 },
7762 renegotiate: 1,
7763 flags: []string{
7764 "-async",
7765 "-use-exporter-between-reads",
7766 "-renegotiate-freely",
7767 "-expect-total-renegotiations", "1",
7768 },
7769 shouldFail: true,
7770 expectedError: "failed to export keying material",
7771 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7772}
7773
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7774func addTLSUniqueTests() {
7775 for _, isClient := range []bool{false, true} {
7776 for _, isResumption := range []bool{false, true} {
7777 for _, hasEMS := range []bool{false, true} {
7778 var suffix string
7779 if isResumption {
7780 suffix = "Resume-"
7781 } else {
7782 suffix = "Full-"
7783 }
7784
7785 if hasEMS {
7786 suffix += "EMS-"
7787 } else {
7788 suffix += "NoEMS-"
7789 }
7790
7791 if isClient {
7792 suffix += "Client"
7793 } else {
7794 suffix += "Server"
7795 }
7796
7797 test := testCase{
7798 name: "TLSUnique-" + suffix,
7799 testTLSUnique: true,
7800 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7801 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7802 Bugs: ProtocolBugs{
7803 NoExtendedMasterSecret: !hasEMS,
7804 },
7805 },
7806 }
7807
7808 if isResumption {
7809 test.resumeSession = true
7810 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7811 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7812 Bugs: ProtocolBugs{
7813 NoExtendedMasterSecret: !hasEMS,
7814 },
7815 }
7816 }
7817
7818 if isResumption && !hasEMS {
7819 test.shouldFail = true
7820 test.expectedError = "failed to get tls-unique"
7821 }
7822
7823 testCases = append(testCases, test)
7824 }
7825 }
7826 }
7827}
7828
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7829func addCustomExtensionTests() {
7830 expectedContents := "custom extension"
7831 emptyString := ""
7832
7833 for _, isClient := range []bool{false, true} {
7834 suffix := "Server"
7835 flag := "-enable-server-custom-extension"
7836 testType := serverTest
7837 if isClient {
7838 suffix = "Client"
7839 flag = "-enable-client-custom-extension"
7840 testType = clientTest
7841 }
7842
7843 testCases = append(testCases, testCase{
7844 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7845 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7846 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7847 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7848 Bugs: ProtocolBugs{
7849 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7850 ExpectedCustomExtension: &expectedContents,
7851 },
7852 },
7853 flags: []string{flag},
7854 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7855 testCases = append(testCases, testCase{
7856 testType: testType,
7857 name: "CustomExtensions-" + suffix + "-TLS13",
7858 config: Config{
7859 MaxVersion: VersionTLS13,
7860 Bugs: ProtocolBugs{
7861 CustomExtension: expectedContents,
7862 ExpectedCustomExtension: &expectedContents,
7863 },
7864 },
7865 flags: []string{flag},
7866 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7867
7868 // If the parse callback fails, the handshake should also fail.
7869 testCases = append(testCases, testCase{
7870 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7871 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7872 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7873 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7874 Bugs: ProtocolBugs{
7875 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7876 ExpectedCustomExtension: &expectedContents,
7877 },
7878 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7879 flags: []string{flag},
7880 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7881 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7882 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7883 testCases = append(testCases, testCase{
7884 testType: testType,
7885 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7886 config: Config{
7887 MaxVersion: VersionTLS13,
7888 Bugs: ProtocolBugs{
7889 CustomExtension: expectedContents + "foo",
7890 ExpectedCustomExtension: &expectedContents,
7891 },
7892 },
7893 flags: []string{flag},
7894 shouldFail: true,
7895 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7896 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7897
7898 // If the add callback fails, the handshake should also fail.
7899 testCases = append(testCases, testCase{
7900 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7901 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7902 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7903 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7904 Bugs: ProtocolBugs{
7905 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7906 ExpectedCustomExtension: &expectedContents,
7907 },
7908 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7909 flags: []string{flag, "-custom-extension-fail-add"},
7910 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7911 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7912 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7913 testCases = append(testCases, testCase{
7914 testType: testType,
7915 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7916 config: Config{
7917 MaxVersion: VersionTLS13,
7918 Bugs: ProtocolBugs{
7919 CustomExtension: expectedContents,
7920 ExpectedCustomExtension: &expectedContents,
7921 },
7922 },
7923 flags: []string{flag, "-custom-extension-fail-add"},
7924 shouldFail: true,
7925 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7926 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7927
7928 // If the add callback returns zero, no extension should be
7929 // added.
7930 skipCustomExtension := expectedContents
7931 if isClient {
7932 // For the case where the client skips sending the
7933 // custom extension, the server must not “echo” it.
7934 skipCustomExtension = ""
7935 }
7936 testCases = append(testCases, testCase{
7937 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7938 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7939 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7940 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7941 Bugs: ProtocolBugs{
7942 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7943 ExpectedCustomExtension: &emptyString,
7944 },
7945 },
7946 flags: []string{flag, "-custom-extension-skip"},
7947 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7948 testCases = append(testCases, testCase{
7949 testType: testType,
7950 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7951 config: Config{
7952 MaxVersion: VersionTLS13,
7953 Bugs: ProtocolBugs{
7954 CustomExtension: skipCustomExtension,
7955 ExpectedCustomExtension: &emptyString,
7956 },
7957 },
7958 flags: []string{flag, "-custom-extension-skip"},
7959 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7960 }
7961
7962 // The custom extension add callback should not be called if the client
7963 // doesn't send the extension.
7964 testCases = append(testCases, testCase{
7965 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7966 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7967 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7968 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7969 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7970 ExpectedCustomExtension: &emptyString,
7971 },
7972 },
7973 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7974 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7975
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7976 testCases = append(testCases, testCase{
7977 testType: serverTest,
7978 name: "CustomExtensions-NotCalled-Server-TLS13",
7979 config: Config{
7980 MaxVersion: VersionTLS13,
7981 Bugs: ProtocolBugs{
7982 ExpectedCustomExtension: &emptyString,
7983 },
7984 },
7985 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7986 })
7987
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7988 // Test an unknown extension from the server.
7989 testCases = append(testCases, testCase{
7990 testType: clientTest,
7991 name: "UnknownExtension-Client",
7992 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7993 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7994 Bugs: ProtocolBugs{
7995 CustomExtension: expectedContents,
7996 },
7997 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7998 shouldFail: true,
7999 expectedError: ":UNEXPECTED_EXTENSION:",
8000 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8001 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8002 testCases = append(testCases, testCase{
8003 testType: clientTest,
8004 name: "UnknownExtension-Client-TLS13",
8005 config: Config{
8006 MaxVersion: VersionTLS13,
8007 Bugs: ProtocolBugs{
8008 CustomExtension: expectedContents,
8009 },
8010 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8011 shouldFail: true,
8012 expectedError: ":UNEXPECTED_EXTENSION:",
8013 expectedLocalError: "remote error: unsupported extension",
8014 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8015 testCases = append(testCases, testCase{
8016 testType: clientTest,
8017 name: "UnknownUnencryptedExtension-Client-TLS13",
8018 config: Config{
8019 MaxVersion: VersionTLS13,
8020 Bugs: ProtocolBugs{
8021 CustomUnencryptedExtension: expectedContents,
8022 },
8023 },
8024 shouldFail: true,
8025 expectedError: ":UNEXPECTED_EXTENSION:",
8026 // The shim must send an alert, but alerts at this point do not
8027 // get successfully decrypted by the runner.
8028 expectedLocalError: "local error: bad record MAC",
8029 })
8030 testCases = append(testCases, testCase{
8031 testType: clientTest,
8032 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8033 config: Config{
8034 MaxVersion: VersionTLS13,
8035 Bugs: ProtocolBugs{
8036 SendUnencryptedALPN: "foo",
8037 },
8038 },
8039 flags: []string{
8040 "-advertise-alpn", "\x03foo\x03bar",
8041 },
8042 shouldFail: true,
8043 expectedError: ":UNEXPECTED_EXTENSION:",
8044 // The shim must send an alert, but alerts at this point do not
8045 // get successfully decrypted by the runner.
8046 expectedLocalError: "local error: bad record MAC",
8047 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8048
8049 // Test a known but unoffered extension from the server.
8050 testCases = append(testCases, testCase{
8051 testType: clientTest,
8052 name: "UnofferedExtension-Client",
8053 config: Config{
8054 MaxVersion: VersionTLS12,
8055 Bugs: ProtocolBugs{
8056 SendALPN: "alpn",
8057 },
8058 },
8059 shouldFail: true,
8060 expectedError: ":UNEXPECTED_EXTENSION:",
8061 expectedLocalError: "remote error: unsupported extension",
8062 })
8063 testCases = append(testCases, testCase{
8064 testType: clientTest,
8065 name: "UnofferedExtension-Client-TLS13",
8066 config: Config{
8067 MaxVersion: VersionTLS13,
8068 Bugs: ProtocolBugs{
8069 SendALPN: "alpn",
8070 },
8071 },
8072 shouldFail: true,
8073 expectedError: ":UNEXPECTED_EXTENSION:",
8074 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8075 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8076}
8077
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8078func addRSAClientKeyExchangeTests() {
8079 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8080 testCases = append(testCases, testCase{
8081 testType: serverTest,
8082 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8083 config: Config{
8084 // Ensure the ClientHello version and final
8085 // version are different, to detect if the
8086 // server uses the wrong one.
8087 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8088 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8089 Bugs: ProtocolBugs{
8090 BadRSAClientKeyExchange: bad,
8091 },
8092 },
8093 shouldFail: true,
8094 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8095 })
8096 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8097
8098 // The server must compare whatever was in ClientHello.version for the
8099 // RSA premaster.
8100 testCases = append(testCases, testCase{
8101 testType: serverTest,
8102 name: "SendClientVersion-RSA",
8103 config: Config{
8104 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8105 Bugs: ProtocolBugs{
8106 SendClientVersion: 0x1234,
8107 },
8108 },
8109 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8110 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8111}
8112
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8113var testCurves = []struct {
8114 name string
8115 id CurveID
8116}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8117 {"P-256", CurveP256},
8118 {"P-384", CurveP384},
8119 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8120 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8121}
8122
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8123const bogusCurve = 0x1234
8124
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8125func addCurveTests() {
8126 for _, curve := range testCurves {
8127 testCases = append(testCases, testCase{
8128 name: "CurveTest-Client-" + curve.name,
8129 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8130 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8131 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8132 CurvePreferences: []CurveID{curve.id},
8133 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8134 flags: []string{
8135 "-enable-all-curves",
8136 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8137 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8138 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8139 })
8140 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8141 name: "CurveTest-Client-" + curve.name + "-TLS13",
8142 config: Config{
8143 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8144 CurvePreferences: []CurveID{curve.id},
8145 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8146 flags: []string{
8147 "-enable-all-curves",
8148 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8149 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8150 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8151 })
8152 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8153 testType: serverTest,
8154 name: "CurveTest-Server-" + curve.name,
8155 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8156 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8157 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8158 CurvePreferences: []CurveID{curve.id},
8159 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8160 flags: []string{
8161 "-enable-all-curves",
8162 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8163 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8164 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8165 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8166 testCases = append(testCases, testCase{
8167 testType: serverTest,
8168 name: "CurveTest-Server-" + curve.name + "-TLS13",
8169 config: Config{
8170 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8171 CurvePreferences: []CurveID{curve.id},
8172 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8173 flags: []string{
8174 "-enable-all-curves",
8175 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8176 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8177 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8178 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8179 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8180
8181 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8182 testCases = append(testCases, testCase{
8183 testType: serverTest,
8184 name: "UnknownCurve",
8185 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8186 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8187 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8188 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8189 },
8190 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8191
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8192 // The server must be tolerant to bogus curves.
8193 testCases = append(testCases, testCase{
8194 testType: serverTest,
8195 name: "UnknownCurve-TLS13",
8196 config: Config{
8197 MaxVersion: VersionTLS13,
8198 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8199 },
8200 })
8201
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8202 // The server must not consider ECDHE ciphers when there are no
8203 // supported curves.
8204 testCases = append(testCases, testCase{
8205 testType: serverTest,
8206 name: "NoSupportedCurves",
8207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8208 MaxVersion: VersionTLS12,
8209 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8210 Bugs: ProtocolBugs{
8211 NoSupportedCurves: true,
8212 },
8213 },
8214 shouldFail: true,
8215 expectedError: ":NO_SHARED_CIPHER:",
8216 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8217 testCases = append(testCases, testCase{
8218 testType: serverTest,
8219 name: "NoSupportedCurves-TLS13",
8220 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8221 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8222 Bugs: ProtocolBugs{
8223 NoSupportedCurves: true,
8224 },
8225 },
8226 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8227 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8228 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8229
8230 // The server must fall back to another cipher when there are no
8231 // supported curves.
8232 testCases = append(testCases, testCase{
8233 testType: serverTest,
8234 name: "NoCommonCurves",
8235 config: Config{
8236 MaxVersion: VersionTLS12,
8237 CipherSuites: []uint16{
8238 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8239 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8240 },
8241 CurvePreferences: []CurveID{CurveP224},
8242 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8243 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8244 })
8245
8246 // The client must reject bogus curves and disabled curves.
8247 testCases = append(testCases, testCase{
8248 name: "BadECDHECurve",
8249 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8250 MaxVersion: VersionTLS12,
8251 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8252 Bugs: ProtocolBugs{
8253 SendCurve: bogusCurve,
8254 },
8255 },
8256 shouldFail: true,
8257 expectedError: ":WRONG_CURVE:",
8258 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8259 testCases = append(testCases, testCase{
8260 name: "BadECDHECurve-TLS13",
8261 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8262 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8263 Bugs: ProtocolBugs{
8264 SendCurve: bogusCurve,
8265 },
8266 },
8267 shouldFail: true,
8268 expectedError: ":WRONG_CURVE:",
8269 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8270
8271 testCases = append(testCases, testCase{
8272 name: "UnsupportedCurve",
8273 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8274 MaxVersion: VersionTLS12,
8275 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8276 CurvePreferences: []CurveID{CurveP256},
8277 Bugs: ProtocolBugs{
8278 IgnorePeerCurvePreferences: true,
8279 },
8280 },
8281 flags: []string{"-p384-only"},
8282 shouldFail: true,
8283 expectedError: ":WRONG_CURVE:",
8284 })
8285
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8286 testCases = append(testCases, testCase{
8287 // TODO(davidben): Add a TLS 1.3 version where
8288 // HelloRetryRequest requests an unsupported curve.
8289 name: "UnsupportedCurve-ServerHello-TLS13",
8290 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8291 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8292 CurvePreferences: []CurveID{CurveP384},
8293 Bugs: ProtocolBugs{
8294 SendCurve: CurveP256,
8295 },
8296 },
8297 flags: []string{"-p384-only"},
8298 shouldFail: true,
8299 expectedError: ":WRONG_CURVE:",
8300 })
8301
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8302 // Test invalid curve points.
8303 testCases = append(testCases, testCase{
8304 name: "InvalidECDHPoint-Client",
8305 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8306 MaxVersion: VersionTLS12,
8307 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8308 CurvePreferences: []CurveID{CurveP256},
8309 Bugs: ProtocolBugs{
8310 InvalidECDHPoint: true,
8311 },
8312 },
8313 shouldFail: true,
8314 expectedError: ":INVALID_ENCODING:",
8315 })
8316 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8317 name: "InvalidECDHPoint-Client-TLS13",
8318 config: Config{
8319 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8320 CurvePreferences: []CurveID{CurveP256},
8321 Bugs: ProtocolBugs{
8322 InvalidECDHPoint: true,
8323 },
8324 },
8325 shouldFail: true,
8326 expectedError: ":INVALID_ENCODING:",
8327 })
8328 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8329 testType: serverTest,
8330 name: "InvalidECDHPoint-Server",
8331 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8332 MaxVersion: VersionTLS12,
8333 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8334 CurvePreferences: []CurveID{CurveP256},
8335 Bugs: ProtocolBugs{
8336 InvalidECDHPoint: true,
8337 },
8338 },
8339 shouldFail: true,
8340 expectedError: ":INVALID_ENCODING:",
8341 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8342 testCases = append(testCases, testCase{
8343 testType: serverTest,
8344 name: "InvalidECDHPoint-Server-TLS13",
8345 config: Config{
8346 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8347 CurvePreferences: []CurveID{CurveP256},
8348 Bugs: ProtocolBugs{
8349 InvalidECDHPoint: true,
8350 },
8351 },
8352 shouldFail: true,
8353 expectedError: ":INVALID_ENCODING:",
8354 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8355
8356 // The previous curve ID should be reported on TLS 1.2 resumption.
8357 testCases = append(testCases, testCase{
8358 name: "CurveID-Resume-Client",
8359 config: Config{
8360 MaxVersion: VersionTLS12,
8361 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8362 CurvePreferences: []CurveID{CurveX25519},
8363 },
8364 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8365 resumeSession: true,
8366 })
8367 testCases = append(testCases, testCase{
8368 testType: serverTest,
8369 name: "CurveID-Resume-Server",
8370 config: Config{
8371 MaxVersion: VersionTLS12,
8372 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8373 CurvePreferences: []CurveID{CurveX25519},
8374 },
8375 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8376 resumeSession: true,
8377 })
8378
8379 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8380 // one should be reported.
8381 testCases = append(testCases, testCase{
8382 name: "CurveID-Resume-Client-TLS13",
8383 config: Config{
8384 MaxVersion: VersionTLS13,
8385 CurvePreferences: []CurveID{CurveX25519},
8386 },
8387 resumeConfig: &Config{
8388 MaxVersion: VersionTLS13,
8389 CurvePreferences: []CurveID{CurveP256},
8390 },
8391 flags: []string{
8392 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8393 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8394 },
8395 resumeSession: true,
8396 })
8397 testCases = append(testCases, testCase{
8398 testType: serverTest,
8399 name: "CurveID-Resume-Server-TLS13",
8400 config: Config{
8401 MaxVersion: VersionTLS13,
8402 CurvePreferences: []CurveID{CurveX25519},
8403 },
8404 resumeConfig: &Config{
8405 MaxVersion: VersionTLS13,
8406 CurvePreferences: []CurveID{CurveP256},
8407 },
8408 flags: []string{
8409 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8410 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8411 },
8412 resumeSession: true,
8413 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8414
8415 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8416 testCases = append(testCases, testCase{
8417 name: "PointFormat-ServerHello-TLS12",
8418 config: Config{
8419 MaxVersion: VersionTLS12,
8420 Bugs: ProtocolBugs{
8421 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8422 },
8423 },
8424 })
8425 testCases = append(testCases, testCase{
8426 name: "PointFormat-EncryptedExtensions-TLS13",
8427 config: Config{
8428 MaxVersion: VersionTLS13,
8429 Bugs: ProtocolBugs{
8430 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8431 },
8432 },
8433 shouldFail: true,
8434 expectedError: ":ERROR_PARSING_EXTENSION:",
8435 })
8436
8437 // Test that we tolerate unknown point formats, as long as
8438 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8439 // check they are still functional.
8440 testCases = append(testCases, testCase{
8441 name: "PointFormat-Client-Tolerance",
8442 config: Config{
8443 MaxVersion: VersionTLS12,
8444 Bugs: ProtocolBugs{
8445 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8446 },
8447 },
8448 })
8449 testCases = append(testCases, testCase{
8450 testType: serverTest,
8451 name: "PointFormat-Server-Tolerance",
8452 config: Config{
8453 MaxVersion: VersionTLS12,
8454 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8455 Bugs: ProtocolBugs{
8456 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8457 },
8458 },
8459 })
8460
8461 // Test TLS 1.2 does not require the point format extension to be
8462 // present.
8463 testCases = append(testCases, testCase{
8464 name: "PointFormat-Client-Missing",
8465 config: Config{
8466 MaxVersion: VersionTLS12,
8467 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8468 Bugs: ProtocolBugs{
8469 SendSupportedPointFormats: []byte{},
8470 },
8471 },
8472 })
8473 testCases = append(testCases, testCase{
8474 testType: serverTest,
8475 name: "PointFormat-Server-Missing",
8476 config: Config{
8477 MaxVersion: VersionTLS12,
8478 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8479 Bugs: ProtocolBugs{
8480 SendSupportedPointFormats: []byte{},
8481 },
8482 },
8483 })
8484
8485 // If the point format extension is present, uncompressed points must be
8486 // offered. BoringSSL requires this whether or not ECDHE is used.
8487 testCases = append(testCases, testCase{
8488 name: "PointFormat-Client-MissingUncompressed",
8489 config: Config{
8490 MaxVersion: VersionTLS12,
8491 Bugs: ProtocolBugs{
8492 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8493 },
8494 },
8495 shouldFail: true,
8496 expectedError: ":ERROR_PARSING_EXTENSION:",
8497 })
8498 testCases = append(testCases, testCase{
8499 testType: serverTest,
8500 name: "PointFormat-Server-MissingUncompressed",
8501 config: Config{
8502 MaxVersion: VersionTLS12,
8503 Bugs: ProtocolBugs{
8504 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8505 },
8506 },
8507 shouldFail: true,
8508 expectedError: ":ERROR_PARSING_EXTENSION:",
8509 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8510}
8511
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8512func addTLS13RecordTests() {
8513 testCases = append(testCases, testCase{
8514 name: "TLS13-RecordPadding",
8515 config: Config{
8516 MaxVersion: VersionTLS13,
8517 MinVersion: VersionTLS13,
8518 Bugs: ProtocolBugs{
8519 RecordPadding: 10,
8520 },
8521 },
8522 })
8523
8524 testCases = append(testCases, testCase{
8525 name: "TLS13-EmptyRecords",
8526 config: Config{
8527 MaxVersion: VersionTLS13,
8528 MinVersion: VersionTLS13,
8529 Bugs: ProtocolBugs{
8530 OmitRecordContents: true,
8531 },
8532 },
8533 shouldFail: true,
8534 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8535 })
8536
8537 testCases = append(testCases, testCase{
8538 name: "TLS13-OnlyPadding",
8539 config: Config{
8540 MaxVersion: VersionTLS13,
8541 MinVersion: VersionTLS13,
8542 Bugs: ProtocolBugs{
8543 OmitRecordContents: true,
8544 RecordPadding: 10,
8545 },
8546 },
8547 shouldFail: true,
8548 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8549 })
8550
8551 testCases = append(testCases, testCase{
8552 name: "TLS13-WrongOuterRecord",
8553 config: Config{
8554 MaxVersion: VersionTLS13,
8555 MinVersion: VersionTLS13,
8556 Bugs: ProtocolBugs{
8557 OuterRecordType: recordTypeHandshake,
8558 },
8559 },
8560 shouldFail: true,
8561 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8562 })
8563}
8564
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8565func addSessionTicketTests() {
8566 testCases = append(testCases, testCase{
8567 // In TLS 1.2 and below, empty NewSessionTicket messages
8568 // mean the server changed its mind on sending a ticket.
8569 name: "SendEmptySessionTicket",
8570 config: Config{
8571 MaxVersion: VersionTLS12,
8572 Bugs: ProtocolBugs{
8573 SendEmptySessionTicket: true,
8574 },
8575 },
8576 flags: []string{"-expect-no-session"},
8577 })
8578
8579 // Test that the server ignores unknown PSK modes.
8580 testCases = append(testCases, testCase{
8581 testType: serverTest,
8582 name: "TLS13-SendUnknownModeSessionTicket-Server",
8583 config: Config{
8584 MaxVersion: VersionTLS13,
8585 Bugs: ProtocolBugs{
8586 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8587 },
8588 },
8589 resumeSession: true,
8590 expectedResumeVersion: VersionTLS13,
8591 })
8592
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8593 // Test that the server does not send session tickets with no matching key exchange mode.
8594 testCases = append(testCases, testCase{
8595 testType: serverTest,
8596 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8597 config: Config{
8598 MaxVersion: VersionTLS13,
8599 Bugs: ProtocolBugs{
8600 SendPSKKeyExchangeModes: []byte{0x1a},
8601 ExpectNoNewSessionTicket: true,
8602 },
8603 },
8604 })
8605
8606 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8607 testCases = append(testCases, testCase{
8608 testType: serverTest,
8609 name: "TLS13-SendBadKEModeSessionTicket-Server",
8610 config: Config{
8611 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8612 },
8613 resumeConfig: &Config{
8614 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8615 Bugs: ProtocolBugs{
8616 SendPSKKeyExchangeModes: []byte{0x1a},
8617 },
8618 },
8619 resumeSession: true,
8620 expectResumeRejected: true,
8621 })
8622
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8623 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8624 testCases = append(testCases, testCase{
8625 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8626 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8627 config: Config{
8628 MaxVersion: VersionTLS13,
8629 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8630 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8631 },
8632 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8633 resumeSession: true,
8634 flags: []string{
8635 "-resumption-delay", "10",
8636 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8637 })
8638
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8639 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8640 testCases = append(testCases, testCase{
8641 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8642 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8643 config: Config{
8644 MaxVersion: VersionTLS13,
8645 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8646 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8647 },
8648 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8649 resumeSession: true,
8650 shouldFail: true,
8651 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8652 })
8653
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8654 // Test that the server's ticket age skew reporting works.
8655 testCases = append(testCases, testCase{
8656 testType: serverTest,
8657 name: "TLS13-TicketAgeSkew-Forward",
8658 config: Config{
8659 MaxVersion: VersionTLS13,
8660 Bugs: ProtocolBugs{
8661 SendTicketAge: 15 * time.Second,
8662 },
8663 },
8664 resumeSession: true,
8665 flags: []string{
8666 "-resumption-delay", "10",
8667 "-expect-ticket-age-skew", "5",
8668 },
8669 })
8670 testCases = append(testCases, testCase{
8671 testType: serverTest,
8672 name: "TLS13-TicketAgeSkew-Backward",
8673 config: Config{
8674 MaxVersion: VersionTLS13,
8675 Bugs: ProtocolBugs{
8676 SendTicketAge: 5 * time.Second,
8677 },
8678 },
8679 resumeSession: true,
8680 flags: []string{
8681 "-resumption-delay", "10",
8682 "-expect-ticket-age-skew", "-5",
8683 },
8684 })
8685
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8686 testCases = append(testCases, testCase{
8687 testType: clientTest,
8688 name: "TLS13-SendTicketEarlyDataInfo",
8689 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8690 MaxVersion: VersionTLS13,
8691 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8692 },
8693 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8694 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8695 "-expect-early-data-info",
8696 },
8697 })
8698
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8699 // Test that 0-RTT tickets are ignored in clients unless opted in.
8700 testCases = append(testCases, testCase{
8701 testType: clientTest,
8702 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8703 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8704 MaxVersion: VersionTLS13,
8705 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8706 },
8707 })
8708
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8709 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8710 testType: clientTest,
8711 name: "TLS13-DuplicateTicketEarlyDataInfo",
8712 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8713 MaxVersion: VersionTLS13,
8714 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8715 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8716 DuplicateTicketEarlyDataInfo: true,
8717 },
8718 },
8719 shouldFail: true,
8720 expectedError: ":DUPLICATE_EXTENSION:",
8721 expectedLocalError: "remote error: illegal parameter",
8722 })
8723
8724 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8725 testType: serverTest,
8726 name: "TLS13-ExpectTicketEarlyDataInfo",
8727 config: Config{
8728 MaxVersion: VersionTLS13,
8729 Bugs: ProtocolBugs{
8730 ExpectTicketEarlyDataInfo: true,
8731 },
8732 },
8733 flags: []string{
8734 "-enable-early-data",
8735 },
8736 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8737
8738 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8739 // is honored.
8740 testCases = append(testCases, testCase{
8741 testType: clientTest,
8742 name: "TLS13-HonorServerSessionTicketLifetime",
8743 config: Config{
8744 MaxVersion: VersionTLS13,
8745 Bugs: ProtocolBugs{
8746 SendTicketLifetime: 20 * time.Second,
8747 },
8748 },
8749 flags: []string{
8750 "-resumption-delay", "19",
8751 },
8752 resumeSession: true,
8753 })
8754 testCases = append(testCases, testCase{
8755 testType: clientTest,
8756 name: "TLS13-HonorServerSessionTicketLifetime-2",
8757 config: Config{
8758 MaxVersion: VersionTLS13,
8759 Bugs: ProtocolBugs{
8760 SendTicketLifetime: 20 * time.Second,
8761 // The client should not offer the expired session.
8762 ExpectNoTLS13PSK: true,
8763 },
8764 },
8765 flags: []string{
8766 "-resumption-delay", "21",
8767 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]8768 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8769 expectResumeRejected: true,
8770 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8771}
8772
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8773func addChangeCipherSpecTests() {
8774 // Test missing ChangeCipherSpecs.
8775 testCases = append(testCases, testCase{
8776 name: "SkipChangeCipherSpec-Client",
8777 config: Config{
8778 MaxVersion: VersionTLS12,
8779 Bugs: ProtocolBugs{
8780 SkipChangeCipherSpec: true,
8781 },
8782 },
8783 shouldFail: true,
8784 expectedError: ":UNEXPECTED_RECORD:",
8785 })
8786 testCases = append(testCases, testCase{
8787 testType: serverTest,
8788 name: "SkipChangeCipherSpec-Server",
8789 config: Config{
8790 MaxVersion: VersionTLS12,
8791 Bugs: ProtocolBugs{
8792 SkipChangeCipherSpec: true,
8793 },
8794 },
8795 shouldFail: true,
8796 expectedError: ":UNEXPECTED_RECORD:",
8797 })
8798 testCases = append(testCases, testCase{
8799 testType: serverTest,
8800 name: "SkipChangeCipherSpec-Server-NPN",
8801 config: Config{
8802 MaxVersion: VersionTLS12,
8803 NextProtos: []string{"bar"},
8804 Bugs: ProtocolBugs{
8805 SkipChangeCipherSpec: true,
8806 },
8807 },
8808 flags: []string{
8809 "-advertise-npn", "\x03foo\x03bar\x03baz",
8810 },
8811 shouldFail: true,
8812 expectedError: ":UNEXPECTED_RECORD:",
8813 })
8814
8815 // Test synchronization between the handshake and ChangeCipherSpec.
8816 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8817 // rejected. Test both with and without handshake packing to handle both
8818 // when the partial post-CCS message is in its own record and when it is
8819 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8820 for _, packed := range []bool{false, true} {
8821 var suffix string
8822 if packed {
8823 suffix = "-Packed"
8824 }
8825
8826 testCases = append(testCases, testCase{
8827 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8828 config: Config{
8829 MaxVersion: VersionTLS12,
8830 Bugs: ProtocolBugs{
8831 FragmentAcrossChangeCipherSpec: true,
8832 PackHandshakeFlight: packed,
8833 },
8834 },
8835 shouldFail: true,
8836 expectedError: ":UNEXPECTED_RECORD:",
8837 })
8838 testCases = append(testCases, testCase{
8839 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8840 config: Config{
8841 MaxVersion: VersionTLS12,
8842 },
8843 resumeSession: true,
8844 resumeConfig: &Config{
8845 MaxVersion: VersionTLS12,
8846 Bugs: ProtocolBugs{
8847 FragmentAcrossChangeCipherSpec: true,
8848 PackHandshakeFlight: packed,
8849 },
8850 },
8851 shouldFail: true,
8852 expectedError: ":UNEXPECTED_RECORD:",
8853 })
8854 testCases = append(testCases, testCase{
8855 testType: serverTest,
8856 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8857 config: Config{
8858 MaxVersion: VersionTLS12,
8859 Bugs: ProtocolBugs{
8860 FragmentAcrossChangeCipherSpec: true,
8861 PackHandshakeFlight: packed,
8862 },
8863 },
8864 shouldFail: true,
8865 expectedError: ":UNEXPECTED_RECORD:",
8866 })
8867 testCases = append(testCases, testCase{
8868 testType: serverTest,
8869 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8870 config: Config{
8871 MaxVersion: VersionTLS12,
8872 },
8873 resumeSession: true,
8874 resumeConfig: &Config{
8875 MaxVersion: VersionTLS12,
8876 Bugs: ProtocolBugs{
8877 FragmentAcrossChangeCipherSpec: true,
8878 PackHandshakeFlight: packed,
8879 },
8880 },
8881 shouldFail: true,
8882 expectedError: ":UNEXPECTED_RECORD:",
8883 })
8884 testCases = append(testCases, testCase{
8885 testType: serverTest,
8886 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8887 config: Config{
8888 MaxVersion: VersionTLS12,
8889 NextProtos: []string{"bar"},
8890 Bugs: ProtocolBugs{
8891 FragmentAcrossChangeCipherSpec: true,
8892 PackHandshakeFlight: packed,
8893 },
8894 },
8895 flags: []string{
8896 "-advertise-npn", "\x03foo\x03bar\x03baz",
8897 },
8898 shouldFail: true,
8899 expectedError: ":UNEXPECTED_RECORD:",
8900 })
8901 }
8902
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8903 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8904 // messages in the handshake queue. Do this by testing the server
8905 // reading the client Finished, reversing the flight so Finished comes
8906 // first.
8907 testCases = append(testCases, testCase{
8908 protocol: dtls,
8909 testType: serverTest,
8910 name: "SendUnencryptedFinished-DTLS",
8911 config: Config{
8912 MaxVersion: VersionTLS12,
8913 Bugs: ProtocolBugs{
8914 SendUnencryptedFinished: true,
8915 ReverseHandshakeFragments: true,
8916 },
8917 },
8918 shouldFail: true,
8919 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8920 })
8921
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8922 // Test synchronization between encryption changes and the handshake in
8923 // TLS 1.3, where ChangeCipherSpec is implicit.
8924 testCases = append(testCases, testCase{
8925 name: "PartialEncryptedExtensionsWithServerHello",
8926 config: Config{
8927 MaxVersion: VersionTLS13,
8928 Bugs: ProtocolBugs{
8929 PartialEncryptedExtensionsWithServerHello: true,
8930 },
8931 },
8932 shouldFail: true,
8933 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8934 })
8935 testCases = append(testCases, testCase{
8936 testType: serverTest,
8937 name: "PartialClientFinishedWithClientHello",
8938 config: Config{
8939 MaxVersion: VersionTLS13,
8940 Bugs: ProtocolBugs{
8941 PartialClientFinishedWithClientHello: true,
8942 },
8943 },
8944 shouldFail: true,
8945 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8946 })
8947
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8948 // Test that early ChangeCipherSpecs are handled correctly.
8949 testCases = append(testCases, testCase{
8950 testType: serverTest,
8951 name: "EarlyChangeCipherSpec-server-1",
8952 config: Config{
8953 MaxVersion: VersionTLS12,
8954 Bugs: ProtocolBugs{
8955 EarlyChangeCipherSpec: 1,
8956 },
8957 },
8958 shouldFail: true,
8959 expectedError: ":UNEXPECTED_RECORD:",
8960 })
8961 testCases = append(testCases, testCase{
8962 testType: serverTest,
8963 name: "EarlyChangeCipherSpec-server-2",
8964 config: Config{
8965 MaxVersion: VersionTLS12,
8966 Bugs: ProtocolBugs{
8967 EarlyChangeCipherSpec: 2,
8968 },
8969 },
8970 shouldFail: true,
8971 expectedError: ":UNEXPECTED_RECORD:",
8972 })
8973 testCases = append(testCases, testCase{
8974 protocol: dtls,
8975 name: "StrayChangeCipherSpec",
8976 config: Config{
8977 // TODO(davidben): Once DTLS 1.3 exists, test
8978 // that stray ChangeCipherSpec messages are
8979 // rejected.
8980 MaxVersion: VersionTLS12,
8981 Bugs: ProtocolBugs{
8982 StrayChangeCipherSpec: true,
8983 },
8984 },
8985 })
8986
8987 // Test that the contents of ChangeCipherSpec are checked.
8988 testCases = append(testCases, testCase{
8989 name: "BadChangeCipherSpec-1",
8990 config: Config{
8991 MaxVersion: VersionTLS12,
8992 Bugs: ProtocolBugs{
8993 BadChangeCipherSpec: []byte{2},
8994 },
8995 },
8996 shouldFail: true,
8997 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8998 })
8999 testCases = append(testCases, testCase{
9000 name: "BadChangeCipherSpec-2",
9001 config: Config{
9002 MaxVersion: VersionTLS12,
9003 Bugs: ProtocolBugs{
9004 BadChangeCipherSpec: []byte{1, 1},
9005 },
9006 },
9007 shouldFail: true,
9008 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9009 })
9010 testCases = append(testCases, testCase{
9011 protocol: dtls,
9012 name: "BadChangeCipherSpec-DTLS-1",
9013 config: Config{
9014 MaxVersion: VersionTLS12,
9015 Bugs: ProtocolBugs{
9016 BadChangeCipherSpec: []byte{2},
9017 },
9018 },
9019 shouldFail: true,
9020 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9021 })
9022 testCases = append(testCases, testCase{
9023 protocol: dtls,
9024 name: "BadChangeCipherSpec-DTLS-2",
9025 config: Config{
9026 MaxVersion: VersionTLS12,
9027 Bugs: ProtocolBugs{
9028 BadChangeCipherSpec: []byte{1, 1},
9029 },
9030 },
9031 shouldFail: true,
9032 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9033 })
9034}
9035
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9036type perMessageTest struct {
9037 messageType uint8
9038 test testCase
9039}
9040
9041// makePerMessageTests returns a series of test templates which cover each
9042// message in the TLS handshake. These may be used with bugs like
9043// WrongMessageType to fully test a per-message bug.
9044func makePerMessageTests() []perMessageTest {
9045 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9046 for _, protocol := range []protocol{tls, dtls} {
9047 var suffix string
9048 if protocol == dtls {
9049 suffix = "-DTLS"
9050 }
9051
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9052 ret = append(ret, perMessageTest{
9053 messageType: typeClientHello,
9054 test: testCase{
9055 protocol: protocol,
9056 testType: serverTest,
9057 name: "ClientHello" + suffix,
9058 config: Config{
9059 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9060 },
9061 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9062 })
9063
9064 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9065 ret = append(ret, perMessageTest{
9066 messageType: typeHelloVerifyRequest,
9067 test: testCase{
9068 protocol: protocol,
9069 name: "HelloVerifyRequest" + suffix,
9070 config: Config{
9071 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9072 },
9073 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9074 })
9075 }
9076
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9077 ret = append(ret, perMessageTest{
9078 messageType: typeServerHello,
9079 test: testCase{
9080 protocol: protocol,
9081 name: "ServerHello" + suffix,
9082 config: Config{
9083 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9084 },
9085 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9086 })
9087
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9088 ret = append(ret, perMessageTest{
9089 messageType: typeCertificate,
9090 test: testCase{
9091 protocol: protocol,
9092 name: "ServerCertificate" + suffix,
9093 config: Config{
9094 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9095 },
9096 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9097 })
9098
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9099 ret = append(ret, perMessageTest{
9100 messageType: typeCertificateStatus,
9101 test: testCase{
9102 protocol: protocol,
9103 name: "CertificateStatus" + suffix,
9104 config: Config{
9105 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9106 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9107 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9108 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9109 })
9110
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9111 ret = append(ret, perMessageTest{
9112 messageType: typeServerKeyExchange,
9113 test: testCase{
9114 protocol: protocol,
9115 name: "ServerKeyExchange" + suffix,
9116 config: Config{
9117 MaxVersion: VersionTLS12,
9118 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9119 },
9120 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9121 })
9122
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9123 ret = append(ret, perMessageTest{
9124 messageType: typeCertificateRequest,
9125 test: testCase{
9126 protocol: protocol,
9127 name: "CertificateRequest" + suffix,
9128 config: Config{
9129 MaxVersion: VersionTLS12,
9130 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9131 },
9132 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9133 })
9134
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9135 ret = append(ret, perMessageTest{
9136 messageType: typeServerHelloDone,
9137 test: testCase{
9138 protocol: protocol,
9139 name: "ServerHelloDone" + suffix,
9140 config: Config{
9141 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9142 },
9143 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9144 })
9145
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9146 ret = append(ret, perMessageTest{
9147 messageType: typeCertificate,
9148 test: testCase{
9149 testType: serverTest,
9150 protocol: protocol,
9151 name: "ClientCertificate" + suffix,
9152 config: Config{
9153 Certificates: []Certificate{rsaCertificate},
9154 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9155 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9156 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9157 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9158 })
9159
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9160 ret = append(ret, perMessageTest{
9161 messageType: typeCertificateVerify,
9162 test: testCase{
9163 testType: serverTest,
9164 protocol: protocol,
9165 name: "CertificateVerify" + suffix,
9166 config: Config{
9167 Certificates: []Certificate{rsaCertificate},
9168 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9169 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9170 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9171 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9172 })
9173
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9174 ret = append(ret, perMessageTest{
9175 messageType: typeClientKeyExchange,
9176 test: testCase{
9177 testType: serverTest,
9178 protocol: protocol,
9179 name: "ClientKeyExchange" + suffix,
9180 config: Config{
9181 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9182 },
9183 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9184 })
9185
9186 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9187 ret = append(ret, perMessageTest{
9188 messageType: typeNextProtocol,
9189 test: testCase{
9190 testType: serverTest,
9191 protocol: protocol,
9192 name: "NextProtocol" + suffix,
9193 config: Config{
9194 MaxVersion: VersionTLS12,
9195 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9196 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9197 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9198 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9199 })
9200
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9201 ret = append(ret, perMessageTest{
9202 messageType: typeChannelID,
9203 test: testCase{
9204 testType: serverTest,
9205 protocol: protocol,
9206 name: "ChannelID" + suffix,
9207 config: Config{
9208 MaxVersion: VersionTLS12,
9209 ChannelID: channelIDKey,
9210 },
9211 flags: []string{
9212 "-expect-channel-id",
9213 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9214 },
9215 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9216 })
9217 }
9218
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9219 ret = append(ret, perMessageTest{
9220 messageType: typeFinished,
9221 test: testCase{
9222 testType: serverTest,
9223 protocol: protocol,
9224 name: "ClientFinished" + suffix,
9225 config: Config{
9226 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9227 },
9228 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9229 })
9230
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9231 ret = append(ret, perMessageTest{
9232 messageType: typeNewSessionTicket,
9233 test: testCase{
9234 protocol: protocol,
9235 name: "NewSessionTicket" + suffix,
9236 config: Config{
9237 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9238 },
9239 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9240 })
9241
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9242 ret = append(ret, perMessageTest{
9243 messageType: typeFinished,
9244 test: testCase{
9245 protocol: protocol,
9246 name: "ServerFinished" + suffix,
9247 config: Config{
9248 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9249 },
9250 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9251 })
9252
9253 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9254
9255 ret = append(ret, perMessageTest{
9256 messageType: typeClientHello,
9257 test: testCase{
9258 testType: serverTest,
9259 name: "TLS13-ClientHello",
9260 config: Config{
9261 MaxVersion: VersionTLS13,
9262 },
9263 },
9264 })
9265
9266 ret = append(ret, perMessageTest{
9267 messageType: typeServerHello,
9268 test: testCase{
9269 name: "TLS13-ServerHello",
9270 config: Config{
9271 MaxVersion: VersionTLS13,
9272 },
9273 },
9274 })
9275
9276 ret = append(ret, perMessageTest{
9277 messageType: typeEncryptedExtensions,
9278 test: testCase{
9279 name: "TLS13-EncryptedExtensions",
9280 config: Config{
9281 MaxVersion: VersionTLS13,
9282 },
9283 },
9284 })
9285
9286 ret = append(ret, perMessageTest{
9287 messageType: typeCertificateRequest,
9288 test: testCase{
9289 name: "TLS13-CertificateRequest",
9290 config: Config{
9291 MaxVersion: VersionTLS13,
9292 ClientAuth: RequireAnyClientCert,
9293 },
9294 },
9295 })
9296
9297 ret = append(ret, perMessageTest{
9298 messageType: typeCertificate,
9299 test: testCase{
9300 name: "TLS13-ServerCertificate",
9301 config: Config{
9302 MaxVersion: VersionTLS13,
9303 },
9304 },
9305 })
9306
9307 ret = append(ret, perMessageTest{
9308 messageType: typeCertificateVerify,
9309 test: testCase{
9310 name: "TLS13-ServerCertificateVerify",
9311 config: Config{
9312 MaxVersion: VersionTLS13,
9313 },
9314 },
9315 })
9316
9317 ret = append(ret, perMessageTest{
9318 messageType: typeFinished,
9319 test: testCase{
9320 name: "TLS13-ServerFinished",
9321 config: Config{
9322 MaxVersion: VersionTLS13,
9323 },
9324 },
9325 })
9326
9327 ret = append(ret, perMessageTest{
9328 messageType: typeCertificate,
9329 test: testCase{
9330 testType: serverTest,
9331 name: "TLS13-ClientCertificate",
9332 config: Config{
9333 Certificates: []Certificate{rsaCertificate},
9334 MaxVersion: VersionTLS13,
9335 },
9336 flags: []string{"-require-any-client-certificate"},
9337 },
9338 })
9339
9340 ret = append(ret, perMessageTest{
9341 messageType: typeCertificateVerify,
9342 test: testCase{
9343 testType: serverTest,
9344 name: "TLS13-ClientCertificateVerify",
9345 config: Config{
9346 Certificates: []Certificate{rsaCertificate},
9347 MaxVersion: VersionTLS13,
9348 },
9349 flags: []string{"-require-any-client-certificate"},
9350 },
9351 })
9352
9353 ret = append(ret, perMessageTest{
9354 messageType: typeFinished,
9355 test: testCase{
9356 testType: serverTest,
9357 name: "TLS13-ClientFinished",
9358 config: Config{
9359 MaxVersion: VersionTLS13,
9360 },
9361 },
9362 })
9363
9364 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9365}
9366
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9367func addWrongMessageTypeTests() {
9368 for _, t := range makePerMessageTests() {
9369 t.test.name = "WrongMessageType-" + t.test.name
9370 t.test.config.Bugs.SendWrongMessageType = t.messageType
9371 t.test.shouldFail = true
9372 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9373 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9374
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9375 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9376 // In TLS 1.3, a bad ServerHello means the client sends
9377 // an unencrypted alert while the server expects
9378 // encryption, so the alert is not readable by runner.
9379 t.test.expectedLocalError = "local error: bad record MAC"
9380 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9381
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9382 testCases = append(testCases, t.test)
9383 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9384}
9385
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9386func addTrailingMessageDataTests() {
9387 for _, t := range makePerMessageTests() {
9388 t.test.name = "TrailingMessageData-" + t.test.name
9389 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9390 t.test.shouldFail = true
9391 t.test.expectedError = ":DECODE_ERROR:"
9392 t.test.expectedLocalError = "remote error: error decoding message"
9393
9394 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9395 // In TLS 1.3, a bad ServerHello means the client sends
9396 // an unencrypted alert while the server expects
9397 // encryption, so the alert is not readable by runner.
9398 t.test.expectedLocalError = "local error: bad record MAC"
9399 }
9400
9401 if t.messageType == typeFinished {
9402 // Bad Finished messages read as the verify data having
9403 // the wrong length.
9404 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9405 t.test.expectedLocalError = "remote error: error decrypting message"
9406 }
9407
9408 testCases = append(testCases, t.test)
9409 }
9410}
9411
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9412func addTLS13HandshakeTests() {
9413 testCases = append(testCases, testCase{
9414 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9415 name: "NegotiatePSKResumption-TLS13",
9416 config: Config{
9417 MaxVersion: VersionTLS13,
9418 Bugs: ProtocolBugs{
9419 NegotiatePSKResumption: true,
9420 },
9421 },
9422 resumeSession: true,
9423 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9424 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9425 })
9426
9427 testCases = append(testCases, testCase{
9428 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9429 name: "MissingKeyShare-Client",
9430 config: Config{
9431 MaxVersion: VersionTLS13,
9432 Bugs: ProtocolBugs{
9433 MissingKeyShare: true,
9434 },
9435 },
9436 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9437 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9438 })
9439
9440 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9441 testType: serverTest,
9442 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9443 config: Config{
9444 MaxVersion: VersionTLS13,
9445 Bugs: ProtocolBugs{
9446 MissingKeyShare: true,
9447 },
9448 },
9449 shouldFail: true,
9450 expectedError: ":MISSING_KEY_SHARE:",
9451 })
9452
9453 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9454 testType: serverTest,
9455 name: "DuplicateKeyShares",
9456 config: Config{
9457 MaxVersion: VersionTLS13,
9458 Bugs: ProtocolBugs{
9459 DuplicateKeyShares: true,
9460 },
9461 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9462 shouldFail: true,
9463 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9464 })
9465
9466 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9467 testType: serverTest,
9468 name: "SkipEarlyData",
9469 config: Config{
9470 MaxVersion: VersionTLS13,
9471 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9472 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9473 },
9474 },
9475 })
9476
9477 testCases = append(testCases, testCase{
9478 testType: serverTest,
9479 name: "SkipEarlyData-OmitEarlyDataExtension",
9480 config: Config{
9481 MaxVersion: VersionTLS13,
9482 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9483 SendFakeEarlyDataLength: 4,
9484 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9485 },
9486 },
9487 shouldFail: true,
9488 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9489 })
9490
9491 testCases = append(testCases, testCase{
9492 testType: serverTest,
9493 name: "SkipEarlyData-TooMuchData",
9494 config: Config{
9495 MaxVersion: VersionTLS13,
9496 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9497 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9498 },
9499 },
9500 shouldFail: true,
9501 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9502 })
9503
9504 testCases = append(testCases, testCase{
9505 testType: serverTest,
9506 name: "SkipEarlyData-Interleaved",
9507 config: Config{
9508 MaxVersion: VersionTLS13,
9509 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9510 SendFakeEarlyDataLength: 4,
9511 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9512 },
9513 },
9514 shouldFail: true,
9515 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9516 })
9517
9518 testCases = append(testCases, testCase{
9519 testType: serverTest,
9520 name: "SkipEarlyData-EarlyDataInTLS12",
9521 config: Config{
9522 MaxVersion: VersionTLS13,
9523 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9524 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9525 },
9526 },
9527 shouldFail: true,
9528 expectedError: ":UNEXPECTED_RECORD:",
9529 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9530 })
9531
9532 testCases = append(testCases, testCase{
9533 testType: serverTest,
9534 name: "SkipEarlyData-HRR",
9535 config: Config{
9536 MaxVersion: VersionTLS13,
9537 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9538 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9539 },
9540 DefaultCurves: []CurveID{},
9541 },
9542 })
9543
9544 testCases = append(testCases, testCase{
9545 testType: serverTest,
9546 name: "SkipEarlyData-HRR-Interleaved",
9547 config: Config{
9548 MaxVersion: VersionTLS13,
9549 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9550 SendFakeEarlyDataLength: 4,
9551 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9552 },
9553 DefaultCurves: []CurveID{},
9554 },
9555 shouldFail: true,
9556 expectedError: ":UNEXPECTED_RECORD:",
9557 })
9558
9559 testCases = append(testCases, testCase{
9560 testType: serverTest,
9561 name: "SkipEarlyData-HRR-TooMuchData",
9562 config: Config{
9563 MaxVersion: VersionTLS13,
9564 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9565 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9566 },
9567 DefaultCurves: []CurveID{},
9568 },
9569 shouldFail: true,
9570 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9571 })
9572
9573 // Test that skipping early data looking for cleartext correctly
9574 // processes an alert record.
9575 testCases = append(testCases, testCase{
9576 testType: serverTest,
9577 name: "SkipEarlyData-HRR-FatalAlert",
9578 config: Config{
9579 MaxVersion: VersionTLS13,
9580 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9581 SendEarlyAlert: true,
9582 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9583 },
9584 DefaultCurves: []CurveID{},
9585 },
9586 shouldFail: true,
9587 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9588 })
9589
9590 testCases = append(testCases, testCase{
9591 testType: serverTest,
9592 name: "SkipEarlyData-SecondClientHelloEarlyData",
9593 config: Config{
9594 MaxVersion: VersionTLS13,
9595 Bugs: ProtocolBugs{
9596 SendEarlyDataOnSecondClientHello: true,
9597 },
9598 DefaultCurves: []CurveID{},
9599 },
9600 shouldFail: true,
9601 expectedLocalError: "remote error: bad record MAC",
9602 })
9603
9604 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9605 testType: clientTest,
9606 name: "EmptyEncryptedExtensions",
9607 config: Config{
9608 MaxVersion: VersionTLS13,
9609 Bugs: ProtocolBugs{
9610 EmptyEncryptedExtensions: true,
9611 },
9612 },
9613 shouldFail: true,
9614 expectedLocalError: "remote error: error decoding message",
9615 })
9616
9617 testCases = append(testCases, testCase{
9618 testType: clientTest,
9619 name: "EncryptedExtensionsWithKeyShare",
9620 config: Config{
9621 MaxVersion: VersionTLS13,
9622 Bugs: ProtocolBugs{
9623 EncryptedExtensionsWithKeyShare: true,
9624 },
9625 },
9626 shouldFail: true,
9627 expectedLocalError: "remote error: unsupported extension",
9628 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9629
9630 testCases = append(testCases, testCase{
9631 testType: serverTest,
9632 name: "SendHelloRetryRequest",
9633 config: Config{
9634 MaxVersion: VersionTLS13,
9635 // Require a HelloRetryRequest for every curve.
9636 DefaultCurves: []CurveID{},
9637 },
9638 expectedCurveID: CurveX25519,
9639 })
9640
9641 testCases = append(testCases, testCase{
9642 testType: serverTest,
9643 name: "SendHelloRetryRequest-2",
9644 config: Config{
9645 MaxVersion: VersionTLS13,
9646 DefaultCurves: []CurveID{CurveP384},
9647 },
9648 // Although the ClientHello did not predict our preferred curve,
9649 // we always select it whether it is predicted or not.
9650 expectedCurveID: CurveX25519,
9651 })
9652
9653 testCases = append(testCases, testCase{
9654 name: "UnknownCurve-HelloRetryRequest",
9655 config: Config{
9656 MaxVersion: VersionTLS13,
9657 // P-384 requires HelloRetryRequest in BoringSSL.
9658 CurvePreferences: []CurveID{CurveP384},
9659 Bugs: ProtocolBugs{
9660 SendHelloRetryRequestCurve: bogusCurve,
9661 },
9662 },
9663 shouldFail: true,
9664 expectedError: ":WRONG_CURVE:",
9665 })
9666
9667 testCases = append(testCases, testCase{
9668 name: "DisabledCurve-HelloRetryRequest",
9669 config: Config{
9670 MaxVersion: VersionTLS13,
9671 CurvePreferences: []CurveID{CurveP256},
9672 Bugs: ProtocolBugs{
9673 IgnorePeerCurvePreferences: true,
9674 },
9675 },
9676 flags: []string{"-p384-only"},
9677 shouldFail: true,
9678 expectedError: ":WRONG_CURVE:",
9679 })
9680
9681 testCases = append(testCases, testCase{
9682 name: "UnnecessaryHelloRetryRequest",
9683 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9684 MaxVersion: VersionTLS13,
9685 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9686 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9687 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9688 },
9689 },
9690 shouldFail: true,
9691 expectedError: ":WRONG_CURVE:",
9692 })
9693
9694 testCases = append(testCases, testCase{
9695 name: "SecondHelloRetryRequest",
9696 config: Config{
9697 MaxVersion: VersionTLS13,
9698 // P-384 requires HelloRetryRequest in BoringSSL.
9699 CurvePreferences: []CurveID{CurveP384},
9700 Bugs: ProtocolBugs{
9701 SecondHelloRetryRequest: true,
9702 },
9703 },
9704 shouldFail: true,
9705 expectedError: ":UNEXPECTED_MESSAGE:",
9706 })
9707
9708 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9709 name: "HelloRetryRequest-Empty",
9710 config: Config{
9711 MaxVersion: VersionTLS13,
9712 Bugs: ProtocolBugs{
9713 AlwaysSendHelloRetryRequest: true,
9714 },
9715 },
9716 shouldFail: true,
9717 expectedError: ":DECODE_ERROR:",
9718 })
9719
9720 testCases = append(testCases, testCase{
9721 name: "HelloRetryRequest-DuplicateCurve",
9722 config: Config{
9723 MaxVersion: VersionTLS13,
9724 // P-384 requires a HelloRetryRequest against BoringSSL's default
9725 // configuration. Assert this ExpectMissingKeyShare.
9726 CurvePreferences: []CurveID{CurveP384},
9727 Bugs: ProtocolBugs{
9728 ExpectMissingKeyShare: true,
9729 DuplicateHelloRetryRequestExtensions: true,
9730 },
9731 },
9732 shouldFail: true,
9733 expectedError: ":DUPLICATE_EXTENSION:",
9734 expectedLocalError: "remote error: illegal parameter",
9735 })
9736
9737 testCases = append(testCases, testCase{
9738 name: "HelloRetryRequest-Cookie",
9739 config: Config{
9740 MaxVersion: VersionTLS13,
9741 Bugs: ProtocolBugs{
9742 SendHelloRetryRequestCookie: []byte("cookie"),
9743 },
9744 },
9745 })
9746
9747 testCases = append(testCases, testCase{
9748 name: "HelloRetryRequest-DuplicateCookie",
9749 config: Config{
9750 MaxVersion: VersionTLS13,
9751 Bugs: ProtocolBugs{
9752 SendHelloRetryRequestCookie: []byte("cookie"),
9753 DuplicateHelloRetryRequestExtensions: true,
9754 },
9755 },
9756 shouldFail: true,
9757 expectedError: ":DUPLICATE_EXTENSION:",
9758 expectedLocalError: "remote error: illegal parameter",
9759 })
9760
9761 testCases = append(testCases, testCase{
9762 name: "HelloRetryRequest-EmptyCookie",
9763 config: Config{
9764 MaxVersion: VersionTLS13,
9765 Bugs: ProtocolBugs{
9766 SendHelloRetryRequestCookie: []byte{},
9767 },
9768 },
9769 shouldFail: true,
9770 expectedError: ":DECODE_ERROR:",
9771 })
9772
9773 testCases = append(testCases, testCase{
9774 name: "HelloRetryRequest-Cookie-Curve",
9775 config: Config{
9776 MaxVersion: VersionTLS13,
9777 // P-384 requires HelloRetryRequest in BoringSSL.
9778 CurvePreferences: []CurveID{CurveP384},
9779 Bugs: ProtocolBugs{
9780 SendHelloRetryRequestCookie: []byte("cookie"),
9781 ExpectMissingKeyShare: true,
9782 },
9783 },
9784 })
9785
9786 testCases = append(testCases, testCase{
9787 name: "HelloRetryRequest-Unknown",
9788 config: Config{
9789 MaxVersion: VersionTLS13,
9790 Bugs: ProtocolBugs{
9791 CustomHelloRetryRequestExtension: "extension",
9792 },
9793 },
9794 shouldFail: true,
9795 expectedError: ":UNEXPECTED_EXTENSION:",
9796 expectedLocalError: "remote error: unsupported extension",
9797 })
9798
9799 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9800 testType: serverTest,
9801 name: "SecondClientHelloMissingKeyShare",
9802 config: Config{
9803 MaxVersion: VersionTLS13,
9804 DefaultCurves: []CurveID{},
9805 Bugs: ProtocolBugs{
9806 SecondClientHelloMissingKeyShare: true,
9807 },
9808 },
9809 shouldFail: true,
9810 expectedError: ":MISSING_KEY_SHARE:",
9811 })
9812
9813 testCases = append(testCases, testCase{
9814 testType: serverTest,
9815 name: "SecondClientHelloWrongCurve",
9816 config: Config{
9817 MaxVersion: VersionTLS13,
9818 DefaultCurves: []CurveID{},
9819 Bugs: ProtocolBugs{
9820 MisinterpretHelloRetryRequestCurve: CurveP521,
9821 },
9822 },
9823 shouldFail: true,
9824 expectedError: ":WRONG_CURVE:",
9825 })
9826
9827 testCases = append(testCases, testCase{
9828 name: "HelloRetryRequestVersionMismatch",
9829 config: Config{
9830 MaxVersion: VersionTLS13,
9831 // P-384 requires HelloRetryRequest in BoringSSL.
9832 CurvePreferences: []CurveID{CurveP384},
9833 Bugs: ProtocolBugs{
9834 SendServerHelloVersion: 0x0305,
9835 },
9836 },
9837 shouldFail: true,
9838 expectedError: ":WRONG_VERSION_NUMBER:",
9839 })
9840
9841 testCases = append(testCases, testCase{
9842 name: "HelloRetryRequestCurveMismatch",
9843 config: Config{
9844 MaxVersion: VersionTLS13,
9845 // P-384 requires HelloRetryRequest in BoringSSL.
9846 CurvePreferences: []CurveID{CurveP384},
9847 Bugs: ProtocolBugs{
9848 // Send P-384 (correct) in the HelloRetryRequest.
9849 SendHelloRetryRequestCurve: CurveP384,
9850 // But send P-256 in the ServerHello.
9851 SendCurve: CurveP256,
9852 },
9853 },
9854 shouldFail: true,
9855 expectedError: ":WRONG_CURVE:",
9856 })
9857
9858 // Test the server selecting a curve that requires a HelloRetryRequest
9859 // without sending it.
9860 testCases = append(testCases, testCase{
9861 name: "SkipHelloRetryRequest",
9862 config: Config{
9863 MaxVersion: VersionTLS13,
9864 // P-384 requires HelloRetryRequest in BoringSSL.
9865 CurvePreferences: []CurveID{CurveP384},
9866 Bugs: ProtocolBugs{
9867 SkipHelloRetryRequest: true,
9868 },
9869 },
9870 shouldFail: true,
9871 expectedError: ":WRONG_CURVE:",
9872 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9873
9874 testCases = append(testCases, testCase{
9875 name: "TLS13-RequestContextInHandshake",
9876 config: Config{
9877 MaxVersion: VersionTLS13,
9878 MinVersion: VersionTLS13,
9879 ClientAuth: RequireAnyClientCert,
9880 Bugs: ProtocolBugs{
9881 SendRequestContext: []byte("request context"),
9882 },
9883 },
9884 flags: []string{
9885 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9886 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9887 },
9888 shouldFail: true,
9889 expectedError: ":DECODE_ERROR:",
9890 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9891
9892 testCases = append(testCases, testCase{
9893 testType: serverTest,
9894 name: "TLS13-TrailingKeyShareData",
9895 config: Config{
9896 MaxVersion: VersionTLS13,
9897 Bugs: ProtocolBugs{
9898 TrailingKeyShareData: true,
9899 },
9900 },
9901 shouldFail: true,
9902 expectedError: ":DECODE_ERROR:",
9903 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9904
9905 testCases = append(testCases, testCase{
9906 name: "TLS13-AlwaysSelectPSKIdentity",
9907 config: Config{
9908 MaxVersion: VersionTLS13,
9909 Bugs: ProtocolBugs{
9910 AlwaysSelectPSKIdentity: true,
9911 },
9912 },
9913 shouldFail: true,
9914 expectedError: ":UNEXPECTED_EXTENSION:",
9915 })
9916
9917 testCases = append(testCases, testCase{
9918 name: "TLS13-InvalidPSKIdentity",
9919 config: Config{
9920 MaxVersion: VersionTLS13,
9921 Bugs: ProtocolBugs{
9922 SelectPSKIdentityOnResume: 1,
9923 },
9924 },
9925 resumeSession: true,
9926 shouldFail: true,
9927 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9928 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9929
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9930 testCases = append(testCases, testCase{
9931 testType: serverTest,
9932 name: "TLS13-ExtraPSKIdentity",
9933 config: Config{
9934 MaxVersion: VersionTLS13,
9935 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9936 ExtraPSKIdentity: true,
9937 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9938 },
9939 },
9940 resumeSession: true,
9941 })
9942
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9943 // Test that unknown NewSessionTicket extensions are tolerated.
9944 testCases = append(testCases, testCase{
9945 name: "TLS13-CustomTicketExtension",
9946 config: Config{
9947 MaxVersion: VersionTLS13,
9948 Bugs: ProtocolBugs{
9949 CustomTicketExtension: "1234",
9950 },
9951 },
9952 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame^]9953
9954 // Test that we accept data-less early data.
9955 testCases = append(testCases, testCase{
9956 testType: serverTest,
9957 name: "TLS13-DataLessEarlyData-Server",
9958 config: Config{
9959 MaxVersion: VersionTLS13,
9960 Bugs: ProtocolBugs{
9961 SendEarlyData: [][]byte{},
9962 ExpectEarlyDataAccepted: true,
9963 },
9964 },
9965 resumeSession: true,
9966 flags: []string{
9967 "-enable-early-data",
9968 "-expect-accept-early-data",
9969 },
9970 })
9971
9972 testCases = append(testCases, testCase{
9973 testType: clientTest,
9974 name: "TLS13-DataLessEarlyData-Client",
9975 config: Config{
9976 MaxVersion: VersionTLS13,
9977 MaxEarlyDataSize: 16384,
9978 },
9979 resumeSession: true,
9980 flags: []string{
9981 "-enable-early-data",
9982 "-expect-early-data-info",
9983 "-expect-accept-early-data",
9984 },
9985 })
9986
9987 testCases = append(testCases, testCase{
9988 testType: clientTest,
9989 name: "TLS13-DataLessEarlyData-Reject-Client",
9990 config: Config{
9991 MaxVersion: VersionTLS13,
9992 MaxEarlyDataSize: 16384,
9993 },
9994 resumeConfig: &Config{
9995 MaxVersion: VersionTLS13,
9996 MaxEarlyDataSize: 16384,
9997 Bugs: ProtocolBugs{
9998 AlwaysRejectEarlyData: true,
9999 },
10000 },
10001 resumeSession: true,
10002 flags: []string{
10003 "-enable-early-data",
10004 "-expect-early-data-info",
10005 "-expect-reject-early-data",
10006 },
10007 })
10008
10009 testCases = append(testCases, testCase{
10010 testType: clientTest,
10011 name: "TLS13-DataLessEarlyData-HRR-Client",
10012 config: Config{
10013 MaxVersion: VersionTLS13,
10014 MaxEarlyDataSize: 16384,
10015 },
10016 resumeConfig: &Config{
10017 MaxVersion: VersionTLS13,
10018 MaxEarlyDataSize: 16384,
10019 Bugs: ProtocolBugs{
10020 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10021 },
10022 },
10023 resumeSession: true,
10024 flags: []string{
10025 "-enable-early-data",
10026 "-expect-early-data-info",
10027 "-expect-reject-early-data",
10028 },
10029 })
10030
10031 // The client must check the server does not send the early_data
10032 // extension while rejecting the session.
10033 testCases = append(testCases, testCase{
10034 testType: clientTest,
10035 name: "TLS13-EarlyDataWithoutResume-Client",
10036 config: Config{
10037 MaxVersion: VersionTLS13,
10038 MaxEarlyDataSize: 16384,
10039 },
10040 resumeConfig: &Config{
10041 MaxVersion: VersionTLS13,
10042 SessionTicketsDisabled: true,
10043 Bugs: ProtocolBugs{
10044 SendEarlyDataExtension: true,
10045 },
10046 },
10047 resumeSession: true,
10048 flags: []string{
10049 "-enable-early-data",
10050 "-expect-early-data-info",
10051 },
10052 shouldFail: true,
10053 expectedError: ":UNEXPECTED_EXTENSION:",
10054 })
10055
10056 // The client must fail with a dedicated error code if the server
10057 // responds with TLS 1.2 when offering 0-RTT.
10058 testCases = append(testCases, testCase{
10059 testType: clientTest,
10060 name: "TLS13-EarlyDataVersionDowngrade-Client",
10061 config: Config{
10062 MaxVersion: VersionTLS13,
10063 MaxEarlyDataSize: 16384,
10064 },
10065 resumeConfig: &Config{
10066 MaxVersion: VersionTLS12,
10067 },
10068 resumeSession: true,
10069 flags: []string{
10070 "-enable-early-data",
10071 "-expect-early-data-info",
10072 },
10073 shouldFail: true,
10074 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10075 })
10076
10077 // Test that the client rejects an (unsolicited) early_data extension if
10078 // the server sent an HRR.
10079 testCases = append(testCases, testCase{
10080 testType: clientTest,
10081 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10082 config: Config{
10083 MaxVersion: VersionTLS13,
10084 MaxEarlyDataSize: 16384,
10085 },
10086 resumeConfig: &Config{
10087 MaxVersion: VersionTLS13,
10088 MaxEarlyDataSize: 16384,
10089 Bugs: ProtocolBugs{
10090 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10091 SendEarlyDataExtension: true,
10092 },
10093 },
10094 resumeSession: true,
10095 flags: []string{
10096 "-enable-early-data",
10097 "-expect-early-data-info",
10098 },
10099 shouldFail: true,
10100 expectedError: ":UNEXPECTED_EXTENSION:",
10101 })
10102
10103 fooString := "foo"
10104 barString := "bar"
10105
10106 // Test that the client reports the correct ALPN after a 0-RTT reject
10107 // that changed it.
10108 testCases = append(testCases, testCase{
10109 testType: clientTest,
10110 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10111 config: Config{
10112 MaxVersion: VersionTLS13,
10113 MaxEarlyDataSize: 16384,
10114 Bugs: ProtocolBugs{
10115 ALPNProtocol: &fooString,
10116 },
10117 },
10118 resumeConfig: &Config{
10119 MaxVersion: VersionTLS13,
10120 MaxEarlyDataSize: 16384,
10121 Bugs: ProtocolBugs{
10122 ALPNProtocol: &barString,
10123 },
10124 },
10125 resumeSession: true,
10126 flags: []string{
10127 "-advertise-alpn", "\x03foo\x03bar",
10128 "-enable-early-data",
10129 "-expect-early-data-info",
10130 "-expect-reject-early-data",
10131 "-expect-alpn", "foo",
10132 "-expect-resume-alpn", "bar",
10133 },
10134 })
10135
10136 // Test that the client reports the correct ALPN after a 0-RTT reject if
10137 // ALPN was omitted from the first connection.
10138 testCases = append(testCases, testCase{
10139 testType: clientTest,
10140 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10141 config: Config{
10142 MaxVersion: VersionTLS13,
10143 MaxEarlyDataSize: 16384,
10144 },
10145 resumeConfig: &Config{
10146 MaxVersion: VersionTLS13,
10147 MaxEarlyDataSize: 16384,
10148 NextProtos: []string{"foo"},
10149 },
10150 resumeSession: true,
10151 flags: []string{
10152 "-advertise-alpn", "\x03foo\x03bar",
10153 "-enable-early-data",
10154 "-expect-early-data-info",
10155 "-expect-reject-early-data",
10156 "-expect-no-alpn",
10157 "-expect-resume-alpn", "foo",
10158 },
10159 })
10160
10161 // Test that the client reports the correct ALPN after a 0-RTT reject if
10162 // ALPN was omitted from the second connection.
10163 testCases = append(testCases, testCase{
10164 testType: clientTest,
10165 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10166 config: Config{
10167 MaxVersion: VersionTLS13,
10168 MaxEarlyDataSize: 16384,
10169 NextProtos: []string{"foo"},
10170 },
10171 resumeConfig: &Config{
10172 MaxVersion: VersionTLS13,
10173 MaxEarlyDataSize: 16384,
10174 },
10175 resumeSession: true,
10176 flags: []string{
10177 "-advertise-alpn", "\x03foo\x03bar",
10178 "-enable-early-data",
10179 "-expect-early-data-info",
10180 "-expect-reject-early-data",
10181 "-expect-alpn", "foo",
10182 "-expect-no-resume-alpn",
10183 },
10184 })
10185
10186 // Test that the client enforces ALPN match on 0-RTT accept.
10187 testCases = append(testCases, testCase{
10188 testType: clientTest,
10189 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10190 config: Config{
10191 MaxVersion: VersionTLS13,
10192 MaxEarlyDataSize: 16384,
10193 Bugs: ProtocolBugs{
10194 ALPNProtocol: &fooString,
10195 },
10196 },
10197 resumeConfig: &Config{
10198 MaxVersion: VersionTLS13,
10199 MaxEarlyDataSize: 16384,
10200 Bugs: ProtocolBugs{
10201 AlwaysAcceptEarlyData: true,
10202 ALPNProtocol: &barString,
10203 },
10204 },
10205 resumeSession: true,
10206 flags: []string{
10207 "-advertise-alpn", "\x03foo\x03bar",
10208 "-enable-early-data",
10209 "-expect-early-data-info",
10210 },
10211 shouldFail: true,
10212 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10213 })
10214
10215 // Test that the server correctly rejects 0-RTT when the previous
10216 // session did not allow early data on resumption.
10217 testCases = append(testCases, testCase{
10218 testType: serverTest,
10219 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10220 config: Config{
10221 MaxVersion: VersionTLS13,
10222 },
10223 resumeConfig: &Config{
10224 MaxVersion: VersionTLS13,
10225 Bugs: ProtocolBugs{
10226 SendEarlyData: [][]byte{{}},
10227 ExpectEarlyDataAccepted: false,
10228 },
10229 },
10230 resumeSession: true,
10231 flags: []string{
10232 "-enable-resume-early-data",
10233 "-expect-reject-early-data",
10234 },
10235 })
10236
10237 // Test that we reject early data where ALPN is omitted from the first
10238 // connection.
10239 testCases = append(testCases, testCase{
10240 testType: serverTest,
10241 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10242 config: Config{
10243 MaxVersion: VersionTLS13,
10244 NextProtos: []string{},
10245 },
10246 resumeConfig: &Config{
10247 MaxVersion: VersionTLS13,
10248 NextProtos: []string{"foo"},
10249 Bugs: ProtocolBugs{
10250 SendEarlyData: [][]byte{{}},
10251 ExpectEarlyDataAccepted: false,
10252 },
10253 },
10254 resumeSession: true,
10255 flags: []string{
10256 "-enable-early-data",
10257 "-select-alpn", "",
10258 "-select-resume-alpn", "foo",
10259 },
10260 })
10261
10262 // Test that we reject early data where ALPN is omitted from the second
10263 // connection.
10264 testCases = append(testCases, testCase{
10265 testType: serverTest,
10266 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10267 config: Config{
10268 MaxVersion: VersionTLS13,
10269 NextProtos: []string{"foo"},
10270 },
10271 resumeConfig: &Config{
10272 MaxVersion: VersionTLS13,
10273 NextProtos: []string{},
10274 Bugs: ProtocolBugs{
10275 SendEarlyData: [][]byte{{}},
10276 ExpectEarlyDataAccepted: false,
10277 },
10278 },
10279 resumeSession: true,
10280 flags: []string{
10281 "-enable-early-data",
10282 "-select-alpn", "foo",
10283 "-select-resume-alpn", "",
10284 },
10285 })
10286
10287 // Test that we reject early data with mismatched ALPN.
10288 testCases = append(testCases, testCase{
10289 testType: serverTest,
10290 name: "TLS13-EarlyData-ALPNMismatch-Server",
10291 config: Config{
10292 MaxVersion: VersionTLS13,
10293 NextProtos: []string{"foo"},
10294 },
10295 resumeConfig: &Config{
10296 MaxVersion: VersionTLS13,
10297 NextProtos: []string{"bar"},
10298 Bugs: ProtocolBugs{
10299 SendEarlyData: [][]byte{{}},
10300 ExpectEarlyDataAccepted: false,
10301 },
10302 },
10303 resumeSession: true,
10304 flags: []string{
10305 "-enable-early-data",
10306 "-select-alpn", "foo",
10307 "-select-resume-alpn", "bar",
10308 },
10309 })
10310
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10311}
10312
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10313func addTLS13CipherPreferenceTests() {
10314 // Test that client preference is honored if the shim has AES hardware
10315 // and ChaCha20-Poly1305 is preferred otherwise.
10316 testCases = append(testCases, testCase{
10317 testType: serverTest,
10318 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10319 config: Config{
10320 MaxVersion: VersionTLS13,
10321 CipherSuites: []uint16{
10322 TLS_CHACHA20_POLY1305_SHA256,
10323 TLS_AES_128_GCM_SHA256,
10324 },
10325 },
10326 flags: []string{
10327 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10328 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10329 },
10330 })
10331
10332 testCases = append(testCases, testCase{
10333 testType: serverTest,
10334 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10335 config: Config{
10336 MaxVersion: VersionTLS13,
10337 CipherSuites: []uint16{
10338 TLS_AES_128_GCM_SHA256,
10339 TLS_CHACHA20_POLY1305_SHA256,
10340 },
10341 },
10342 flags: []string{
10343 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10344 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10345 },
10346 })
10347
10348 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10349 // whether it has AES hardware.
10350 testCases = append(testCases, testCase{
10351 name: "TLS13-CipherPreference-Client",
10352 config: Config{
10353 MaxVersion: VersionTLS13,
10354 // Use the client cipher order. (This is the default but
10355 // is listed to be explicit.)
10356 PreferServerCipherSuites: false,
10357 },
10358 flags: []string{
10359 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10360 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10361 },
10362 })
10363}
10364
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10365func addPeekTests() {
10366 // Test SSL_peek works, including on empty records.
10367 testCases = append(testCases, testCase{
10368 name: "Peek-Basic",
10369 sendEmptyRecords: 1,
10370 flags: []string{"-peek-then-read"},
10371 })
10372
10373 // Test SSL_peek can drive the initial handshake.
10374 testCases = append(testCases, testCase{
10375 name: "Peek-ImplicitHandshake",
10376 flags: []string{
10377 "-peek-then-read",
10378 "-implicit-handshake",
10379 },
10380 })
10381
10382 // Test SSL_peek can discover and drive a renegotiation.
10383 testCases = append(testCases, testCase{
10384 name: "Peek-Renegotiate",
10385 config: Config{
10386 MaxVersion: VersionTLS12,
10387 },
10388 renegotiate: 1,
10389 flags: []string{
10390 "-peek-then-read",
10391 "-renegotiate-freely",
10392 "-expect-total-renegotiations", "1",
10393 },
10394 })
10395
10396 // Test SSL_peek can discover a close_notify.
10397 testCases = append(testCases, testCase{
10398 name: "Peek-Shutdown",
10399 config: Config{
10400 Bugs: ProtocolBugs{
10401 ExpectCloseNotify: true,
10402 },
10403 },
10404 flags: []string{
10405 "-peek-then-read",
10406 "-check-close-notify",
10407 },
10408 })
10409
10410 // Test SSL_peek can discover an alert.
10411 testCases = append(testCases, testCase{
10412 name: "Peek-Alert",
10413 config: Config{
10414 Bugs: ProtocolBugs{
10415 SendSpuriousAlert: alertRecordOverflow,
10416 },
10417 },
10418 flags: []string{"-peek-then-read"},
10419 shouldFail: true,
10420 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10421 })
10422
10423 // Test SSL_peek can handle KeyUpdate.
10424 testCases = append(testCases, testCase{
10425 name: "Peek-KeyUpdate",
10426 config: Config{
10427 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10428 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10429 sendKeyUpdates: 1,
10430 keyUpdateRequest: keyUpdateNotRequested,
10431 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10432 })
10433}
10434
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10435func addRecordVersionTests() {
10436 for _, ver := range tlsVersions {
10437 // Test that the record version is enforced.
10438 testCases = append(testCases, testCase{
10439 name: "CheckRecordVersion-" + ver.name,
10440 config: Config{
10441 MinVersion: ver.version,
10442 MaxVersion: ver.version,
10443 Bugs: ProtocolBugs{
10444 SendRecordVersion: 0x03ff,
10445 },
10446 },
10447 shouldFail: true,
10448 expectedError: ":WRONG_VERSION_NUMBER:",
10449 })
10450
10451 // Test that the ClientHello may use any record version, for
10452 // compatibility reasons.
10453 testCases = append(testCases, testCase{
10454 testType: serverTest,
10455 name: "LooseInitialRecordVersion-" + ver.name,
10456 config: Config{
10457 MinVersion: ver.version,
10458 MaxVersion: ver.version,
10459 Bugs: ProtocolBugs{
10460 SendInitialRecordVersion: 0x03ff,
10461 },
10462 },
10463 })
10464
10465 // Test that garbage ClientHello record versions are rejected.
10466 testCases = append(testCases, testCase{
10467 testType: serverTest,
10468 name: "GarbageInitialRecordVersion-" + ver.name,
10469 config: Config{
10470 MinVersion: ver.version,
10471 MaxVersion: ver.version,
10472 Bugs: ProtocolBugs{
10473 SendInitialRecordVersion: 0xffff,
10474 },
10475 },
10476 shouldFail: true,
10477 expectedError: ":WRONG_VERSION_NUMBER:",
10478 })
10479 }
10480}
10481
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10482func addCertificateTests() {
10483 // Test that a certificate chain with intermediate may be sent and
10484 // received as both client and server.
10485 for _, ver := range tlsVersions {
10486 testCases = append(testCases, testCase{
10487 testType: clientTest,
10488 name: "SendReceiveIntermediate-Client-" + ver.name,
10489 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10490 MinVersion: ver.version,
10491 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10492 Certificates: []Certificate{rsaChainCertificate},
10493 ClientAuth: RequireAnyClientCert,
10494 },
10495 expectPeerCertificate: &rsaChainCertificate,
10496 flags: []string{
10497 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10498 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10499 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10500 },
10501 })
10502
10503 testCases = append(testCases, testCase{
10504 testType: serverTest,
10505 name: "SendReceiveIntermediate-Server-" + ver.name,
10506 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10507 MinVersion: ver.version,
10508 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10509 Certificates: []Certificate{rsaChainCertificate},
10510 },
10511 expectPeerCertificate: &rsaChainCertificate,
10512 flags: []string{
10513 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10514 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10515 "-require-any-client-certificate",
10516 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10517 },
10518 })
10519 }
10520}
10521
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10522func addRetainOnlySHA256ClientCertTests() {
10523 for _, ver := range tlsVersions {
10524 // Test that enabling
10525 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10526 // actually requesting a client certificate is a no-op.
10527 testCases = append(testCases, testCase{
10528 testType: serverTest,
10529 name: "RetainOnlySHA256-NoCert-" + ver.name,
10530 config: Config{
10531 MinVersion: ver.version,
10532 MaxVersion: ver.version,
10533 },
10534 flags: []string{
10535 "-retain-only-sha256-client-cert-initial",
10536 "-retain-only-sha256-client-cert-resume",
10537 },
10538 resumeSession: true,
10539 })
10540
10541 // Test that when retaining only a SHA-256 certificate is
10542 // enabled, the hash appears as expected.
10543 testCases = append(testCases, testCase{
10544 testType: serverTest,
10545 name: "RetainOnlySHA256-Cert-" + ver.name,
10546 config: Config{
10547 MinVersion: ver.version,
10548 MaxVersion: ver.version,
10549 Certificates: []Certificate{rsaCertificate},
10550 },
10551 flags: []string{
10552 "-verify-peer",
10553 "-retain-only-sha256-client-cert-initial",
10554 "-retain-only-sha256-client-cert-resume",
10555 "-expect-sha256-client-cert-initial",
10556 "-expect-sha256-client-cert-resume",
10557 },
10558 resumeSession: true,
10559 })
10560
10561 // Test that when the config changes from on to off, a
10562 // resumption is rejected because the server now wants the full
10563 // certificate chain.
10564 testCases = append(testCases, testCase{
10565 testType: serverTest,
10566 name: "RetainOnlySHA256-OnOff-" + ver.name,
10567 config: Config{
10568 MinVersion: ver.version,
10569 MaxVersion: ver.version,
10570 Certificates: []Certificate{rsaCertificate},
10571 },
10572 flags: []string{
10573 "-verify-peer",
10574 "-retain-only-sha256-client-cert-initial",
10575 "-expect-sha256-client-cert-initial",
10576 },
10577 resumeSession: true,
10578 expectResumeRejected: true,
10579 })
10580
10581 // Test that when the config changes from off to on, a
10582 // resumption is rejected because the server now wants just the
10583 // hash.
10584 testCases = append(testCases, testCase{
10585 testType: serverTest,
10586 name: "RetainOnlySHA256-OffOn-" + ver.name,
10587 config: Config{
10588 MinVersion: ver.version,
10589 MaxVersion: ver.version,
10590 Certificates: []Certificate{rsaCertificate},
10591 },
10592 flags: []string{
10593 "-verify-peer",
10594 "-retain-only-sha256-client-cert-resume",
10595 "-expect-sha256-client-cert-resume",
10596 },
10597 resumeSession: true,
10598 expectResumeRejected: true,
10599 })
10600 }
10601}
10602
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10603func addECDSAKeyUsageTests() {
10604 p256 := elliptic.P256()
10605 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10606 if err != nil {
10607 panic(err)
10608 }
10609
10610 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10611 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10612 if err != nil {
10613 panic(err)
10614 }
10615
10616 template := x509.Certificate{
10617 SerialNumber: serialNumber,
10618 Subject: pkix.Name{
10619 Organization: []string{"Acme Co"},
10620 },
10621 NotBefore: time.Now(),
10622 NotAfter: time.Now(),
10623
10624 // An ECC certificate with only the keyAgreement key usgae may
10625 // be used with ECDH, but not ECDSA.
10626 KeyUsage: x509.KeyUsageKeyAgreement,
10627 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
10628 BasicConstraintsValid: true,
10629 }
10630
10631 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
10632 if err != nil {
10633 panic(err)
10634 }
10635
10636 cert := Certificate{
10637 Certificate: [][]byte{derBytes},
10638 PrivateKey: priv,
10639 }
10640
10641 for _, ver := range tlsVersions {
10642 if ver.version < VersionTLS12 {
10643 continue
10644 }
10645
10646 testCases = append(testCases, testCase{
10647 testType: clientTest,
10648 name: "ECDSAKeyUsage-" + ver.name,
10649 config: Config{
10650 MinVersion: ver.version,
10651 MaxVersion: ver.version,
10652 Certificates: []Certificate{cert},
10653 },
10654 shouldFail: true,
10655 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10656 })
10657 }
10658}
10659
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10660func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10661 defer wg.Done()
10662
10663 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10664 var err error
10665
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10666 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10667 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10668 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10669 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10670 if err != nil {
10671 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10672 }
10673 break
10674 }
10675 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10676 } else if *repeatUntilFailure {
10677 for err == nil {
10678 statusChan <- statusMsg{test: test, started: true}
10679 err = runTest(test, shimPath, -1)
10680 }
10681 } else {
10682 statusChan <- statusMsg{test: test, started: true}
10683 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10684 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10685 statusChan <- statusMsg{test: test, err: err}
10686 }
10687}
10688
10689type statusMsg struct {
10690 test *testCase
10691 started bool
10692 err error
10693}
10694
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10695func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10696 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10697
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10698 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10699 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10700 if !*pipe {
10701 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10702 var erase string
10703 for i := 0; i < lineLen; i++ {
10704 erase += "\b \b"
10705 }
10706 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10707 }
10708
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10709 if msg.started {
10710 started++
10711 } else {
10712 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10713
10714 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10715 if msg.err == errUnimplemented {
10716 if *pipe {
10717 // Print each test instead of a status line.
10718 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10719 }
10720 unimplemented++
10721 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10722 } else {
10723 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10724 failed++
10725 testOutput.addResult(msg.test.name, "FAIL")
10726 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10727 } else {
10728 if *pipe {
10729 // Print each test instead of a status line.
10730 fmt.Printf("PASSED (%s)\n", msg.test.name)
10731 }
10732 testOutput.addResult(msg.test.name, "PASS")
10733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10734 }
10735
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10736 if !*pipe {
10737 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10738 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10739 lineLen = len(line)
10740 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10741 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10742 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10743
10744 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10745}
10746
10747func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10748 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10749 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10750 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10751
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10752 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10753 addCipherSuiteTests()
10754 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10755 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10756 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10757 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10758 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10759 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10760 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10761 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10762 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10763 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10764 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10765 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10766 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10767 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10768 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10769 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10770 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10771 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10772 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10773 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10774 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10775 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10776 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10777 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10778 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10779 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10780 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10781 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10782 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10783 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10784 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10785 addECDSAKeyUsageTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10786
10787 var wg sync.WaitGroup
10788
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10789 statusChan := make(chan statusMsg, *numWorkers)
10790 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10791 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10792
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10793 if len(*shimConfigFile) != 0 {
10794 encoded, err := ioutil.ReadFile(*shimConfigFile)
10795 if err != nil {
10796 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10797 os.Exit(1)
10798 }
10799
10800 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10801 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10802 os.Exit(1)
10803 }
10804 }
10805
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10806 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10807
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10808 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10809 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10810 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10811 }
10812
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10813 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10814 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10815 matched := true
10816 if len(*testToRun) != 0 {
10817 var err error
10818 matched, err = filepath.Match(*testToRun, testCases[i].name)
10819 if err != nil {
10820 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10821 os.Exit(1)
10822 }
10823 }
10824
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10825 if !*includeDisabled {
10826 for pattern := range shimConfig.DisabledTests {
10827 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10828 if err != nil {
10829 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10830 os.Exit(1)
10831 }
10832
10833 if isDisabled {
10834 matched = false
10835 break
10836 }
10837 }
10838 }
10839
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10840 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10841 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10842 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10843
10844 // Only run one test if repeating until failure.
10845 if *repeatUntilFailure {
10846 break
10847 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10848 }
10849 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10850
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10851 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10852 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10853 os.Exit(1)
10854 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10855
10856 close(testChan)
10857 wg.Wait()
10858 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10859 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10860
10861 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10862
10863 if *jsonOutput != "" {
10864 if err := testOutput.writeTo(*jsonOutput); err != nil {
10865 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10866 }
10867 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10868
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10869 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10870 os.Exit(1)
10871 }
10872
10873 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10874 os.Exit(1)
10875 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10876}