Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / c1966801205f644bba603aa7ba61b604996cf9f4 / . / ssl / test / runner / runner.go
blob: 2da0bc5104fadf5b1cb0f36a32b2496b7a60cefb [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]70)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]71
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]72// ShimConfigurations is used with the “json” package and represents a shim
73// config file.
74type ShimConfiguration struct {
75 // DisabledTests maps from a glob-based pattern to a freeform string.
76 // The glob pattern is used to exclude tests from being run and the
77 // freeform string is unparsed but expected to explain why the test is
78 // disabled.
79 DisabledTests map[string]string
80
81 // ErrorMap maps from expected error strings to the correct error
82 // string for the shim in question. For example, it might map
83 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
84 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
85 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]86
87 // HalfRTTTickets is the number of half-RTT tickets the client should
88 // expect before half-RTT data when testing 0-RTT.
89 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]90}
91
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]92// Setup shimConfig defaults aligning with BoringSSL.
93var shimConfig ShimConfiguration = ShimConfiguration{
94 HalfRTTTickets: 2,
95}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]96
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]97type testCert int
98
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]99const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]100 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]103 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]104 testCertECDSAP256
105 testCertECDSAP384
106 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]107 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]108)
109
110const (
111 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]112 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]113 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]114 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]115 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
116 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
117 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]118 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]119)
120
121const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]122 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]123 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]124 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]125 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
127 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
128 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]129 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]130 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]131)
132
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]133var (
134 rsaCertificate Certificate
135 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]136 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]137 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]138 ecdsaP256Certificate Certificate
139 ecdsaP384Certificate Certificate
140 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]141 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]142)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]143
144var testCerts = []struct {
145 id testCert
146 certFile, keyFile string
147 cert *Certificate
148}{
149 {
150 id: testCertRSA,
151 certFile: rsaCertificateFile,
152 keyFile: rsaKeyFile,
153 cert: &rsaCertificate,
154 },
155 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]156 id: testCertRSA1024,
157 certFile: rsa1024CertificateFile,
158 keyFile: rsa1024KeyFile,
159 cert: &rsa1024Certificate,
160 },
161 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]162 id: testCertRSAChain,
163 certFile: rsaChainCertificateFile,
164 keyFile: rsaChainKeyFile,
165 cert: &rsaChainCertificate,
166 },
167 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]168 id: testCertECDSAP224,
169 certFile: ecdsaP224CertificateFile,
170 keyFile: ecdsaP224KeyFile,
171 cert: &ecdsaP224Certificate,
172 },
173 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]174 id: testCertECDSAP256,
175 certFile: ecdsaP256CertificateFile,
176 keyFile: ecdsaP256KeyFile,
177 cert: &ecdsaP256Certificate,
178 },
179 {
180 id: testCertECDSAP384,
181 certFile: ecdsaP384CertificateFile,
182 keyFile: ecdsaP384KeyFile,
183 cert: &ecdsaP384Certificate,
184 },
185 {
186 id: testCertECDSAP521,
187 certFile: ecdsaP521CertificateFile,
188 keyFile: ecdsaP521KeyFile,
189 cert: &ecdsaP521Certificate,
190 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]191 {
192 id: testCertEd25519,
193 certFile: ed25519CertificateFile,
194 keyFile: ed25519KeyFile,
195 cert: &ed25519Certificate,
196 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]197}
198
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]199var channelIDKey *ecdsa.PrivateKey
200var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]202var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]203var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]204
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]205var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]206var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]207
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]208func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]209 for i := range testCerts {
210 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
211 if err != nil {
212 panic(err)
213 }
214 cert.OCSPStaple = testOCSPResponse
215 cert.SignedCertificateTimestampList = testSCTList
216 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]217 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]218
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]219 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]220 if err != nil {
221 panic(err)
222 }
223 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
224 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
225 panic("bad key type")
226 }
227 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
228 if err != nil {
229 panic(err)
230 }
231 if channelIDKey.Curve != elliptic.P256() {
232 panic("bad curve")
233 }
234
235 channelIDBytes = make([]byte, 64)
236 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
237 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]238}
239
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]240func getRunnerCertificate(t testCert) Certificate {
241 for _, cert := range testCerts {
242 if cert.id == t {
243 return *cert.cert
244 }
245 }
246 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]247}
248
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]249func getShimCertificate(t testCert) string {
250 for _, cert := range testCerts {
251 if cert.id == t {
252 return cert.certFile
253 }
254 }
255 panic("Unknown test certificate")
256}
257
258func getShimKey(t testCert) string {
259 for _, cert := range testCerts {
260 if cert.id == t {
261 return cert.keyFile
262 }
263 }
264 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265}
266
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]267// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
268func encodeDERValues(values [][]byte) string {
269 var ret string
270 for i, v := range values {
271 if i > 0 {
272 ret += ","
273 }
274 ret += hex.EncodeToString(v)
275 }
276
277 return ret
278}
279
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]280type testType int
281
282const (
283 clientTest testType = iota
284 serverTest
285)
286
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]287type protocol int
288
289const (
290 tls protocol = iota
291 dtls
292)
293
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]294const (
295 alpn = 1
296 npn = 2
297)
298
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]300 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]301 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 name string
303 config Config
304 shouldFail bool
305 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]306 // expectedLocalError, if not empty, contains a substring that must be
307 // found in the local error.
308 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]309 // expectedVersion, if non-zero, specifies the TLS version that must be
310 // negotiated.
311 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]312 // expectedResumeVersion, if non-zero, specifies the TLS version that
313 // must be negotiated on resumption. If zero, expectedVersion is used.
314 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]315 // expectedCipher, if non-zero, specifies the TLS cipher suite that
316 // should be negotiated.
317 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]318 // expectChannelID controls whether the connection should have
319 // negotiated a Channel ID with channelIDKey.
320 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]321 // expectedNextProto controls whether the connection should
322 // negotiate a next protocol via NPN or ALPN.
323 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]324 // expectNoNextProto, if true, means that no next protocol should be
325 // negotiated.
326 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]327 // expectedNextProtoType, if non-zero, is the expected next
328 // protocol negotiation mechanism.
329 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]330 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
331 // should be negotiated. If zero, none should be negotiated.
332 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]333 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
334 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]335 // expectedSCTList, if not nil, is the expected SCT list to be received.
336 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]337 // expectedPeerSignatureAlgorithm, if not zero, is the signature
338 // algorithm that the peer should have used in the handshake.
339 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]340 // expectedCurveID, if not zero, is the curve that the handshake should
341 // have used.
342 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]343 // messageLen is the length, in bytes, of the test message that will be
344 // sent.
345 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]346 // messageCount is the number of test messages that will be sent.
347 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]348 // certFile is the path to the certificate to use for the server.
349 certFile string
350 // keyFile is the path to the private key to use for the server.
351 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]352 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]353 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]354 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]355 // resumeRenewedSession controls whether a third connection should be
356 // tested which attempts to resume the second connection's session.
357 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]358 // expectResumeRejected, if true, specifies that the attempted
359 // resumption must be rejected by the client. This is only valid for a
360 // serverTest.
361 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]362 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]363 // resumption. Unless newSessionsOnResume is set,
364 // SessionTicketKey, ServerSessionCache, and
365 // ClientSessionCache are copied from the initial connection's
366 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]367 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]368 // newSessionsOnResume, if true, will cause resumeConfig to
369 // use a different session resumption context.
370 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]371 // noSessionCache, if true, will cause the server to run without a
372 // session cache.
373 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]374 // sendPrefix sends a prefix on the socket before actually performing a
375 // handshake.
376 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]377 // shimWritesFirst controls whether the shim sends an initial "hello"
378 // message before doing a roundtrip with the runner.
379 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]380 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
381 // does not complete the write until responding to the first runner
382 // message.
383 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]384 // shimShutsDown, if true, runs a test where the shim shuts down the
385 // connection immediately after the handshake rather than echoing
386 // messages from the runner.
387 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]388 // renegotiate indicates the number of times the connection should be
389 // renegotiated during the exchange.
390 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]391 // sendHalfHelloRequest, if true, causes the server to send half a
392 // HelloRequest when the handshake completes.
393 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]394 // renegotiateCiphers is a list of ciphersuite ids that will be
395 // switched in just before renegotiation.
396 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]397 // replayWrites, if true, configures the underlying transport
398 // to replay every write it makes in DTLS tests.
399 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]400 // damageFirstWrite, if true, configures the underlying transport to
401 // damage the final byte of the first application data write.
402 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]403 // exportKeyingMaterial, if non-zero, configures the test to exchange
404 // keying material and verify they match.
405 exportKeyingMaterial int
406 exportLabel string
407 exportContext string
408 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]409 // flags, if not empty, contains a list of command-line flags that will
410 // be passed to the shim program.
411 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]412 // testTLSUnique, if true, causes the shim to send the tls-unique value
413 // which will be compared against the expected value.
414 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]415 // sendEmptyRecords is the number of consecutive empty records to send
416 // before and after the test message.
417 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]418 // sendWarningAlerts is the number of consecutive warning alerts to send
419 // before and after the test message.
420 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]421 // sendKeyUpdates is the number of consecutive key updates to send
422 // before and after the test message.
423 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]424 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
425 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]426 // expectMessageDropped, if true, means the test message is expected to
427 // be dropped by the client rather than echoed back.
428 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]429 // expectPeerCertificate, if not nil, is the certificate chain the peer
430 // is expected to send.
431 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]432}
433
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]434var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]435
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]436func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]437 if len(data) == 0 {
438 return
439 }
440
441 protocol := "tls"
442 if test.protocol == dtls {
443 protocol = "dtls"
444 }
445
446 side := "client"
447 if test.testType == serverTest {
448 side = "server"
449 }
450
451 dir := path.Join(*transcriptDir, protocol, side)
452 if err := os.MkdirAll(dir, 0755); err != nil {
453 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
454 return
455 }
456
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]457 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]458 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
459 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
460 }
461}
462
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]463// A timeoutConn implements an idle timeout on each Read and Write operation.
464type timeoutConn struct {
465 net.Conn
466 timeout time.Duration
467}
468
469func (t *timeoutConn) Read(b []byte) (int, error) {
470 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
471 return 0, err
472 }
473 return t.Conn.Read(b)
474}
475
476func (t *timeoutConn) Write(b []byte) (int, error) {
477 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
478 return 0, err
479 }
480 return t.Conn.Write(b)
481}
482
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]483func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]484 if !test.noSessionCache {
485 if config.ClientSessionCache == nil {
486 config.ClientSessionCache = NewLRUClientSessionCache(1)
487 }
488 if config.ServerSessionCache == nil {
489 config.ServerSessionCache = NewLRUServerSessionCache(1)
490 }
491 }
492 if test.testType == clientTest {
493 if len(config.Certificates) == 0 {
494 config.Certificates = []Certificate{rsaCertificate}
495 }
496 } else {
497 // Supply a ServerName to ensure a constant session cache key,
498 // rather than falling back to net.Conn.RemoteAddr.
499 if len(config.ServerName) == 0 {
500 config.ServerName = "test"
501 }
502 }
503 if *fuzzer {
504 config.Bugs.NullAllCiphers = true
505 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]506 if *deterministic {
507 config.Time = func() time.Time { return time.Unix(1234, 1234) }
508 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]509
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]510 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]511
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]512 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]513 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
514 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]515 }
516
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]517 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]518 local, peer := "client", "server"
519 if test.testType == clientTest {
520 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]521 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]522 connDebug := &recordingConn{
523 Conn: conn,
524 isDatagram: test.protocol == dtls,
525 local: local,
526 peer: peer,
527 }
528 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]529 if *flagDebug {
530 defer connDebug.WriteTo(os.Stdout)
531 }
532 if len(*transcriptDir) != 0 {
533 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]534 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]535 }()
536 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]537
538 if config.Bugs.PacketAdaptor != nil {
539 config.Bugs.PacketAdaptor.debug = connDebug
540 }
541 }
542
543 if test.replayWrites {
544 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]545 }
546
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]547 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]548 if test.damageFirstWrite {
549 connDamage = newDamageAdaptor(conn)
550 conn = connDamage
551 }
552
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]553 if test.sendPrefix != "" {
554 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
555 return err
556 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]557 }
558
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]559 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]560 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]561 if test.protocol == dtls {
562 tlsConn = DTLSServer(conn, config)
563 } else {
564 tlsConn = Server(conn, config)
565 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]566 } else {
567 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]568 if test.protocol == dtls {
569 tlsConn = DTLSClient(conn, config)
570 } else {
571 tlsConn = Client(conn, config)
572 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]573 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]574 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]575
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]576 if err := tlsConn.Handshake(); err != nil {
577 return err
578 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]579
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]580 // TODO(davidben): move all per-connection expectations into a dedicated
581 // expectations struct that can be specified separately for the two
582 // legs.
583 expectedVersion := test.expectedVersion
584 if isResume && test.expectedResumeVersion != 0 {
585 expectedVersion = test.expectedResumeVersion
586 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]587 connState := tlsConn.ConnectionState()
588 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]589 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]590 }
591
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]592 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]593 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
594 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]595 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
596 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
597 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]598
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]599 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]600 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]601 if channelID == nil {
602 return fmt.Errorf("no channel ID negotiated")
603 }
604 if channelID.Curve != channelIDKey.Curve ||
605 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
606 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
607 return fmt.Errorf("incorrect channel ID")
608 }
609 }
610
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]611 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]612 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]613 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
614 }
615 }
616
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]617 if test.expectNoNextProto {
618 if actual := connState.NegotiatedProtocol; actual != "" {
619 return fmt.Errorf("got unexpected next proto %s", actual)
620 }
621 }
622
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]623 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]624 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]625 return fmt.Errorf("next proto type mismatch")
626 }
627 }
628
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]629 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]630 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
631 }
632
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]633 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]634 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]635 }
636
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]637 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
638 return fmt.Errorf("SCT list mismatch")
639 }
640
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]641 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
642 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]643 }
644
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]645 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
646 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
647 }
648
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]649 if test.expectPeerCertificate != nil {
650 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
651 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
652 }
653 for i, cert := range connState.PeerCertificates {
654 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
655 return fmt.Errorf("peer certificate %d did not match", i+1)
656 }
657 }
658 }
659
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]660 if test.exportKeyingMaterial > 0 {
661 actual := make([]byte, test.exportKeyingMaterial)
662 if _, err := io.ReadFull(tlsConn, actual); err != nil {
663 return err
664 }
665 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
666 if err != nil {
667 return err
668 }
669 if !bytes.Equal(actual, expected) {
670 return fmt.Errorf("keying material mismatch")
671 }
672 }
673
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]674 if test.testTLSUnique {
675 var peersValue [12]byte
676 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
677 return err
678 }
679 expected := tlsConn.ConnectionState().TLSUnique
680 if !bytes.Equal(peersValue[:], expected) {
681 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
682 }
683 }
684
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]685 if test.sendHalfHelloRequest {
686 tlsConn.SendHalfHelloRequest()
687 }
688
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]689 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]690 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]691 // If readWithUnfinishedWrite is set, the shim prefix will be
692 // available later.
693 if shimPrefixPending && !test.readWithUnfinishedWrite {
694 var buf [5]byte
695 _, err := io.ReadFull(tlsConn, buf[:])
696 if err != nil {
697 return err
698 }
699 if string(buf[:]) != "hello" {
700 return fmt.Errorf("bad initial message")
701 }
702 shimPrefixPending = false
703 }
704
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]705 if test.renegotiateCiphers != nil {
706 config.CipherSuites = test.renegotiateCiphers
707 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]708 for i := 0; i < test.renegotiate; i++ {
709 if err := tlsConn.Renegotiate(); err != nil {
710 return err
711 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]712 }
713 } else if test.renegotiateCiphers != nil {
714 panic("renegotiateCiphers without renegotiate")
715 }
716
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]717 if test.damageFirstWrite {
718 connDamage.setDamage(true)
719 tlsConn.Write([]byte("DAMAGED WRITE"))
720 connDamage.setDamage(false)
721 }
722
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]723 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]724 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]725 if test.protocol == dtls {
726 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
727 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]728 // Read until EOF.
729 _, err := io.Copy(ioutil.Discard, tlsConn)
730 return err
731 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]732 if messageLen == 0 {
733 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]734 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]735
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]736 messageCount := test.messageCount
737 if messageCount == 0 {
738 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]739 }
740
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]741 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]742 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]743 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]744 }
745
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]746 for i := 0; i < test.sendEmptyRecords; i++ {
747 tlsConn.Write(nil)
748 }
749
750 for i := 0; i < test.sendWarningAlerts; i++ {
751 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
752 }
753
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]754 testMessage := make([]byte, messageLen)
755 for i := range testMessage {
756 testMessage[i] = 0x42 ^ byte(j)
757 }
758 tlsConn.Write(testMessage)
759
760 // Consume the shim prefix if needed.
761 if shimPrefixPending {
762 var buf [5]byte
763 _, err := io.ReadFull(tlsConn, buf[:])
764 if err != nil {
765 return err
766 }
767 if string(buf[:]) != "hello" {
768 return fmt.Errorf("bad initial message")
769 }
770 shimPrefixPending = false
771 }
772
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]773 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]774 // The shim will not respond.
775 continue
776 }
777
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]778 // Process the KeyUpdate ACK. However many KeyUpdates the runner
779 // sends, the shim should respond only once.
780 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
781 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
782 return err
783 }
784 }
785
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]786 buf := make([]byte, len(testMessage))
787 if test.protocol == dtls {
788 bufTmp := make([]byte, len(buf)+1)
789 n, err := tlsConn.Read(bufTmp)
790 if err != nil {
791 return err
792 }
793 if n != len(buf) {
794 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
795 }
796 copy(buf, bufTmp)
797 } else {
798 _, err := io.ReadFull(tlsConn, buf)
799 if err != nil {
800 return err
801 }
802 }
803
804 for i, v := range buf {
805 if v != testMessage[i]^0xff {
806 return fmt.Errorf("bad reply contents at byte %d", i)
807 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]808 }
809 }
810
811 return nil
812}
813
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]814func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]815 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]816 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]817 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]818 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]819 valgrindArgs = append(valgrindArgs, path)
820 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]821
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]822 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]823}
824
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]825func gdbOf(path string, args ...string) *exec.Cmd {
826 xtermArgs := []string{"-e", "gdb", "--args"}
827 xtermArgs = append(xtermArgs, path)
828 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]829
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]830 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]831}
832
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]833func lldbOf(path string, args ...string) *exec.Cmd {
834 xtermArgs := []string{"-e", "lldb", "--"}
835 xtermArgs = append(xtermArgs, path)
836 xtermArgs = append(xtermArgs, args...)
837
838 return exec.Command("xterm", xtermArgs...)
839}
840
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]841var (
842 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
843 errUnimplemented = errors.New("child process does not implement needed flags")
844)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]845
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]846// accept accepts a connection from listener, unless waitChan signals a process
847// exit first.
848func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
849 type connOrError struct {
850 conn net.Conn
851 err error
852 }
853 connChan := make(chan connOrError, 1)
854 go func() {
855 conn, err := listener.Accept()
856 connChan <- connOrError{conn, err}
857 close(connChan)
858 }()
859 select {
860 case result := <-connChan:
861 return result.conn, result.err
862 case childErr := <-waitChan:
863 waitChan <- childErr
864 return nil, fmt.Errorf("child exited early: %s", childErr)
865 }
866}
867
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]868func translateExpectedError(errorStr string) string {
869 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
870 return translated
871 }
872
873 if *looseErrors {
874 return ""
875 }
876
877 return errorStr
878}
879
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]880func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]881 // Help debugging panics on the Go side.
882 defer func() {
883 if r := recover(); r != nil {
884 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
885 panic(r)
886 }
887 }()
888
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]889 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
890 panic("Error expected without shouldFail in " + test.name)
891 }
892
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]893 if test.expectResumeRejected && !test.resumeSession {
894 panic("expectResumeRejected without resumeSession in " + test.name)
895 }
896
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]897 for _, ver := range tlsVersions {
898 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
899 continue
900 }
901
902 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
903 continue
904 }
905
906 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
907 }
908
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]909 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
910 if err != nil {
911 panic(err)
912 }
913 defer func() {
914 if listener != nil {
915 listener.Close()
916 }
917 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]918
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]919 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]920 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]921 flags = append(flags, "-server")
922
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]923 flags = append(flags, "-key-file")
924 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]925 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]926 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]927 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]928 }
929
930 flags = append(flags, "-cert-file")
931 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]932 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]933 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]934 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]935 }
936 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]937
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]938 if test.protocol == dtls {
939 flags = append(flags, "-dtls")
940 }
941
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]942 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]943 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]944 resumeCount++
945 if test.resumeRenewedSession {
946 resumeCount++
947 }
948 }
949
950 if resumeCount > 0 {
951 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]952 }
953
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]954 if test.shimWritesFirst {
955 flags = append(flags, "-shim-writes-first")
956 }
957
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]958 if test.readWithUnfinishedWrite {
959 flags = append(flags, "-read-with-unfinished-write")
960 }
961
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]962 if test.shimShutsDown {
963 flags = append(flags, "-shim-shuts-down")
964 }
965
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]966 if test.exportKeyingMaterial > 0 {
967 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
968 flags = append(flags, "-export-label", test.exportLabel)
969 flags = append(flags, "-export-context", test.exportContext)
970 if test.useExportContext {
971 flags = append(flags, "-use-export-context")
972 }
973 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]974 if test.expectResumeRejected {
975 flags = append(flags, "-expect-session-miss")
976 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]977
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]978 if test.testTLSUnique {
979 flags = append(flags, "-tls-unique")
980 }
981
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]982 flags = append(flags, test.flags...)
983
984 var shim *exec.Cmd
985 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]986 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]987 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]988 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]989 } else if *useLLDB {
990 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]991 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]992 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]993 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]994 shim.Stdin = os.Stdin
995 var stdoutBuf, stderrBuf bytes.Buffer
996 shim.Stdout = &stdoutBuf
997 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]999 shim.Env = os.Environ()
1000 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1002 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1003 }
1004 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1005 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1006
1007 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008 panic(err)
1009 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1010 waitChan := make(chan error, 1)
1011 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1012
1013 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1014
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1015 if *deterministic {
1016 config.Rand = &deterministicRand{}
1017 }
1018
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1019 conn, err := acceptOrWait(listener, waitChan)
1020 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1021 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1022 conn.Close()
1023 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1024
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1025 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1026 var resumeConfig Config
1027 if test.resumeConfig != nil {
1028 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1029 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1030 resumeConfig.SessionTicketKey = config.SessionTicketKey
1031 resumeConfig.ClientSessionCache = config.ClientSessionCache
1032 resumeConfig.ServerSessionCache = config.ServerSessionCache
1033 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1034 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1035 } else {
1036 resumeConfig = config
1037 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1038 var connResume net.Conn
1039 connResume, err = acceptOrWait(listener, waitChan)
1040 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1041 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1042 connResume.Close()
1043 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1044 }
1045
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1046 // Close the listener now. This is to avoid hangs should the shim try to
1047 // open more connections than expected.
1048 listener.Close()
1049 listener = nil
1050
1051 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1052 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1053 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1054 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1055 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1056 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1057 case 89:
1058 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1059 case 99:
1060 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1061 }
1062 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1063
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1064 // Account for Windows line endings.
1065 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1066 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1067
1068 // Separate the errors from the shim and those from tools like
1069 // AddressSanitizer.
1070 var extraStderr string
1071 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1072 stderr = stderrParts[0]
1073 extraStderr = stderrParts[1]
1074 }
1075
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1076 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1077 expectedError := translateExpectedError(test.expectedError)
1078 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1079
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1080 localError := "none"
1081 if err != nil {
1082 localError = err.Error()
1083 }
1084 if len(test.expectedLocalError) != 0 {
1085 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1086 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1087
1088 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1089 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1090 if childErr != nil {
1091 childError = childErr.Error()
1092 }
1093
1094 var msg string
1095 switch {
1096 case failed && !test.shouldFail:
1097 msg = "unexpected failure"
1098 case !failed && test.shouldFail:
1099 msg = "unexpected success"
1100 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1101 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1102 default:
1103 panic("internal error")
1104 }
1105
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1106 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 }
1108
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1109 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1110 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111 }
1112
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1113 if *useValgrind && isValgrindError {
1114 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1115 }
1116
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1117 return nil
1118}
1119
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1120type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1121 name string
1122 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1123 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1124 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1125}
1126
1127var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1128 {"SSL3", VersionSSL30, "-no-ssl3", false},
1129 {"TLS1", VersionTLS10, "-no-tls1", true},
1130 {"TLS11", VersionTLS11, "-no-tls11", false},
1131 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1132 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1133}
1134
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1135type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1136 name string
1137 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1138}
1139
1140var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1141 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1142 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1143 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1144 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1145 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1146 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1147 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1148 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1149 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1150 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1151 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1152 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1153 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1154 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1156 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1157 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1158 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1159 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1160 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1161 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1162 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1163 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1164 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1165 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1166 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1167 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1168 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1169 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1170 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1171}
1172
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1173func hasComponent(suiteName, component string) bool {
1174 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1175}
1176
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1177func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1178 return hasComponent(suiteName, "GCM") ||
1179 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1180 hasComponent(suiteName, "SHA384") ||
1181 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1182}
1183
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1184func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1185 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1186}
1187
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1188func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1189 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1190}
1191
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1192func bigFromHex(hex string) *big.Int {
1193 ret, ok := new(big.Int).SetString(hex, 16)
1194 if !ok {
1195 panic("failed to parse hex number 0x" + hex)
1196 }
1197 return ret
1198}
1199
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1200func addBasicTests() {
1201 basicTests := []testCase{
1202 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1203 name: "NoFallbackSCSV",
1204 config: Config{
1205 Bugs: ProtocolBugs{
1206 FailIfNotFallbackSCSV: true,
1207 },
1208 },
1209 shouldFail: true,
1210 expectedLocalError: "no fallback SCSV found",
1211 },
1212 {
1213 name: "SendFallbackSCSV",
1214 config: Config{
1215 Bugs: ProtocolBugs{
1216 FailIfNotFallbackSCSV: true,
1217 },
1218 },
1219 flags: []string{"-fallback-scsv"},
1220 },
1221 {
1222 name: "ClientCertificateTypes",
1223 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1224 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1225 ClientAuth: RequestClientCert,
1226 ClientCertificateTypes: []byte{
1227 CertTypeDSSSign,
1228 CertTypeRSASign,
1229 CertTypeECDSASign,
1230 },
1231 },
1232 flags: []string{
1233 "-expect-certificate-types",
1234 base64.StdEncoding.EncodeToString([]byte{
1235 CertTypeDSSSign,
1236 CertTypeRSASign,
1237 CertTypeECDSASign,
1238 }),
1239 },
1240 },
1241 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1242 name: "UnauthenticatedECDH",
1243 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1244 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1245 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1246 Bugs: ProtocolBugs{
1247 UnauthenticatedECDH: true,
1248 },
1249 },
1250 shouldFail: true,
1251 expectedError: ":UNEXPECTED_MESSAGE:",
1252 },
1253 {
1254 name: "SkipCertificateStatus",
1255 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1256 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1257 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1258 Bugs: ProtocolBugs{
1259 SkipCertificateStatus: true,
1260 },
1261 },
1262 flags: []string{
1263 "-enable-ocsp-stapling",
1264 },
1265 },
1266 {
1267 name: "SkipServerKeyExchange",
1268 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1269 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1270 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1271 Bugs: ProtocolBugs{
1272 SkipServerKeyExchange: true,
1273 },
1274 },
1275 shouldFail: true,
1276 expectedError: ":UNEXPECTED_MESSAGE:",
1277 },
1278 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1279 testType: serverTest,
1280 name: "Alert",
1281 config: Config{
1282 Bugs: ProtocolBugs{
1283 SendSpuriousAlert: alertRecordOverflow,
1284 },
1285 },
1286 shouldFail: true,
1287 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1288 },
1289 {
1290 protocol: dtls,
1291 testType: serverTest,
1292 name: "Alert-DTLS",
1293 config: Config{
1294 Bugs: ProtocolBugs{
1295 SendSpuriousAlert: alertRecordOverflow,
1296 },
1297 },
1298 shouldFail: true,
1299 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1300 },
1301 {
1302 testType: serverTest,
1303 name: "FragmentAlert",
1304 config: Config{
1305 Bugs: ProtocolBugs{
1306 FragmentAlert: true,
1307 SendSpuriousAlert: alertRecordOverflow,
1308 },
1309 },
1310 shouldFail: true,
1311 expectedError: ":BAD_ALERT:",
1312 },
1313 {
1314 protocol: dtls,
1315 testType: serverTest,
1316 name: "FragmentAlert-DTLS",
1317 config: Config{
1318 Bugs: ProtocolBugs{
1319 FragmentAlert: true,
1320 SendSpuriousAlert: alertRecordOverflow,
1321 },
1322 },
1323 shouldFail: true,
1324 expectedError: ":BAD_ALERT:",
1325 },
1326 {
1327 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1328 name: "DoubleAlert",
1329 config: Config{
1330 Bugs: ProtocolBugs{
1331 DoubleAlert: true,
1332 SendSpuriousAlert: alertRecordOverflow,
1333 },
1334 },
1335 shouldFail: true,
1336 expectedError: ":BAD_ALERT:",
1337 },
1338 {
1339 protocol: dtls,
1340 testType: serverTest,
1341 name: "DoubleAlert-DTLS",
1342 config: Config{
1343 Bugs: ProtocolBugs{
1344 DoubleAlert: true,
1345 SendSpuriousAlert: alertRecordOverflow,
1346 },
1347 },
1348 shouldFail: true,
1349 expectedError: ":BAD_ALERT:",
1350 },
1351 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1352 name: "SkipNewSessionTicket",
1353 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1354 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1355 Bugs: ProtocolBugs{
1356 SkipNewSessionTicket: true,
1357 },
1358 },
1359 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1360 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1361 },
1362 {
1363 testType: serverTest,
1364 name: "FallbackSCSV",
1365 config: Config{
1366 MaxVersion: VersionTLS11,
1367 Bugs: ProtocolBugs{
1368 SendFallbackSCSV: true,
1369 },
1370 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1371 shouldFail: true,
1372 expectedError: ":INAPPROPRIATE_FALLBACK:",
1373 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1374 },
1375 {
1376 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1377 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1378 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1379 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1380 Bugs: ProtocolBugs{
1381 SendFallbackSCSV: true,
1382 },
1383 },
1384 },
1385 {
1386 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1387 name: "FallbackSCSV-VersionMatch-TLS12",
1388 config: Config{
1389 MaxVersion: VersionTLS12,
1390 Bugs: ProtocolBugs{
1391 SendFallbackSCSV: true,
1392 },
1393 },
1394 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1395 },
1396 {
1397 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1398 name: "FragmentedClientVersion",
1399 config: Config{
1400 Bugs: ProtocolBugs{
1401 MaxHandshakeRecordLength: 1,
1402 FragmentClientVersion: true,
1403 },
1404 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1405 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1406 },
1407 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1408 testType: serverTest,
1409 name: "HttpGET",
1410 sendPrefix: "GET / HTTP/1.0\n",
1411 shouldFail: true,
1412 expectedError: ":HTTP_REQUEST:",
1413 },
1414 {
1415 testType: serverTest,
1416 name: "HttpPOST",
1417 sendPrefix: "POST / HTTP/1.0\n",
1418 shouldFail: true,
1419 expectedError: ":HTTP_REQUEST:",
1420 },
1421 {
1422 testType: serverTest,
1423 name: "HttpHEAD",
1424 sendPrefix: "HEAD / HTTP/1.0\n",
1425 shouldFail: true,
1426 expectedError: ":HTTP_REQUEST:",
1427 },
1428 {
1429 testType: serverTest,
1430 name: "HttpPUT",
1431 sendPrefix: "PUT / HTTP/1.0\n",
1432 shouldFail: true,
1433 expectedError: ":HTTP_REQUEST:",
1434 },
1435 {
1436 testType: serverTest,
1437 name: "HttpCONNECT",
1438 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1439 shouldFail: true,
1440 expectedError: ":HTTPS_PROXY_REQUEST:",
1441 },
1442 {
1443 testType: serverTest,
1444 name: "Garbage",
1445 sendPrefix: "blah",
1446 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1447 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1448 },
1449 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1450 name: "RSAEphemeralKey",
1451 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1452 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1453 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1454 Bugs: ProtocolBugs{
1455 RSAEphemeralKey: true,
1456 },
1457 },
1458 shouldFail: true,
1459 expectedError: ":UNEXPECTED_MESSAGE:",
1460 },
1461 {
1462 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1463 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1464 shouldFail: true,
1465 expectedError: ":WRONG_SSL_VERSION:",
1466 },
1467 {
1468 protocol: dtls,
1469 name: "DisableEverything-DTLS",
1470 flags: []string{"-no-tls12", "-no-tls1"},
1471 shouldFail: true,
1472 expectedError: ":WRONG_SSL_VERSION:",
1473 },
1474 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1475 protocol: dtls,
1476 testType: serverTest,
1477 name: "MTU",
1478 config: Config{
1479 Bugs: ProtocolBugs{
1480 MaxPacketLength: 256,
1481 },
1482 },
1483 flags: []string{"-mtu", "256"},
1484 },
1485 {
1486 protocol: dtls,
1487 testType: serverTest,
1488 name: "MTUExceeded",
1489 config: Config{
1490 Bugs: ProtocolBugs{
1491 MaxPacketLength: 255,
1492 },
1493 },
1494 flags: []string{"-mtu", "256"},
1495 shouldFail: true,
1496 expectedLocalError: "dtls: exceeded maximum packet length",
1497 },
1498 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1499 name: "EmptyCertificateList",
1500 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1501 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1502 Bugs: ProtocolBugs{
1503 EmptyCertificateList: true,
1504 },
1505 },
1506 shouldFail: true,
1507 expectedError: ":DECODE_ERROR:",
1508 },
1509 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1510 name: "EmptyCertificateList-TLS13",
1511 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1512 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1513 Bugs: ProtocolBugs{
1514 EmptyCertificateList: true,
1515 },
1516 },
1517 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1518 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1519 },
1520 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1521 name: "TLSFatalBadPackets",
1522 damageFirstWrite: true,
1523 shouldFail: true,
1524 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1525 },
1526 {
1527 protocol: dtls,
1528 name: "DTLSIgnoreBadPackets",
1529 damageFirstWrite: true,
1530 },
1531 {
1532 protocol: dtls,
1533 name: "DTLSIgnoreBadPackets-Async",
1534 damageFirstWrite: true,
1535 flags: []string{"-async"},
1536 },
1537 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1538 name: "AppDataBeforeHandshake",
1539 config: Config{
1540 Bugs: ProtocolBugs{
1541 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1542 },
1543 },
1544 shouldFail: true,
1545 expectedError: ":UNEXPECTED_RECORD:",
1546 },
1547 {
1548 name: "AppDataBeforeHandshake-Empty",
1549 config: Config{
1550 Bugs: ProtocolBugs{
1551 AppDataBeforeHandshake: []byte{},
1552 },
1553 },
1554 shouldFail: true,
1555 expectedError: ":UNEXPECTED_RECORD:",
1556 },
1557 {
1558 protocol: dtls,
1559 name: "AppDataBeforeHandshake-DTLS",
1560 config: Config{
1561 Bugs: ProtocolBugs{
1562 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1563 },
1564 },
1565 shouldFail: true,
1566 expectedError: ":UNEXPECTED_RECORD:",
1567 },
1568 {
1569 protocol: dtls,
1570 name: "AppDataBeforeHandshake-DTLS-Empty",
1571 config: Config{
1572 Bugs: ProtocolBugs{
1573 AppDataBeforeHandshake: []byte{},
1574 },
1575 },
1576 shouldFail: true,
1577 expectedError: ":UNEXPECTED_RECORD:",
1578 },
1579 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1580 name: "AppDataAfterChangeCipherSpec",
1581 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1582 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1583 Bugs: ProtocolBugs{
1584 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1585 },
1586 },
1587 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1588 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1589 },
1590 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1591 name: "AppDataAfterChangeCipherSpec-Empty",
1592 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1593 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1594 Bugs: ProtocolBugs{
1595 AppDataAfterChangeCipherSpec: []byte{},
1596 },
1597 },
1598 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1599 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1600 },
1601 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1602 protocol: dtls,
1603 name: "AppDataAfterChangeCipherSpec-DTLS",
1604 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1605 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1606 Bugs: ProtocolBugs{
1607 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1608 },
1609 },
1610 // BoringSSL's DTLS implementation will drop the out-of-order
1611 // application data.
1612 },
1613 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1614 protocol: dtls,
1615 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1617 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1618 Bugs: ProtocolBugs{
1619 AppDataAfterChangeCipherSpec: []byte{},
1620 },
1621 },
1622 // BoringSSL's DTLS implementation will drop the out-of-order
1623 // application data.
1624 },
1625 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1626 name: "AlertAfterChangeCipherSpec",
1627 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1628 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1629 Bugs: ProtocolBugs{
1630 AlertAfterChangeCipherSpec: alertRecordOverflow,
1631 },
1632 },
1633 shouldFail: true,
1634 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1635 },
1636 {
1637 protocol: dtls,
1638 name: "AlertAfterChangeCipherSpec-DTLS",
1639 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1640 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1641 Bugs: ProtocolBugs{
1642 AlertAfterChangeCipherSpec: alertRecordOverflow,
1643 },
1644 },
1645 shouldFail: true,
1646 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1647 },
1648 {
1649 protocol: dtls,
1650 name: "ReorderHandshakeFragments-Small-DTLS",
1651 config: Config{
1652 Bugs: ProtocolBugs{
1653 ReorderHandshakeFragments: true,
1654 // Small enough that every handshake message is
1655 // fragmented.
1656 MaxHandshakeRecordLength: 2,
1657 },
1658 },
1659 },
1660 {
1661 protocol: dtls,
1662 name: "ReorderHandshakeFragments-Large-DTLS",
1663 config: Config{
1664 Bugs: ProtocolBugs{
1665 ReorderHandshakeFragments: true,
1666 // Large enough that no handshake message is
1667 // fragmented.
1668 MaxHandshakeRecordLength: 2048,
1669 },
1670 },
1671 },
1672 {
1673 protocol: dtls,
1674 name: "MixCompleteMessageWithFragments-DTLS",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 ReorderHandshakeFragments: true,
1678 MixCompleteMessageWithFragments: true,
1679 MaxHandshakeRecordLength: 2,
1680 },
1681 },
1682 },
1683 {
1684 name: "SendInvalidRecordType",
1685 config: Config{
1686 Bugs: ProtocolBugs{
1687 SendInvalidRecordType: true,
1688 },
1689 },
1690 shouldFail: true,
1691 expectedError: ":UNEXPECTED_RECORD:",
1692 },
1693 {
1694 protocol: dtls,
1695 name: "SendInvalidRecordType-DTLS",
1696 config: Config{
1697 Bugs: ProtocolBugs{
1698 SendInvalidRecordType: true,
1699 },
1700 },
1701 shouldFail: true,
1702 expectedError: ":UNEXPECTED_RECORD:",
1703 },
1704 {
1705 name: "FalseStart-SkipServerSecondLeg",
1706 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1707 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1708 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1709 NextProtos: []string{"foo"},
1710 Bugs: ProtocolBugs{
1711 SkipNewSessionTicket: true,
1712 SkipChangeCipherSpec: true,
1713 SkipFinished: true,
1714 ExpectFalseStart: true,
1715 },
1716 },
1717 flags: []string{
1718 "-false-start",
1719 "-handshake-never-done",
1720 "-advertise-alpn", "\x03foo",
1721 },
1722 shimWritesFirst: true,
1723 shouldFail: true,
1724 expectedError: ":UNEXPECTED_RECORD:",
1725 },
1726 {
1727 name: "FalseStart-SkipServerSecondLeg-Implicit",
1728 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1729 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1730 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1731 NextProtos: []string{"foo"},
1732 Bugs: ProtocolBugs{
1733 SkipNewSessionTicket: true,
1734 SkipChangeCipherSpec: true,
1735 SkipFinished: true,
1736 },
1737 },
1738 flags: []string{
1739 "-implicit-handshake",
1740 "-false-start",
1741 "-handshake-never-done",
1742 "-advertise-alpn", "\x03foo",
1743 },
1744 shouldFail: true,
1745 expectedError: ":UNEXPECTED_RECORD:",
1746 },
1747 {
1748 testType: serverTest,
1749 name: "FailEarlyCallback",
1750 flags: []string{"-fail-early-callback"},
1751 shouldFail: true,
1752 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1753 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1754 },
1755 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1756 name: "FailCertCallback-Client-TLS12",
1757 config: Config{
1758 MaxVersion: VersionTLS12,
1759 ClientAuth: RequestClientCert,
1760 },
1761 flags: []string{"-fail-cert-callback"},
1762 shouldFail: true,
1763 expectedError: ":CERT_CB_ERROR:",
1764 expectedLocalError: "remote error: internal error",
1765 },
1766 {
1767 testType: serverTest,
1768 name: "FailCertCallback-Server-TLS12",
1769 config: Config{
1770 MaxVersion: VersionTLS12,
1771 },
1772 flags: []string{"-fail-cert-callback"},
1773 shouldFail: true,
1774 expectedError: ":CERT_CB_ERROR:",
1775 expectedLocalError: "remote error: internal error",
1776 },
1777 {
1778 name: "FailCertCallback-Client-TLS13",
1779 config: Config{
1780 MaxVersion: VersionTLS13,
1781 ClientAuth: RequestClientCert,
1782 },
1783 flags: []string{"-fail-cert-callback"},
1784 shouldFail: true,
1785 expectedError: ":CERT_CB_ERROR:",
1786 expectedLocalError: "remote error: internal error",
1787 },
1788 {
1789 testType: serverTest,
1790 name: "FailCertCallback-Server-TLS13",
1791 config: Config{
1792 MaxVersion: VersionTLS13,
1793 },
1794 flags: []string{"-fail-cert-callback"},
1795 shouldFail: true,
1796 expectedError: ":CERT_CB_ERROR:",
1797 expectedLocalError: "remote error: internal error",
1798 },
1799 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1800 protocol: dtls,
1801 name: "FragmentMessageTypeMismatch-DTLS",
1802 config: Config{
1803 Bugs: ProtocolBugs{
1804 MaxHandshakeRecordLength: 2,
1805 FragmentMessageTypeMismatch: true,
1806 },
1807 },
1808 shouldFail: true,
1809 expectedError: ":FRAGMENT_MISMATCH:",
1810 },
1811 {
1812 protocol: dtls,
1813 name: "FragmentMessageLengthMismatch-DTLS",
1814 config: Config{
1815 Bugs: ProtocolBugs{
1816 MaxHandshakeRecordLength: 2,
1817 FragmentMessageLengthMismatch: true,
1818 },
1819 },
1820 shouldFail: true,
1821 expectedError: ":FRAGMENT_MISMATCH:",
1822 },
1823 {
1824 protocol: dtls,
1825 name: "SplitFragments-Header-DTLS",
1826 config: Config{
1827 Bugs: ProtocolBugs{
1828 SplitFragments: 2,
1829 },
1830 },
1831 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1832 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1833 },
1834 {
1835 protocol: dtls,
1836 name: "SplitFragments-Boundary-DTLS",
1837 config: Config{
1838 Bugs: ProtocolBugs{
1839 SplitFragments: dtlsRecordHeaderLen,
1840 },
1841 },
1842 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1843 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1844 },
1845 {
1846 protocol: dtls,
1847 name: "SplitFragments-Body-DTLS",
1848 config: Config{
1849 Bugs: ProtocolBugs{
1850 SplitFragments: dtlsRecordHeaderLen + 1,
1851 },
1852 },
1853 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1854 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1855 },
1856 {
1857 protocol: dtls,
1858 name: "SendEmptyFragments-DTLS",
1859 config: Config{
1860 Bugs: ProtocolBugs{
1861 SendEmptyFragments: true,
1862 },
1863 },
1864 },
1865 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1866 name: "BadFinished-Client",
1867 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1868 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1869 Bugs: ProtocolBugs{
1870 BadFinished: true,
1871 },
1872 },
1873 shouldFail: true,
1874 expectedError: ":DIGEST_CHECK_FAILED:",
1875 },
1876 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1877 name: "BadFinished-Client-TLS13",
1878 config: Config{
1879 MaxVersion: VersionTLS13,
1880 Bugs: ProtocolBugs{
1881 BadFinished: true,
1882 },
1883 },
1884 shouldFail: true,
1885 expectedError: ":DIGEST_CHECK_FAILED:",
1886 },
1887 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1888 testType: serverTest,
1889 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1890 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1891 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1892 Bugs: ProtocolBugs{
1893 BadFinished: true,
1894 },
1895 },
1896 shouldFail: true,
1897 expectedError: ":DIGEST_CHECK_FAILED:",
1898 },
1899 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1900 testType: serverTest,
1901 name: "BadFinished-Server-TLS13",
1902 config: Config{
1903 MaxVersion: VersionTLS13,
1904 Bugs: ProtocolBugs{
1905 BadFinished: true,
1906 },
1907 },
1908 shouldFail: true,
1909 expectedError: ":DIGEST_CHECK_FAILED:",
1910 },
1911 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1912 name: "FalseStart-BadFinished",
1913 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1914 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1915 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1916 NextProtos: []string{"foo"},
1917 Bugs: ProtocolBugs{
1918 BadFinished: true,
1919 ExpectFalseStart: true,
1920 },
1921 },
1922 flags: []string{
1923 "-false-start",
1924 "-handshake-never-done",
1925 "-advertise-alpn", "\x03foo",
1926 },
1927 shimWritesFirst: true,
1928 shouldFail: true,
1929 expectedError: ":DIGEST_CHECK_FAILED:",
1930 },
1931 {
1932 name: "NoFalseStart-NoALPN",
1933 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1934 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1935 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1936 Bugs: ProtocolBugs{
1937 ExpectFalseStart: true,
1938 AlertBeforeFalseStartTest: alertAccessDenied,
1939 },
1940 },
1941 flags: []string{
1942 "-false-start",
1943 },
1944 shimWritesFirst: true,
1945 shouldFail: true,
1946 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1947 expectedLocalError: "tls: peer did not false start: EOF",
1948 },
1949 {
1950 name: "NoFalseStart-NoAEAD",
1951 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1952 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1953 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1954 NextProtos: []string{"foo"},
1955 Bugs: ProtocolBugs{
1956 ExpectFalseStart: true,
1957 AlertBeforeFalseStartTest: alertAccessDenied,
1958 },
1959 },
1960 flags: []string{
1961 "-false-start",
1962 "-advertise-alpn", "\x03foo",
1963 },
1964 shimWritesFirst: true,
1965 shouldFail: true,
1966 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1967 expectedLocalError: "tls: peer did not false start: EOF",
1968 },
1969 {
1970 name: "NoFalseStart-RSA",
1971 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1972 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1973 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1974 NextProtos: []string{"foo"},
1975 Bugs: ProtocolBugs{
1976 ExpectFalseStart: true,
1977 AlertBeforeFalseStartTest: alertAccessDenied,
1978 },
1979 },
1980 flags: []string{
1981 "-false-start",
1982 "-advertise-alpn", "\x03foo",
1983 },
1984 shimWritesFirst: true,
1985 shouldFail: true,
1986 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1987 expectedLocalError: "tls: peer did not false start: EOF",
1988 },
1989 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1990 protocol: dtls,
1991 name: "SendSplitAlert-Sync",
1992 config: Config{
1993 Bugs: ProtocolBugs{
1994 SendSplitAlert: true,
1995 },
1996 },
1997 },
1998 {
1999 protocol: dtls,
2000 name: "SendSplitAlert-Async",
2001 config: Config{
2002 Bugs: ProtocolBugs{
2003 SendSplitAlert: true,
2004 },
2005 },
2006 flags: []string{"-async"},
2007 },
2008 {
2009 protocol: dtls,
2010 name: "PackDTLSHandshake",
2011 config: Config{
2012 Bugs: ProtocolBugs{
2013 MaxHandshakeRecordLength: 2,
2014 PackHandshakeFragments: 20,
2015 PackHandshakeRecords: 200,
2016 },
2017 },
2018 },
2019 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2020 name: "SendEmptyRecords-Pass",
2021 sendEmptyRecords: 32,
2022 },
2023 {
2024 name: "SendEmptyRecords",
2025 sendEmptyRecords: 33,
2026 shouldFail: true,
2027 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2028 },
2029 {
2030 name: "SendEmptyRecords-Async",
2031 sendEmptyRecords: 33,
2032 flags: []string{"-async"},
2033 shouldFail: true,
2034 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2035 },
2036 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2037 name: "SendWarningAlerts-Pass",
2038 config: Config{
2039 MaxVersion: VersionTLS12,
2040 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2041 sendWarningAlerts: 4,
2042 },
2043 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2044 protocol: dtls,
2045 name: "SendWarningAlerts-DTLS-Pass",
2046 config: Config{
2047 MaxVersion: VersionTLS12,
2048 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2049 sendWarningAlerts: 4,
2050 },
2051 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2052 name: "SendWarningAlerts-TLS13",
2053 config: Config{
2054 MaxVersion: VersionTLS13,
2055 },
2056 sendWarningAlerts: 4,
2057 shouldFail: true,
2058 expectedError: ":BAD_ALERT:",
2059 expectedLocalError: "remote error: error decoding message",
2060 },
2061 {
2062 name: "SendWarningAlerts",
2063 config: Config{
2064 MaxVersion: VersionTLS12,
2065 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2066 sendWarningAlerts: 5,
2067 shouldFail: true,
2068 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2069 },
2070 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2071 name: "SendWarningAlerts-Async",
2072 config: Config{
2073 MaxVersion: VersionTLS12,
2074 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2075 sendWarningAlerts: 5,
2076 flags: []string{"-async"},
2077 shouldFail: true,
2078 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2079 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2080 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2081 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2082 config: Config{
2083 MaxVersion: VersionTLS13,
2084 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2085 sendKeyUpdates: 33,
2086 keyUpdateRequest: keyUpdateNotRequested,
2087 shouldFail: true,
2088 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2089 },
2090 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2091 name: "EmptySessionID",
2092 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2093 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2094 SessionTicketsDisabled: true,
2095 },
2096 noSessionCache: true,
2097 flags: []string{"-expect-no-session"},
2098 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2099 {
2100 name: "Unclean-Shutdown",
2101 config: Config{
2102 Bugs: ProtocolBugs{
2103 NoCloseNotify: true,
2104 ExpectCloseNotify: true,
2105 },
2106 },
2107 shimShutsDown: true,
2108 flags: []string{"-check-close-notify"},
2109 shouldFail: true,
2110 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2111 },
2112 {
2113 name: "Unclean-Shutdown-Ignored",
2114 config: Config{
2115 Bugs: ProtocolBugs{
2116 NoCloseNotify: true,
2117 },
2118 },
2119 shimShutsDown: true,
2120 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2121 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2122 name: "Unclean-Shutdown-Alert",
2123 config: Config{
2124 Bugs: ProtocolBugs{
2125 SendAlertOnShutdown: alertDecompressionFailure,
2126 ExpectCloseNotify: true,
2127 },
2128 },
2129 shimShutsDown: true,
2130 flags: []string{"-check-close-notify"},
2131 shouldFail: true,
2132 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2133 },
2134 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2135 name: "LargePlaintext",
2136 config: Config{
2137 Bugs: ProtocolBugs{
2138 SendLargeRecords: true,
2139 },
2140 },
2141 messageLen: maxPlaintext + 1,
2142 shouldFail: true,
2143 expectedError: ":DATA_LENGTH_TOO_LONG:",
2144 },
2145 {
2146 protocol: dtls,
2147 name: "LargePlaintext-DTLS",
2148 config: Config{
2149 Bugs: ProtocolBugs{
2150 SendLargeRecords: true,
2151 },
2152 },
2153 messageLen: maxPlaintext + 1,
2154 shouldFail: true,
2155 expectedError: ":DATA_LENGTH_TOO_LONG:",
2156 },
2157 {
2158 name: "LargeCiphertext",
2159 config: Config{
2160 Bugs: ProtocolBugs{
2161 SendLargeRecords: true,
2162 },
2163 },
2164 messageLen: maxPlaintext * 2,
2165 shouldFail: true,
2166 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2167 },
2168 {
2169 protocol: dtls,
2170 name: "LargeCiphertext-DTLS",
2171 config: Config{
2172 Bugs: ProtocolBugs{
2173 SendLargeRecords: true,
2174 },
2175 },
2176 messageLen: maxPlaintext * 2,
2177 // Unlike the other four cases, DTLS drops records which
2178 // are invalid before authentication, so the connection
2179 // does not fail.
2180 expectMessageDropped: true,
2181 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2182 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2183 name: "BadHelloRequest-1",
2184 renegotiate: 1,
2185 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2186 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2187 Bugs: ProtocolBugs{
2188 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2189 },
2190 },
2191 flags: []string{
2192 "-renegotiate-freely",
2193 "-expect-total-renegotiations", "1",
2194 },
2195 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2196 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2197 },
2198 {
2199 name: "BadHelloRequest-2",
2200 renegotiate: 1,
2201 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2202 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2203 Bugs: ProtocolBugs{
2204 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2205 },
2206 },
2207 flags: []string{
2208 "-renegotiate-freely",
2209 "-expect-total-renegotiations", "1",
2210 },
2211 shouldFail: true,
2212 expectedError: ":BAD_HELLO_REQUEST:",
2213 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2214 {
2215 testType: serverTest,
2216 name: "SupportTicketsWithSessionID",
2217 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2218 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2219 SessionTicketsDisabled: true,
2220 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2221 resumeConfig: &Config{
2222 MaxVersion: VersionTLS12,
2223 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2224 resumeSession: true,
2225 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2226 {
2227 protocol: dtls,
2228 name: "DTLS-SendExtraFinished",
2229 config: Config{
2230 Bugs: ProtocolBugs{
2231 SendExtraFinished: true,
2232 },
2233 },
2234 shouldFail: true,
2235 expectedError: ":UNEXPECTED_RECORD:",
2236 },
2237 {
2238 protocol: dtls,
2239 name: "DTLS-SendExtraFinished-Reordered",
2240 config: Config{
2241 Bugs: ProtocolBugs{
2242 MaxHandshakeRecordLength: 2,
2243 ReorderHandshakeFragments: true,
2244 SendExtraFinished: true,
2245 },
2246 },
2247 shouldFail: true,
2248 expectedError: ":UNEXPECTED_RECORD:",
2249 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2250 {
2251 testType: serverTest,
2252 name: "V2ClientHello-EmptyRecordPrefix",
2253 config: Config{
2254 // Choose a cipher suite that does not involve
2255 // elliptic curves, so no extensions are
2256 // involved.
2257 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2258 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2259 Bugs: ProtocolBugs{
2260 SendV2ClientHello: true,
2261 },
2262 },
2263 sendPrefix: string([]byte{
2264 byte(recordTypeHandshake),
2265 3, 1, // version
2266 0, 0, // length
2267 }),
2268 // A no-op empty record may not be sent before V2ClientHello.
2269 shouldFail: true,
2270 expectedError: ":WRONG_VERSION_NUMBER:",
2271 },
2272 {
2273 testType: serverTest,
2274 name: "V2ClientHello-WarningAlertPrefix",
2275 config: Config{
2276 // Choose a cipher suite that does not involve
2277 // elliptic curves, so no extensions are
2278 // involved.
2279 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2280 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2281 Bugs: ProtocolBugs{
2282 SendV2ClientHello: true,
2283 },
2284 },
2285 sendPrefix: string([]byte{
2286 byte(recordTypeAlert),
2287 3, 1, // version
2288 0, 2, // length
2289 alertLevelWarning, byte(alertDecompressionFailure),
2290 }),
2291 // A no-op warning alert may not be sent before V2ClientHello.
2292 shouldFail: true,
2293 expectedError: ":WRONG_VERSION_NUMBER:",
2294 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2295 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2296 name: "KeyUpdate-Client",
2297 config: Config{
2298 MaxVersion: VersionTLS13,
2299 },
2300 sendKeyUpdates: 1,
2301 keyUpdateRequest: keyUpdateNotRequested,
2302 },
2303 {
2304 testType: serverTest,
2305 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2306 config: Config{
2307 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2308 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2309 sendKeyUpdates: 1,
2310 keyUpdateRequest: keyUpdateNotRequested,
2311 },
2312 {
2313 name: "KeyUpdate-InvalidRequestMode",
2314 config: Config{
2315 MaxVersion: VersionTLS13,
2316 },
2317 sendKeyUpdates: 1,
2318 keyUpdateRequest: 42,
2319 shouldFail: true,
2320 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2321 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2322 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2323 // Test that KeyUpdates are acknowledged properly.
2324 name: "KeyUpdate-RequestACK",
2325 config: Config{
2326 MaxVersion: VersionTLS13,
2327 Bugs: ProtocolBugs{
2328 RejectUnsolicitedKeyUpdate: true,
2329 },
2330 },
2331 // Test the shim receiving many KeyUpdates in a row.
2332 sendKeyUpdates: 5,
2333 messageCount: 5,
2334 keyUpdateRequest: keyUpdateRequested,
2335 },
2336 {
2337 // Test that KeyUpdates are acknowledged properly if the
2338 // peer's KeyUpdate is discovered while a write is
2339 // pending.
2340 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2341 config: Config{
2342 MaxVersion: VersionTLS13,
2343 Bugs: ProtocolBugs{
2344 RejectUnsolicitedKeyUpdate: true,
2345 },
2346 },
2347 // Test the shim receiving many KeyUpdates in a row.
2348 sendKeyUpdates: 5,
2349 messageCount: 5,
2350 keyUpdateRequest: keyUpdateRequested,
2351 readWithUnfinishedWrite: true,
2352 flags: []string{"-async"},
2353 },
2354 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2355 name: "SendSNIWarningAlert",
2356 config: Config{
2357 MaxVersion: VersionTLS12,
2358 Bugs: ProtocolBugs{
2359 SendSNIWarningAlert: true,
2360 },
2361 },
2362 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2363 {
2364 testType: serverTest,
2365 name: "ExtraCompressionMethods-TLS12",
2366 config: Config{
2367 MaxVersion: VersionTLS12,
2368 Bugs: ProtocolBugs{
2369 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2370 },
2371 },
2372 },
2373 {
2374 testType: serverTest,
2375 name: "ExtraCompressionMethods-TLS13",
2376 config: Config{
2377 MaxVersion: VersionTLS13,
2378 Bugs: ProtocolBugs{
2379 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2380 },
2381 },
2382 shouldFail: true,
2383 expectedError: ":INVALID_COMPRESSION_LIST:",
2384 expectedLocalError: "remote error: illegal parameter",
2385 },
2386 {
2387 testType: serverTest,
2388 name: "NoNullCompression-TLS12",
2389 config: Config{
2390 MaxVersion: VersionTLS12,
2391 Bugs: ProtocolBugs{
2392 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2393 },
2394 },
2395 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2396 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2397 expectedLocalError: "remote error: illegal parameter",
2398 },
2399 {
2400 testType: serverTest,
2401 name: "NoNullCompression-TLS13",
2402 config: Config{
2403 MaxVersion: VersionTLS13,
2404 Bugs: ProtocolBugs{
2405 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2406 },
2407 },
2408 shouldFail: true,
2409 expectedError: ":INVALID_COMPRESSION_LIST:",
2410 expectedLocalError: "remote error: illegal parameter",
2411 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2412 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2413 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2414 config: Config{
2415 MaxVersion: VersionTLS12,
2416 Bugs: ProtocolBugs{
2417 ExpectGREASE: true,
2418 },
2419 },
2420 flags: []string{"-enable-grease"},
2421 },
2422 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2423 name: "GREASE-Client-TLS13",
2424 config: Config{
2425 MaxVersion: VersionTLS13,
2426 Bugs: ProtocolBugs{
2427 ExpectGREASE: true,
2428 },
2429 },
2430 flags: []string{"-enable-grease"},
2431 },
2432 {
2433 testType: serverTest,
2434 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2435 config: Config{
2436 MaxVersion: VersionTLS13,
2437 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2438 // TLS 1.3 servers are expected to
2439 // always enable GREASE. TLS 1.3 is new,
2440 // so there is no existing ecosystem to
2441 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2442 ExpectGREASE: true,
2443 },
2444 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2445 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2446 {
2447 // Test the server so there is a large certificate as
2448 // well as application data.
2449 testType: serverTest,
2450 name: "MaxSendFragment",
2451 config: Config{
2452 Bugs: ProtocolBugs{
2453 MaxReceivePlaintext: 512,
2454 },
2455 },
2456 messageLen: 1024,
2457 flags: []string{
2458 "-max-send-fragment", "512",
2459 "-read-size", "1024",
2460 },
2461 },
2462 {
2463 // Test the server so there is a large certificate as
2464 // well as application data.
2465 testType: serverTest,
2466 name: "MaxSendFragment-TooLarge",
2467 config: Config{
2468 Bugs: ProtocolBugs{
2469 // Ensure that some of the records are
2470 // 512.
2471 MaxReceivePlaintext: 511,
2472 },
2473 },
2474 messageLen: 1024,
2475 flags: []string{
2476 "-max-send-fragment", "512",
2477 "-read-size", "1024",
2478 },
2479 shouldFail: true,
2480 expectedLocalError: "local error: record overflow",
2481 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2482 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2483 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2484
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2485 if *includeDHE {
2486 testCases = append(testCases, testCase{
2487 name: "NoFalseStart-DHE_RSA",
2488 config: Config{
2489 MaxVersion: VersionTLS12,
2490 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2491 NextProtos: []string{"foo"},
2492 Bugs: ProtocolBugs{
2493 ExpectFalseStart: true,
2494 AlertBeforeFalseStartTest: alertAccessDenied,
2495 },
2496 },
2497 flags: []string{
2498 "-false-start",
2499 "-advertise-alpn", "\x03foo",
2500 },
2501 shimWritesFirst: true,
2502 shouldFail: true,
2503 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2504 expectedLocalError: "tls: peer did not false start: EOF",
2505 })
2506 }
2507
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2508 // Test that very large messages can be received.
2509 cert := rsaCertificate
2510 for i := 0; i < 50; i++ {
2511 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2512 }
2513 testCases = append(testCases, testCase{
2514 name: "LargeMessage",
2515 config: Config{
2516 Certificates: []Certificate{cert},
2517 },
2518 })
2519 testCases = append(testCases, testCase{
2520 protocol: dtls,
2521 name: "LargeMessage-DTLS",
2522 config: Config{
2523 Certificates: []Certificate{cert},
2524 },
2525 })
2526
2527 // They are rejected if the maximum certificate chain length is capped.
2528 testCases = append(testCases, testCase{
2529 name: "LargeMessage-Reject",
2530 config: Config{
2531 Certificates: []Certificate{cert},
2532 },
2533 flags: []string{"-max-cert-list", "16384"},
2534 shouldFail: true,
2535 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2536 })
2537 testCases = append(testCases, testCase{
2538 protocol: dtls,
2539 name: "LargeMessage-Reject-DTLS",
2540 config: Config{
2541 Certificates: []Certificate{cert},
2542 },
2543 flags: []string{"-max-cert-list", "16384"},
2544 shouldFail: true,
2545 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2546 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2547}
2548
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2549func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2550 const psk = "12345"
2551 const pskIdentity = "luggage combo"
2552
2553 var prefix string
2554 if protocol == dtls {
2555 if !ver.hasDTLS {
2556 return
2557 }
2558 prefix = "D"
2559 }
2560
2561 var cert Certificate
2562 var certFile string
2563 var keyFile string
2564 if hasComponent(suite.name, "ECDSA") {
2565 cert = ecdsaP256Certificate
2566 certFile = ecdsaP256CertificateFile
2567 keyFile = ecdsaP256KeyFile
2568 } else {
2569 cert = rsaCertificate
2570 certFile = rsaCertificateFile
2571 keyFile = rsaKeyFile
2572 }
2573
2574 var flags []string
2575 if hasComponent(suite.name, "PSK") {
2576 flags = append(flags,
2577 "-psk", psk,
2578 "-psk-identity", pskIdentity)
2579 }
2580 if hasComponent(suite.name, "NULL") {
2581 // NULL ciphers must be explicitly enabled.
2582 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2583 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2584
2585 var shouldServerFail, shouldClientFail bool
2586 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2587 // BoringSSL clients accept ECDHE on SSLv3, but
2588 // a BoringSSL server will never select it
2589 // because the extension is missing.
2590 shouldServerFail = true
2591 }
2592 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2593 shouldClientFail = true
2594 shouldServerFail = true
2595 }
2596 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2597 shouldClientFail = true
2598 shouldServerFail = true
2599 }
2600 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2601 shouldClientFail = true
2602 shouldServerFail = true
2603 }
2604 if !isDTLSCipher(suite.name) && protocol == dtls {
2605 shouldClientFail = true
2606 shouldServerFail = true
2607 }
2608
2609 var sendCipherSuite uint16
2610 var expectedServerError, expectedClientError string
2611 serverCipherSuites := []uint16{suite.id}
2612 if shouldServerFail {
2613 expectedServerError = ":NO_SHARED_CIPHER:"
2614 }
2615 if shouldClientFail {
2616 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2617 // Configure the server to select ciphers as normal but
2618 // select an incompatible cipher in ServerHello.
2619 serverCipherSuites = nil
2620 sendCipherSuite = suite.id
2621 }
2622
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2623 // For cipher suites and versions where exporters are defined, verify
2624 // that they interoperate.
2625 var exportKeyingMaterial int
2626 if ver.version > VersionSSL30 {
2627 exportKeyingMaterial = 1024
2628 }
2629
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2630 testCases = append(testCases, testCase{
2631 testType: serverTest,
2632 protocol: protocol,
2633 name: prefix + ver.name + "-" + suite.name + "-server",
2634 config: Config{
2635 MinVersion: ver.version,
2636 MaxVersion: ver.version,
2637 CipherSuites: []uint16{suite.id},
2638 Certificates: []Certificate{cert},
2639 PreSharedKey: []byte(psk),
2640 PreSharedKeyIdentity: pskIdentity,
2641 Bugs: ProtocolBugs{
2642 AdvertiseAllConfiguredCiphers: true,
2643 },
2644 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2645 certFile: certFile,
2646 keyFile: keyFile,
2647 flags: flags,
2648 resumeSession: true,
2649 shouldFail: shouldServerFail,
2650 expectedError: expectedServerError,
2651 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2652 })
2653
2654 testCases = append(testCases, testCase{
2655 testType: clientTest,
2656 protocol: protocol,
2657 name: prefix + ver.name + "-" + suite.name + "-client",
2658 config: Config{
2659 MinVersion: ver.version,
2660 MaxVersion: ver.version,
2661 CipherSuites: serverCipherSuites,
2662 Certificates: []Certificate{cert},
2663 PreSharedKey: []byte(psk),
2664 PreSharedKeyIdentity: pskIdentity,
2665 Bugs: ProtocolBugs{
2666 IgnorePeerCipherPreferences: shouldClientFail,
2667 SendCipherSuite: sendCipherSuite,
2668 },
2669 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2670 flags: flags,
2671 resumeSession: true,
2672 shouldFail: shouldClientFail,
2673 expectedError: expectedClientError,
2674 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2675 })
2676
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2677 if shouldClientFail {
2678 return
2679 }
2680
2681 // Ensure the maximum record size is accepted.
2682 testCases = append(testCases, testCase{
2683 protocol: protocol,
2684 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2685 config: Config{
2686 MinVersion: ver.version,
2687 MaxVersion: ver.version,
2688 CipherSuites: []uint16{suite.id},
2689 Certificates: []Certificate{cert},
2690 PreSharedKey: []byte(psk),
2691 PreSharedKeyIdentity: pskIdentity,
2692 },
2693 flags: flags,
2694 messageLen: maxPlaintext,
2695 })
2696
2697 // Test bad records for all ciphers. Bad records are fatal in TLS
2698 // and ignored in DTLS.
2699 var shouldFail bool
2700 var expectedError string
2701 if protocol == tls {
2702 shouldFail = true
2703 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2704 }
2705
2706 testCases = append(testCases, testCase{
2707 protocol: protocol,
2708 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2709 config: Config{
2710 MinVersion: ver.version,
2711 MaxVersion: ver.version,
2712 CipherSuites: []uint16{suite.id},
2713 Certificates: []Certificate{cert},
2714 PreSharedKey: []byte(psk),
2715 PreSharedKeyIdentity: pskIdentity,
2716 },
2717 flags: flags,
2718 damageFirstWrite: true,
2719 messageLen: maxPlaintext,
2720 shouldFail: shouldFail,
2721 expectedError: expectedError,
2722 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2723}
2724
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2725func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2726 const bogusCipher = 0xfe00
2727
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2728 if *includeDHE {
2729 testCipherSuites = append(testCipherSuites, []testCipherSuite{
2730 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2731 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
2732 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
2733 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
2734 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
2735 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
2736 }...)
2737 }
2738
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2739 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2740 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2741 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2742 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2743 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2744 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2745 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2746
2747 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2748 name: "NoSharedCipher",
2749 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2750 MaxVersion: VersionTLS12,
2751 CipherSuites: []uint16{},
2752 },
2753 shouldFail: true,
2754 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2755 })
2756
2757 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2758 name: "NoSharedCipher-TLS13",
2759 config: Config{
2760 MaxVersion: VersionTLS13,
2761 CipherSuites: []uint16{},
2762 },
2763 shouldFail: true,
2764 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2765 })
2766
2767 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2768 name: "UnsupportedCipherSuite",
2769 config: Config{
2770 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2771 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2772 Bugs: ProtocolBugs{
2773 IgnorePeerCipherPreferences: true,
2774 },
2775 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2776 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2777 shouldFail: true,
2778 expectedError: ":WRONG_CIPHER_RETURNED:",
2779 })
2780
2781 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2782 name: "ServerHelloBogusCipher",
2783 config: Config{
2784 MaxVersion: VersionTLS12,
2785 Bugs: ProtocolBugs{
2786 SendCipherSuite: bogusCipher,
2787 },
2788 },
2789 shouldFail: true,
2790 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2791 })
2792 testCases = append(testCases, testCase{
2793 name: "ServerHelloBogusCipher-TLS13",
2794 config: Config{
2795 MaxVersion: VersionTLS13,
2796 Bugs: ProtocolBugs{
2797 SendCipherSuite: bogusCipher,
2798 },
2799 },
2800 shouldFail: true,
2801 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2802 })
2803
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2804 if *includeDHE {
2805 testCases = append(testCases, testCase{
2806 name: "WeakDH",
2807 config: Config{
2808 MaxVersion: VersionTLS12,
2809 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2810 Bugs: ProtocolBugs{
2811 // This is a 1023-bit prime number, generated
2812 // with:
2813 // openssl gendh 1023 | openssl asn1parse -i
2814 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2815 },
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2816 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2817 shouldFail: true,
2818 expectedError: ":BAD_DH_P_LENGTH:",
2819 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2820
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2821 testCases = append(testCases, testCase{
2822 name: "SillyDH",
2823 config: Config{
2824 MaxVersion: VersionTLS12,
2825 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2826 Bugs: ProtocolBugs{
2827 // This is a 4097-bit prime number, generated
2828 // with:
2829 // openssl gendh 4097 | openssl asn1parse -i
2830 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2831 },
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2832 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2833 shouldFail: true,
2834 expectedError: ":DH_P_TOO_LONG:",
2835 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2836
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2837 // This test ensures that Diffie-Hellman public values are padded with
2838 // zeros so that they're the same length as the prime. This is to avoid
2839 // hitting a bug in yaSSL.
2840 testCases = append(testCases, testCase{
2841 testType: serverTest,
2842 name: "DHPublicValuePadded",
2843 config: Config{
2844 MaxVersion: VersionTLS12,
2845 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2846 Bugs: ProtocolBugs{
2847 RequireDHPublicValueLen: (1025 + 7) / 8,
2848 },
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2849 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2850 flags: []string{"-use-sparse-dh-prime"},
2851 })
2852 }
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2853
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2854 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2855 testCases = append(testCases, testCase{
2856 testType: serverTest,
2857 name: "UnknownCipher",
2858 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2859 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2860 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2861 Bugs: ProtocolBugs{
2862 AdvertiseAllConfiguredCiphers: true,
2863 },
2864 },
2865 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2866
2867 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2868 testCases = append(testCases, testCase{
2869 testType: serverTest,
2870 name: "UnknownCipher-TLS13",
2871 config: Config{
2872 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2873 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2874 Bugs: ProtocolBugs{
2875 AdvertiseAllConfiguredCiphers: true,
2876 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2877 },
2878 })
2879
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2880 // Test empty ECDHE_PSK identity hints work as expected.
2881 testCases = append(testCases, testCase{
2882 name: "EmptyECDHEPSKHint",
2883 config: Config{
2884 MaxVersion: VersionTLS12,
2885 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2886 PreSharedKey: []byte("secret"),
2887 },
2888 flags: []string{"-psk", "secret"},
2889 })
2890
2891 // Test empty PSK identity hints work as expected, even if an explicit
2892 // ServerKeyExchange is sent.
2893 testCases = append(testCases, testCase{
2894 name: "ExplicitEmptyPSKHint",
2895 config: Config{
2896 MaxVersion: VersionTLS12,
2897 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2898 PreSharedKey: []byte("secret"),
2899 Bugs: ProtocolBugs{
2900 AlwaysSendPreSharedKeyIdentityHint: true,
2901 },
2902 },
2903 flags: []string{"-psk", "secret"},
2904 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2905
2906 // Test that clients enforce that the server-sent certificate and cipher
2907 // suite match in TLS 1.2.
2908 testCases = append(testCases, testCase{
2909 name: "CertificateCipherMismatch-RSA",
2910 config: Config{
2911 MaxVersion: VersionTLS12,
2912 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2913 Certificates: []Certificate{rsaCertificate},
2914 Bugs: ProtocolBugs{
2915 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2916 },
2917 },
2918 shouldFail: true,
2919 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2920 })
2921 testCases = append(testCases, testCase{
2922 name: "CertificateCipherMismatch-ECDSA",
2923 config: Config{
2924 MaxVersion: VersionTLS12,
2925 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2926 Certificates: []Certificate{ecdsaP256Certificate},
2927 Bugs: ProtocolBugs{
2928 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2929 },
2930 },
2931 shouldFail: true,
2932 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2933 })
2934 testCases = append(testCases, testCase{
2935 name: "CertificateCipherMismatch-Ed25519",
2936 config: Config{
2937 MaxVersion: VersionTLS12,
2938 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2939 Certificates: []Certificate{ed25519Certificate},
2940 Bugs: ProtocolBugs{
2941 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2942 },
2943 },
2944 shouldFail: true,
2945 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2946 })
2947
2948 // Test that servers decline to select a cipher suite which is
2949 // inconsistent with their configured certificate.
2950 testCases = append(testCases, testCase{
2951 testType: serverTest,
2952 name: "ServerCipherFilter-RSA",
2953 config: Config{
2954 MaxVersion: VersionTLS12,
2955 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2956 },
2957 flags: []string{
2958 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2959 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2960 },
2961 shouldFail: true,
2962 expectedError: ":NO_SHARED_CIPHER:",
2963 })
2964 testCases = append(testCases, testCase{
2965 testType: serverTest,
2966 name: "ServerCipherFilter-ECDSA",
2967 config: Config{
2968 MaxVersion: VersionTLS12,
2969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2970 },
2971 flags: []string{
2972 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2973 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2974 },
2975 shouldFail: true,
2976 expectedError: ":NO_SHARED_CIPHER:",
2977 })
2978 testCases = append(testCases, testCase{
2979 testType: serverTest,
2980 name: "ServerCipherFilter-Ed25519",
2981 config: Config{
2982 MaxVersion: VersionTLS12,
2983 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2984 },
2985 flags: []string{
2986 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2987 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2988 },
2989 shouldFail: true,
2990 expectedError: ":NO_SHARED_CIPHER:",
2991 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2992}
2993
2994func addBadECDSASignatureTests() {
2995 for badR := BadValue(1); badR < NumBadValues; badR++ {
2996 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2997 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2998 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2999 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]3000 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3001 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3002 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3003 Bugs: ProtocolBugs{
3004 BadECDSAR: badR,
3005 BadECDSAS: badS,
3006 },
3007 },
3008 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3009 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3010 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]3011 testCases = append(testCases, testCase{
3012 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
3013 config: Config{
3014 MaxVersion: VersionTLS13,
3015 Certificates: []Certificate{ecdsaP256Certificate},
3016 Bugs: ProtocolBugs{
3017 BadECDSAR: badR,
3018 BadECDSAS: badS,
3019 },
3020 },
3021 shouldFail: true,
3022 expectedError: ":BAD_SIGNATURE:",
3023 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3024 }
3025 }
3026}
3027
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3028func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3029 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3030 name: "MaxCBCPadding",
3031 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3032 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3033 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3034 Bugs: ProtocolBugs{
3035 MaxPadding: true,
3036 },
3037 },
3038 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3039 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3040 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3041 name: "BadCBCPadding",
3042 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3043 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3044 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3045 Bugs: ProtocolBugs{
3046 PaddingFirstByteBad: true,
3047 },
3048 },
3049 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3050 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3051 })
3052 // OpenSSL previously had an issue where the first byte of padding in
3053 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3054 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3055 name: "BadCBCPadding255",
3056 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3057 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3058 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3059 Bugs: ProtocolBugs{
3060 MaxPadding: true,
3061 PaddingFirstByteBadIf255: true,
3062 },
3063 },
3064 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3065 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3066 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3067 })
3068}
3069
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3070func addCBCSplittingTests() {
3071 testCases = append(testCases, testCase{
3072 name: "CBCRecordSplitting",
3073 config: Config{
3074 MaxVersion: VersionTLS10,
3075 MinVersion: VersionTLS10,
3076 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3077 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3078 messageLen: -1, // read until EOF
3079 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3080 flags: []string{
3081 "-async",
3082 "-write-different-record-sizes",
3083 "-cbc-record-splitting",
3084 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3085 })
3086 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3087 name: "CBCRecordSplittingPartialWrite",
3088 config: Config{
3089 MaxVersion: VersionTLS10,
3090 MinVersion: VersionTLS10,
3091 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3092 },
3093 messageLen: -1, // read until EOF
3094 flags: []string{
3095 "-async",
3096 "-write-different-record-sizes",
3097 "-cbc-record-splitting",
3098 "-partial-write",
3099 },
3100 })
3101}
3102
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3103func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3104 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3105 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3106 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3107 cert, err := x509.ParseCertificate(cert.Certificate[0])
3108 if err != nil {
3109 panic(err)
3110 }
3111 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3112 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3113 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3114
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3115 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3116 testCases = append(testCases, testCase{
3117 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3118 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3119 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3120 MinVersion: ver.version,
3121 MaxVersion: ver.version,
3122 ClientAuth: RequireAnyClientCert,
3123 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3124 },
3125 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3126 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3127 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3128 },
3129 })
3130 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3131 testType: serverTest,
3132 name: ver.name + "-Server-ClientAuth-RSA",
3133 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3134 MinVersion: ver.version,
3135 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3136 Certificates: []Certificate{rsaCertificate},
3137 },
3138 flags: []string{"-require-any-client-certificate"},
3139 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3140 if ver.version != VersionSSL30 {
3141 testCases = append(testCases, testCase{
3142 testType: serverTest,
3143 name: ver.name + "-Server-ClientAuth-ECDSA",
3144 config: Config{
3145 MinVersion: ver.version,
3146 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3147 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3148 },
3149 flags: []string{"-require-any-client-certificate"},
3150 })
3151 testCases = append(testCases, testCase{
3152 testType: clientTest,
3153 name: ver.name + "-Client-ClientAuth-ECDSA",
3154 config: Config{
3155 MinVersion: ver.version,
3156 MaxVersion: ver.version,
3157 ClientAuth: RequireAnyClientCert,
3158 ClientCAs: certPool,
3159 },
3160 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3161 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3162 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3163 },
3164 })
3165 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3166
3167 testCases = append(testCases, testCase{
3168 name: "NoClientCertificate-" + ver.name,
3169 config: Config{
3170 MinVersion: ver.version,
3171 MaxVersion: ver.version,
3172 ClientAuth: RequireAnyClientCert,
3173 },
3174 shouldFail: true,
3175 expectedLocalError: "client didn't provide a certificate",
3176 })
3177
3178 testCases = append(testCases, testCase{
3179 // Even if not configured to expect a certificate, OpenSSL will
3180 // return X509_V_OK as the verify_result.
3181 testType: serverTest,
3182 name: "NoClientCertificateRequested-Server-" + ver.name,
3183 config: Config{
3184 MinVersion: ver.version,
3185 MaxVersion: ver.version,
3186 },
3187 flags: []string{
3188 "-expect-verify-result",
3189 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3190 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3191 })
3192
3193 testCases = append(testCases, testCase{
3194 // If a client certificate is not provided, OpenSSL will still
3195 // return X509_V_OK as the verify_result.
3196 testType: serverTest,
3197 name: "NoClientCertificate-Server-" + ver.name,
3198 config: Config{
3199 MinVersion: ver.version,
3200 MaxVersion: ver.version,
3201 },
3202 flags: []string{
3203 "-expect-verify-result",
3204 "-verify-peer",
3205 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3206 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3207 })
3208
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3209 certificateRequired := "remote error: certificate required"
3210 if ver.version < VersionTLS13 {
3211 // Prior to TLS 1.3, the generic handshake_failure alert
3212 // was used.
3213 certificateRequired = "remote error: handshake failure"
3214 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3215 testCases = append(testCases, testCase{
3216 testType: serverTest,
3217 name: "RequireAnyClientCertificate-" + ver.name,
3218 config: Config{
3219 MinVersion: ver.version,
3220 MaxVersion: ver.version,
3221 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3222 flags: []string{"-require-any-client-certificate"},
3223 shouldFail: true,
3224 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3225 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3226 })
3227
3228 if ver.version != VersionSSL30 {
3229 testCases = append(testCases, testCase{
3230 testType: serverTest,
3231 name: "SkipClientCertificate-" + ver.name,
3232 config: Config{
3233 MinVersion: ver.version,
3234 MaxVersion: ver.version,
3235 Bugs: ProtocolBugs{
3236 SkipClientCertificate: true,
3237 },
3238 },
3239 // Setting SSL_VERIFY_PEER allows anonymous clients.
3240 flags: []string{"-verify-peer"},
3241 shouldFail: true,
3242 expectedError: ":UNEXPECTED_MESSAGE:",
3243 })
3244 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3245
3246 testCases = append(testCases, testCase{
3247 testType: serverTest,
3248 name: ver.name + "-Server-CertReq-CA-List",
3249 config: Config{
3250 MinVersion: ver.version,
3251 MaxVersion: ver.version,
3252 Certificates: []Certificate{rsaCertificate},
3253 Bugs: ProtocolBugs{
3254 ExpectCertificateReqNames: caNames,
3255 },
3256 },
3257 flags: []string{
3258 "-require-any-client-certificate",
3259 "-use-client-ca-list", encodeDERValues(caNames),
3260 },
3261 })
3262
3263 testCases = append(testCases, testCase{
3264 testType: clientTest,
3265 name: ver.name + "-Client-CertReq-CA-List",
3266 config: Config{
3267 MinVersion: ver.version,
3268 MaxVersion: ver.version,
3269 Certificates: []Certificate{rsaCertificate},
3270 ClientAuth: RequireAnyClientCert,
3271 ClientCAs: certPool,
3272 },
3273 flags: []string{
3274 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3275 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3276 "-expect-client-ca-list", encodeDERValues(caNames),
3277 },
3278 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3279 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3280
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3281 // Client auth is only legal in certificate-based ciphers.
3282 testCases = append(testCases, testCase{
3283 testType: clientTest,
3284 name: "ClientAuth-PSK",
3285 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3286 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3287 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3288 PreSharedKey: []byte("secret"),
3289 ClientAuth: RequireAnyClientCert,
3290 },
3291 flags: []string{
3292 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3293 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3294 "-psk", "secret",
3295 },
3296 shouldFail: true,
3297 expectedError: ":UNEXPECTED_MESSAGE:",
3298 })
3299 testCases = append(testCases, testCase{
3300 testType: clientTest,
3301 name: "ClientAuth-ECDHE_PSK",
3302 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3303 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3304 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3305 PreSharedKey: []byte("secret"),
3306 ClientAuth: RequireAnyClientCert,
3307 },
3308 flags: []string{
3309 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3310 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3311 "-psk", "secret",
3312 },
3313 shouldFail: true,
3314 expectedError: ":UNEXPECTED_MESSAGE:",
3315 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3316
3317 // Regression test for a bug where the client CA list, if explicitly
3318 // set to NULL, was mis-encoded.
3319 testCases = append(testCases, testCase{
3320 testType: serverTest,
3321 name: "Null-Client-CA-List",
3322 config: Config{
3323 MaxVersion: VersionTLS12,
3324 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3325 Bugs: ProtocolBugs{
3326 ExpectCertificateReqNames: [][]byte{},
3327 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3328 },
3329 flags: []string{
3330 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3331 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3332 },
3333 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3334}
3335
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3336func addExtendedMasterSecretTests() {
3337 const expectEMSFlag = "-expect-extended-master-secret"
3338
3339 for _, with := range []bool{false, true} {
3340 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3341 if with {
3342 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3343 }
3344
3345 for _, isClient := range []bool{false, true} {
3346 suffix := "-Server"
3347 testType := serverTest
3348 if isClient {
3349 suffix = "-Client"
3350 testType = clientTest
3351 }
3352
3353 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3354 // In TLS 1.3, the extension is irrelevant and
3355 // always reports as enabled.
3356 var flags []string
3357 if with || ver.version >= VersionTLS13 {
3358 flags = []string{expectEMSFlag}
3359 }
3360
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3361 test := testCase{
3362 testType: testType,
3363 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3364 config: Config{
3365 MinVersion: ver.version,
3366 MaxVersion: ver.version,
3367 Bugs: ProtocolBugs{
3368 NoExtendedMasterSecret: !with,
3369 RequireExtendedMasterSecret: with,
3370 },
3371 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3372 flags: flags,
3373 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3374 }
3375 if test.shouldFail {
3376 test.expectedLocalError = "extended master secret required but not supported by peer"
3377 }
3378 testCases = append(testCases, test)
3379 }
3380 }
3381 }
3382
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3383 for _, isClient := range []bool{false, true} {
3384 for _, supportedInFirstConnection := range []bool{false, true} {
3385 for _, supportedInResumeConnection := range []bool{false, true} {
3386 boolToWord := func(b bool) string {
3387 if b {
3388 return "Yes"
3389 }
3390 return "No"
3391 }
3392 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3393 if isClient {
3394 suffix += "Client"
3395 } else {
3396 suffix += "Server"
3397 }
3398
3399 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3400 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3401 Bugs: ProtocolBugs{
3402 RequireExtendedMasterSecret: true,
3403 },
3404 }
3405
3406 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3407 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3408 Bugs: ProtocolBugs{
3409 NoExtendedMasterSecret: true,
3410 },
3411 }
3412
3413 test := testCase{
3414 name: "ExtendedMasterSecret-" + suffix,
3415 resumeSession: true,
3416 }
3417
3418 if !isClient {
3419 test.testType = serverTest
3420 }
3421
3422 if supportedInFirstConnection {
3423 test.config = supportedConfig
3424 } else {
3425 test.config = noSupportConfig
3426 }
3427
3428 if supportedInResumeConnection {
3429 test.resumeConfig = &supportedConfig
3430 } else {
3431 test.resumeConfig = &noSupportConfig
3432 }
3433
3434 switch suffix {
3435 case "YesToYes-Client", "YesToYes-Server":
3436 // When a session is resumed, it should
3437 // still be aware that its master
3438 // secret was generated via EMS and
3439 // thus it's safe to use tls-unique.
3440 test.flags = []string{expectEMSFlag}
3441 case "NoToYes-Server":
3442 // If an original connection did not
3443 // contain EMS, but a resumption
3444 // handshake does, then a server should
3445 // not resume the session.
3446 test.expectResumeRejected = true
3447 case "YesToNo-Server":
3448 // Resuming an EMS session without the
3449 // EMS extension should cause the
3450 // server to abort the connection.
3451 test.shouldFail = true
3452 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3453 case "NoToYes-Client":
3454 // A client should abort a connection
3455 // where the server resumed a non-EMS
3456 // session but echoed the EMS
3457 // extension.
3458 test.shouldFail = true
3459 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3460 case "YesToNo-Client":
3461 // A client should abort a connection
3462 // where the server didn't echo EMS
3463 // when the session used it.
3464 test.shouldFail = true
3465 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3466 }
3467
3468 testCases = append(testCases, test)
3469 }
3470 }
3471 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3472
3473 // Switching EMS on renegotiation is forbidden.
3474 testCases = append(testCases, testCase{
3475 name: "ExtendedMasterSecret-Renego-NoEMS",
3476 config: Config{
3477 MaxVersion: VersionTLS12,
3478 Bugs: ProtocolBugs{
3479 NoExtendedMasterSecret: true,
3480 NoExtendedMasterSecretOnRenegotiation: true,
3481 },
3482 },
3483 renegotiate: 1,
3484 flags: []string{
3485 "-renegotiate-freely",
3486 "-expect-total-renegotiations", "1",
3487 },
3488 })
3489
3490 testCases = append(testCases, testCase{
3491 name: "ExtendedMasterSecret-Renego-Upgrade",
3492 config: Config{
3493 MaxVersion: VersionTLS12,
3494 Bugs: ProtocolBugs{
3495 NoExtendedMasterSecret: true,
3496 },
3497 },
3498 renegotiate: 1,
3499 flags: []string{
3500 "-renegotiate-freely",
3501 "-expect-total-renegotiations", "1",
3502 },
3503 shouldFail: true,
3504 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3505 })
3506
3507 testCases = append(testCases, testCase{
3508 name: "ExtendedMasterSecret-Renego-Downgrade",
3509 config: Config{
3510 MaxVersion: VersionTLS12,
3511 Bugs: ProtocolBugs{
3512 NoExtendedMasterSecretOnRenegotiation: true,
3513 },
3514 },
3515 renegotiate: 1,
3516 flags: []string{
3517 "-renegotiate-freely",
3518 "-expect-total-renegotiations", "1",
3519 },
3520 shouldFail: true,
3521 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3522 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3523}
3524
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3525type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3526 protocol protocol
3527 async bool
3528 splitHandshake bool
3529 packHandshakeFlight bool
3530 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3531}
3532
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3533// Adds tests that try to cover the range of the handshake state machine, under
3534// various conditions. Some of these are redundant with other tests, but they
3535// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3536func addAllStateMachineCoverageTests() {
3537 for _, async := range []bool{false, true} {
3538 for _, protocol := range []protocol{tls, dtls} {
3539 addStateMachineCoverageTests(stateMachineTestConfig{
3540 protocol: protocol,
3541 async: async,
3542 })
3543 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3544 protocol: protocol,
3545 async: async,
3546 implicitHandshake: true,
3547 })
3548 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3549 protocol: protocol,
3550 async: async,
3551 splitHandshake: true,
3552 })
3553 if protocol == tls {
3554 addStateMachineCoverageTests(stateMachineTestConfig{
3555 protocol: protocol,
3556 async: async,
3557 packHandshakeFlight: true,
3558 })
3559 }
3560 }
3561 }
3562}
3563
3564func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3565 var tests []testCase
3566
3567 // Basic handshake, with resumption. Client and server,
3568 // session ID and session ticket.
3569 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3570 name: "Basic-Client",
3571 config: Config{
3572 MaxVersion: VersionTLS12,
3573 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3574 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3575 // Ensure session tickets are used, not session IDs.
3576 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3577 })
3578 tests = append(tests, testCase{
3579 name: "Basic-Client-RenewTicket",
3580 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3581 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3582 Bugs: ProtocolBugs{
3583 RenewTicketOnResume: true,
3584 },
3585 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3586 flags: []string{"-expect-ticket-renewal"},
3587 resumeSession: true,
3588 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3589 })
3590 tests = append(tests, testCase{
3591 name: "Basic-Client-NoTicket",
3592 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3593 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3594 SessionTicketsDisabled: true,
3595 },
3596 resumeSession: true,
3597 })
3598 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3599 testType: serverTest,
3600 name: "Basic-Server",
3601 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3602 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3603 Bugs: ProtocolBugs{
3604 RequireSessionTickets: true,
3605 },
3606 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3607 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3608 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3609 })
3610 tests = append(tests, testCase{
3611 testType: serverTest,
3612 name: "Basic-Server-NoTickets",
3613 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3614 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3615 SessionTicketsDisabled: true,
3616 },
3617 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3618 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3619 })
3620 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3621 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3622 name: "Basic-Server-EarlyCallback",
3623 config: Config{
3624 MaxVersion: VersionTLS12,
3625 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3626 flags: []string{"-use-early-callback"},
3627 resumeSession: true,
3628 })
3629
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3630 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3631 if config.protocol == tls {
3632 tests = append(tests, testCase{
3633 name: "TLS13-1RTT-Client",
3634 config: Config{
3635 MaxVersion: VersionTLS13,
3636 MinVersion: VersionTLS13,
3637 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3638 resumeSession: true,
3639 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3640 })
3641
3642 tests = append(tests, testCase{
3643 testType: serverTest,
3644 name: "TLS13-1RTT-Server",
3645 config: Config{
3646 MaxVersion: VersionTLS13,
3647 MinVersion: VersionTLS13,
3648 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3649 resumeSession: true,
3650 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3651 // TLS 1.3 uses tickets, so the session should not be
3652 // cached statefully.
3653 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3654 })
3655
3656 tests = append(tests, testCase{
3657 name: "TLS13-HelloRetryRequest-Client",
3658 config: Config{
3659 MaxVersion: VersionTLS13,
3660 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3661 // P-384 requires a HelloRetryRequest against BoringSSL's default
3662 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3663 CurvePreferences: []CurveID{CurveP384},
3664 Bugs: ProtocolBugs{
3665 ExpectMissingKeyShare: true,
3666 },
3667 },
3668 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3669 resumeSession: true,
3670 })
3671
3672 tests = append(tests, testCase{
3673 testType: serverTest,
3674 name: "TLS13-HelloRetryRequest-Server",
3675 config: Config{
3676 MaxVersion: VersionTLS13,
3677 MinVersion: VersionTLS13,
3678 // Require a HelloRetryRequest for every curve.
3679 DefaultCurves: []CurveID{},
3680 },
3681 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3682 resumeSession: true,
3683 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3684
3685 // TODO(svaldez): Send data on early data once implemented.
3686 tests = append(tests, testCase{
3687 testType: clientTest,
3688 name: "TLS13-EarlyData-Client",
3689 config: Config{
3690 MaxVersion: VersionTLS13,
3691 MinVersion: VersionTLS13,
3692 MaxEarlyDataSize: 16384,
3693 },
3694 resumeSession: true,
3695 flags: []string{
3696 "-enable-early-data",
3697 "-expect-early-data-info",
3698 "-expect-accept-early-data",
3699 },
3700 })
3701
3702 tests = append(tests, testCase{
3703 testType: serverTest,
3704 name: "TLS13-EarlyData-Server",
3705 config: Config{
3706 MaxVersion: VersionTLS13,
3707 MinVersion: VersionTLS13,
3708 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3709 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3710 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3711 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3712 },
3713 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3714 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3715 resumeSession: true,
3716 flags: []string{
3717 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3718 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3719 },
3720 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3721 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3722
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3723 // TLS client auth.
3724 tests = append(tests, testCase{
3725 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3726 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3727 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3728 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3729 ClientAuth: RequestClientCert,
3730 },
3731 })
3732 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3733 testType: serverTest,
3734 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3735 config: Config{
3736 MaxVersion: VersionTLS12,
3737 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3738 // Setting SSL_VERIFY_PEER allows anonymous clients.
3739 flags: []string{"-verify-peer"},
3740 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3741 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3742 tests = append(tests, testCase{
3743 testType: clientTest,
3744 name: "ClientAuth-NoCertificate-Client-SSL3",
3745 config: Config{
3746 MaxVersion: VersionSSL30,
3747 ClientAuth: RequestClientCert,
3748 },
3749 })
3750 tests = append(tests, testCase{
3751 testType: serverTest,
3752 name: "ClientAuth-NoCertificate-Server-SSL3",
3753 config: Config{
3754 MaxVersion: VersionSSL30,
3755 },
3756 // Setting SSL_VERIFY_PEER allows anonymous clients.
3757 flags: []string{"-verify-peer"},
3758 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3759 tests = append(tests, testCase{
3760 testType: clientTest,
3761 name: "ClientAuth-NoCertificate-Client-TLS13",
3762 config: Config{
3763 MaxVersion: VersionTLS13,
3764 ClientAuth: RequestClientCert,
3765 },
3766 })
3767 tests = append(tests, testCase{
3768 testType: serverTest,
3769 name: "ClientAuth-NoCertificate-Server-TLS13",
3770 config: Config{
3771 MaxVersion: VersionTLS13,
3772 },
3773 // Setting SSL_VERIFY_PEER allows anonymous clients.
3774 flags: []string{"-verify-peer"},
3775 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3776 }
3777 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3778 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3779 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3780 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3781 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3782 ClientAuth: RequireAnyClientCert,
3783 },
3784 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3785 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3786 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3787 },
3788 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3789 tests = append(tests, testCase{
3790 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3791 name: "ClientAuth-RSA-Client-TLS13",
3792 config: Config{
3793 MaxVersion: VersionTLS13,
3794 ClientAuth: RequireAnyClientCert,
3795 },
3796 flags: []string{
3797 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3798 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3799 },
3800 })
3801 tests = append(tests, testCase{
3802 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3803 name: "ClientAuth-ECDSA-Client",
3804 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3805 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3806 ClientAuth: RequireAnyClientCert,
3807 },
3808 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3809 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3810 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3811 },
3812 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3813 tests = append(tests, testCase{
3814 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3815 name: "ClientAuth-ECDSA-Client-TLS13",
3816 config: Config{
3817 MaxVersion: VersionTLS13,
3818 ClientAuth: RequireAnyClientCert,
3819 },
3820 flags: []string{
3821 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3822 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3823 },
3824 })
3825 tests = append(tests, testCase{
3826 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3827 name: "ClientAuth-NoCertificate-OldCallback",
3828 config: Config{
3829 MaxVersion: VersionTLS12,
3830 ClientAuth: RequestClientCert,
3831 },
3832 flags: []string{"-use-old-client-cert-callback"},
3833 })
3834 tests = append(tests, testCase{
3835 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3836 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3837 config: Config{
3838 MaxVersion: VersionTLS13,
3839 ClientAuth: RequestClientCert,
3840 },
3841 flags: []string{"-use-old-client-cert-callback"},
3842 })
3843 tests = append(tests, testCase{
3844 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3845 name: "ClientAuth-OldCallback",
3846 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3847 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3848 ClientAuth: RequireAnyClientCert,
3849 },
3850 flags: []string{
3851 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3852 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3853 "-use-old-client-cert-callback",
3854 },
3855 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3856 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3857 testType: clientTest,
3858 name: "ClientAuth-OldCallback-TLS13",
3859 config: Config{
3860 MaxVersion: VersionTLS13,
3861 ClientAuth: RequireAnyClientCert,
3862 },
3863 flags: []string{
3864 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3865 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3866 "-use-old-client-cert-callback",
3867 },
3868 })
3869 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3870 testType: serverTest,
3871 name: "ClientAuth-Server",
3872 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3873 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3874 Certificates: []Certificate{rsaCertificate},
3875 },
3876 flags: []string{"-require-any-client-certificate"},
3877 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3878 tests = append(tests, testCase{
3879 testType: serverTest,
3880 name: "ClientAuth-Server-TLS13",
3881 config: Config{
3882 MaxVersion: VersionTLS13,
3883 Certificates: []Certificate{rsaCertificate},
3884 },
3885 flags: []string{"-require-any-client-certificate"},
3886 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3887
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3888 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3889 tests = append(tests, testCase{
3890 testType: serverTest,
3891 name: "Basic-Server-RSA",
3892 config: Config{
3893 MaxVersion: VersionTLS12,
3894 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3895 },
3896 flags: []string{
3897 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3898 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3899 },
3900 })
3901 tests = append(tests, testCase{
3902 testType: serverTest,
3903 name: "Basic-Server-ECDHE-RSA",
3904 config: Config{
3905 MaxVersion: VersionTLS12,
3906 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3907 },
3908 flags: []string{
3909 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3910 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3911 },
3912 })
3913 tests = append(tests, testCase{
3914 testType: serverTest,
3915 name: "Basic-Server-ECDHE-ECDSA",
3916 config: Config{
3917 MaxVersion: VersionTLS12,
3918 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3919 },
3920 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3921 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3922 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3923 },
3924 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3925 tests = append(tests, testCase{
3926 testType: serverTest,
3927 name: "Basic-Server-Ed25519",
3928 config: Config{
3929 MaxVersion: VersionTLS12,
3930 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3931 },
3932 flags: []string{
3933 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3934 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3935 "-enable-ed25519",
3936 },
3937 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3938
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3939 // No session ticket support; server doesn't send NewSessionTicket.
3940 tests = append(tests, testCase{
3941 name: "SessionTicketsDisabled-Client",
3942 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3943 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3944 SessionTicketsDisabled: true,
3945 },
3946 })
3947 tests = append(tests, testCase{
3948 testType: serverTest,
3949 name: "SessionTicketsDisabled-Server",
3950 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3951 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3952 SessionTicketsDisabled: true,
3953 },
3954 })
3955
3956 // Skip ServerKeyExchange in PSK key exchange if there's no
3957 // identity hint.
3958 tests = append(tests, testCase{
3959 name: "EmptyPSKHint-Client",
3960 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3961 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3962 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3963 PreSharedKey: []byte("secret"),
3964 },
3965 flags: []string{"-psk", "secret"},
3966 })
3967 tests = append(tests, testCase{
3968 testType: serverTest,
3969 name: "EmptyPSKHint-Server",
3970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3971 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3972 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3973 PreSharedKey: []byte("secret"),
3974 },
3975 flags: []string{"-psk", "secret"},
3976 })
3977
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3978 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3979 tests = append(tests, testCase{
3980 testType: clientTest,
3981 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3982 config: Config{
3983 MaxVersion: VersionTLS12,
3984 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3985 flags: []string{
3986 "-enable-ocsp-stapling",
3987 "-expect-ocsp-response",
3988 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3989 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3990 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3991 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3992 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3993 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3994 testType: serverTest,
3995 name: "OCSPStapling-Server",
3996 config: Config{
3997 MaxVersion: VersionTLS12,
3998 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3999 expectedOCSPResponse: testOCSPResponse,
4000 flags: []string{
4001 "-ocsp-response",
4002 base64.StdEncoding.EncodeToString(testOCSPResponse),
4003 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]4004 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4005 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4006 tests = append(tests, testCase{
4007 testType: clientTest,
4008 name: "OCSPStapling-Client-TLS13",
4009 config: Config{
4010 MaxVersion: VersionTLS13,
4011 },
4012 flags: []string{
4013 "-enable-ocsp-stapling",
4014 "-expect-ocsp-response",
4015 base64.StdEncoding.EncodeToString(testOCSPResponse),
4016 "-verify-peer",
4017 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4018 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4019 })
4020 tests = append(tests, testCase{
4021 testType: serverTest,
4022 name: "OCSPStapling-Server-TLS13",
4023 config: Config{
4024 MaxVersion: VersionTLS13,
4025 },
4026 expectedOCSPResponse: testOCSPResponse,
4027 flags: []string{
4028 "-ocsp-response",
4029 base64.StdEncoding.EncodeToString(testOCSPResponse),
4030 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4031 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4032 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4033
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4034 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4035 for _, vers := range tlsVersions {
4036 if config.protocol == dtls && !vers.hasDTLS {
4037 continue
4038 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4039 for _, testType := range []testType{clientTest, serverTest} {
4040 suffix := "-Client"
4041 if testType == serverTest {
4042 suffix = "-Server"
4043 }
4044 suffix += "-" + vers.name
4045
4046 flag := "-verify-peer"
4047 if testType == serverTest {
4048 flag = "-require-any-client-certificate"
4049 }
4050
4051 tests = append(tests, testCase{
4052 testType: testType,
4053 name: "CertificateVerificationSucceed" + suffix,
4054 config: Config{
4055 MaxVersion: vers.version,
4056 Certificates: []Certificate{rsaCertificate},
4057 },
4058 flags: []string{
4059 flag,
4060 "-expect-verify-result",
4061 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4062 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4063 })
4064 tests = append(tests, testCase{
4065 testType: testType,
4066 name: "CertificateVerificationFail" + suffix,
4067 config: Config{
4068 MaxVersion: vers.version,
4069 Certificates: []Certificate{rsaCertificate},
4070 },
4071 flags: []string{
4072 flag,
4073 "-verify-fail",
4074 },
4075 shouldFail: true,
4076 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4077 })
4078 }
4079
4080 // By default, the client is in a soft fail mode where the peer
4081 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4082 tests = append(tests, testCase{
4083 testType: clientTest,
4084 name: "CertificateVerificationSoftFail-" + vers.name,
4085 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4086 MaxVersion: vers.version,
4087 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4088 },
4089 flags: []string{
4090 "-verify-fail",
4091 "-expect-verify-result",
4092 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4093 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4094 })
4095 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4096
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4097 tests = append(tests, testCase{
4098 name: "ShimSendAlert",
4099 flags: []string{"-send-alert"},
4100 shimWritesFirst: true,
4101 shouldFail: true,
4102 expectedLocalError: "remote error: decompression failure",
4103 })
4104
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4105 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4106 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4107 name: "Renegotiate-Client",
4108 config: Config{
4109 MaxVersion: VersionTLS12,
4110 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4111 renegotiate: 1,
4112 flags: []string{
4113 "-renegotiate-freely",
4114 "-expect-total-renegotiations", "1",
4115 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4116 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4117
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4118 tests = append(tests, testCase{
4119 name: "SendHalfHelloRequest",
4120 config: Config{
4121 MaxVersion: VersionTLS12,
4122 Bugs: ProtocolBugs{
4123 PackHelloRequestWithFinished: config.packHandshakeFlight,
4124 },
4125 },
4126 sendHalfHelloRequest: true,
4127 flags: []string{"-renegotiate-ignore"},
4128 shouldFail: true,
4129 expectedError: ":UNEXPECTED_RECORD:",
4130 })
4131
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4132 // NPN on client and server; results in post-handshake message.
4133 tests = append(tests, testCase{
4134 name: "NPN-Client",
4135 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4136 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4137 NextProtos: []string{"foo"},
4138 },
4139 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4140 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4141 expectedNextProto: "foo",
4142 expectedNextProtoType: npn,
4143 })
4144 tests = append(tests, testCase{
4145 testType: serverTest,
4146 name: "NPN-Server",
4147 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4148 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4149 NextProtos: []string{"bar"},
4150 },
4151 flags: []string{
4152 "-advertise-npn", "\x03foo\x03bar\x03baz",
4153 "-expect-next-proto", "bar",
4154 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4155 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4156 expectedNextProto: "bar",
4157 expectedNextProtoType: npn,
4158 })
4159
4160 // TODO(davidben): Add tests for when False Start doesn't trigger.
4161
4162 // Client does False Start and negotiates NPN.
4163 tests = append(tests, testCase{
4164 name: "FalseStart",
4165 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4166 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4167 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4168 NextProtos: []string{"foo"},
4169 Bugs: ProtocolBugs{
4170 ExpectFalseStart: true,
4171 },
4172 },
4173 flags: []string{
4174 "-false-start",
4175 "-select-next-proto", "foo",
4176 },
4177 shimWritesFirst: true,
4178 resumeSession: true,
4179 })
4180
4181 // Client does False Start and negotiates ALPN.
4182 tests = append(tests, testCase{
4183 name: "FalseStart-ALPN",
4184 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4185 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4186 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4187 NextProtos: []string{"foo"},
4188 Bugs: ProtocolBugs{
4189 ExpectFalseStart: true,
4190 },
4191 },
4192 flags: []string{
4193 "-false-start",
4194 "-advertise-alpn", "\x03foo",
4195 },
4196 shimWritesFirst: true,
4197 resumeSession: true,
4198 })
4199
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4200 // False Start without session tickets.
4201 tests = append(tests, testCase{
4202 name: "FalseStart-SessionTicketsDisabled",
4203 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4204 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4205 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4206 NextProtos: []string{"foo"},
4207 SessionTicketsDisabled: true,
4208 Bugs: ProtocolBugs{
4209 ExpectFalseStart: true,
4210 },
4211 },
4212 flags: []string{
4213 "-false-start",
4214 "-select-next-proto", "foo",
4215 },
4216 shimWritesFirst: true,
4217 })
4218
4219 // Server parses a V2ClientHello.
4220 tests = append(tests, testCase{
4221 testType: serverTest,
4222 name: "SendV2ClientHello",
4223 config: Config{
4224 // Choose a cipher suite that does not involve
4225 // elliptic curves, so no extensions are
4226 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4227 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4228 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4229 Bugs: ProtocolBugs{
4230 SendV2ClientHello: true,
4231 },
4232 },
4233 })
4234
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4235 // Test Channel ID
4236 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4237 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4238 continue
4239 }
4240 // Client sends a Channel ID.
4241 tests = append(tests, testCase{
4242 name: "ChannelID-Client-" + ver.name,
4243 config: Config{
4244 MaxVersion: ver.version,
4245 RequestChannelID: true,
4246 },
4247 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4248 resumeSession: true,
4249 expectChannelID: true,
4250 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4251
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4252 // Server accepts a Channel ID.
4253 tests = append(tests, testCase{
4254 testType: serverTest,
4255 name: "ChannelID-Server-" + ver.name,
4256 config: Config{
4257 MaxVersion: ver.version,
4258 ChannelID: channelIDKey,
4259 },
4260 flags: []string{
4261 "-expect-channel-id",
4262 base64.StdEncoding.EncodeToString(channelIDBytes),
4263 },
4264 resumeSession: true,
4265 expectChannelID: true,
4266 })
4267
4268 tests = append(tests, testCase{
4269 testType: serverTest,
4270 name: "InvalidChannelIDSignature-" + ver.name,
4271 config: Config{
4272 MaxVersion: ver.version,
4273 ChannelID: channelIDKey,
4274 Bugs: ProtocolBugs{
4275 InvalidChannelIDSignature: true,
4276 },
4277 },
4278 flags: []string{"-enable-channel-id"},
4279 shouldFail: true,
4280 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4281 })
4282 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4283
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4284 // Channel ID and NPN at the same time, to ensure their relative
4285 // ordering is correct.
4286 tests = append(tests, testCase{
4287 name: "ChannelID-NPN-Client",
4288 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4289 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4290 RequestChannelID: true,
4291 NextProtos: []string{"foo"},
4292 },
4293 flags: []string{
4294 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4295 "-select-next-proto", "foo",
4296 },
4297 resumeSession: true,
4298 expectChannelID: true,
4299 expectedNextProto: "foo",
4300 expectedNextProtoType: npn,
4301 })
4302 tests = append(tests, testCase{
4303 testType: serverTest,
4304 name: "ChannelID-NPN-Server",
4305 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4306 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4307 ChannelID: channelIDKey,
4308 NextProtos: []string{"bar"},
4309 },
4310 flags: []string{
4311 "-expect-channel-id",
4312 base64.StdEncoding.EncodeToString(channelIDBytes),
4313 "-advertise-npn", "\x03foo\x03bar\x03baz",
4314 "-expect-next-proto", "bar",
4315 },
4316 resumeSession: true,
4317 expectChannelID: true,
4318 expectedNextProto: "bar",
4319 expectedNextProtoType: npn,
4320 })
4321
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4322 // Bidirectional shutdown with the runner initiating.
4323 tests = append(tests, testCase{
4324 name: "Shutdown-Runner",
4325 config: Config{
4326 Bugs: ProtocolBugs{
4327 ExpectCloseNotify: true,
4328 },
4329 },
4330 flags: []string{"-check-close-notify"},
4331 })
4332
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4333 if !config.implicitHandshake {
4334 // Bidirectional shutdown with the shim initiating. The runner,
4335 // in the meantime, sends garbage before the close_notify which
4336 // the shim must ignore. This test is disabled under implicit
4337 // handshake tests because the shim never reads or writes.
4338 tests = append(tests, testCase{
4339 name: "Shutdown-Shim",
4340 config: Config{
4341 MaxVersion: VersionTLS12,
4342 Bugs: ProtocolBugs{
4343 ExpectCloseNotify: true,
4344 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4345 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4346 shimShutsDown: true,
4347 sendEmptyRecords: 1,
4348 sendWarningAlerts: 1,
4349 flags: []string{"-check-close-notify"},
4350 })
4351 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4352 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4353 // TODO(davidben): DTLS 1.3 will want a similar thing for
4354 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4355 tests = append(tests, testCase{
4356 name: "SkipHelloVerifyRequest",
4357 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4358 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4359 Bugs: ProtocolBugs{
4360 SkipHelloVerifyRequest: true,
4361 },
4362 },
4363 })
4364 }
4365
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4366 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4367 test.protocol = config.protocol
4368 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4369 test.name += "-DTLS"
4370 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4371 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4372 test.name += "-Async"
4373 test.flags = append(test.flags, "-async")
4374 } else {
4375 test.name += "-Sync"
4376 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4377 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4378 test.name += "-SplitHandshakeRecords"
4379 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4380 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4381 test.config.Bugs.MaxPacketLength = 256
4382 test.flags = append(test.flags, "-mtu", "256")
4383 }
4384 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4385 if config.packHandshakeFlight {
4386 test.name += "-PackHandshakeFlight"
4387 test.config.Bugs.PackHandshakeFlight = true
4388 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4389 if config.implicitHandshake {
4390 test.name += "-ImplicitHandshake"
4391 test.flags = append(test.flags, "-implicit-handshake")
4392 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4393 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4394 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4395}
4396
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4397func addDDoSCallbackTests() {
4398 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4399 for _, resume := range []bool{false, true} {
4400 suffix := "Resume"
4401 if resume {
4402 suffix = "No" + suffix
4403 }
4404
4405 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4406 testType: serverTest,
4407 name: "Server-DDoS-OK-" + suffix,
4408 config: Config{
4409 MaxVersion: VersionTLS12,
4410 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4411 flags: []string{"-install-ddos-callback"},
4412 resumeSession: resume,
4413 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4414 testCases = append(testCases, testCase{
4415 testType: serverTest,
4416 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4417 config: Config{
4418 MaxVersion: VersionTLS13,
4419 },
4420 flags: []string{"-install-ddos-callback"},
4421 resumeSession: resume,
4422 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4423
4424 failFlag := "-fail-ddos-callback"
4425 if resume {
4426 failFlag = "-fail-second-ddos-callback"
4427 }
4428 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4429 testType: serverTest,
4430 name: "Server-DDoS-Reject-" + suffix,
4431 config: Config{
4432 MaxVersion: VersionTLS12,
4433 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4434 flags: []string{"-install-ddos-callback", failFlag},
4435 resumeSession: resume,
4436 shouldFail: true,
4437 expectedError: ":CONNECTION_REJECTED:",
4438 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4439 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4440 testCases = append(testCases, testCase{
4441 testType: serverTest,
4442 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4443 config: Config{
4444 MaxVersion: VersionTLS13,
4445 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4446 flags: []string{"-install-ddos-callback", failFlag},
4447 resumeSession: resume,
4448 shouldFail: true,
4449 expectedError: ":CONNECTION_REJECTED:",
4450 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4451 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4452 }
4453}
4454
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4455func addVersionNegotiationTests() {
4456 for i, shimVers := range tlsVersions {
4457 // Assemble flags to disable all newer versions on the shim.
4458 var flags []string
4459 for _, vers := range tlsVersions[i+1:] {
4460 flags = append(flags, vers.flag)
4461 }
4462
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4463 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4464 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4465 protocols := []protocol{tls}
4466 if runnerVers.hasDTLS && shimVers.hasDTLS {
4467 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4468 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4469 for _, protocol := range protocols {
4470 expectedVersion := shimVers.version
4471 if runnerVers.version < shimVers.version {
4472 expectedVersion = runnerVers.version
4473 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4474
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4475 suffix := shimVers.name + "-" + runnerVers.name
4476 if protocol == dtls {
4477 suffix += "-DTLS"
4478 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4479
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4480 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4481
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4482 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4483 clientVers := shimVers.version
4484 if clientVers > VersionTLS10 {
4485 clientVers = VersionTLS10
4486 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4487 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4488 serverVers := expectedVersion
4489 if expectedVersion >= VersionTLS13 {
4490 serverVers = VersionTLS10
4491 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4492 serverVers = versionToWire(serverVers, protocol == dtls)
4493
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4494 testCases = append(testCases, testCase{
4495 protocol: protocol,
4496 testType: clientTest,
4497 name: "VersionNegotiation-Client-" + suffix,
4498 config: Config{
4499 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4500 Bugs: ProtocolBugs{
4501 ExpectInitialRecordVersion: clientVers,
4502 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4503 },
4504 flags: flags,
4505 expectedVersion: expectedVersion,
4506 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4507 testCases = append(testCases, testCase{
4508 protocol: protocol,
4509 testType: clientTest,
4510 name: "VersionNegotiation-Client2-" + suffix,
4511 config: Config{
4512 MaxVersion: runnerVers.version,
4513 Bugs: ProtocolBugs{
4514 ExpectInitialRecordVersion: clientVers,
4515 },
4516 },
4517 flags: []string{"-max-version", shimVersFlag},
4518 expectedVersion: expectedVersion,
4519 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4520
4521 testCases = append(testCases, testCase{
4522 protocol: protocol,
4523 testType: serverTest,
4524 name: "VersionNegotiation-Server-" + suffix,
4525 config: Config{
4526 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4527 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4528 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4529 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4530 },
4531 flags: flags,
4532 expectedVersion: expectedVersion,
4533 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4534 testCases = append(testCases, testCase{
4535 protocol: protocol,
4536 testType: serverTest,
4537 name: "VersionNegotiation-Server2-" + suffix,
4538 config: Config{
4539 MaxVersion: runnerVers.version,
4540 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4541 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4542 },
4543 },
4544 flags: []string{"-max-version", shimVersFlag},
4545 expectedVersion: expectedVersion,
4546 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4547 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4548 }
4549 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4550
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4551 // Test the version extension at all versions.
4552 for _, vers := range tlsVersions {
4553 protocols := []protocol{tls}
4554 if vers.hasDTLS {
4555 protocols = append(protocols, dtls)
4556 }
4557 for _, protocol := range protocols {
4558 suffix := vers.name
4559 if protocol == dtls {
4560 suffix += "-DTLS"
4561 }
4562
4563 wireVersion := versionToWire(vers.version, protocol == dtls)
4564 testCases = append(testCases, testCase{
4565 protocol: protocol,
4566 testType: serverTest,
4567 name: "VersionNegotiationExtension-" + suffix,
4568 config: Config{
4569 Bugs: ProtocolBugs{
4570 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4571 },
4572 },
4573 expectedVersion: vers.version,
4574 })
4575 }
4576
4577 }
4578
4579 // If all versions are unknown, negotiation fails.
4580 testCases = append(testCases, testCase{
4581 testType: serverTest,
4582 name: "NoSupportedVersions",
4583 config: Config{
4584 Bugs: ProtocolBugs{
4585 SendSupportedVersions: []uint16{0x1111},
4586 },
4587 },
4588 shouldFail: true,
4589 expectedError: ":UNSUPPORTED_PROTOCOL:",
4590 })
4591 testCases = append(testCases, testCase{
4592 protocol: dtls,
4593 testType: serverTest,
4594 name: "NoSupportedVersions-DTLS",
4595 config: Config{
4596 Bugs: ProtocolBugs{
4597 SendSupportedVersions: []uint16{0x1111},
4598 },
4599 },
4600 shouldFail: true,
4601 expectedError: ":UNSUPPORTED_PROTOCOL:",
4602 })
4603
4604 testCases = append(testCases, testCase{
4605 testType: serverTest,
4606 name: "ClientHelloVersionTooHigh",
4607 config: Config{
4608 MaxVersion: VersionTLS13,
4609 Bugs: ProtocolBugs{
4610 SendClientVersion: 0x0304,
4611 OmitSupportedVersions: true,
4612 },
4613 },
4614 expectedVersion: VersionTLS12,
4615 })
4616
4617 testCases = append(testCases, testCase{
4618 testType: serverTest,
4619 name: "ConflictingVersionNegotiation",
4620 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4621 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4622 SendClientVersion: VersionTLS12,
4623 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4624 },
4625 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4626 // The extension takes precedence over the ClientHello version.
4627 expectedVersion: VersionTLS11,
4628 })
4629
4630 testCases = append(testCases, testCase{
4631 testType: serverTest,
4632 name: "ConflictingVersionNegotiation-2",
4633 config: Config{
4634 Bugs: ProtocolBugs{
4635 SendClientVersion: VersionTLS11,
4636 SendSupportedVersions: []uint16{VersionTLS12},
4637 },
4638 },
4639 // The extension takes precedence over the ClientHello version.
4640 expectedVersion: VersionTLS12,
4641 })
4642
4643 testCases = append(testCases, testCase{
4644 testType: serverTest,
4645 name: "RejectFinalTLS13",
4646 config: Config{
4647 Bugs: ProtocolBugs{
4648 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4649 },
4650 },
4651 // We currently implement a draft TLS 1.3 version. Ensure that
4652 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4653 expectedVersion: VersionTLS12,
4654 })
4655
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4656 // Test that the maximum version is selected regardless of the
4657 // client-sent order.
4658 testCases = append(testCases, testCase{
4659 testType: serverTest,
4660 name: "IgnoreClientVersionOrder",
4661 config: Config{
4662 Bugs: ProtocolBugs{
4663 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4664 },
4665 },
4666 expectedVersion: VersionTLS13,
4667 })
4668
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4669 // Test for version tolerance.
4670 testCases = append(testCases, testCase{
4671 testType: serverTest,
4672 name: "MinorVersionTolerance",
4673 config: Config{
4674 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4675 SendClientVersion: 0x03ff,
4676 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4677 },
4678 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4679 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4680 })
4681 testCases = append(testCases, testCase{
4682 testType: serverTest,
4683 name: "MajorVersionTolerance",
4684 config: Config{
4685 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4686 SendClientVersion: 0x0400,
4687 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4688 },
4689 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4690 // TLS 1.3 must be negotiated with the supported_versions
4691 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4692 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4693 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4694 testCases = append(testCases, testCase{
4695 testType: serverTest,
4696 name: "VersionTolerance-TLS13",
4697 config: Config{
4698 Bugs: ProtocolBugs{
4699 // Although TLS 1.3 does not use
4700 // ClientHello.version, it still tolerates high
4701 // values there.
4702 SendClientVersion: 0x0400,
4703 },
4704 },
4705 expectedVersion: VersionTLS13,
4706 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4707
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4708 testCases = append(testCases, testCase{
4709 protocol: dtls,
4710 testType: serverTest,
4711 name: "MinorVersionTolerance-DTLS",
4712 config: Config{
4713 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4714 SendClientVersion: 0xfe00,
4715 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4716 },
4717 },
4718 expectedVersion: VersionTLS12,
4719 })
4720 testCases = append(testCases, testCase{
4721 protocol: dtls,
4722 testType: serverTest,
4723 name: "MajorVersionTolerance-DTLS",
4724 config: Config{
4725 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4726 SendClientVersion: 0xfdff,
4727 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4728 },
4729 },
4730 expectedVersion: VersionTLS12,
4731 })
4732
4733 // Test that versions below 3.0 are rejected.
4734 testCases = append(testCases, testCase{
4735 testType: serverTest,
4736 name: "VersionTooLow",
4737 config: Config{
4738 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4739 SendClientVersion: 0x0200,
4740 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4741 },
4742 },
4743 shouldFail: true,
4744 expectedError: ":UNSUPPORTED_PROTOCOL:",
4745 })
4746 testCases = append(testCases, testCase{
4747 protocol: dtls,
4748 testType: serverTest,
4749 name: "VersionTooLow-DTLS",
4750 config: Config{
4751 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4752 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4753 },
4754 },
4755 shouldFail: true,
4756 expectedError: ":UNSUPPORTED_PROTOCOL:",
4757 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4758
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4759 testCases = append(testCases, testCase{
4760 name: "ServerBogusVersion",
4761 config: Config{
4762 Bugs: ProtocolBugs{
4763 SendServerHelloVersion: 0x1234,
4764 },
4765 },
4766 shouldFail: true,
4767 expectedError: ":UNSUPPORTED_PROTOCOL:",
4768 })
4769
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4770 // Test TLS 1.3's downgrade signal.
4771 testCases = append(testCases, testCase{
4772 name: "Downgrade-TLS12-Client",
4773 config: Config{
4774 Bugs: ProtocolBugs{
4775 NegotiateVersion: VersionTLS12,
4776 },
4777 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4778 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4779 // TODO(davidben): This test should fail once TLS 1.3 is final
4780 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4781 })
4782 testCases = append(testCases, testCase{
4783 testType: serverTest,
4784 name: "Downgrade-TLS12-Server",
4785 config: Config{
4786 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4787 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4788 },
4789 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4790 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4791 // TODO(davidben): This test should fail once TLS 1.3 is final
4792 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4793 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4794}
4795
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4796func addMinimumVersionTests() {
4797 for i, shimVers := range tlsVersions {
4798 // Assemble flags to disable all older versions on the shim.
4799 var flags []string
4800 for _, vers := range tlsVersions[:i] {
4801 flags = append(flags, vers.flag)
4802 }
4803
4804 for _, runnerVers := range tlsVersions {
4805 protocols := []protocol{tls}
4806 if runnerVers.hasDTLS && shimVers.hasDTLS {
4807 protocols = append(protocols, dtls)
4808 }
4809 for _, protocol := range protocols {
4810 suffix := shimVers.name + "-" + runnerVers.name
4811 if protocol == dtls {
4812 suffix += "-DTLS"
4813 }
4814 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4815
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4816 var expectedVersion uint16
4817 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4818 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4819 if runnerVers.version >= shimVers.version {
4820 expectedVersion = runnerVers.version
4821 } else {
4822 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4823 expectedError = ":UNSUPPORTED_PROTOCOL:"
4824 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4825 }
4826
4827 testCases = append(testCases, testCase{
4828 protocol: protocol,
4829 testType: clientTest,
4830 name: "MinimumVersion-Client-" + suffix,
4831 config: Config{
4832 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4833 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4834 // Ensure the server does not decline to
4835 // select a version (versions extension) or
4836 // cipher (some ciphers depend on versions).
4837 NegotiateVersion: runnerVers.version,
4838 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4839 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4840 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4841 flags: flags,
4842 expectedVersion: expectedVersion,
4843 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4844 expectedError: expectedError,
4845 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4846 })
4847 testCases = append(testCases, testCase{
4848 protocol: protocol,
4849 testType: clientTest,
4850 name: "MinimumVersion-Client2-" + suffix,
4851 config: Config{
4852 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4853 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4854 // Ensure the server does not decline to
4855 // select a version (versions extension) or
4856 // cipher (some ciphers depend on versions).
4857 NegotiateVersion: runnerVers.version,
4858 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4859 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4860 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4861 flags: []string{"-min-version", shimVersFlag},
4862 expectedVersion: expectedVersion,
4863 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4864 expectedError: expectedError,
4865 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4866 })
4867
4868 testCases = append(testCases, testCase{
4869 protocol: protocol,
4870 testType: serverTest,
4871 name: "MinimumVersion-Server-" + suffix,
4872 config: Config{
4873 MaxVersion: runnerVers.version,
4874 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4875 flags: flags,
4876 expectedVersion: expectedVersion,
4877 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4878 expectedError: expectedError,
4879 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4880 })
4881 testCases = append(testCases, testCase{
4882 protocol: protocol,
4883 testType: serverTest,
4884 name: "MinimumVersion-Server2-" + suffix,
4885 config: Config{
4886 MaxVersion: runnerVers.version,
4887 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4888 flags: []string{"-min-version", shimVersFlag},
4889 expectedVersion: expectedVersion,
4890 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4891 expectedError: expectedError,
4892 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4893 })
4894 }
4895 }
4896 }
4897}
4898
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4899func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4900 // TODO(davidben): Extensions, where applicable, all move their server
4901 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4902 // tests for both. Also test interaction with 0-RTT when implemented.
4903
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4904 // Repeat extensions tests all versions except SSL 3.0.
4905 for _, ver := range tlsVersions {
4906 if ver.version == VersionSSL30 {
4907 continue
4908 }
4909
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4910 // Test that duplicate extensions are rejected.
4911 testCases = append(testCases, testCase{
4912 testType: clientTest,
4913 name: "DuplicateExtensionClient-" + ver.name,
4914 config: Config{
4915 MaxVersion: ver.version,
4916 Bugs: ProtocolBugs{
4917 DuplicateExtension: true,
4918 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4919 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4920 shouldFail: true,
4921 expectedLocalError: "remote error: error decoding message",
4922 })
4923 testCases = append(testCases, testCase{
4924 testType: serverTest,
4925 name: "DuplicateExtensionServer-" + ver.name,
4926 config: Config{
4927 MaxVersion: ver.version,
4928 Bugs: ProtocolBugs{
4929 DuplicateExtension: true,
4930 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4931 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4932 shouldFail: true,
4933 expectedLocalError: "remote error: error decoding message",
4934 })
4935
4936 // Test SNI.
4937 testCases = append(testCases, testCase{
4938 testType: clientTest,
4939 name: "ServerNameExtensionClient-" + ver.name,
4940 config: Config{
4941 MaxVersion: ver.version,
4942 Bugs: ProtocolBugs{
4943 ExpectServerName: "example.com",
4944 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4945 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4946 flags: []string{"-host-name", "example.com"},
4947 })
4948 testCases = append(testCases, testCase{
4949 testType: clientTest,
4950 name: "ServerNameExtensionClientMismatch-" + ver.name,
4951 config: Config{
4952 MaxVersion: ver.version,
4953 Bugs: ProtocolBugs{
4954 ExpectServerName: "mismatch.com",
4955 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4956 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4957 flags: []string{"-host-name", "example.com"},
4958 shouldFail: true,
4959 expectedLocalError: "tls: unexpected server name",
4960 })
4961 testCases = append(testCases, testCase{
4962 testType: clientTest,
4963 name: "ServerNameExtensionClientMissing-" + ver.name,
4964 config: Config{
4965 MaxVersion: ver.version,
4966 Bugs: ProtocolBugs{
4967 ExpectServerName: "missing.com",
4968 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4969 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4970 shouldFail: true,
4971 expectedLocalError: "tls: unexpected server name",
4972 })
4973 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4974 testType: clientTest,
4975 name: "TolerateServerNameAck-" + ver.name,
4976 config: Config{
4977 MaxVersion: ver.version,
4978 Bugs: ProtocolBugs{
4979 SendServerNameAck: true,
4980 },
4981 },
4982 flags: []string{"-host-name", "example.com"},
4983 resumeSession: true,
4984 })
4985 testCases = append(testCases, testCase{
4986 testType: clientTest,
4987 name: "UnsolicitedServerNameAck-" + ver.name,
4988 config: Config{
4989 MaxVersion: ver.version,
4990 Bugs: ProtocolBugs{
4991 SendServerNameAck: true,
4992 },
4993 },
4994 shouldFail: true,
4995 expectedError: ":UNEXPECTED_EXTENSION:",
4996 expectedLocalError: "remote error: unsupported extension",
4997 })
4998 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4999 testType: serverTest,
5000 name: "ServerNameExtensionServer-" + ver.name,
5001 config: Config{
5002 MaxVersion: ver.version,
5003 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]5004 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5005 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5006 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5007 })
5008
5009 // Test ALPN.
5010 testCases = append(testCases, testCase{
5011 testType: clientTest,
5012 name: "ALPNClient-" + ver.name,
5013 config: Config{
5014 MaxVersion: ver.version,
5015 NextProtos: []string{"foo"},
5016 },
5017 flags: []string{
5018 "-advertise-alpn", "\x03foo\x03bar\x03baz",
5019 "-expect-alpn", "foo",
5020 },
5021 expectedNextProto: "foo",
5022 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5023 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5024 })
5025 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5026 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5027 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5028 config: Config{
5029 MaxVersion: ver.version,
5030 Bugs: ProtocolBugs{
5031 SendALPN: "baz",
5032 },
5033 },
5034 flags: []string{
5035 "-advertise-alpn", "\x03foo\x03bar",
5036 },
5037 shouldFail: true,
5038 expectedError: ":INVALID_ALPN_PROTOCOL:",
5039 expectedLocalError: "remote error: illegal parameter",
5040 })
5041 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5042 testType: clientTest,
5043 name: "ALPNClient-AllowUnknown-" + ver.name,
5044 config: Config{
5045 MaxVersion: ver.version,
5046 Bugs: ProtocolBugs{
5047 SendALPN: "baz",
5048 },
5049 },
5050 flags: []string{
5051 "-advertise-alpn", "\x03foo\x03bar",
5052 "-allow-unknown-alpn-protos",
5053 },
5054 })
5055 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5056 testType: serverTest,
5057 name: "ALPNServer-" + ver.name,
5058 config: Config{
5059 MaxVersion: ver.version,
5060 NextProtos: []string{"foo", "bar", "baz"},
5061 },
5062 flags: []string{
5063 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5064 "-select-alpn", "foo",
5065 },
5066 expectedNextProto: "foo",
5067 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5068 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5069 })
5070 testCases = append(testCases, testCase{
5071 testType: serverTest,
5072 name: "ALPNServer-Decline-" + ver.name,
5073 config: Config{
5074 MaxVersion: ver.version,
5075 NextProtos: []string{"foo", "bar", "baz"},
5076 },
5077 flags: []string{"-decline-alpn"},
5078 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5079 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5080 })
5081
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5082 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5083 // called once.
5084 testCases = append(testCases, testCase{
5085 testType: serverTest,
5086 name: "ALPNServer-Async-" + ver.name,
5087 config: Config{
5088 MaxVersion: ver.version,
5089 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5090 // Prior to TLS 1.3, exercise the asynchronous session callback.
5091 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5092 },
5093 flags: []string{
5094 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5095 "-select-alpn", "foo",
5096 "-async",
5097 },
5098 expectedNextProto: "foo",
5099 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5100 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5101 })
5102
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5103 var emptyString string
5104 testCases = append(testCases, testCase{
5105 testType: clientTest,
5106 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5107 config: Config{
5108 MaxVersion: ver.version,
5109 NextProtos: []string{""},
5110 Bugs: ProtocolBugs{
5111 // A server returning an empty ALPN protocol
5112 // should be rejected.
5113 ALPNProtocol: &emptyString,
5114 },
5115 },
5116 flags: []string{
5117 "-advertise-alpn", "\x03foo",
5118 },
5119 shouldFail: true,
5120 expectedError: ":PARSE_TLSEXT:",
5121 })
5122 testCases = append(testCases, testCase{
5123 testType: serverTest,
5124 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5125 config: Config{
5126 MaxVersion: ver.version,
5127 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5128 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5129 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5130 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5131 flags: []string{
5132 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5133 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5134 shouldFail: true,
5135 expectedError: ":PARSE_TLSEXT:",
5136 })
5137
5138 // Test NPN and the interaction with ALPN.
5139 if ver.version < VersionTLS13 {
5140 // Test that the server prefers ALPN over NPN.
5141 testCases = append(testCases, testCase{
5142 testType: serverTest,
5143 name: "ALPNServer-Preferred-" + ver.name,
5144 config: Config{
5145 MaxVersion: ver.version,
5146 NextProtos: []string{"foo", "bar", "baz"},
5147 },
5148 flags: []string{
5149 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5150 "-select-alpn", "foo",
5151 "-advertise-npn", "\x03foo\x03bar\x03baz",
5152 },
5153 expectedNextProto: "foo",
5154 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5155 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5156 })
5157 testCases = append(testCases, testCase{
5158 testType: serverTest,
5159 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5160 config: Config{
5161 MaxVersion: ver.version,
5162 NextProtos: []string{"foo", "bar", "baz"},
5163 Bugs: ProtocolBugs{
5164 SwapNPNAndALPN: true,
5165 },
5166 },
5167 flags: []string{
5168 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5169 "-select-alpn", "foo",
5170 "-advertise-npn", "\x03foo\x03bar\x03baz",
5171 },
5172 expectedNextProto: "foo",
5173 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5174 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5175 })
5176
5177 // Test that negotiating both NPN and ALPN is forbidden.
5178 testCases = append(testCases, testCase{
5179 name: "NegotiateALPNAndNPN-" + ver.name,
5180 config: Config{
5181 MaxVersion: ver.version,
5182 NextProtos: []string{"foo", "bar", "baz"},
5183 Bugs: ProtocolBugs{
5184 NegotiateALPNAndNPN: true,
5185 },
5186 },
5187 flags: []string{
5188 "-advertise-alpn", "\x03foo",
5189 "-select-next-proto", "foo",
5190 },
5191 shouldFail: true,
5192 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5193 })
5194 testCases = append(testCases, testCase{
5195 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5196 config: Config{
5197 MaxVersion: ver.version,
5198 NextProtos: []string{"foo", "bar", "baz"},
5199 Bugs: ProtocolBugs{
5200 NegotiateALPNAndNPN: true,
5201 SwapNPNAndALPN: true,
5202 },
5203 },
5204 flags: []string{
5205 "-advertise-alpn", "\x03foo",
5206 "-select-next-proto", "foo",
5207 },
5208 shouldFail: true,
5209 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5210 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5211 }
5212
5213 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5214
5215 // Resume with a corrupt ticket.
5216 testCases = append(testCases, testCase{
5217 testType: serverTest,
5218 name: "CorruptTicket-" + ver.name,
5219 config: Config{
5220 MaxVersion: ver.version,
5221 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5222 FilterTicket: func(in []byte) ([]byte, error) {
5223 in[len(in)-1] ^= 1
5224 return in, nil
5225 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5226 },
5227 },
5228 resumeSession: true,
5229 expectResumeRejected: true,
5230 })
5231 // Test the ticket callback, with and without renewal.
5232 testCases = append(testCases, testCase{
5233 testType: serverTest,
5234 name: "TicketCallback-" + ver.name,
5235 config: Config{
5236 MaxVersion: ver.version,
5237 },
5238 resumeSession: true,
5239 flags: []string{"-use-ticket-callback"},
5240 })
5241 testCases = append(testCases, testCase{
5242 testType: serverTest,
5243 name: "TicketCallback-Renew-" + ver.name,
5244 config: Config{
5245 MaxVersion: ver.version,
5246 Bugs: ProtocolBugs{
5247 ExpectNewTicket: true,
5248 },
5249 },
5250 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5251 resumeSession: true,
5252 })
5253
5254 // Test that the ticket callback is only called once when everything before
5255 // it in the ClientHello is asynchronous. This corrupts the ticket so
5256 // certificate selection callbacks run.
5257 testCases = append(testCases, testCase{
5258 testType: serverTest,
5259 name: "TicketCallback-SingleCall-" + ver.name,
5260 config: Config{
5261 MaxVersion: ver.version,
5262 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5263 FilterTicket: func(in []byte) ([]byte, error) {
5264 in[len(in)-1] ^= 1
5265 return in, nil
5266 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5267 },
5268 },
5269 resumeSession: true,
5270 expectResumeRejected: true,
5271 flags: []string{
5272 "-use-ticket-callback",
5273 "-async",
5274 },
5275 })
5276
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5277 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5278 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5279 testCases = append(testCases, testCase{
5280 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5281 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5282 config: Config{
5283 MaxVersion: ver.version,
5284 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5285 EmptyTicketSessionID: true,
5286 },
5287 },
5288 resumeSession: true,
5289 })
5290 testCases = append(testCases, testCase{
5291 testType: serverTest,
5292 name: "TicketSessionIDLength-16-" + ver.name,
5293 config: Config{
5294 MaxVersion: ver.version,
5295 Bugs: ProtocolBugs{
5296 TicketSessionIDLength: 16,
5297 },
5298 },
5299 resumeSession: true,
5300 })
5301 testCases = append(testCases, testCase{
5302 testType: serverTest,
5303 name: "TicketSessionIDLength-32-" + ver.name,
5304 config: Config{
5305 MaxVersion: ver.version,
5306 Bugs: ProtocolBugs{
5307 TicketSessionIDLength: 32,
5308 },
5309 },
5310 resumeSession: true,
5311 })
5312 testCases = append(testCases, testCase{
5313 testType: serverTest,
5314 name: "TicketSessionIDLength-33-" + ver.name,
5315 config: Config{
5316 MaxVersion: ver.version,
5317 Bugs: ProtocolBugs{
5318 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5319 },
5320 },
5321 resumeSession: true,
5322 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5323 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5324 expectedError: ":DECODE_ERROR:",
5325 })
5326 }
5327
5328 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5329 // are ignored.
5330 if ver.hasDTLS {
5331 testCases = append(testCases, testCase{
5332 protocol: dtls,
5333 name: "SRTP-Client-" + ver.name,
5334 config: Config{
5335 MaxVersion: ver.version,
5336 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5337 },
5338 flags: []string{
5339 "-srtp-profiles",
5340 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5341 },
5342 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5343 })
5344 testCases = append(testCases, testCase{
5345 protocol: dtls,
5346 testType: serverTest,
5347 name: "SRTP-Server-" + ver.name,
5348 config: Config{
5349 MaxVersion: ver.version,
5350 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5351 },
5352 flags: []string{
5353 "-srtp-profiles",
5354 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5355 },
5356 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5357 })
5358 // Test that the MKI is ignored.
5359 testCases = append(testCases, testCase{
5360 protocol: dtls,
5361 testType: serverTest,
5362 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5363 config: Config{
5364 MaxVersion: ver.version,
5365 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5366 Bugs: ProtocolBugs{
5367 SRTPMasterKeyIdentifer: "bogus",
5368 },
5369 },
5370 flags: []string{
5371 "-srtp-profiles",
5372 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5373 },
5374 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5375 })
5376 // Test that SRTP isn't negotiated on the server if there were
5377 // no matching profiles.
5378 testCases = append(testCases, testCase{
5379 protocol: dtls,
5380 testType: serverTest,
5381 name: "SRTP-Server-NoMatch-" + ver.name,
5382 config: Config{
5383 MaxVersion: ver.version,
5384 SRTPProtectionProfiles: []uint16{100, 101, 102},
5385 },
5386 flags: []string{
5387 "-srtp-profiles",
5388 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5389 },
5390 expectedSRTPProtectionProfile: 0,
5391 })
5392 // Test that the server returning an invalid SRTP profile is
5393 // flagged as an error by the client.
5394 testCases = append(testCases, testCase{
5395 protocol: dtls,
5396 name: "SRTP-Client-NoMatch-" + ver.name,
5397 config: Config{
5398 MaxVersion: ver.version,
5399 Bugs: ProtocolBugs{
5400 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5401 },
5402 },
5403 flags: []string{
5404 "-srtp-profiles",
5405 "SRTP_AES128_CM_SHA1_80",
5406 },
5407 shouldFail: true,
5408 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5409 })
5410 }
5411
5412 // Test SCT list.
5413 testCases = append(testCases, testCase{
5414 name: "SignedCertificateTimestampList-Client-" + ver.name,
5415 testType: clientTest,
5416 config: Config{
5417 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5418 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5419 flags: []string{
5420 "-enable-signed-cert-timestamps",
5421 "-expect-signed-cert-timestamps",
5422 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5423 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5424 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5425 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5426
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5427 var differentSCTList []byte
5428 differentSCTList = append(differentSCTList, testSCTList...)
5429 differentSCTList[len(differentSCTList)-1] ^= 1
5430
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5431 // The SCT extension did not specify that it must only be sent on resumption as it
5432 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5433 testCases = append(testCases, testCase{
5434 name: "SendSCTListOnResume-" + ver.name,
5435 config: Config{
5436 MaxVersion: ver.version,
5437 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5438 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5439 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5440 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5441 flags: []string{
5442 "-enable-signed-cert-timestamps",
5443 "-expect-signed-cert-timestamps",
5444 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5445 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5446 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5447 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5448
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5449 testCases = append(testCases, testCase{
5450 name: "SignedCertificateTimestampList-Server-" + ver.name,
5451 testType: serverTest,
5452 config: Config{
5453 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5454 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5455 flags: []string{
5456 "-signed-cert-timestamps",
5457 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5458 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5459 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5460 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5461 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5462
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5463 emptySCTListCert := *testCerts[0].cert
5464 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5465
5466 // Test empty SCT list.
5467 testCases = append(testCases, testCase{
5468 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5469 testType: clientTest,
5470 config: Config{
5471 MaxVersion: ver.version,
5472 Certificates: []Certificate{emptySCTListCert},
5473 },
5474 flags: []string{
5475 "-enable-signed-cert-timestamps",
5476 },
5477 shouldFail: true,
5478 expectedError: ":ERROR_PARSING_EXTENSION:",
5479 })
5480
5481 emptySCTCert := *testCerts[0].cert
5482 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5483
5484 // Test empty SCT in non-empty list.
5485 testCases = append(testCases, testCase{
5486 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5487 testType: clientTest,
5488 config: Config{
5489 MaxVersion: ver.version,
5490 Certificates: []Certificate{emptySCTCert},
5491 },
5492 flags: []string{
5493 "-enable-signed-cert-timestamps",
5494 },
5495 shouldFail: true,
5496 expectedError: ":ERROR_PARSING_EXTENSION:",
5497 })
5498
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5499 // Test that certificate-related extensions are not sent unsolicited.
5500 testCases = append(testCases, testCase{
5501 testType: serverTest,
5502 name: "UnsolicitedCertificateExtensions-" + ver.name,
5503 config: Config{
5504 MaxVersion: ver.version,
5505 Bugs: ProtocolBugs{
5506 NoOCSPStapling: true,
5507 NoSignedCertificateTimestamps: true,
5508 },
5509 },
5510 flags: []string{
5511 "-ocsp-response",
5512 base64.StdEncoding.EncodeToString(testOCSPResponse),
5513 "-signed-cert-timestamps",
5514 base64.StdEncoding.EncodeToString(testSCTList),
5515 },
5516 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5517 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5518
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5519 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5520 testType: clientTest,
5521 name: "ClientHelloPadding",
5522 config: Config{
5523 Bugs: ProtocolBugs{
5524 RequireClientHelloSize: 512,
5525 },
5526 },
5527 // This hostname just needs to be long enough to push the
5528 // ClientHello into F5's danger zone between 256 and 511 bytes
5529 // long.
5530 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5531 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5532
5533 // Extensions should not function in SSL 3.0.
5534 testCases = append(testCases, testCase{
5535 testType: serverTest,
5536 name: "SSLv3Extensions-NoALPN",
5537 config: Config{
5538 MaxVersion: VersionSSL30,
5539 NextProtos: []string{"foo", "bar", "baz"},
5540 },
5541 flags: []string{
5542 "-select-alpn", "foo",
5543 },
5544 expectNoNextProto: true,
5545 })
5546
5547 // Test session tickets separately as they follow a different codepath.
5548 testCases = append(testCases, testCase{
5549 testType: serverTest,
5550 name: "SSLv3Extensions-NoTickets",
5551 config: Config{
5552 MaxVersion: VersionSSL30,
5553 Bugs: ProtocolBugs{
5554 // Historically, session tickets in SSL 3.0
5555 // failed in different ways depending on whether
5556 // the client supported renegotiation_info.
5557 NoRenegotiationInfo: true,
5558 },
5559 },
5560 resumeSession: true,
5561 })
5562 testCases = append(testCases, testCase{
5563 testType: serverTest,
5564 name: "SSLv3Extensions-NoTickets2",
5565 config: Config{
5566 MaxVersion: VersionSSL30,
5567 },
5568 resumeSession: true,
5569 })
5570
5571 // But SSL 3.0 does send and process renegotiation_info.
5572 testCases = append(testCases, testCase{
5573 testType: serverTest,
5574 name: "SSLv3Extensions-RenegotiationInfo",
5575 config: Config{
5576 MaxVersion: VersionSSL30,
5577 Bugs: ProtocolBugs{
5578 RequireRenegotiationInfo: true,
5579 },
5580 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5581 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5582 })
5583 testCases = append(testCases, testCase{
5584 testType: serverTest,
5585 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5586 config: Config{
5587 MaxVersion: VersionSSL30,
5588 Bugs: ProtocolBugs{
5589 NoRenegotiationInfo: true,
5590 SendRenegotiationSCSV: true,
5591 RequireRenegotiationInfo: true,
5592 },
5593 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5594 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5595 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5596
5597 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5598 // in ServerHello.
5599 testCases = append(testCases, testCase{
5600 name: "NPN-Forbidden-TLS13",
5601 config: Config{
5602 MaxVersion: VersionTLS13,
5603 NextProtos: []string{"foo"},
5604 Bugs: ProtocolBugs{
5605 NegotiateNPNAtAllVersions: true,
5606 },
5607 },
5608 flags: []string{"-select-next-proto", "foo"},
5609 shouldFail: true,
5610 expectedError: ":ERROR_PARSING_EXTENSION:",
5611 })
5612 testCases = append(testCases, testCase{
5613 name: "EMS-Forbidden-TLS13",
5614 config: Config{
5615 MaxVersion: VersionTLS13,
5616 Bugs: ProtocolBugs{
5617 NegotiateEMSAtAllVersions: true,
5618 },
5619 },
5620 shouldFail: true,
5621 expectedError: ":ERROR_PARSING_EXTENSION:",
5622 })
5623 testCases = append(testCases, testCase{
5624 name: "RenegotiationInfo-Forbidden-TLS13",
5625 config: Config{
5626 MaxVersion: VersionTLS13,
5627 Bugs: ProtocolBugs{
5628 NegotiateRenegotiationInfoAtAllVersions: true,
5629 },
5630 },
5631 shouldFail: true,
5632 expectedError: ":ERROR_PARSING_EXTENSION:",
5633 })
5634 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5635 name: "Ticket-Forbidden-TLS13",
5636 config: Config{
5637 MaxVersion: VersionTLS12,
5638 },
5639 resumeConfig: &Config{
5640 MaxVersion: VersionTLS13,
5641 Bugs: ProtocolBugs{
5642 AdvertiseTicketExtension: true,
5643 },
5644 },
5645 resumeSession: true,
5646 shouldFail: true,
5647 expectedError: ":ERROR_PARSING_EXTENSION:",
5648 })
5649
5650 // Test that illegal extensions in TLS 1.3 are declined by the server if
5651 // offered in ClientHello. The runner's server will fail if this occurs,
5652 // so we exercise the offering path. (EMS and Renegotiation Info are
5653 // implicit in every test.)
5654 testCases = append(testCases, testCase{
5655 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5656 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5657 config: Config{
5658 MaxVersion: VersionTLS13,
5659 NextProtos: []string{"bar"},
5660 },
5661 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5662 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5663
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5664 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5665 // tolerated.
5666 testCases = append(testCases, testCase{
5667 name: "SendOCSPResponseOnResume-TLS12",
5668 config: Config{
5669 MaxVersion: VersionTLS12,
5670 Bugs: ProtocolBugs{
5671 SendOCSPResponseOnResume: []byte("bogus"),
5672 },
5673 },
5674 flags: []string{
5675 "-enable-ocsp-stapling",
5676 "-expect-ocsp-response",
5677 base64.StdEncoding.EncodeToString(testOCSPResponse),
5678 },
5679 resumeSession: true,
5680 })
5681
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5682 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5683 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5684 config: Config{
5685 MaxVersion: VersionTLS13,
5686 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5687 SendExtensionOnCertificate: testOCSPExtension,
5688 },
5689 },
5690 shouldFail: true,
5691 expectedError: ":UNEXPECTED_EXTENSION:",
5692 })
5693
5694 testCases = append(testCases, testCase{
5695 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5696 config: Config{
5697 MaxVersion: VersionTLS13,
5698 Bugs: ProtocolBugs{
5699 SendExtensionOnCertificate: testSCTExtension,
5700 },
5701 },
5702 shouldFail: true,
5703 expectedError: ":UNEXPECTED_EXTENSION:",
5704 })
5705
5706 // Test that extensions on client certificates are never accepted.
5707 testCases = append(testCases, testCase{
5708 name: "SendExtensionOnClientCertificate-TLS13",
5709 testType: serverTest,
5710 config: Config{
5711 MaxVersion: VersionTLS13,
5712 Certificates: []Certificate{rsaCertificate},
5713 Bugs: ProtocolBugs{
5714 SendExtensionOnCertificate: testOCSPExtension,
5715 },
5716 },
5717 flags: []string{
5718 "-enable-ocsp-stapling",
5719 "-require-any-client-certificate",
5720 },
5721 shouldFail: true,
5722 expectedError: ":UNEXPECTED_EXTENSION:",
5723 })
5724
5725 testCases = append(testCases, testCase{
5726 name: "SendUnknownExtensionOnCertificate-TLS13",
5727 config: Config{
5728 MaxVersion: VersionTLS13,
5729 Bugs: ProtocolBugs{
5730 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5731 },
5732 },
5733 shouldFail: true,
5734 expectedError: ":UNEXPECTED_EXTENSION:",
5735 })
5736
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5737 var differentSCTList []byte
5738 differentSCTList = append(differentSCTList, testSCTList...)
5739 differentSCTList[len(differentSCTList)-1] ^= 1
5740
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5741 // Test that extensions on intermediates are allowed but ignored.
5742 testCases = append(testCases, testCase{
5743 name: "IgnoreExtensionsOnIntermediates-TLS13",
5744 config: Config{
5745 MaxVersion: VersionTLS13,
5746 Certificates: []Certificate{rsaChainCertificate},
5747 Bugs: ProtocolBugs{
5748 // Send different values on the intermediate. This tests
5749 // the intermediate's extensions do not override the
5750 // leaf's.
5751 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5752 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5753 },
5754 },
5755 flags: []string{
5756 "-enable-ocsp-stapling",
5757 "-expect-ocsp-response",
5758 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5759 "-enable-signed-cert-timestamps",
5760 "-expect-signed-cert-timestamps",
5761 base64.StdEncoding.EncodeToString(testSCTList),
5762 },
5763 resumeSession: true,
5764 })
5765
5766 // Test that extensions are not sent on intermediates when configured
5767 // only for a leaf.
5768 testCases = append(testCases, testCase{
5769 testType: serverTest,
5770 name: "SendNoExtensionsOnIntermediate-TLS13",
5771 config: Config{
5772 MaxVersion: VersionTLS13,
5773 Bugs: ProtocolBugs{
5774 ExpectNoExtensionsOnIntermediate: true,
5775 },
5776 },
5777 flags: []string{
5778 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5779 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5780 "-ocsp-response",
5781 base64.StdEncoding.EncodeToString(testOCSPResponse),
5782 "-signed-cert-timestamps",
5783 base64.StdEncoding.EncodeToString(testSCTList),
5784 },
5785 })
5786
5787 // Test that extensions are not sent on client certificates.
5788 testCases = append(testCases, testCase{
5789 name: "SendNoClientCertificateExtensions-TLS13",
5790 config: Config{
5791 MaxVersion: VersionTLS13,
5792 ClientAuth: RequireAnyClientCert,
5793 },
5794 flags: []string{
5795 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5796 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5797 "-ocsp-response",
5798 base64.StdEncoding.EncodeToString(testOCSPResponse),
5799 "-signed-cert-timestamps",
5800 base64.StdEncoding.EncodeToString(testSCTList),
5801 },
5802 })
5803
5804 testCases = append(testCases, testCase{
5805 name: "SendDuplicateExtensionsOnCerts-TLS13",
5806 config: Config{
5807 MaxVersion: VersionTLS13,
5808 Bugs: ProtocolBugs{
5809 SendDuplicateCertExtensions: true,
5810 },
5811 },
5812 flags: []string{
5813 "-enable-ocsp-stapling",
5814 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5815 },
5816 resumeSession: true,
5817 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5818 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5819 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5820
5821 testCases = append(testCases, testCase{
5822 name: "SignedCertificateTimestampListInvalid-Server",
5823 testType: serverTest,
5824 flags: []string{
5825 "-signed-cert-timestamps",
5826 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5827 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5828 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5829 expectedError: ":INVALID_SCT_LIST:",
5830 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5831}
5832
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5833func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5834 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5835 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5836 // SSL 3.0 does not have tickets and TLS 1.3 does not
5837 // have session IDs, so skip their cross-resumption
5838 // tests.
5839 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5840 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5841 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5842 }
5843
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5844 protocols := []protocol{tls}
5845 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5846 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5847 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5848 for _, protocol := range protocols {
5849 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5850 if protocol == dtls {
5851 suffix += "-DTLS"
5852 }
5853
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5854 if sessionVers.version == resumeVers.version {
5855 testCases = append(testCases, testCase{
5856 protocol: protocol,
5857 name: "Resume-Client" + suffix,
5858 resumeSession: true,
5859 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5860 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5861 Bugs: ProtocolBugs{
5862 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5863 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5864 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5865 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5866 expectedVersion: sessionVers.version,
5867 expectedResumeVersion: resumeVers.version,
5868 })
5869 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5870 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5871
5872 // Offering a TLS 1.3 session sends an empty session ID, so
5873 // there is no way to convince a non-lookahead client the
5874 // session was resumed. It will appear to the client that a
5875 // stray ChangeCipherSpec was sent.
5876 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5877 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5878 }
5879
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5880 testCases = append(testCases, testCase{
5881 protocol: protocol,
5882 name: "Resume-Client-Mismatch" + suffix,
5883 resumeSession: true,
5884 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5885 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5886 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5887 expectedVersion: sessionVers.version,
5888 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5889 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5890 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5891 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5892 },
5893 },
5894 expectedResumeVersion: resumeVers.version,
5895 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5896 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5897 })
5898 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5899
5900 testCases = append(testCases, testCase{
5901 protocol: protocol,
5902 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5903 resumeSession: true,
5904 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5905 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5906 },
5907 expectedVersion: sessionVers.version,
5908 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5909 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5910 },
5911 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5912 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5913 expectedResumeVersion: resumeVers.version,
5914 })
5915
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5916 testCases = append(testCases, testCase{
5917 protocol: protocol,
5918 testType: serverTest,
5919 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5920 resumeSession: true,
5921 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5922 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5923 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5924 expectedVersion: sessionVers.version,
5925 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5926 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5927 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5928 Bugs: ProtocolBugs{
5929 SendBothTickets: true,
5930 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5931 },
5932 expectedResumeVersion: resumeVers.version,
5933 })
5934 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5935 }
5936 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5937
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5938 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5939 testCases = append(testCases, testCase{
5940 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5941 name: "ShimTicketRewritable",
5942 resumeSession: true,
5943 config: Config{
5944 MaxVersion: VersionTLS12,
5945 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5946 Bugs: ProtocolBugs{
5947 FilterTicket: func(in []byte) ([]byte, error) {
5948 in, err := SetShimTicketVersion(in, VersionTLS12)
5949 if err != nil {
5950 return nil, err
5951 }
5952 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5953 },
5954 },
5955 },
5956 flags: []string{
5957 "-ticket-key",
5958 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5959 },
5960 })
5961
5962 // Resumptions are declined if the version does not match.
5963 testCases = append(testCases, testCase{
5964 testType: serverTest,
5965 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5966 resumeSession: true,
5967 config: Config{
5968 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5969 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5970 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5971 FilterTicket: func(in []byte) ([]byte, error) {
5972 return SetShimTicketVersion(in, VersionTLS13)
5973 },
5974 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5975 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5976 flags: []string{
5977 "-ticket-key",
5978 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5979 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5980 expectResumeRejected: true,
5981 })
5982
5983 testCases = append(testCases, testCase{
5984 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5985 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5986 resumeSession: true,
5987 config: Config{
5988 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5989 Bugs: ProtocolBugs{
5990 FilterTicket: func(in []byte) ([]byte, error) {
5991 return SetShimTicketVersion(in, VersionTLS12)
5992 },
5993 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5994 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5995 flags: []string{
5996 "-ticket-key",
5997 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5998 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5999 expectResumeRejected: true,
6000 })
6001
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6002 // Resumptions are declined if the cipher is invalid or disabled.
6003 testCases = append(testCases, testCase{
6004 testType: serverTest,
6005 name: "Resume-Server-DeclineBadCipher",
6006 resumeSession: true,
6007 config: Config{
6008 MaxVersion: VersionTLS12,
6009 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6010 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6011 FilterTicket: func(in []byte) ([]byte, error) {
6012 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6013 },
6014 },
6015 },
6016 flags: []string{
6017 "-ticket-key",
6018 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6019 },
6020 expectResumeRejected: true,
6021 })
6022
6023 testCases = append(testCases, testCase{
6024 testType: serverTest,
6025 name: "Resume-Server-DeclineBadCipher-2",
6026 resumeSession: true,
6027 config: Config{
6028 MaxVersion: VersionTLS12,
6029 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6030 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6031 FilterTicket: func(in []byte) ([]byte, error) {
6032 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
6033 },
6034 },
6035 },
6036 flags: []string{
6037 "-cipher", "AES128",
6038 "-ticket-key",
6039 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6040 },
6041 expectResumeRejected: true,
6042 })
6043
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6044 // Sessions are not resumed if they do not use the preferred cipher.
6045 testCases = append(testCases, testCase{
6046 testType: serverTest,
6047 name: "Resume-Server-CipherNotPreferred",
6048 resumeSession: true,
6049 config: Config{
6050 MaxVersion: VersionTLS12,
6051 Bugs: ProtocolBugs{
6052 ExpectNewTicket: true,
6053 FilterTicket: func(in []byte) ([]byte, error) {
6054 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6055 },
6056 },
6057 },
6058 flags: []string{
6059 "-ticket-key",
6060 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6061 },
6062 shouldFail: false,
6063 expectResumeRejected: true,
6064 })
6065
6066 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6067 // PRF hashes match, but BoringSSL will always decline such resumptions.
6068 testCases = append(testCases, testCase{
6069 testType: serverTest,
6070 name: "Resume-Server-CipherNotPreferred-TLS13",
6071 resumeSession: true,
6072 config: Config{
6073 MaxVersion: VersionTLS13,
6074 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6075 Bugs: ProtocolBugs{
6076 FilterTicket: func(in []byte) ([]byte, error) {
6077 // If the client (runner) offers ChaCha20-Poly1305 first, the
6078 // server (shim) always prefers it. Switch it to AES-GCM.
6079 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6080 },
6081 },
6082 },
6083 flags: []string{
6084 "-ticket-key",
6085 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6086 },
6087 shouldFail: false,
6088 expectResumeRejected: true,
6089 })
6090
6091 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6092 testCases = append(testCases, testCase{
6093 testType: serverTest,
6094 name: "Resume-Server-DeclineBadCipher-TLS13",
6095 resumeSession: true,
6096 config: Config{
6097 MaxVersion: VersionTLS13,
6098 Bugs: ProtocolBugs{
6099 FilterTicket: func(in []byte) ([]byte, error) {
6100 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6101 },
6102 },
6103 },
6104 flags: []string{
6105 "-ticket-key",
6106 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6107 },
6108 expectResumeRejected: true,
6109 })
6110
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6111 // If the client does not offer the cipher from the session, decline to
6112 // resume. Clients are forbidden from doing this, but BoringSSL selects
6113 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6114 testCases = append(testCases, testCase{
6115 testType: serverTest,
6116 name: "Resume-Server-UnofferedCipher",
6117 resumeSession: true,
6118 config: Config{
6119 MaxVersion: VersionTLS12,
6120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6121 },
6122 resumeConfig: &Config{
6123 MaxVersion: VersionTLS12,
6124 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6125 Bugs: ProtocolBugs{
6126 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6127 },
6128 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6129 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6130 })
6131
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6132 // In TLS 1.3, clients may advertise a cipher list which does not
6133 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6134 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6135 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6136 testCases = append(testCases, testCase{
6137 testType: serverTest,
6138 name: "Resume-Server-UnofferedCipher-TLS13",
6139 resumeSession: true,
6140 config: Config{
6141 MaxVersion: VersionTLS13,
6142 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6143 },
6144 resumeConfig: &Config{
6145 MaxVersion: VersionTLS13,
6146 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6147 Bugs: ProtocolBugs{
6148 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6149 },
6150 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6151 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6152 })
6153
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6154 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6155 testCases = append(testCases, testCase{
6156 name: "Resume-Client-CipherMismatch",
6157 resumeSession: true,
6158 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6159 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6160 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6161 },
6162 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6163 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6164 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6165 Bugs: ProtocolBugs{
6166 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6167 },
6168 },
6169 shouldFail: true,
6170 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6171 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6172
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6173 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6174 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6175 testCases = append(testCases, testCase{
6176 name: "Resume-Client-CipherMismatch-TLS13",
6177 resumeSession: true,
6178 config: Config{
6179 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6180 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6181 },
6182 resumeConfig: &Config{
6183 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6184 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6185 },
6186 })
6187
6188 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6189 testCases = append(testCases, testCase{
6190 name: "Resume-Client-PRFMismatch-TLS13",
6191 resumeSession: true,
6192 config: Config{
6193 MaxVersion: VersionTLS13,
6194 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6195 },
6196 resumeConfig: &Config{
6197 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6198 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6199 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6200 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6201 },
6202 },
6203 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6204 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6205 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6206
6207 testCases = append(testCases, testCase{
6208 testType: serverTest,
6209 name: "Resume-Server-BinderWrongLength",
6210 resumeSession: true,
6211 config: Config{
6212 MaxVersion: VersionTLS13,
6213 Bugs: ProtocolBugs{
6214 SendShortPSKBinder: true,
6215 },
6216 },
6217 shouldFail: true,
6218 expectedLocalError: "remote error: error decrypting message",
6219 expectedError: ":DIGEST_CHECK_FAILED:",
6220 })
6221
6222 testCases = append(testCases, testCase{
6223 testType: serverTest,
6224 name: "Resume-Server-NoPSKBinder",
6225 resumeSession: true,
6226 config: Config{
6227 MaxVersion: VersionTLS13,
6228 Bugs: ProtocolBugs{
6229 SendNoPSKBinder: true,
6230 },
6231 },
6232 shouldFail: true,
6233 expectedLocalError: "remote error: error decoding message",
6234 expectedError: ":DECODE_ERROR:",
6235 })
6236
6237 testCases = append(testCases, testCase{
6238 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6239 name: "Resume-Server-ExtraPSKBinder",
6240 resumeSession: true,
6241 config: Config{
6242 MaxVersion: VersionTLS13,
6243 Bugs: ProtocolBugs{
6244 SendExtraPSKBinder: true,
6245 },
6246 },
6247 shouldFail: true,
6248 expectedLocalError: "remote error: illegal parameter",
6249 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6250 })
6251
6252 testCases = append(testCases, testCase{
6253 testType: serverTest,
6254 name: "Resume-Server-ExtraIdentityNoBinder",
6255 resumeSession: true,
6256 config: Config{
6257 MaxVersion: VersionTLS13,
6258 Bugs: ProtocolBugs{
6259 ExtraPSKIdentity: true,
6260 },
6261 },
6262 shouldFail: true,
6263 expectedLocalError: "remote error: illegal parameter",
6264 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6265 })
6266
6267 testCases = append(testCases, testCase{
6268 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6269 name: "Resume-Server-InvalidPSKBinder",
6270 resumeSession: true,
6271 config: Config{
6272 MaxVersion: VersionTLS13,
6273 Bugs: ProtocolBugs{
6274 SendInvalidPSKBinder: true,
6275 },
6276 },
6277 shouldFail: true,
6278 expectedLocalError: "remote error: error decrypting message",
6279 expectedError: ":DIGEST_CHECK_FAILED:",
6280 })
6281
6282 testCases = append(testCases, testCase{
6283 testType: serverTest,
6284 name: "Resume-Server-PSKBinderFirstExtension",
6285 resumeSession: true,
6286 config: Config{
6287 MaxVersion: VersionTLS13,
6288 Bugs: ProtocolBugs{
6289 PSKBinderFirst: true,
6290 },
6291 },
6292 shouldFail: true,
6293 expectedLocalError: "remote error: illegal parameter",
6294 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6295 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6296}
6297
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6298func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6299 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6300 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6301 testType: serverTest,
6302 name: "Renegotiate-Server-Forbidden",
6303 config: Config{
6304 MaxVersion: VersionTLS12,
6305 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6306 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6307 shouldFail: true,
6308 expectedError: ":NO_RENEGOTIATION:",
6309 expectedLocalError: "remote error: no renegotiation",
6310 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6311 // The server shouldn't echo the renegotiation extension unless
6312 // requested by the client.
6313 testCases = append(testCases, testCase{
6314 testType: serverTest,
6315 name: "Renegotiate-Server-NoExt",
6316 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6317 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6318 Bugs: ProtocolBugs{
6319 NoRenegotiationInfo: true,
6320 RequireRenegotiationInfo: true,
6321 },
6322 },
6323 shouldFail: true,
6324 expectedLocalError: "renegotiation extension missing",
6325 })
6326 // The renegotiation SCSV should be sufficient for the server to echo
6327 // the extension.
6328 testCases = append(testCases, testCase{
6329 testType: serverTest,
6330 name: "Renegotiate-Server-NoExt-SCSV",
6331 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6332 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6333 Bugs: ProtocolBugs{
6334 NoRenegotiationInfo: true,
6335 SendRenegotiationSCSV: true,
6336 RequireRenegotiationInfo: true,
6337 },
6338 },
6339 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6340 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6341 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6342 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6343 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6344 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6345 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6346 },
6347 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6348 renegotiate: 1,
6349 flags: []string{
6350 "-renegotiate-freely",
6351 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6352 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6353 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6354 })
6355 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6356 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6357 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6358 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6359 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6360 Bugs: ProtocolBugs{
6361 EmptyRenegotiationInfo: true,
6362 },
6363 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6364 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6365 shouldFail: true,
6366 expectedError: ":RENEGOTIATION_MISMATCH:",
6367 })
6368 testCases = append(testCases, testCase{
6369 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6370 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6371 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6372 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6373 Bugs: ProtocolBugs{
6374 BadRenegotiationInfo: true,
6375 },
6376 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6377 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6378 shouldFail: true,
6379 expectedError: ":RENEGOTIATION_MISMATCH:",
6380 })
6381 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6382 name: "Renegotiate-Client-Downgrade",
6383 renegotiate: 1,
6384 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6385 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6386 Bugs: ProtocolBugs{
6387 NoRenegotiationInfoAfterInitial: true,
6388 },
6389 },
6390 flags: []string{"-renegotiate-freely"},
6391 shouldFail: true,
6392 expectedError: ":RENEGOTIATION_MISMATCH:",
6393 })
6394 testCases = append(testCases, testCase{
6395 name: "Renegotiate-Client-Upgrade",
6396 renegotiate: 1,
6397 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6398 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6399 Bugs: ProtocolBugs{
6400 NoRenegotiationInfoInInitial: true,
6401 },
6402 },
6403 flags: []string{"-renegotiate-freely"},
6404 shouldFail: true,
6405 expectedError: ":RENEGOTIATION_MISMATCH:",
6406 })
6407 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6408 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6409 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6410 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6411 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6412 Bugs: ProtocolBugs{
6413 NoRenegotiationInfo: true,
6414 },
6415 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6416 flags: []string{
6417 "-renegotiate-freely",
6418 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6419 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6420 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6421 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6422
6423 // Test that the server may switch ciphers on renegotiation without
6424 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6425 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6426 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6427 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6428 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6429 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6430 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6431 },
6432 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6433 flags: []string{
6434 "-renegotiate-freely",
6435 "-expect-total-renegotiations", "1",
6436 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6437 })
6438 testCases = append(testCases, testCase{
6439 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6440 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6441 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6442 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6443 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6444 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6445 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6446 flags: []string{
6447 "-renegotiate-freely",
6448 "-expect-total-renegotiations", "1",
6449 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6450 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6451
6452 // Test that the server may not switch versions on renegotiation.
6453 testCases = append(testCases, testCase{
6454 name: "Renegotiate-Client-SwitchVersion",
6455 config: Config{
6456 MaxVersion: VersionTLS12,
6457 // Pick a cipher which exists at both versions.
6458 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6459 Bugs: ProtocolBugs{
6460 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6461 // Avoid failing early at the record layer.
6462 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6463 },
6464 },
6465 renegotiate: 1,
6466 flags: []string{
6467 "-renegotiate-freely",
6468 "-expect-total-renegotiations", "1",
6469 },
6470 shouldFail: true,
6471 expectedError: ":WRONG_SSL_VERSION:",
6472 })
6473
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6474 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6475 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6476 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6477 config: Config{
6478 MaxVersion: VersionTLS10,
6479 Bugs: ProtocolBugs{
6480 RequireSameRenegoClientVersion: true,
6481 },
6482 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6483 flags: []string{
6484 "-renegotiate-freely",
6485 "-expect-total-renegotiations", "1",
6486 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6487 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6488 testCases = append(testCases, testCase{
6489 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6490 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6491 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6492 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6493 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6494 NextProtos: []string{"foo"},
6495 },
6496 flags: []string{
6497 "-false-start",
6498 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6499 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6500 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6501 },
6502 shimWritesFirst: true,
6503 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6504
6505 // Client-side renegotiation controls.
6506 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6507 name: "Renegotiate-Client-Forbidden-1",
6508 config: Config{
6509 MaxVersion: VersionTLS12,
6510 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6511 renegotiate: 1,
6512 shouldFail: true,
6513 expectedError: ":NO_RENEGOTIATION:",
6514 expectedLocalError: "remote error: no renegotiation",
6515 })
6516 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6517 name: "Renegotiate-Client-Once-1",
6518 config: Config{
6519 MaxVersion: VersionTLS12,
6520 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6521 renegotiate: 1,
6522 flags: []string{
6523 "-renegotiate-once",
6524 "-expect-total-renegotiations", "1",
6525 },
6526 })
6527 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6528 name: "Renegotiate-Client-Freely-1",
6529 config: Config{
6530 MaxVersion: VersionTLS12,
6531 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6532 renegotiate: 1,
6533 flags: []string{
6534 "-renegotiate-freely",
6535 "-expect-total-renegotiations", "1",
6536 },
6537 })
6538 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6539 name: "Renegotiate-Client-Once-2",
6540 config: Config{
6541 MaxVersion: VersionTLS12,
6542 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6543 renegotiate: 2,
6544 flags: []string{"-renegotiate-once"},
6545 shouldFail: true,
6546 expectedError: ":NO_RENEGOTIATION:",
6547 expectedLocalError: "remote error: no renegotiation",
6548 })
6549 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6550 name: "Renegotiate-Client-Freely-2",
6551 config: Config{
6552 MaxVersion: VersionTLS12,
6553 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6554 renegotiate: 2,
6555 flags: []string{
6556 "-renegotiate-freely",
6557 "-expect-total-renegotiations", "2",
6558 },
6559 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6560 testCases = append(testCases, testCase{
6561 name: "Renegotiate-Client-NoIgnore",
6562 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6563 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6564 Bugs: ProtocolBugs{
6565 SendHelloRequestBeforeEveryAppDataRecord: true,
6566 },
6567 },
6568 shouldFail: true,
6569 expectedError: ":NO_RENEGOTIATION:",
6570 })
6571 testCases = append(testCases, testCase{
6572 name: "Renegotiate-Client-Ignore",
6573 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6574 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6575 Bugs: ProtocolBugs{
6576 SendHelloRequestBeforeEveryAppDataRecord: true,
6577 },
6578 },
6579 flags: []string{
6580 "-renegotiate-ignore",
6581 "-expect-total-renegotiations", "0",
6582 },
6583 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6584
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6585 // Renegotiation is not allowed at SSL 3.0.
6586 testCases = append(testCases, testCase{
6587 name: "Renegotiate-Client-SSL3",
6588 config: Config{
6589 MaxVersion: VersionSSL30,
6590 },
6591 renegotiate: 1,
6592 flags: []string{
6593 "-renegotiate-freely",
6594 "-expect-total-renegotiations", "1",
6595 },
6596 shouldFail: true,
6597 expectedError: ":NO_RENEGOTIATION:",
6598 expectedLocalError: "remote error: no renegotiation",
6599 })
6600
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6601 // Renegotiation is not allowed when there is an unfinished write.
6602 testCases = append(testCases, testCase{
6603 name: "Renegotiate-Client-UnfinishedWrite",
6604 config: Config{
6605 MaxVersion: VersionTLS12,
6606 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6607 renegotiate: 1,
6608 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6609 flags: []string{
6610 "-async",
6611 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6612 },
6613 shouldFail: true,
6614 expectedError: ":NO_RENEGOTIATION:",
6615 // We do not successfully send the no_renegotiation alert in
6616 // this case. https://crbug.com/boringssl/130
6617 })
6618
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6619 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6620 testCases = append(testCases, testCase{
6621 name: "StrayHelloRequest",
6622 config: Config{
6623 MaxVersion: VersionTLS12,
6624 Bugs: ProtocolBugs{
6625 SendHelloRequestBeforeEveryHandshakeMessage: true,
6626 },
6627 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6628 shouldFail: true,
6629 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6630 })
6631 testCases = append(testCases, testCase{
6632 name: "StrayHelloRequest-Packed",
6633 config: Config{
6634 MaxVersion: VersionTLS12,
6635 Bugs: ProtocolBugs{
6636 PackHandshakeFlight: true,
6637 SendHelloRequestBeforeEveryHandshakeMessage: true,
6638 },
6639 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6640 shouldFail: true,
6641 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6642 })
6643
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6644 // Test renegotiation works if HelloRequest and server Finished come in
6645 // the same record.
6646 testCases = append(testCases, testCase{
6647 name: "Renegotiate-Client-Packed",
6648 config: Config{
6649 MaxVersion: VersionTLS12,
6650 Bugs: ProtocolBugs{
6651 PackHandshakeFlight: true,
6652 PackHelloRequestWithFinished: true,
6653 },
6654 },
6655 renegotiate: 1,
6656 flags: []string{
6657 "-renegotiate-freely",
6658 "-expect-total-renegotiations", "1",
6659 },
6660 })
6661
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6662 // Renegotiation is forbidden in TLS 1.3.
6663 testCases = append(testCases, testCase{
6664 name: "Renegotiate-Client-TLS13",
6665 config: Config{
6666 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6667 Bugs: ProtocolBugs{
6668 SendHelloRequestBeforeEveryAppDataRecord: true,
6669 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6670 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6671 flags: []string{
6672 "-renegotiate-freely",
6673 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6674 shouldFail: true,
6675 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6676 })
6677
6678 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6679 testCases = append(testCases, testCase{
6680 name: "StrayHelloRequest-TLS13",
6681 config: Config{
6682 MaxVersion: VersionTLS13,
6683 Bugs: ProtocolBugs{
6684 SendHelloRequestBeforeEveryHandshakeMessage: true,
6685 },
6686 },
6687 shouldFail: true,
6688 expectedError: ":UNEXPECTED_MESSAGE:",
6689 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6690
6691 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6692 // always reads as supporting it, regardless of whether it was
6693 // negotiated.
6694 testCases = append(testCases, testCase{
6695 name: "AlwaysReportRenegotiationInfo-TLS13",
6696 config: Config{
6697 MaxVersion: VersionTLS13,
6698 Bugs: ProtocolBugs{
6699 NoRenegotiationInfo: true,
6700 },
6701 },
6702 flags: []string{
6703 "-expect-secure-renegotiation",
6704 },
6705 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6706
6707 // Certificates may not change on renegotiation.
6708 testCases = append(testCases, testCase{
6709 name: "Renegotiation-CertificateChange",
6710 config: Config{
6711 MaxVersion: VersionTLS12,
6712 Certificates: []Certificate{rsaCertificate},
6713 Bugs: ProtocolBugs{
6714 RenegotiationCertificate: &rsaChainCertificate,
6715 },
6716 },
6717 renegotiate: 1,
6718 flags: []string{"-renegotiate-freely"},
6719 shouldFail: true,
6720 expectedError: ":SERVER_CERT_CHANGED:",
6721 })
6722 testCases = append(testCases, testCase{
6723 name: "Renegotiation-CertificateChange-2",
6724 config: Config{
6725 MaxVersion: VersionTLS12,
6726 Certificates: []Certificate{rsaCertificate},
6727 Bugs: ProtocolBugs{
6728 RenegotiationCertificate: &rsa1024Certificate,
6729 },
6730 },
6731 renegotiate: 1,
6732 flags: []string{"-renegotiate-freely"},
6733 shouldFail: true,
6734 expectedError: ":SERVER_CERT_CHANGED:",
6735 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6736
6737 // We do not negotiate ALPN after the initial handshake. This is
6738 // error-prone and only risks bugs in consumers.
6739 testCases = append(testCases, testCase{
6740 testType: clientTest,
6741 name: "Renegotiation-ForbidALPN",
6742 config: Config{
6743 MaxVersion: VersionTLS12,
6744 Bugs: ProtocolBugs{
6745 // Forcibly negotiate ALPN on both initial and
6746 // renegotiation handshakes. The test stack will
6747 // internally check the client does not offer
6748 // it.
6749 SendALPN: "foo",
6750 },
6751 },
6752 flags: []string{
6753 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6754 "-expect-alpn", "foo",
6755 "-renegotiate-freely",
6756 },
6757 renegotiate: 1,
6758 shouldFail: true,
6759 expectedError: ":UNEXPECTED_EXTENSION:",
6760 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6761}
6762
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6763func addDTLSReplayTests() {
6764 // Test that sequence number replays are detected.
6765 testCases = append(testCases, testCase{
6766 protocol: dtls,
6767 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6768 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6769 replayWrites: true,
6770 })
6771
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6772 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6773 // than the retransmit window.
6774 testCases = append(testCases, testCase{
6775 protocol: dtls,
6776 name: "DTLS-Replay-LargeGaps",
6777 config: Config{
6778 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6779 SequenceNumberMapping: func(in uint64) uint64 {
6780 return in * 127
6781 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6782 },
6783 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6784 messageCount: 200,
6785 replayWrites: true,
6786 })
6787
6788 // Test the incoming sequence number changing non-monotonically.
6789 testCases = append(testCases, testCase{
6790 protocol: dtls,
6791 name: "DTLS-Replay-NonMonotonic",
6792 config: Config{
6793 Bugs: ProtocolBugs{
6794 SequenceNumberMapping: func(in uint64) uint64 {
6795 return in ^ 31
6796 },
6797 },
6798 },
6799 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6800 replayWrites: true,
6801 })
6802}
6803
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6804var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6805 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6806 id signatureAlgorithm
6807 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6808}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6809 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6810 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6811 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6812 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6813 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6814 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6815 // hash function doesn't have to match the curve and so the same
6816 // signature algorithm works with P-224.
6817 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6818 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6819 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6820 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6821 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6822 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6823 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6824 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6825 // Tests for key types prior to TLS 1.2.
6826 {"RSA", 0, testCertRSA},
6827 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6828}
6829
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6830const fakeSigAlg1 signatureAlgorithm = 0x2a01
6831const fakeSigAlg2 signatureAlgorithm = 0xff01
6832
6833func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6834 // Not all ciphers involve a signature. Advertise a list which gives all
6835 // versions a signing cipher.
6836 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6837 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6838 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6839 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6840 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6841 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6842 }
6843 if *includeDHE {
6844 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6845 }
6846
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6847 var allAlgorithms []signatureAlgorithm
6848 for _, alg := range testSignatureAlgorithms {
6849 if alg.id != 0 {
6850 allAlgorithms = append(allAlgorithms, alg.id)
6851 }
6852 }
6853
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6854 // Make sure each signature algorithm works. Include some fake values in
6855 // the list and ensure they're ignored.
6856 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6857 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6858 if (ver.version < VersionTLS12) != (alg.id == 0) {
6859 continue
6860 }
6861
6862 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6863 // or remove it in C.
6864 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6865 continue
6866 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6867
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6868 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6869 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6870 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6871 shouldSignFail = true
6872 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6873 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6874 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6875 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6876 shouldSignFail = true
6877 shouldVerifyFail = true
6878 }
6879 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6880 // the curve has to match the hash size.
6881 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6882 shouldSignFail = true
6883 shouldVerifyFail = true
6884 }
6885
6886 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6887 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6888 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6889 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6890
6891 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6892 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6893 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6894 }
6895 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6896 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6897 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6898
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6899 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6900
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6901 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6902 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6903 config: Config{
6904 MaxVersion: ver.version,
6905 ClientAuth: RequireAnyClientCert,
6906 VerifySignatureAlgorithms: []signatureAlgorithm{
6907 fakeSigAlg1,
6908 alg.id,
6909 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6910 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6911 },
6912 flags: []string{
6913 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6914 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6915 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6916 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6917 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6918 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6919 expectedError: signError,
6920 expectedPeerSignatureAlgorithm: alg.id,
6921 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6922
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6923 testCases = append(testCases, testCase{
6924 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6925 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6926 config: Config{
6927 MaxVersion: ver.version,
6928 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6929 SignSignatureAlgorithms: []signatureAlgorithm{
6930 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6931 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6932 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6933 SkipECDSACurveCheck: shouldVerifyFail,
6934 IgnoreSignatureVersionChecks: shouldVerifyFail,
6935 // Some signature algorithms may not be advertised.
6936 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6937 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6938 },
6939 flags: []string{
6940 "-require-any-client-certificate",
6941 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6942 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6943 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6944 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6945 // Resume the session to assert the peer signature
6946 // algorithm is reported on both handshakes.
6947 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6948 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6949 expectedError: verifyError,
6950 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6951
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6952 // No signing cipher for SSL 3.0.
6953 if *includeDHE || ver.version > VersionSSL30 {
6954 testCases = append(testCases, testCase{
6955 testType: serverTest,
6956 name: "ServerAuth-Sign" + suffix,
6957 config: Config{
6958 MaxVersion: ver.version,
6959 CipherSuites: signingCiphers,
6960 VerifySignatureAlgorithms: []signatureAlgorithm{
6961 fakeSigAlg1,
6962 alg.id,
6963 fakeSigAlg2,
6964 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6965 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6966 flags: []string{
6967 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6968 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6969 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6970 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6971 },
6972 shouldFail: shouldSignFail,
6973 expectedError: signError,
6974 expectedPeerSignatureAlgorithm: alg.id,
6975 })
6976 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6977
6978 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6979 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6980 config: Config{
6981 MaxVersion: ver.version,
6982 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6983 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6984 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6985 alg.id,
6986 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6987 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6988 SkipECDSACurveCheck: shouldVerifyFail,
6989 IgnoreSignatureVersionChecks: shouldVerifyFail,
6990 // Some signature algorithms may not be advertised.
6991 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6992 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6993 },
6994 flags: []string{
6995 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6996 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6997 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6998 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6999 // Resume the session to assert the peer signature
7000 // algorithm is reported on both handshakes.
7001 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7002 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7003 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7004 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7005
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7006 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7007 testCases = append(testCases, testCase{
7008 testType: serverTest,
7009 name: "ClientAuth-InvalidSignature" + suffix,
7010 config: Config{
7011 MaxVersion: ver.version,
7012 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7013 SignSignatureAlgorithms: []signatureAlgorithm{
7014 alg.id,
7015 },
7016 Bugs: ProtocolBugs{
7017 InvalidSignature: true,
7018 },
7019 },
7020 flags: []string{
7021 "-require-any-client-certificate",
7022 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7023 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7024 },
7025 shouldFail: true,
7026 expectedError: ":BAD_SIGNATURE:",
7027 })
7028
7029 testCases = append(testCases, testCase{
7030 name: "ServerAuth-InvalidSignature" + suffix,
7031 config: Config{
7032 MaxVersion: ver.version,
7033 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7034 CipherSuites: signingCiphers,
7035 SignSignatureAlgorithms: []signatureAlgorithm{
7036 alg.id,
7037 },
7038 Bugs: ProtocolBugs{
7039 InvalidSignature: true,
7040 },
7041 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7042 flags: []string{
7043 "-enable-all-curves",
7044 "-enable-ed25519",
7045 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7046 shouldFail: true,
7047 expectedError: ":BAD_SIGNATURE:",
7048 })
7049 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7050
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7051 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7052 testCases = append(testCases, testCase{
7053 name: "ClientAuth-Sign-Negotiate" + suffix,
7054 config: Config{
7055 MaxVersion: ver.version,
7056 ClientAuth: RequireAnyClientCert,
7057 VerifySignatureAlgorithms: allAlgorithms,
7058 },
7059 flags: []string{
7060 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7061 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7062 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7063 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7064 "-signing-prefs", strconv.Itoa(int(alg.id)),
7065 },
7066 expectedPeerSignatureAlgorithm: alg.id,
7067 })
7068
7069 testCases = append(testCases, testCase{
7070 testType: serverTest,
7071 name: "ServerAuth-Sign-Negotiate" + suffix,
7072 config: Config{
7073 MaxVersion: ver.version,
7074 CipherSuites: signingCiphers,
7075 VerifySignatureAlgorithms: allAlgorithms,
7076 },
7077 flags: []string{
7078 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7079 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7080 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7081 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7082 "-signing-prefs", strconv.Itoa(int(alg.id)),
7083 },
7084 expectedPeerSignatureAlgorithm: alg.id,
7085 })
7086 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7087 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7088 }
7089
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7090 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7091 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7092 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7093 config: Config{
7094 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7095 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7096 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7097 signatureECDSAWithP521AndSHA512,
7098 signatureRSAPKCS1WithSHA384,
7099 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7100 },
7101 },
7102 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7103 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7104 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7105 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7106 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7107 })
7108
7109 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7110 name: "ClientAuth-SignatureType-TLS13",
7111 config: Config{
7112 ClientAuth: RequireAnyClientCert,
7113 MaxVersion: VersionTLS13,
7114 VerifySignatureAlgorithms: []signatureAlgorithm{
7115 signatureECDSAWithP521AndSHA512,
7116 signatureRSAPKCS1WithSHA384,
7117 signatureRSAPSSWithSHA384,
7118 signatureECDSAWithSHA1,
7119 },
7120 },
7121 flags: []string{
7122 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7123 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7124 },
7125 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7126 })
7127
7128 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7129 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7130 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7131 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7132 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7133 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7134 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7135 signatureECDSAWithP521AndSHA512,
7136 signatureRSAPKCS1WithSHA384,
7137 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7138 },
7139 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7140 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7141 })
7142
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7143 testCases = append(testCases, testCase{
7144 testType: serverTest,
7145 name: "ServerAuth-SignatureType-TLS13",
7146 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7147 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7148 VerifySignatureAlgorithms: []signatureAlgorithm{
7149 signatureECDSAWithP521AndSHA512,
7150 signatureRSAPKCS1WithSHA384,
7151 signatureRSAPSSWithSHA384,
7152 signatureECDSAWithSHA1,
7153 },
7154 },
7155 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7156 })
7157
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7158 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7159 testCases = append(testCases, testCase{
7160 testType: serverTest,
7161 name: "Verify-ClientAuth-SignatureType",
7162 config: Config{
7163 MaxVersion: VersionTLS12,
7164 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7165 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7166 signatureRSAPKCS1WithSHA256,
7167 },
7168 Bugs: ProtocolBugs{
7169 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7170 },
7171 },
7172 flags: []string{
7173 "-require-any-client-certificate",
7174 },
7175 shouldFail: true,
7176 expectedError: ":WRONG_SIGNATURE_TYPE:",
7177 })
7178
7179 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7180 testType: serverTest,
7181 name: "Verify-ClientAuth-SignatureType-TLS13",
7182 config: Config{
7183 MaxVersion: VersionTLS13,
7184 Certificates: []Certificate{rsaCertificate},
7185 SignSignatureAlgorithms: []signatureAlgorithm{
7186 signatureRSAPSSWithSHA256,
7187 },
7188 Bugs: ProtocolBugs{
7189 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7190 },
7191 },
7192 flags: []string{
7193 "-require-any-client-certificate",
7194 },
7195 shouldFail: true,
7196 expectedError: ":WRONG_SIGNATURE_TYPE:",
7197 })
7198
7199 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7200 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7201 config: Config{
7202 MaxVersion: VersionTLS12,
7203 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7204 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7205 signatureRSAPKCS1WithSHA256,
7206 },
7207 Bugs: ProtocolBugs{
7208 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7209 },
7210 },
7211 shouldFail: true,
7212 expectedError: ":WRONG_SIGNATURE_TYPE:",
7213 })
7214
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7215 testCases = append(testCases, testCase{
7216 name: "Verify-ServerAuth-SignatureType-TLS13",
7217 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7218 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7219 SignSignatureAlgorithms: []signatureAlgorithm{
7220 signatureRSAPSSWithSHA256,
7221 },
7222 Bugs: ProtocolBugs{
7223 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7224 },
7225 },
7226 shouldFail: true,
7227 expectedError: ":WRONG_SIGNATURE_TYPE:",
7228 })
7229
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7230 // Test that, if the list is missing, the peer falls back to SHA-1 in
7231 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7232 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7233 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7234 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7235 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7236 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7237 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7238 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7239 },
7240 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7241 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7242 },
7243 },
7244 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7245 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7246 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7247 },
7248 })
7249
7250 testCases = append(testCases, testCase{
7251 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7252 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7253 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7254 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7255 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7256 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7257 },
7258 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7259 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7260 },
7261 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7262 flags: []string{
7263 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7264 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7265 },
7266 })
7267
7268 testCases = append(testCases, testCase{
7269 name: "ClientAuth-SHA1-Fallback-ECDSA",
7270 config: Config{
7271 MaxVersion: VersionTLS12,
7272 ClientAuth: RequireAnyClientCert,
7273 VerifySignatureAlgorithms: []signatureAlgorithm{
7274 signatureECDSAWithSHA1,
7275 },
7276 Bugs: ProtocolBugs{
7277 NoSignatureAlgorithms: true,
7278 },
7279 },
7280 flags: []string{
7281 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7282 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7283 },
7284 })
7285
7286 testCases = append(testCases, testCase{
7287 testType: serverTest,
7288 name: "ServerAuth-SHA1-Fallback-ECDSA",
7289 config: Config{
7290 MaxVersion: VersionTLS12,
7291 VerifySignatureAlgorithms: []signatureAlgorithm{
7292 signatureECDSAWithSHA1,
7293 },
7294 Bugs: ProtocolBugs{
7295 NoSignatureAlgorithms: true,
7296 },
7297 },
7298 flags: []string{
7299 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7300 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7301 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7302 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7303
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7304 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7305 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7306 config: Config{
7307 MaxVersion: VersionTLS13,
7308 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7309 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7310 signatureRSAPKCS1WithSHA1,
7311 },
7312 Bugs: ProtocolBugs{
7313 NoSignatureAlgorithms: true,
7314 },
7315 },
7316 flags: []string{
7317 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7318 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7319 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7320 shouldFail: true,
7321 // An empty CertificateRequest signature algorithm list is a
7322 // syntax error in TLS 1.3.
7323 expectedError: ":DECODE_ERROR:",
7324 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7325 })
7326
7327 testCases = append(testCases, testCase{
7328 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7329 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7330 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7331 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7332 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7333 signatureRSAPKCS1WithSHA1,
7334 },
7335 Bugs: ProtocolBugs{
7336 NoSignatureAlgorithms: true,
7337 },
7338 },
7339 shouldFail: true,
7340 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7341 })
7342
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7343 // Test that hash preferences are enforced. BoringSSL does not implement
7344 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7345 testCases = append(testCases, testCase{
7346 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7347 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7348 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7349 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7350 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7351 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7352 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7353 },
7354 Bugs: ProtocolBugs{
7355 IgnorePeerSignatureAlgorithmPreferences: true,
7356 },
7357 },
7358 flags: []string{"-require-any-client-certificate"},
7359 shouldFail: true,
7360 expectedError: ":WRONG_SIGNATURE_TYPE:",
7361 })
7362
7363 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7364 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7365 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7366 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7367 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7368 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7369 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7370 },
7371 Bugs: ProtocolBugs{
7372 IgnorePeerSignatureAlgorithmPreferences: true,
7373 },
7374 },
7375 shouldFail: true,
7376 expectedError: ":WRONG_SIGNATURE_TYPE:",
7377 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7378 testCases = append(testCases, testCase{
7379 testType: serverTest,
7380 name: "ClientAuth-Enforced-TLS13",
7381 config: Config{
7382 MaxVersion: VersionTLS13,
7383 Certificates: []Certificate{rsaCertificate},
7384 SignSignatureAlgorithms: []signatureAlgorithm{
7385 signatureRSAPKCS1WithMD5,
7386 },
7387 Bugs: ProtocolBugs{
7388 IgnorePeerSignatureAlgorithmPreferences: true,
7389 IgnoreSignatureVersionChecks: true,
7390 },
7391 },
7392 flags: []string{"-require-any-client-certificate"},
7393 shouldFail: true,
7394 expectedError: ":WRONG_SIGNATURE_TYPE:",
7395 })
7396
7397 testCases = append(testCases, testCase{
7398 name: "ServerAuth-Enforced-TLS13",
7399 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7400 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7401 SignSignatureAlgorithms: []signatureAlgorithm{
7402 signatureRSAPKCS1WithMD5,
7403 },
7404 Bugs: ProtocolBugs{
7405 IgnorePeerSignatureAlgorithmPreferences: true,
7406 IgnoreSignatureVersionChecks: true,
7407 },
7408 },
7409 shouldFail: true,
7410 expectedError: ":WRONG_SIGNATURE_TYPE:",
7411 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7412
7413 // Test that the agreed upon digest respects the client preferences and
7414 // the server digests.
7415 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7416 name: "NoCommonAlgorithms-Digests",
7417 config: Config{
7418 MaxVersion: VersionTLS12,
7419 ClientAuth: RequireAnyClientCert,
7420 VerifySignatureAlgorithms: []signatureAlgorithm{
7421 signatureRSAPKCS1WithSHA512,
7422 signatureRSAPKCS1WithSHA1,
7423 },
7424 },
7425 flags: []string{
7426 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7427 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7428 "-digest-prefs", "SHA256",
7429 },
7430 shouldFail: true,
7431 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7432 })
7433 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7434 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7435 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7436 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7437 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7438 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7439 signatureRSAPKCS1WithSHA512,
7440 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7441 },
7442 },
7443 flags: []string{
7444 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7445 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7446 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7447 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7448 shouldFail: true,
7449 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7450 })
7451 testCases = append(testCases, testCase{
7452 name: "NoCommonAlgorithms-TLS13",
7453 config: Config{
7454 MaxVersion: VersionTLS13,
7455 ClientAuth: RequireAnyClientCert,
7456 VerifySignatureAlgorithms: []signatureAlgorithm{
7457 signatureRSAPSSWithSHA512,
7458 signatureRSAPSSWithSHA384,
7459 },
7460 },
7461 flags: []string{
7462 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7463 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7464 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7465 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7466 shouldFail: true,
7467 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7468 })
7469 testCases = append(testCases, testCase{
7470 name: "Agree-Digest-SHA256",
7471 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7472 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7473 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7474 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7475 signatureRSAPKCS1WithSHA1,
7476 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7477 },
7478 },
7479 flags: []string{
7480 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7481 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7482 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7483 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7484 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7485 })
7486 testCases = append(testCases, testCase{
7487 name: "Agree-Digest-SHA1",
7488 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7489 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7490 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7491 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7492 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7493 },
7494 },
7495 flags: []string{
7496 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7497 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7498 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7499 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7500 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7501 })
7502 testCases = append(testCases, testCase{
7503 name: "Agree-Digest-Default",
7504 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7505 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7506 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7507 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7508 signatureRSAPKCS1WithSHA256,
7509 signatureECDSAWithP256AndSHA256,
7510 signatureRSAPKCS1WithSHA1,
7511 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7512 },
7513 },
7514 flags: []string{
7515 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7516 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7517 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7518 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7519 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7520
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7521 // Test that the signing preference list may include extra algorithms
7522 // without negotiation problems.
7523 testCases = append(testCases, testCase{
7524 testType: serverTest,
7525 name: "FilterExtraAlgorithms",
7526 config: Config{
7527 MaxVersion: VersionTLS12,
7528 VerifySignatureAlgorithms: []signatureAlgorithm{
7529 signatureRSAPKCS1WithSHA256,
7530 },
7531 },
7532 flags: []string{
7533 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7534 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7535 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7536 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7537 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7538 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7539 },
7540 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7541 })
7542
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7543 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7544 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7545 testCases = append(testCases, testCase{
7546 name: "CheckLeafCurve",
7547 config: Config{
7548 MaxVersion: VersionTLS12,
7549 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7550 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7551 },
7552 flags: []string{"-p384-only"},
7553 shouldFail: true,
7554 expectedError: ":BAD_ECC_CERT:",
7555 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7556
7557 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7558 testCases = append(testCases, testCase{
7559 name: "CheckLeafCurve-TLS13",
7560 config: Config{
7561 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7562 Certificates: []Certificate{ecdsaP256Certificate},
7563 },
7564 flags: []string{"-p384-only"},
7565 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7566
7567 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7568 testCases = append(testCases, testCase{
7569 name: "ECDSACurveMismatch-Verify-TLS12",
7570 config: Config{
7571 MaxVersion: VersionTLS12,
7572 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7573 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7574 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7575 signatureECDSAWithP384AndSHA384,
7576 },
7577 },
7578 })
7579
7580 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7581 testCases = append(testCases, testCase{
7582 name: "ECDSACurveMismatch-Verify-TLS13",
7583 config: Config{
7584 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7585 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7586 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7587 signatureECDSAWithP384AndSHA384,
7588 },
7589 Bugs: ProtocolBugs{
7590 SkipECDSACurveCheck: true,
7591 },
7592 },
7593 shouldFail: true,
7594 expectedError: ":WRONG_SIGNATURE_TYPE:",
7595 })
7596
7597 // Signature algorithm selection in TLS 1.3 should take the curve into
7598 // account.
7599 testCases = append(testCases, testCase{
7600 testType: serverTest,
7601 name: "ECDSACurveMismatch-Sign-TLS13",
7602 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7603 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7604 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7605 signatureECDSAWithP384AndSHA384,
7606 signatureECDSAWithP256AndSHA256,
7607 },
7608 },
7609 flags: []string{
7610 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7611 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7612 },
7613 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7614 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7615
7616 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7617 // server does not attempt to sign in that case.
7618 testCases = append(testCases, testCase{
7619 testType: serverTest,
7620 name: "RSA-PSS-Large",
7621 config: Config{
7622 MaxVersion: VersionTLS13,
7623 VerifySignatureAlgorithms: []signatureAlgorithm{
7624 signatureRSAPSSWithSHA512,
7625 },
7626 },
7627 flags: []string{
7628 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7629 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7630 },
7631 shouldFail: true,
7632 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7633 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7634
7635 // Test that RSA-PSS is enabled by default for TLS 1.2.
7636 testCases = append(testCases, testCase{
7637 testType: clientTest,
7638 name: "RSA-PSS-Default-Verify",
7639 config: Config{
7640 MaxVersion: VersionTLS12,
7641 SignSignatureAlgorithms: []signatureAlgorithm{
7642 signatureRSAPSSWithSHA256,
7643 },
7644 },
7645 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7646 })
7647
7648 testCases = append(testCases, testCase{
7649 testType: serverTest,
7650 name: "RSA-PSS-Default-Sign",
7651 config: Config{
7652 MaxVersion: VersionTLS12,
7653 VerifySignatureAlgorithms: []signatureAlgorithm{
7654 signatureRSAPSSWithSHA256,
7655 },
7656 },
7657 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7658 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7659
7660 // TLS 1.1 and below has no way to advertise support for or negotiate
7661 // Ed25519's signature algorithm.
7662 testCases = append(testCases, testCase{
7663 testType: clientTest,
7664 name: "NoEd25519-TLS11-ServerAuth-Verify",
7665 config: Config{
7666 MaxVersion: VersionTLS11,
7667 Certificates: []Certificate{ed25519Certificate},
7668 Bugs: ProtocolBugs{
7669 // Sign with Ed25519 even though it is TLS 1.1.
7670 UseLegacySigningAlgorithm: signatureEd25519,
7671 },
7672 },
7673 flags: []string{"-enable-ed25519"},
7674 shouldFail: true,
7675 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7676 })
7677 testCases = append(testCases, testCase{
7678 testType: serverTest,
7679 name: "NoEd25519-TLS11-ServerAuth-Sign",
7680 config: Config{
7681 MaxVersion: VersionTLS11,
7682 },
7683 flags: []string{
7684 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7685 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7686 },
7687 shouldFail: true,
7688 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7689 })
7690 testCases = append(testCases, testCase{
7691 testType: serverTest,
7692 name: "NoEd25519-TLS11-ClientAuth-Verify",
7693 config: Config{
7694 MaxVersion: VersionTLS11,
7695 Certificates: []Certificate{ed25519Certificate},
7696 Bugs: ProtocolBugs{
7697 // Sign with Ed25519 even though it is TLS 1.1.
7698 UseLegacySigningAlgorithm: signatureEd25519,
7699 },
7700 },
7701 flags: []string{
7702 "-enable-ed25519",
7703 "-require-any-client-certificate",
7704 },
7705 shouldFail: true,
7706 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7707 })
7708 testCases = append(testCases, testCase{
7709 testType: clientTest,
7710 name: "NoEd25519-TLS11-ClientAuth-Sign",
7711 config: Config{
7712 MaxVersion: VersionTLS11,
7713 ClientAuth: RequireAnyClientCert,
7714 },
7715 flags: []string{
7716 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7717 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7718 },
7719 shouldFail: true,
7720 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7721 })
7722
7723 // Test Ed25519 is not advertised by default.
7724 testCases = append(testCases, testCase{
7725 testType: clientTest,
7726 name: "Ed25519DefaultDisable-NoAdvertise",
7727 config: Config{
7728 Certificates: []Certificate{ed25519Certificate},
7729 },
7730 shouldFail: true,
7731 expectedLocalError: "tls: no common signature algorithms",
7732 })
7733
7734 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7735 // preferences.
7736 testCases = append(testCases, testCase{
7737 testType: clientTest,
7738 name: "Ed25519DefaultDisable-NoAccept",
7739 config: Config{
7740 Certificates: []Certificate{ed25519Certificate},
7741 Bugs: ProtocolBugs{
7742 IgnorePeerSignatureAlgorithmPreferences: true,
7743 },
7744 },
7745 shouldFail: true,
7746 expectedLocalError: "remote error: illegal parameter",
7747 expectedError: ":WRONG_SIGNATURE_TYPE:",
7748 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7749}
7750
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7751// timeouts is the retransmit schedule for BoringSSL. It doubles and
7752// caps at 60 seconds. On the 13th timeout, it gives up.
7753var timeouts = []time.Duration{
7754 1 * time.Second,
7755 2 * time.Second,
7756 4 * time.Second,
7757 8 * time.Second,
7758 16 * time.Second,
7759 32 * time.Second,
7760 60 * time.Second,
7761 60 * time.Second,
7762 60 * time.Second,
7763 60 * time.Second,
7764 60 * time.Second,
7765 60 * time.Second,
7766 60 * time.Second,
7767}
7768
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7769// shortTimeouts is an alternate set of timeouts which would occur if the
7770// initial timeout duration was set to 250ms.
7771var shortTimeouts = []time.Duration{
7772 250 * time.Millisecond,
7773 500 * time.Millisecond,
7774 1 * time.Second,
7775 2 * time.Second,
7776 4 * time.Second,
7777 8 * time.Second,
7778 16 * time.Second,
7779 32 * time.Second,
7780 60 * time.Second,
7781 60 * time.Second,
7782 60 * time.Second,
7783 60 * time.Second,
7784 60 * time.Second,
7785}
7786
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7787func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7788 // These tests work by coordinating some behavior on both the shim and
7789 // the runner.
7790 //
7791 // TimeoutSchedule configures the runner to send a series of timeout
7792 // opcodes to the shim (see packetAdaptor) immediately before reading
7793 // each peer handshake flight N. The timeout opcode both simulates a
7794 // timeout in the shim and acts as a synchronization point to help the
7795 // runner bracket each handshake flight.
7796 //
7797 // We assume the shim does not read from the channel eagerly. It must
7798 // first wait until it has sent flight N and is ready to receive
7799 // handshake flight N+1. At this point, it will process the timeout
7800 // opcode. It must then immediately respond with a timeout ACK and act
7801 // as if the shim was idle for the specified amount of time.
7802 //
7803 // The runner then drops all packets received before the ACK and
7804 // continues waiting for flight N. This ordering results in one attempt
7805 // at sending flight N to be dropped. For the test to complete, the
7806 // shim must send flight N again, testing that the shim implements DTLS
7807 // retransmit on a timeout.
7808
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7809 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7810 // likely be more epochs to cross and the final message's retransmit may
7811 // be more complex.
7812
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7813 // Test that this is indeed the timeout schedule. Stress all
7814 // four patterns of handshake.
7815 for i := 1; i < len(timeouts); i++ {
7816 number := strconv.Itoa(i)
7817 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7818 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7819 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7820 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7821 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7822 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7823 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7824 },
7825 },
7826 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7827 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7828 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7829 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7830 protocol: dtls,
7831 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7832 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7833 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7834 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7835 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7836 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7837 },
7838 },
7839 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7840 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7841 })
7842 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7843
7844 // Test that exceeding the timeout schedule hits a read
7845 // timeout.
7846 testCases = append(testCases, testCase{
7847 protocol: dtls,
7848 name: "DTLS-Retransmit-Timeout",
7849 config: Config{
7850 MaxVersion: VersionTLS12,
7851 Bugs: ProtocolBugs{
7852 TimeoutSchedule: timeouts,
7853 },
7854 },
7855 resumeSession: true,
7856 flags: []string{"-async"},
7857 shouldFail: true,
7858 expectedError: ":READ_TIMEOUT_EXPIRED:",
7859 })
7860
7861 // Test that timeout handling has a fudge factor, due to API
7862 // problems.
7863 testCases = append(testCases, testCase{
7864 protocol: dtls,
7865 name: "DTLS-Retransmit-Fudge",
7866 config: Config{
7867 MaxVersion: VersionTLS12,
7868 Bugs: ProtocolBugs{
7869 TimeoutSchedule: []time.Duration{
7870 timeouts[0] - 10*time.Millisecond,
7871 },
7872 },
7873 },
7874 resumeSession: true,
7875 flags: []string{"-async"},
7876 })
7877
7878 // Test that the final Finished retransmitting isn't
7879 // duplicated if the peer badly fragments everything.
7880 testCases = append(testCases, testCase{
7881 testType: serverTest,
7882 protocol: dtls,
7883 name: "DTLS-Retransmit-Fragmented",
7884 config: Config{
7885 MaxVersion: VersionTLS12,
7886 Bugs: ProtocolBugs{
7887 TimeoutSchedule: []time.Duration{timeouts[0]},
7888 MaxHandshakeRecordLength: 2,
7889 },
7890 },
7891 flags: []string{"-async"},
7892 })
7893
7894 // Test the timeout schedule when a shorter initial timeout duration is set.
7895 testCases = append(testCases, testCase{
7896 protocol: dtls,
7897 name: "DTLS-Retransmit-Short-Client",
7898 config: Config{
7899 MaxVersion: VersionTLS12,
7900 Bugs: ProtocolBugs{
7901 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7902 },
7903 },
7904 resumeSession: true,
7905 flags: []string{
7906 "-async",
7907 "-initial-timeout-duration-ms", "250",
7908 },
7909 })
7910 testCases = append(testCases, testCase{
7911 protocol: dtls,
7912 testType: serverTest,
7913 name: "DTLS-Retransmit-Short-Server",
7914 config: Config{
7915 MaxVersion: VersionTLS12,
7916 Bugs: ProtocolBugs{
7917 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7918 },
7919 },
7920 resumeSession: true,
7921 flags: []string{
7922 "-async",
7923 "-initial-timeout-duration-ms", "250",
7924 },
7925 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7926}
7927
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7928func addExportKeyingMaterialTests() {
7929 for _, vers := range tlsVersions {
7930 if vers.version == VersionSSL30 {
7931 continue
7932 }
7933 testCases = append(testCases, testCase{
7934 name: "ExportKeyingMaterial-" + vers.name,
7935 config: Config{
7936 MaxVersion: vers.version,
7937 },
7938 exportKeyingMaterial: 1024,
7939 exportLabel: "label",
7940 exportContext: "context",
7941 useExportContext: true,
7942 })
7943 testCases = append(testCases, testCase{
7944 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7945 config: Config{
7946 MaxVersion: vers.version,
7947 },
7948 exportKeyingMaterial: 1024,
7949 })
7950 testCases = append(testCases, testCase{
7951 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7952 config: Config{
7953 MaxVersion: vers.version,
7954 },
7955 exportKeyingMaterial: 1024,
7956 useExportContext: true,
7957 })
7958 testCases = append(testCases, testCase{
7959 name: "ExportKeyingMaterial-Small-" + vers.name,
7960 config: Config{
7961 MaxVersion: vers.version,
7962 },
7963 exportKeyingMaterial: 1,
7964 exportLabel: "label",
7965 exportContext: "context",
7966 useExportContext: true,
7967 })
7968 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7969
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7970 testCases = append(testCases, testCase{
7971 name: "ExportKeyingMaterial-SSL3",
7972 config: Config{
7973 MaxVersion: VersionSSL30,
7974 },
7975 exportKeyingMaterial: 1024,
7976 exportLabel: "label",
7977 exportContext: "context",
7978 useExportContext: true,
7979 shouldFail: true,
7980 expectedError: "failed to export keying material",
7981 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7982
7983 // Exporters work during a False Start.
7984 testCases = append(testCases, testCase{
7985 name: "ExportKeyingMaterial-FalseStart",
7986 config: Config{
7987 MaxVersion: VersionTLS12,
7988 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7989 NextProtos: []string{"foo"},
7990 Bugs: ProtocolBugs{
7991 ExpectFalseStart: true,
7992 },
7993 },
7994 flags: []string{
7995 "-false-start",
7996 "-advertise-alpn", "\x03foo",
7997 },
7998 shimWritesFirst: true,
7999 exportKeyingMaterial: 1024,
8000 exportLabel: "label",
8001 exportContext: "context",
8002 useExportContext: true,
8003 })
8004
8005 // Exporters do not work in the middle of a renegotiation. Test this by
8006 // triggering the exporter after every SSL_read call and configuring the
8007 // shim to run asynchronously.
8008 testCases = append(testCases, testCase{
8009 name: "ExportKeyingMaterial-Renegotiate",
8010 config: Config{
8011 MaxVersion: VersionTLS12,
8012 },
8013 renegotiate: 1,
8014 flags: []string{
8015 "-async",
8016 "-use-exporter-between-reads",
8017 "-renegotiate-freely",
8018 "-expect-total-renegotiations", "1",
8019 },
8020 shouldFail: true,
8021 expectedError: "failed to export keying material",
8022 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8023}
8024
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8025func addTLSUniqueTests() {
8026 for _, isClient := range []bool{false, true} {
8027 for _, isResumption := range []bool{false, true} {
8028 for _, hasEMS := range []bool{false, true} {
8029 var suffix string
8030 if isResumption {
8031 suffix = "Resume-"
8032 } else {
8033 suffix = "Full-"
8034 }
8035
8036 if hasEMS {
8037 suffix += "EMS-"
8038 } else {
8039 suffix += "NoEMS-"
8040 }
8041
8042 if isClient {
8043 suffix += "Client"
8044 } else {
8045 suffix += "Server"
8046 }
8047
8048 test := testCase{
8049 name: "TLSUnique-" + suffix,
8050 testTLSUnique: true,
8051 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8052 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8053 Bugs: ProtocolBugs{
8054 NoExtendedMasterSecret: !hasEMS,
8055 },
8056 },
8057 }
8058
8059 if isResumption {
8060 test.resumeSession = true
8061 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8062 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8063 Bugs: ProtocolBugs{
8064 NoExtendedMasterSecret: !hasEMS,
8065 },
8066 }
8067 }
8068
8069 if isResumption && !hasEMS {
8070 test.shouldFail = true
8071 test.expectedError = "failed to get tls-unique"
8072 }
8073
8074 testCases = append(testCases, test)
8075 }
8076 }
8077 }
8078}
8079
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8080func addCustomExtensionTests() {
8081 expectedContents := "custom extension"
8082 emptyString := ""
8083
8084 for _, isClient := range []bool{false, true} {
8085 suffix := "Server"
8086 flag := "-enable-server-custom-extension"
8087 testType := serverTest
8088 if isClient {
8089 suffix = "Client"
8090 flag = "-enable-client-custom-extension"
8091 testType = clientTest
8092 }
8093
8094 testCases = append(testCases, testCase{
8095 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8096 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8097 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8098 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8099 Bugs: ProtocolBugs{
8100 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8101 ExpectedCustomExtension: &expectedContents,
8102 },
8103 },
8104 flags: []string{flag},
8105 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8106 testCases = append(testCases, testCase{
8107 testType: testType,
8108 name: "CustomExtensions-" + suffix + "-TLS13",
8109 config: Config{
8110 MaxVersion: VersionTLS13,
8111 Bugs: ProtocolBugs{
8112 CustomExtension: expectedContents,
8113 ExpectedCustomExtension: &expectedContents,
8114 },
8115 },
8116 flags: []string{flag},
8117 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8118
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8119 // 0-RTT is not currently supported with Custom Extensions.
8120 testCases = append(testCases, testCase{
8121 testType: testType,
8122 name: "CustomExtensions-" + suffix + "-EarlyData",
8123 config: Config{
8124 MaxVersion: VersionTLS13,
8125 Bugs: ProtocolBugs{
8126 CustomExtension: expectedContents,
8127 ExpectedCustomExtension: &expectedContents,
8128 },
8129 },
8130 shouldFail: true,
8131 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8132 flags: []string{flag, "-enable-early-data"},
8133 })
8134
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8135 // If the parse callback fails, the handshake should also fail.
8136 testCases = append(testCases, testCase{
8137 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8138 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8139 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8140 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8141 Bugs: ProtocolBugs{
8142 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8143 ExpectedCustomExtension: &expectedContents,
8144 },
8145 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8146 flags: []string{flag},
8147 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8148 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8149 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8150 testCases = append(testCases, testCase{
8151 testType: testType,
8152 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8153 config: Config{
8154 MaxVersion: VersionTLS13,
8155 Bugs: ProtocolBugs{
8156 CustomExtension: expectedContents + "foo",
8157 ExpectedCustomExtension: &expectedContents,
8158 },
8159 },
8160 flags: []string{flag},
8161 shouldFail: true,
8162 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8163 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8164
8165 // If the add callback fails, the handshake should also fail.
8166 testCases = append(testCases, testCase{
8167 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8168 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8169 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8170 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8171 Bugs: ProtocolBugs{
8172 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8173 ExpectedCustomExtension: &expectedContents,
8174 },
8175 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8176 flags: []string{flag, "-custom-extension-fail-add"},
8177 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8178 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8179 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8180 testCases = append(testCases, testCase{
8181 testType: testType,
8182 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8183 config: Config{
8184 MaxVersion: VersionTLS13,
8185 Bugs: ProtocolBugs{
8186 CustomExtension: expectedContents,
8187 ExpectedCustomExtension: &expectedContents,
8188 },
8189 },
8190 flags: []string{flag, "-custom-extension-fail-add"},
8191 shouldFail: true,
8192 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8193 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8194
8195 // If the add callback returns zero, no extension should be
8196 // added.
8197 skipCustomExtension := expectedContents
8198 if isClient {
8199 // For the case where the client skips sending the
8200 // custom extension, the server must not “echo” it.
8201 skipCustomExtension = ""
8202 }
8203 testCases = append(testCases, testCase{
8204 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8205 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8206 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8207 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8208 Bugs: ProtocolBugs{
8209 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8210 ExpectedCustomExtension: &emptyString,
8211 },
8212 },
8213 flags: []string{flag, "-custom-extension-skip"},
8214 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8215 testCases = append(testCases, testCase{
8216 testType: testType,
8217 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8218 config: Config{
8219 MaxVersion: VersionTLS13,
8220 Bugs: ProtocolBugs{
8221 CustomExtension: skipCustomExtension,
8222 ExpectedCustomExtension: &emptyString,
8223 },
8224 },
8225 flags: []string{flag, "-custom-extension-skip"},
8226 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8227 }
8228
8229 // The custom extension add callback should not be called if the client
8230 // doesn't send the extension.
8231 testCases = append(testCases, testCase{
8232 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8233 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8234 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8235 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8236 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8237 ExpectedCustomExtension: &emptyString,
8238 },
8239 },
8240 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8241 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8242
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8243 testCases = append(testCases, testCase{
8244 testType: serverTest,
8245 name: "CustomExtensions-NotCalled-Server-TLS13",
8246 config: Config{
8247 MaxVersion: VersionTLS13,
8248 Bugs: ProtocolBugs{
8249 ExpectedCustomExtension: &emptyString,
8250 },
8251 },
8252 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8253 })
8254
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8255 // Test an unknown extension from the server.
8256 testCases = append(testCases, testCase{
8257 testType: clientTest,
8258 name: "UnknownExtension-Client",
8259 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8260 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8261 Bugs: ProtocolBugs{
8262 CustomExtension: expectedContents,
8263 },
8264 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8265 shouldFail: true,
8266 expectedError: ":UNEXPECTED_EXTENSION:",
8267 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8268 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8269 testCases = append(testCases, testCase{
8270 testType: clientTest,
8271 name: "UnknownExtension-Client-TLS13",
8272 config: Config{
8273 MaxVersion: VersionTLS13,
8274 Bugs: ProtocolBugs{
8275 CustomExtension: expectedContents,
8276 },
8277 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8278 shouldFail: true,
8279 expectedError: ":UNEXPECTED_EXTENSION:",
8280 expectedLocalError: "remote error: unsupported extension",
8281 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8282 testCases = append(testCases, testCase{
8283 testType: clientTest,
8284 name: "UnknownUnencryptedExtension-Client-TLS13",
8285 config: Config{
8286 MaxVersion: VersionTLS13,
8287 Bugs: ProtocolBugs{
8288 CustomUnencryptedExtension: expectedContents,
8289 },
8290 },
8291 shouldFail: true,
8292 expectedError: ":UNEXPECTED_EXTENSION:",
8293 // The shim must send an alert, but alerts at this point do not
8294 // get successfully decrypted by the runner.
8295 expectedLocalError: "local error: bad record MAC",
8296 })
8297 testCases = append(testCases, testCase{
8298 testType: clientTest,
8299 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8300 config: Config{
8301 MaxVersion: VersionTLS13,
8302 Bugs: ProtocolBugs{
8303 SendUnencryptedALPN: "foo",
8304 },
8305 },
8306 flags: []string{
8307 "-advertise-alpn", "\x03foo\x03bar",
8308 },
8309 shouldFail: true,
8310 expectedError: ":UNEXPECTED_EXTENSION:",
8311 // The shim must send an alert, but alerts at this point do not
8312 // get successfully decrypted by the runner.
8313 expectedLocalError: "local error: bad record MAC",
8314 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8315
8316 // Test a known but unoffered extension from the server.
8317 testCases = append(testCases, testCase{
8318 testType: clientTest,
8319 name: "UnofferedExtension-Client",
8320 config: Config{
8321 MaxVersion: VersionTLS12,
8322 Bugs: ProtocolBugs{
8323 SendALPN: "alpn",
8324 },
8325 },
8326 shouldFail: true,
8327 expectedError: ":UNEXPECTED_EXTENSION:",
8328 expectedLocalError: "remote error: unsupported extension",
8329 })
8330 testCases = append(testCases, testCase{
8331 testType: clientTest,
8332 name: "UnofferedExtension-Client-TLS13",
8333 config: Config{
8334 MaxVersion: VersionTLS13,
8335 Bugs: ProtocolBugs{
8336 SendALPN: "alpn",
8337 },
8338 },
8339 shouldFail: true,
8340 expectedError: ":UNEXPECTED_EXTENSION:",
8341 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8342 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8343}
8344
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8345func addRSAClientKeyExchangeTests() {
8346 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8347 testCases = append(testCases, testCase{
8348 testType: serverTest,
8349 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8350 config: Config{
8351 // Ensure the ClientHello version and final
8352 // version are different, to detect if the
8353 // server uses the wrong one.
8354 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8355 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8356 Bugs: ProtocolBugs{
8357 BadRSAClientKeyExchange: bad,
8358 },
8359 },
8360 shouldFail: true,
8361 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8362 })
8363 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8364
8365 // The server must compare whatever was in ClientHello.version for the
8366 // RSA premaster.
8367 testCases = append(testCases, testCase{
8368 testType: serverTest,
8369 name: "SendClientVersion-RSA",
8370 config: Config{
8371 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8372 Bugs: ProtocolBugs{
8373 SendClientVersion: 0x1234,
8374 },
8375 },
8376 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8377 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8378}
8379
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8380var testCurves = []struct {
8381 name string
8382 id CurveID
8383}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8384 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8385 {"P-256", CurveP256},
8386 {"P-384", CurveP384},
8387 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8388 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8389}
8390
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8391const bogusCurve = 0x1234
8392
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8393func addCurveTests() {
8394 for _, curve := range testCurves {
8395 testCases = append(testCases, testCase{
8396 name: "CurveTest-Client-" + curve.name,
8397 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8398 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8399 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8400 CurvePreferences: []CurveID{curve.id},
8401 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8402 flags: []string{
8403 "-enable-all-curves",
8404 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8405 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8406 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8407 })
8408 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8409 name: "CurveTest-Client-" + curve.name + "-TLS13",
8410 config: Config{
8411 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8412 CurvePreferences: []CurveID{curve.id},
8413 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8414 flags: []string{
8415 "-enable-all-curves",
8416 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8417 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8418 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8419 })
8420 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8421 testType: serverTest,
8422 name: "CurveTest-Server-" + curve.name,
8423 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8424 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8425 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8426 CurvePreferences: []CurveID{curve.id},
8427 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8428 flags: []string{
8429 "-enable-all-curves",
8430 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8431 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8432 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8433 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8434 testCases = append(testCases, testCase{
8435 testType: serverTest,
8436 name: "CurveTest-Server-" + curve.name + "-TLS13",
8437 config: Config{
8438 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8439 CurvePreferences: []CurveID{curve.id},
8440 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8441 flags: []string{
8442 "-enable-all-curves",
8443 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8444 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8445 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8446 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8447 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8448
8449 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8450 testCases = append(testCases, testCase{
8451 testType: serverTest,
8452 name: "UnknownCurve",
8453 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8454 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8455 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8456 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8457 },
8458 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8459
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8460 // The server must be tolerant to bogus curves.
8461 testCases = append(testCases, testCase{
8462 testType: serverTest,
8463 name: "UnknownCurve-TLS13",
8464 config: Config{
8465 MaxVersion: VersionTLS13,
8466 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8467 },
8468 })
8469
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8470 // The server must not consider ECDHE ciphers when there are no
8471 // supported curves.
8472 testCases = append(testCases, testCase{
8473 testType: serverTest,
8474 name: "NoSupportedCurves",
8475 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8476 MaxVersion: VersionTLS12,
8477 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8478 Bugs: ProtocolBugs{
8479 NoSupportedCurves: true,
8480 },
8481 },
8482 shouldFail: true,
8483 expectedError: ":NO_SHARED_CIPHER:",
8484 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8485 testCases = append(testCases, testCase{
8486 testType: serverTest,
8487 name: "NoSupportedCurves-TLS13",
8488 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8489 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8490 Bugs: ProtocolBugs{
8491 NoSupportedCurves: true,
8492 },
8493 },
8494 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8495 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8496 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8497
8498 // The server must fall back to another cipher when there are no
8499 // supported curves.
8500 testCases = append(testCases, testCase{
8501 testType: serverTest,
8502 name: "NoCommonCurves",
8503 config: Config{
8504 MaxVersion: VersionTLS12,
8505 CipherSuites: []uint16{
8506 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8507 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8508 },
8509 CurvePreferences: []CurveID{CurveP224},
8510 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8511 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8512 })
8513
8514 // The client must reject bogus curves and disabled curves.
8515 testCases = append(testCases, testCase{
8516 name: "BadECDHECurve",
8517 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8518 MaxVersion: VersionTLS12,
8519 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8520 Bugs: ProtocolBugs{
8521 SendCurve: bogusCurve,
8522 },
8523 },
8524 shouldFail: true,
8525 expectedError: ":WRONG_CURVE:",
8526 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8527 testCases = append(testCases, testCase{
8528 name: "BadECDHECurve-TLS13",
8529 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8530 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8531 Bugs: ProtocolBugs{
8532 SendCurve: bogusCurve,
8533 },
8534 },
8535 shouldFail: true,
8536 expectedError: ":WRONG_CURVE:",
8537 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8538
8539 testCases = append(testCases, testCase{
8540 name: "UnsupportedCurve",
8541 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8542 MaxVersion: VersionTLS12,
8543 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8544 CurvePreferences: []CurveID{CurveP256},
8545 Bugs: ProtocolBugs{
8546 IgnorePeerCurvePreferences: true,
8547 },
8548 },
8549 flags: []string{"-p384-only"},
8550 shouldFail: true,
8551 expectedError: ":WRONG_CURVE:",
8552 })
8553
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8554 testCases = append(testCases, testCase{
8555 // TODO(davidben): Add a TLS 1.3 version where
8556 // HelloRetryRequest requests an unsupported curve.
8557 name: "UnsupportedCurve-ServerHello-TLS13",
8558 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8559 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8560 CurvePreferences: []CurveID{CurveP384},
8561 Bugs: ProtocolBugs{
8562 SendCurve: CurveP256,
8563 },
8564 },
8565 flags: []string{"-p384-only"},
8566 shouldFail: true,
8567 expectedError: ":WRONG_CURVE:",
8568 })
8569
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8570 // Test invalid curve points.
8571 testCases = append(testCases, testCase{
8572 name: "InvalidECDHPoint-Client",
8573 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8574 MaxVersion: VersionTLS12,
8575 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8576 CurvePreferences: []CurveID{CurveP256},
8577 Bugs: ProtocolBugs{
8578 InvalidECDHPoint: true,
8579 },
8580 },
8581 shouldFail: true,
8582 expectedError: ":INVALID_ENCODING:",
8583 })
8584 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8585 name: "InvalidECDHPoint-Client-TLS13",
8586 config: Config{
8587 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8588 CurvePreferences: []CurveID{CurveP256},
8589 Bugs: ProtocolBugs{
8590 InvalidECDHPoint: true,
8591 },
8592 },
8593 shouldFail: true,
8594 expectedError: ":INVALID_ENCODING:",
8595 })
8596 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8597 testType: serverTest,
8598 name: "InvalidECDHPoint-Server",
8599 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8600 MaxVersion: VersionTLS12,
8601 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8602 CurvePreferences: []CurveID{CurveP256},
8603 Bugs: ProtocolBugs{
8604 InvalidECDHPoint: true,
8605 },
8606 },
8607 shouldFail: true,
8608 expectedError: ":INVALID_ENCODING:",
8609 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8610 testCases = append(testCases, testCase{
8611 testType: serverTest,
8612 name: "InvalidECDHPoint-Server-TLS13",
8613 config: Config{
8614 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8615 CurvePreferences: []CurveID{CurveP256},
8616 Bugs: ProtocolBugs{
8617 InvalidECDHPoint: true,
8618 },
8619 },
8620 shouldFail: true,
8621 expectedError: ":INVALID_ENCODING:",
8622 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8623
8624 // The previous curve ID should be reported on TLS 1.2 resumption.
8625 testCases = append(testCases, testCase{
8626 name: "CurveID-Resume-Client",
8627 config: Config{
8628 MaxVersion: VersionTLS12,
8629 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8630 CurvePreferences: []CurveID{CurveX25519},
8631 },
8632 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8633 resumeSession: true,
8634 })
8635 testCases = append(testCases, testCase{
8636 testType: serverTest,
8637 name: "CurveID-Resume-Server",
8638 config: Config{
8639 MaxVersion: VersionTLS12,
8640 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8641 CurvePreferences: []CurveID{CurveX25519},
8642 },
8643 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8644 resumeSession: true,
8645 })
8646
8647 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8648 // one should be reported.
8649 testCases = append(testCases, testCase{
8650 name: "CurveID-Resume-Client-TLS13",
8651 config: Config{
8652 MaxVersion: VersionTLS13,
8653 CurvePreferences: []CurveID{CurveX25519},
8654 },
8655 resumeConfig: &Config{
8656 MaxVersion: VersionTLS13,
8657 CurvePreferences: []CurveID{CurveP256},
8658 },
8659 flags: []string{
8660 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8661 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8662 },
8663 resumeSession: true,
8664 })
8665 testCases = append(testCases, testCase{
8666 testType: serverTest,
8667 name: "CurveID-Resume-Server-TLS13",
8668 config: Config{
8669 MaxVersion: VersionTLS13,
8670 CurvePreferences: []CurveID{CurveX25519},
8671 },
8672 resumeConfig: &Config{
8673 MaxVersion: VersionTLS13,
8674 CurvePreferences: []CurveID{CurveP256},
8675 },
8676 flags: []string{
8677 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8678 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8679 },
8680 resumeSession: true,
8681 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8682
8683 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8684 testCases = append(testCases, testCase{
8685 name: "PointFormat-ServerHello-TLS12",
8686 config: Config{
8687 MaxVersion: VersionTLS12,
8688 Bugs: ProtocolBugs{
8689 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8690 },
8691 },
8692 })
8693 testCases = append(testCases, testCase{
8694 name: "PointFormat-EncryptedExtensions-TLS13",
8695 config: Config{
8696 MaxVersion: VersionTLS13,
8697 Bugs: ProtocolBugs{
8698 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8699 },
8700 },
8701 shouldFail: true,
8702 expectedError: ":ERROR_PARSING_EXTENSION:",
8703 })
8704
8705 // Test that we tolerate unknown point formats, as long as
8706 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8707 // check they are still functional.
8708 testCases = append(testCases, testCase{
8709 name: "PointFormat-Client-Tolerance",
8710 config: Config{
8711 MaxVersion: VersionTLS12,
8712 Bugs: ProtocolBugs{
8713 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8714 },
8715 },
8716 })
8717 testCases = append(testCases, testCase{
8718 testType: serverTest,
8719 name: "PointFormat-Server-Tolerance",
8720 config: Config{
8721 MaxVersion: VersionTLS12,
8722 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8723 Bugs: ProtocolBugs{
8724 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8725 },
8726 },
8727 })
8728
8729 // Test TLS 1.2 does not require the point format extension to be
8730 // present.
8731 testCases = append(testCases, testCase{
8732 name: "PointFormat-Client-Missing",
8733 config: Config{
8734 MaxVersion: VersionTLS12,
8735 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8736 Bugs: ProtocolBugs{
8737 SendSupportedPointFormats: []byte{},
8738 },
8739 },
8740 })
8741 testCases = append(testCases, testCase{
8742 testType: serverTest,
8743 name: "PointFormat-Server-Missing",
8744 config: Config{
8745 MaxVersion: VersionTLS12,
8746 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8747 Bugs: ProtocolBugs{
8748 SendSupportedPointFormats: []byte{},
8749 },
8750 },
8751 })
8752
8753 // If the point format extension is present, uncompressed points must be
8754 // offered. BoringSSL requires this whether or not ECDHE is used.
8755 testCases = append(testCases, testCase{
8756 name: "PointFormat-Client-MissingUncompressed",
8757 config: Config{
8758 MaxVersion: VersionTLS12,
8759 Bugs: ProtocolBugs{
8760 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8761 },
8762 },
8763 shouldFail: true,
8764 expectedError: ":ERROR_PARSING_EXTENSION:",
8765 })
8766 testCases = append(testCases, testCase{
8767 testType: serverTest,
8768 name: "PointFormat-Server-MissingUncompressed",
8769 config: Config{
8770 MaxVersion: VersionTLS12,
8771 Bugs: ProtocolBugs{
8772 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8773 },
8774 },
8775 shouldFail: true,
8776 expectedError: ":ERROR_PARSING_EXTENSION:",
8777 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8778}
8779
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8780func addTLS13RecordTests() {
8781 testCases = append(testCases, testCase{
8782 name: "TLS13-RecordPadding",
8783 config: Config{
8784 MaxVersion: VersionTLS13,
8785 MinVersion: VersionTLS13,
8786 Bugs: ProtocolBugs{
8787 RecordPadding: 10,
8788 },
8789 },
8790 })
8791
8792 testCases = append(testCases, testCase{
8793 name: "TLS13-EmptyRecords",
8794 config: Config{
8795 MaxVersion: VersionTLS13,
8796 MinVersion: VersionTLS13,
8797 Bugs: ProtocolBugs{
8798 OmitRecordContents: true,
8799 },
8800 },
8801 shouldFail: true,
8802 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8803 })
8804
8805 testCases = append(testCases, testCase{
8806 name: "TLS13-OnlyPadding",
8807 config: Config{
8808 MaxVersion: VersionTLS13,
8809 MinVersion: VersionTLS13,
8810 Bugs: ProtocolBugs{
8811 OmitRecordContents: true,
8812 RecordPadding: 10,
8813 },
8814 },
8815 shouldFail: true,
8816 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8817 })
8818
8819 testCases = append(testCases, testCase{
8820 name: "TLS13-WrongOuterRecord",
8821 config: Config{
8822 MaxVersion: VersionTLS13,
8823 MinVersion: VersionTLS13,
8824 Bugs: ProtocolBugs{
8825 OuterRecordType: recordTypeHandshake,
8826 },
8827 },
8828 shouldFail: true,
8829 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8830 })
8831}
8832
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8833func addSessionTicketTests() {
8834 testCases = append(testCases, testCase{
8835 // In TLS 1.2 and below, empty NewSessionTicket messages
8836 // mean the server changed its mind on sending a ticket.
8837 name: "SendEmptySessionTicket",
8838 config: Config{
8839 MaxVersion: VersionTLS12,
8840 Bugs: ProtocolBugs{
8841 SendEmptySessionTicket: true,
8842 },
8843 },
8844 flags: []string{"-expect-no-session"},
8845 })
8846
8847 // Test that the server ignores unknown PSK modes.
8848 testCases = append(testCases, testCase{
8849 testType: serverTest,
8850 name: "TLS13-SendUnknownModeSessionTicket-Server",
8851 config: Config{
8852 MaxVersion: VersionTLS13,
8853 Bugs: ProtocolBugs{
8854 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8855 },
8856 },
8857 resumeSession: true,
8858 expectedResumeVersion: VersionTLS13,
8859 })
8860
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8861 // Test that the server does not send session tickets with no matching key exchange mode.
8862 testCases = append(testCases, testCase{
8863 testType: serverTest,
8864 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8865 config: Config{
8866 MaxVersion: VersionTLS13,
8867 Bugs: ProtocolBugs{
8868 SendPSKKeyExchangeModes: []byte{0x1a},
8869 ExpectNoNewSessionTicket: true,
8870 },
8871 },
8872 })
8873
8874 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8875 testCases = append(testCases, testCase{
8876 testType: serverTest,
8877 name: "TLS13-SendBadKEModeSessionTicket-Server",
8878 config: Config{
8879 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8880 },
8881 resumeConfig: &Config{
8882 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8883 Bugs: ProtocolBugs{
8884 SendPSKKeyExchangeModes: []byte{0x1a},
8885 },
8886 },
8887 resumeSession: true,
8888 expectResumeRejected: true,
8889 })
8890
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8891 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8892 testCases = append(testCases, testCase{
8893 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8894 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8895 config: Config{
8896 MaxVersion: VersionTLS13,
8897 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8898 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8899 },
8900 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8901 resumeSession: true,
8902 flags: []string{
8903 "-resumption-delay", "10",
8904 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8905 })
8906
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8907 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8908 testCases = append(testCases, testCase{
8909 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8910 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8911 config: Config{
8912 MaxVersion: VersionTLS13,
8913 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8914 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8915 },
8916 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8917 resumeSession: true,
8918 shouldFail: true,
8919 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8920 })
8921
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8922 // Test that the server's ticket age skew reporting works.
8923 testCases = append(testCases, testCase{
8924 testType: serverTest,
8925 name: "TLS13-TicketAgeSkew-Forward",
8926 config: Config{
8927 MaxVersion: VersionTLS13,
8928 Bugs: ProtocolBugs{
8929 SendTicketAge: 15 * time.Second,
8930 },
8931 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8932 resumeSession: true,
8933 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8934 flags: []string{
8935 "-resumption-delay", "10",
8936 "-expect-ticket-age-skew", "5",
8937 },
8938 })
8939 testCases = append(testCases, testCase{
8940 testType: serverTest,
8941 name: "TLS13-TicketAgeSkew-Backward",
8942 config: Config{
8943 MaxVersion: VersionTLS13,
8944 Bugs: ProtocolBugs{
8945 SendTicketAge: 5 * time.Second,
8946 },
8947 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8948 resumeSession: true,
8949 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8950 flags: []string{
8951 "-resumption-delay", "10",
8952 "-expect-ticket-age-skew", "-5",
8953 },
8954 })
8955
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8956 testCases = append(testCases, testCase{
8957 testType: clientTest,
8958 name: "TLS13-SendTicketEarlyDataInfo",
8959 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8960 MaxVersion: VersionTLS13,
8961 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8962 },
8963 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8964 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8965 "-expect-early-data-info",
8966 },
8967 })
8968
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8969 // Test that 0-RTT tickets are ignored in clients unless opted in.
8970 testCases = append(testCases, testCase{
8971 testType: clientTest,
8972 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8973 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8974 MaxVersion: VersionTLS13,
8975 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8976 },
8977 })
8978
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8979 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8980 testType: clientTest,
8981 name: "TLS13-DuplicateTicketEarlyDataInfo",
8982 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8983 MaxVersion: VersionTLS13,
8984 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8985 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8986 DuplicateTicketEarlyDataInfo: true,
8987 },
8988 },
8989 shouldFail: true,
8990 expectedError: ":DUPLICATE_EXTENSION:",
8991 expectedLocalError: "remote error: illegal parameter",
8992 })
8993
8994 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8995 testType: serverTest,
8996 name: "TLS13-ExpectTicketEarlyDataInfo",
8997 config: Config{
8998 MaxVersion: VersionTLS13,
8999 Bugs: ProtocolBugs{
9000 ExpectTicketEarlyDataInfo: true,
9001 },
9002 },
9003 flags: []string{
9004 "-enable-early-data",
9005 },
9006 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9007
9008 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9009 // is honored.
9010 testCases = append(testCases, testCase{
9011 testType: clientTest,
9012 name: "TLS13-HonorServerSessionTicketLifetime",
9013 config: Config{
9014 MaxVersion: VersionTLS13,
9015 Bugs: ProtocolBugs{
9016 SendTicketLifetime: 20 * time.Second,
9017 },
9018 },
9019 flags: []string{
9020 "-resumption-delay", "19",
9021 },
9022 resumeSession: true,
9023 })
9024 testCases = append(testCases, testCase{
9025 testType: clientTest,
9026 name: "TLS13-HonorServerSessionTicketLifetime-2",
9027 config: Config{
9028 MaxVersion: VersionTLS13,
9029 Bugs: ProtocolBugs{
9030 SendTicketLifetime: 20 * time.Second,
9031 // The client should not offer the expired session.
9032 ExpectNoTLS13PSK: true,
9033 },
9034 },
9035 flags: []string{
9036 "-resumption-delay", "21",
9037 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9038 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9039 expectResumeRejected: true,
9040 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9041}
9042
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9043func addChangeCipherSpecTests() {
9044 // Test missing ChangeCipherSpecs.
9045 testCases = append(testCases, testCase{
9046 name: "SkipChangeCipherSpec-Client",
9047 config: Config{
9048 MaxVersion: VersionTLS12,
9049 Bugs: ProtocolBugs{
9050 SkipChangeCipherSpec: true,
9051 },
9052 },
9053 shouldFail: true,
9054 expectedError: ":UNEXPECTED_RECORD:",
9055 })
9056 testCases = append(testCases, testCase{
9057 testType: serverTest,
9058 name: "SkipChangeCipherSpec-Server",
9059 config: Config{
9060 MaxVersion: VersionTLS12,
9061 Bugs: ProtocolBugs{
9062 SkipChangeCipherSpec: true,
9063 },
9064 },
9065 shouldFail: true,
9066 expectedError: ":UNEXPECTED_RECORD:",
9067 })
9068 testCases = append(testCases, testCase{
9069 testType: serverTest,
9070 name: "SkipChangeCipherSpec-Server-NPN",
9071 config: Config{
9072 MaxVersion: VersionTLS12,
9073 NextProtos: []string{"bar"},
9074 Bugs: ProtocolBugs{
9075 SkipChangeCipherSpec: true,
9076 },
9077 },
9078 flags: []string{
9079 "-advertise-npn", "\x03foo\x03bar\x03baz",
9080 },
9081 shouldFail: true,
9082 expectedError: ":UNEXPECTED_RECORD:",
9083 })
9084
9085 // Test synchronization between the handshake and ChangeCipherSpec.
9086 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9087 // rejected. Test both with and without handshake packing to handle both
9088 // when the partial post-CCS message is in its own record and when it is
9089 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9090 for _, packed := range []bool{false, true} {
9091 var suffix string
9092 if packed {
9093 suffix = "-Packed"
9094 }
9095
9096 testCases = append(testCases, testCase{
9097 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9098 config: Config{
9099 MaxVersion: VersionTLS12,
9100 Bugs: ProtocolBugs{
9101 FragmentAcrossChangeCipherSpec: true,
9102 PackHandshakeFlight: packed,
9103 },
9104 },
9105 shouldFail: true,
9106 expectedError: ":UNEXPECTED_RECORD:",
9107 })
9108 testCases = append(testCases, testCase{
9109 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9110 config: Config{
9111 MaxVersion: VersionTLS12,
9112 },
9113 resumeSession: true,
9114 resumeConfig: &Config{
9115 MaxVersion: VersionTLS12,
9116 Bugs: ProtocolBugs{
9117 FragmentAcrossChangeCipherSpec: true,
9118 PackHandshakeFlight: packed,
9119 },
9120 },
9121 shouldFail: true,
9122 expectedError: ":UNEXPECTED_RECORD:",
9123 })
9124 testCases = append(testCases, testCase{
9125 testType: serverTest,
9126 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9127 config: Config{
9128 MaxVersion: VersionTLS12,
9129 Bugs: ProtocolBugs{
9130 FragmentAcrossChangeCipherSpec: true,
9131 PackHandshakeFlight: packed,
9132 },
9133 },
9134 shouldFail: true,
9135 expectedError: ":UNEXPECTED_RECORD:",
9136 })
9137 testCases = append(testCases, testCase{
9138 testType: serverTest,
9139 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9140 config: Config{
9141 MaxVersion: VersionTLS12,
9142 },
9143 resumeSession: true,
9144 resumeConfig: &Config{
9145 MaxVersion: VersionTLS12,
9146 Bugs: ProtocolBugs{
9147 FragmentAcrossChangeCipherSpec: true,
9148 PackHandshakeFlight: packed,
9149 },
9150 },
9151 shouldFail: true,
9152 expectedError: ":UNEXPECTED_RECORD:",
9153 })
9154 testCases = append(testCases, testCase{
9155 testType: serverTest,
9156 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9157 config: Config{
9158 MaxVersion: VersionTLS12,
9159 NextProtos: []string{"bar"},
9160 Bugs: ProtocolBugs{
9161 FragmentAcrossChangeCipherSpec: true,
9162 PackHandshakeFlight: packed,
9163 },
9164 },
9165 flags: []string{
9166 "-advertise-npn", "\x03foo\x03bar\x03baz",
9167 },
9168 shouldFail: true,
9169 expectedError: ":UNEXPECTED_RECORD:",
9170 })
9171 }
9172
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9173 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9174 // messages in the handshake queue. Do this by testing the server
9175 // reading the client Finished, reversing the flight so Finished comes
9176 // first.
9177 testCases = append(testCases, testCase{
9178 protocol: dtls,
9179 testType: serverTest,
9180 name: "SendUnencryptedFinished-DTLS",
9181 config: Config{
9182 MaxVersion: VersionTLS12,
9183 Bugs: ProtocolBugs{
9184 SendUnencryptedFinished: true,
9185 ReverseHandshakeFragments: true,
9186 },
9187 },
9188 shouldFail: true,
9189 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9190 })
9191
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9192 // Test synchronization between encryption changes and the handshake in
9193 // TLS 1.3, where ChangeCipherSpec is implicit.
9194 testCases = append(testCases, testCase{
9195 name: "PartialEncryptedExtensionsWithServerHello",
9196 config: Config{
9197 MaxVersion: VersionTLS13,
9198 Bugs: ProtocolBugs{
9199 PartialEncryptedExtensionsWithServerHello: true,
9200 },
9201 },
9202 shouldFail: true,
9203 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9204 })
9205 testCases = append(testCases, testCase{
9206 testType: serverTest,
9207 name: "PartialClientFinishedWithClientHello",
9208 config: Config{
9209 MaxVersion: VersionTLS13,
9210 Bugs: ProtocolBugs{
9211 PartialClientFinishedWithClientHello: true,
9212 },
9213 },
9214 shouldFail: true,
9215 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9216 })
9217
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9218 // Test that early ChangeCipherSpecs are handled correctly.
9219 testCases = append(testCases, testCase{
9220 testType: serverTest,
9221 name: "EarlyChangeCipherSpec-server-1",
9222 config: Config{
9223 MaxVersion: VersionTLS12,
9224 Bugs: ProtocolBugs{
9225 EarlyChangeCipherSpec: 1,
9226 },
9227 },
9228 shouldFail: true,
9229 expectedError: ":UNEXPECTED_RECORD:",
9230 })
9231 testCases = append(testCases, testCase{
9232 testType: serverTest,
9233 name: "EarlyChangeCipherSpec-server-2",
9234 config: Config{
9235 MaxVersion: VersionTLS12,
9236 Bugs: ProtocolBugs{
9237 EarlyChangeCipherSpec: 2,
9238 },
9239 },
9240 shouldFail: true,
9241 expectedError: ":UNEXPECTED_RECORD:",
9242 })
9243 testCases = append(testCases, testCase{
9244 protocol: dtls,
9245 name: "StrayChangeCipherSpec",
9246 config: Config{
9247 // TODO(davidben): Once DTLS 1.3 exists, test
9248 // that stray ChangeCipherSpec messages are
9249 // rejected.
9250 MaxVersion: VersionTLS12,
9251 Bugs: ProtocolBugs{
9252 StrayChangeCipherSpec: true,
9253 },
9254 },
9255 })
9256
9257 // Test that the contents of ChangeCipherSpec are checked.
9258 testCases = append(testCases, testCase{
9259 name: "BadChangeCipherSpec-1",
9260 config: Config{
9261 MaxVersion: VersionTLS12,
9262 Bugs: ProtocolBugs{
9263 BadChangeCipherSpec: []byte{2},
9264 },
9265 },
9266 shouldFail: true,
9267 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9268 })
9269 testCases = append(testCases, testCase{
9270 name: "BadChangeCipherSpec-2",
9271 config: Config{
9272 MaxVersion: VersionTLS12,
9273 Bugs: ProtocolBugs{
9274 BadChangeCipherSpec: []byte{1, 1},
9275 },
9276 },
9277 shouldFail: true,
9278 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9279 })
9280 testCases = append(testCases, testCase{
9281 protocol: dtls,
9282 name: "BadChangeCipherSpec-DTLS-1",
9283 config: Config{
9284 MaxVersion: VersionTLS12,
9285 Bugs: ProtocolBugs{
9286 BadChangeCipherSpec: []byte{2},
9287 },
9288 },
9289 shouldFail: true,
9290 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9291 })
9292 testCases = append(testCases, testCase{
9293 protocol: dtls,
9294 name: "BadChangeCipherSpec-DTLS-2",
9295 config: Config{
9296 MaxVersion: VersionTLS12,
9297 Bugs: ProtocolBugs{
9298 BadChangeCipherSpec: []byte{1, 1},
9299 },
9300 },
9301 shouldFail: true,
9302 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9303 })
9304}
9305
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9306type perMessageTest struct {
9307 messageType uint8
9308 test testCase
9309}
9310
9311// makePerMessageTests returns a series of test templates which cover each
9312// message in the TLS handshake. These may be used with bugs like
9313// WrongMessageType to fully test a per-message bug.
9314func makePerMessageTests() []perMessageTest {
9315 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9316 for _, protocol := range []protocol{tls, dtls} {
9317 var suffix string
9318 if protocol == dtls {
9319 suffix = "-DTLS"
9320 }
9321
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9322 ret = append(ret, perMessageTest{
9323 messageType: typeClientHello,
9324 test: testCase{
9325 protocol: protocol,
9326 testType: serverTest,
9327 name: "ClientHello" + suffix,
9328 config: Config{
9329 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9330 },
9331 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9332 })
9333
9334 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9335 ret = append(ret, perMessageTest{
9336 messageType: typeHelloVerifyRequest,
9337 test: testCase{
9338 protocol: protocol,
9339 name: "HelloVerifyRequest" + suffix,
9340 config: Config{
9341 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9342 },
9343 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9344 })
9345 }
9346
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9347 ret = append(ret, perMessageTest{
9348 messageType: typeServerHello,
9349 test: testCase{
9350 protocol: protocol,
9351 name: "ServerHello" + suffix,
9352 config: Config{
9353 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9354 },
9355 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9356 })
9357
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9358 ret = append(ret, perMessageTest{
9359 messageType: typeCertificate,
9360 test: testCase{
9361 protocol: protocol,
9362 name: "ServerCertificate" + suffix,
9363 config: Config{
9364 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9365 },
9366 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9367 })
9368
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9369 ret = append(ret, perMessageTest{
9370 messageType: typeCertificateStatus,
9371 test: testCase{
9372 protocol: protocol,
9373 name: "CertificateStatus" + suffix,
9374 config: Config{
9375 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9376 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9377 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9378 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9379 })
9380
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9381 ret = append(ret, perMessageTest{
9382 messageType: typeServerKeyExchange,
9383 test: testCase{
9384 protocol: protocol,
9385 name: "ServerKeyExchange" + suffix,
9386 config: Config{
9387 MaxVersion: VersionTLS12,
9388 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9389 },
9390 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9391 })
9392
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9393 ret = append(ret, perMessageTest{
9394 messageType: typeCertificateRequest,
9395 test: testCase{
9396 protocol: protocol,
9397 name: "CertificateRequest" + suffix,
9398 config: Config{
9399 MaxVersion: VersionTLS12,
9400 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9401 },
9402 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9403 })
9404
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9405 ret = append(ret, perMessageTest{
9406 messageType: typeServerHelloDone,
9407 test: testCase{
9408 protocol: protocol,
9409 name: "ServerHelloDone" + suffix,
9410 config: Config{
9411 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9412 },
9413 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9414 })
9415
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9416 ret = append(ret, perMessageTest{
9417 messageType: typeCertificate,
9418 test: testCase{
9419 testType: serverTest,
9420 protocol: protocol,
9421 name: "ClientCertificate" + suffix,
9422 config: Config{
9423 Certificates: []Certificate{rsaCertificate},
9424 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9425 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9426 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9427 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9428 })
9429
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9430 ret = append(ret, perMessageTest{
9431 messageType: typeCertificateVerify,
9432 test: testCase{
9433 testType: serverTest,
9434 protocol: protocol,
9435 name: "CertificateVerify" + suffix,
9436 config: Config{
9437 Certificates: []Certificate{rsaCertificate},
9438 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9439 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9440 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9441 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9442 })
9443
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9444 ret = append(ret, perMessageTest{
9445 messageType: typeClientKeyExchange,
9446 test: testCase{
9447 testType: serverTest,
9448 protocol: protocol,
9449 name: "ClientKeyExchange" + suffix,
9450 config: Config{
9451 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9452 },
9453 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9454 })
9455
9456 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9457 ret = append(ret, perMessageTest{
9458 messageType: typeNextProtocol,
9459 test: testCase{
9460 testType: serverTest,
9461 protocol: protocol,
9462 name: "NextProtocol" + suffix,
9463 config: Config{
9464 MaxVersion: VersionTLS12,
9465 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9466 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9467 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9468 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9469 })
9470
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9471 ret = append(ret, perMessageTest{
9472 messageType: typeChannelID,
9473 test: testCase{
9474 testType: serverTest,
9475 protocol: protocol,
9476 name: "ChannelID" + suffix,
9477 config: Config{
9478 MaxVersion: VersionTLS12,
9479 ChannelID: channelIDKey,
9480 },
9481 flags: []string{
9482 "-expect-channel-id",
9483 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9484 },
9485 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9486 })
9487 }
9488
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9489 ret = append(ret, perMessageTest{
9490 messageType: typeFinished,
9491 test: testCase{
9492 testType: serverTest,
9493 protocol: protocol,
9494 name: "ClientFinished" + suffix,
9495 config: Config{
9496 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9497 },
9498 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9499 })
9500
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9501 ret = append(ret, perMessageTest{
9502 messageType: typeNewSessionTicket,
9503 test: testCase{
9504 protocol: protocol,
9505 name: "NewSessionTicket" + suffix,
9506 config: Config{
9507 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9508 },
9509 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9510 })
9511
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9512 ret = append(ret, perMessageTest{
9513 messageType: typeFinished,
9514 test: testCase{
9515 protocol: protocol,
9516 name: "ServerFinished" + suffix,
9517 config: Config{
9518 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9519 },
9520 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9521 })
9522
9523 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9524
9525 ret = append(ret, perMessageTest{
9526 messageType: typeClientHello,
9527 test: testCase{
9528 testType: serverTest,
9529 name: "TLS13-ClientHello",
9530 config: Config{
9531 MaxVersion: VersionTLS13,
9532 },
9533 },
9534 })
9535
9536 ret = append(ret, perMessageTest{
9537 messageType: typeServerHello,
9538 test: testCase{
9539 name: "TLS13-ServerHello",
9540 config: Config{
9541 MaxVersion: VersionTLS13,
9542 },
9543 },
9544 })
9545
9546 ret = append(ret, perMessageTest{
9547 messageType: typeEncryptedExtensions,
9548 test: testCase{
9549 name: "TLS13-EncryptedExtensions",
9550 config: Config{
9551 MaxVersion: VersionTLS13,
9552 },
9553 },
9554 })
9555
9556 ret = append(ret, perMessageTest{
9557 messageType: typeCertificateRequest,
9558 test: testCase{
9559 name: "TLS13-CertificateRequest",
9560 config: Config{
9561 MaxVersion: VersionTLS13,
9562 ClientAuth: RequireAnyClientCert,
9563 },
9564 },
9565 })
9566
9567 ret = append(ret, perMessageTest{
9568 messageType: typeCertificate,
9569 test: testCase{
9570 name: "TLS13-ServerCertificate",
9571 config: Config{
9572 MaxVersion: VersionTLS13,
9573 },
9574 },
9575 })
9576
9577 ret = append(ret, perMessageTest{
9578 messageType: typeCertificateVerify,
9579 test: testCase{
9580 name: "TLS13-ServerCertificateVerify",
9581 config: Config{
9582 MaxVersion: VersionTLS13,
9583 },
9584 },
9585 })
9586
9587 ret = append(ret, perMessageTest{
9588 messageType: typeFinished,
9589 test: testCase{
9590 name: "TLS13-ServerFinished",
9591 config: Config{
9592 MaxVersion: VersionTLS13,
9593 },
9594 },
9595 })
9596
9597 ret = append(ret, perMessageTest{
9598 messageType: typeCertificate,
9599 test: testCase{
9600 testType: serverTest,
9601 name: "TLS13-ClientCertificate",
9602 config: Config{
9603 Certificates: []Certificate{rsaCertificate},
9604 MaxVersion: VersionTLS13,
9605 },
9606 flags: []string{"-require-any-client-certificate"},
9607 },
9608 })
9609
9610 ret = append(ret, perMessageTest{
9611 messageType: typeCertificateVerify,
9612 test: testCase{
9613 testType: serverTest,
9614 name: "TLS13-ClientCertificateVerify",
9615 config: Config{
9616 Certificates: []Certificate{rsaCertificate},
9617 MaxVersion: VersionTLS13,
9618 },
9619 flags: []string{"-require-any-client-certificate"},
9620 },
9621 })
9622
9623 ret = append(ret, perMessageTest{
9624 messageType: typeFinished,
9625 test: testCase{
9626 testType: serverTest,
9627 name: "TLS13-ClientFinished",
9628 config: Config{
9629 MaxVersion: VersionTLS13,
9630 },
9631 },
9632 })
9633
9634 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9635}
9636
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9637func addWrongMessageTypeTests() {
9638 for _, t := range makePerMessageTests() {
9639 t.test.name = "WrongMessageType-" + t.test.name
9640 t.test.config.Bugs.SendWrongMessageType = t.messageType
9641 t.test.shouldFail = true
9642 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9643 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9644
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9645 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9646 // In TLS 1.3, a bad ServerHello means the client sends
9647 // an unencrypted alert while the server expects
9648 // encryption, so the alert is not readable by runner.
9649 t.test.expectedLocalError = "local error: bad record MAC"
9650 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9651
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9652 testCases = append(testCases, t.test)
9653 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9654
9655 // The processing order for TLS 1.3 version negotiation is such that one
9656 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9657 // TLS 1.2. Test that we do not do this.
9658 testCases = append(testCases, testCase{
9659 name: "SendServerHelloAsHelloRetryRequest",
9660 config: Config{
9661 MaxVersion: VersionTLS12,
9662 Bugs: ProtocolBugs{
9663 SendServerHelloAsHelloRetryRequest: true,
9664 },
9665 },
9666 shouldFail: true,
9667 expectedError: ":UNEXPECTED_MESSAGE:",
9668 expectedLocalError: "remote error: unexpected message",
9669 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9670}
9671
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9672func addTrailingMessageDataTests() {
9673 for _, t := range makePerMessageTests() {
9674 t.test.name = "TrailingMessageData-" + t.test.name
9675 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9676 t.test.shouldFail = true
9677 t.test.expectedError = ":DECODE_ERROR:"
9678 t.test.expectedLocalError = "remote error: error decoding message"
9679
9680 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9681 // In TLS 1.3, a bad ServerHello means the client sends
9682 // an unencrypted alert while the server expects
9683 // encryption, so the alert is not readable by runner.
9684 t.test.expectedLocalError = "local error: bad record MAC"
9685 }
9686
9687 if t.messageType == typeFinished {
9688 // Bad Finished messages read as the verify data having
9689 // the wrong length.
9690 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9691 t.test.expectedLocalError = "remote error: error decrypting message"
9692 }
9693
9694 testCases = append(testCases, t.test)
9695 }
9696}
9697
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9698func addTLS13HandshakeTests() {
9699 testCases = append(testCases, testCase{
9700 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9701 name: "NegotiatePSKResumption-TLS13",
9702 config: Config{
9703 MaxVersion: VersionTLS13,
9704 Bugs: ProtocolBugs{
9705 NegotiatePSKResumption: true,
9706 },
9707 },
9708 resumeSession: true,
9709 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9710 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9711 })
9712
9713 testCases = append(testCases, testCase{
9714 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9715 name: "MissingKeyShare-Client",
9716 config: Config{
9717 MaxVersion: VersionTLS13,
9718 Bugs: ProtocolBugs{
9719 MissingKeyShare: true,
9720 },
9721 },
9722 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9723 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9724 })
9725
9726 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9727 testType: serverTest,
9728 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9729 config: Config{
9730 MaxVersion: VersionTLS13,
9731 Bugs: ProtocolBugs{
9732 MissingKeyShare: true,
9733 },
9734 },
9735 shouldFail: true,
9736 expectedError: ":MISSING_KEY_SHARE:",
9737 })
9738
9739 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9740 testType: serverTest,
9741 name: "DuplicateKeyShares",
9742 config: Config{
9743 MaxVersion: VersionTLS13,
9744 Bugs: ProtocolBugs{
9745 DuplicateKeyShares: true,
9746 },
9747 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9748 shouldFail: true,
9749 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9750 })
9751
9752 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9753 testType: serverTest,
9754 name: "SkipEarlyData",
9755 config: Config{
9756 MaxVersion: VersionTLS13,
9757 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9758 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9759 },
9760 },
9761 })
9762
9763 testCases = append(testCases, testCase{
9764 testType: serverTest,
9765 name: "SkipEarlyData-OmitEarlyDataExtension",
9766 config: Config{
9767 MaxVersion: VersionTLS13,
9768 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9769 SendFakeEarlyDataLength: 4,
9770 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9771 },
9772 },
9773 shouldFail: true,
9774 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9775 })
9776
9777 testCases = append(testCases, testCase{
9778 testType: serverTest,
9779 name: "SkipEarlyData-TooMuchData",
9780 config: Config{
9781 MaxVersion: VersionTLS13,
9782 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9783 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9784 },
9785 },
9786 shouldFail: true,
9787 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9788 })
9789
9790 testCases = append(testCases, testCase{
9791 testType: serverTest,
9792 name: "SkipEarlyData-Interleaved",
9793 config: Config{
9794 MaxVersion: VersionTLS13,
9795 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9796 SendFakeEarlyDataLength: 4,
9797 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9798 },
9799 },
9800 shouldFail: true,
9801 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9802 })
9803
9804 testCases = append(testCases, testCase{
9805 testType: serverTest,
9806 name: "SkipEarlyData-EarlyDataInTLS12",
9807 config: Config{
9808 MaxVersion: VersionTLS13,
9809 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9810 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9811 },
9812 },
9813 shouldFail: true,
9814 expectedError: ":UNEXPECTED_RECORD:",
9815 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9816 })
9817
9818 testCases = append(testCases, testCase{
9819 testType: serverTest,
9820 name: "SkipEarlyData-HRR",
9821 config: Config{
9822 MaxVersion: VersionTLS13,
9823 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9824 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9825 },
9826 DefaultCurves: []CurveID{},
9827 },
9828 })
9829
9830 testCases = append(testCases, testCase{
9831 testType: serverTest,
9832 name: "SkipEarlyData-HRR-Interleaved",
9833 config: Config{
9834 MaxVersion: VersionTLS13,
9835 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9836 SendFakeEarlyDataLength: 4,
9837 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9838 },
9839 DefaultCurves: []CurveID{},
9840 },
9841 shouldFail: true,
9842 expectedError: ":UNEXPECTED_RECORD:",
9843 })
9844
9845 testCases = append(testCases, testCase{
9846 testType: serverTest,
9847 name: "SkipEarlyData-HRR-TooMuchData",
9848 config: Config{
9849 MaxVersion: VersionTLS13,
9850 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9851 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9852 },
9853 DefaultCurves: []CurveID{},
9854 },
9855 shouldFail: true,
9856 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9857 })
9858
9859 // Test that skipping early data looking for cleartext correctly
9860 // processes an alert record.
9861 testCases = append(testCases, testCase{
9862 testType: serverTest,
9863 name: "SkipEarlyData-HRR-FatalAlert",
9864 config: Config{
9865 MaxVersion: VersionTLS13,
9866 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9867 SendEarlyAlert: true,
9868 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9869 },
9870 DefaultCurves: []CurveID{},
9871 },
9872 shouldFail: true,
9873 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9874 })
9875
9876 testCases = append(testCases, testCase{
9877 testType: serverTest,
9878 name: "SkipEarlyData-SecondClientHelloEarlyData",
9879 config: Config{
9880 MaxVersion: VersionTLS13,
9881 Bugs: ProtocolBugs{
9882 SendEarlyDataOnSecondClientHello: true,
9883 },
9884 DefaultCurves: []CurveID{},
9885 },
9886 shouldFail: true,
9887 expectedLocalError: "remote error: bad record MAC",
9888 })
9889
9890 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9891 testType: clientTest,
9892 name: "EmptyEncryptedExtensions",
9893 config: Config{
9894 MaxVersion: VersionTLS13,
9895 Bugs: ProtocolBugs{
9896 EmptyEncryptedExtensions: true,
9897 },
9898 },
9899 shouldFail: true,
9900 expectedLocalError: "remote error: error decoding message",
9901 })
9902
9903 testCases = append(testCases, testCase{
9904 testType: clientTest,
9905 name: "EncryptedExtensionsWithKeyShare",
9906 config: Config{
9907 MaxVersion: VersionTLS13,
9908 Bugs: ProtocolBugs{
9909 EncryptedExtensionsWithKeyShare: true,
9910 },
9911 },
9912 shouldFail: true,
9913 expectedLocalError: "remote error: unsupported extension",
9914 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9915
9916 testCases = append(testCases, testCase{
9917 testType: serverTest,
9918 name: "SendHelloRetryRequest",
9919 config: Config{
9920 MaxVersion: VersionTLS13,
9921 // Require a HelloRetryRequest for every curve.
9922 DefaultCurves: []CurveID{},
9923 },
9924 expectedCurveID: CurveX25519,
9925 })
9926
9927 testCases = append(testCases, testCase{
9928 testType: serverTest,
9929 name: "SendHelloRetryRequest-2",
9930 config: Config{
9931 MaxVersion: VersionTLS13,
9932 DefaultCurves: []CurveID{CurveP384},
9933 },
9934 // Although the ClientHello did not predict our preferred curve,
9935 // we always select it whether it is predicted or not.
9936 expectedCurveID: CurveX25519,
9937 })
9938
9939 testCases = append(testCases, testCase{
9940 name: "UnknownCurve-HelloRetryRequest",
9941 config: Config{
9942 MaxVersion: VersionTLS13,
9943 // P-384 requires HelloRetryRequest in BoringSSL.
9944 CurvePreferences: []CurveID{CurveP384},
9945 Bugs: ProtocolBugs{
9946 SendHelloRetryRequestCurve: bogusCurve,
9947 },
9948 },
9949 shouldFail: true,
9950 expectedError: ":WRONG_CURVE:",
9951 })
9952
9953 testCases = append(testCases, testCase{
9954 name: "DisabledCurve-HelloRetryRequest",
9955 config: Config{
9956 MaxVersion: VersionTLS13,
9957 CurvePreferences: []CurveID{CurveP256},
9958 Bugs: ProtocolBugs{
9959 IgnorePeerCurvePreferences: true,
9960 },
9961 },
9962 flags: []string{"-p384-only"},
9963 shouldFail: true,
9964 expectedError: ":WRONG_CURVE:",
9965 })
9966
9967 testCases = append(testCases, testCase{
9968 name: "UnnecessaryHelloRetryRequest",
9969 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9970 MaxVersion: VersionTLS13,
9971 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9972 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9973 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9974 },
9975 },
9976 shouldFail: true,
9977 expectedError: ":WRONG_CURVE:",
9978 })
9979
9980 testCases = append(testCases, testCase{
9981 name: "SecondHelloRetryRequest",
9982 config: Config{
9983 MaxVersion: VersionTLS13,
9984 // P-384 requires HelloRetryRequest in BoringSSL.
9985 CurvePreferences: []CurveID{CurveP384},
9986 Bugs: ProtocolBugs{
9987 SecondHelloRetryRequest: true,
9988 },
9989 },
9990 shouldFail: true,
9991 expectedError: ":UNEXPECTED_MESSAGE:",
9992 })
9993
9994 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9995 name: "HelloRetryRequest-Empty",
9996 config: Config{
9997 MaxVersion: VersionTLS13,
9998 Bugs: ProtocolBugs{
9999 AlwaysSendHelloRetryRequest: true,
10000 },
10001 },
10002 shouldFail: true,
10003 expectedError: ":DECODE_ERROR:",
10004 })
10005
10006 testCases = append(testCases, testCase{
10007 name: "HelloRetryRequest-DuplicateCurve",
10008 config: Config{
10009 MaxVersion: VersionTLS13,
10010 // P-384 requires a HelloRetryRequest against BoringSSL's default
10011 // configuration. Assert this ExpectMissingKeyShare.
10012 CurvePreferences: []CurveID{CurveP384},
10013 Bugs: ProtocolBugs{
10014 ExpectMissingKeyShare: true,
10015 DuplicateHelloRetryRequestExtensions: true,
10016 },
10017 },
10018 shouldFail: true,
10019 expectedError: ":DUPLICATE_EXTENSION:",
10020 expectedLocalError: "remote error: illegal parameter",
10021 })
10022
10023 testCases = append(testCases, testCase{
10024 name: "HelloRetryRequest-Cookie",
10025 config: Config{
10026 MaxVersion: VersionTLS13,
10027 Bugs: ProtocolBugs{
10028 SendHelloRetryRequestCookie: []byte("cookie"),
10029 },
10030 },
10031 })
10032
10033 testCases = append(testCases, testCase{
10034 name: "HelloRetryRequest-DuplicateCookie",
10035 config: Config{
10036 MaxVersion: VersionTLS13,
10037 Bugs: ProtocolBugs{
10038 SendHelloRetryRequestCookie: []byte("cookie"),
10039 DuplicateHelloRetryRequestExtensions: true,
10040 },
10041 },
10042 shouldFail: true,
10043 expectedError: ":DUPLICATE_EXTENSION:",
10044 expectedLocalError: "remote error: illegal parameter",
10045 })
10046
10047 testCases = append(testCases, testCase{
10048 name: "HelloRetryRequest-EmptyCookie",
10049 config: Config{
10050 MaxVersion: VersionTLS13,
10051 Bugs: ProtocolBugs{
10052 SendHelloRetryRequestCookie: []byte{},
10053 },
10054 },
10055 shouldFail: true,
10056 expectedError: ":DECODE_ERROR:",
10057 })
10058
10059 testCases = append(testCases, testCase{
10060 name: "HelloRetryRequest-Cookie-Curve",
10061 config: Config{
10062 MaxVersion: VersionTLS13,
10063 // P-384 requires HelloRetryRequest in BoringSSL.
10064 CurvePreferences: []CurveID{CurveP384},
10065 Bugs: ProtocolBugs{
10066 SendHelloRetryRequestCookie: []byte("cookie"),
10067 ExpectMissingKeyShare: true,
10068 },
10069 },
10070 })
10071
10072 testCases = append(testCases, testCase{
10073 name: "HelloRetryRequest-Unknown",
10074 config: Config{
10075 MaxVersion: VersionTLS13,
10076 Bugs: ProtocolBugs{
10077 CustomHelloRetryRequestExtension: "extension",
10078 },
10079 },
10080 shouldFail: true,
10081 expectedError: ":UNEXPECTED_EXTENSION:",
10082 expectedLocalError: "remote error: unsupported extension",
10083 })
10084
10085 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10086 testType: serverTest,
10087 name: "SecondClientHelloMissingKeyShare",
10088 config: Config{
10089 MaxVersion: VersionTLS13,
10090 DefaultCurves: []CurveID{},
10091 Bugs: ProtocolBugs{
10092 SecondClientHelloMissingKeyShare: true,
10093 },
10094 },
10095 shouldFail: true,
10096 expectedError: ":MISSING_KEY_SHARE:",
10097 })
10098
10099 testCases = append(testCases, testCase{
10100 testType: serverTest,
10101 name: "SecondClientHelloWrongCurve",
10102 config: Config{
10103 MaxVersion: VersionTLS13,
10104 DefaultCurves: []CurveID{},
10105 Bugs: ProtocolBugs{
10106 MisinterpretHelloRetryRequestCurve: CurveP521,
10107 },
10108 },
10109 shouldFail: true,
10110 expectedError: ":WRONG_CURVE:",
10111 })
10112
10113 testCases = append(testCases, testCase{
10114 name: "HelloRetryRequestVersionMismatch",
10115 config: Config{
10116 MaxVersion: VersionTLS13,
10117 // P-384 requires HelloRetryRequest in BoringSSL.
10118 CurvePreferences: []CurveID{CurveP384},
10119 Bugs: ProtocolBugs{
10120 SendServerHelloVersion: 0x0305,
10121 },
10122 },
10123 shouldFail: true,
10124 expectedError: ":WRONG_VERSION_NUMBER:",
10125 })
10126
10127 testCases = append(testCases, testCase{
10128 name: "HelloRetryRequestCurveMismatch",
10129 config: Config{
10130 MaxVersion: VersionTLS13,
10131 // P-384 requires HelloRetryRequest in BoringSSL.
10132 CurvePreferences: []CurveID{CurveP384},
10133 Bugs: ProtocolBugs{
10134 // Send P-384 (correct) in the HelloRetryRequest.
10135 SendHelloRetryRequestCurve: CurveP384,
10136 // But send P-256 in the ServerHello.
10137 SendCurve: CurveP256,
10138 },
10139 },
10140 shouldFail: true,
10141 expectedError: ":WRONG_CURVE:",
10142 })
10143
10144 // Test the server selecting a curve that requires a HelloRetryRequest
10145 // without sending it.
10146 testCases = append(testCases, testCase{
10147 name: "SkipHelloRetryRequest",
10148 config: Config{
10149 MaxVersion: VersionTLS13,
10150 // P-384 requires HelloRetryRequest in BoringSSL.
10151 CurvePreferences: []CurveID{CurveP384},
10152 Bugs: ProtocolBugs{
10153 SkipHelloRetryRequest: true,
10154 },
10155 },
10156 shouldFail: true,
10157 expectedError: ":WRONG_CURVE:",
10158 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10159
10160 testCases = append(testCases, testCase{
10161 name: "TLS13-RequestContextInHandshake",
10162 config: Config{
10163 MaxVersion: VersionTLS13,
10164 MinVersion: VersionTLS13,
10165 ClientAuth: RequireAnyClientCert,
10166 Bugs: ProtocolBugs{
10167 SendRequestContext: []byte("request context"),
10168 },
10169 },
10170 flags: []string{
10171 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10172 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10173 },
10174 shouldFail: true,
10175 expectedError: ":DECODE_ERROR:",
10176 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10177
10178 testCases = append(testCases, testCase{
10179 testType: serverTest,
10180 name: "TLS13-TrailingKeyShareData",
10181 config: Config{
10182 MaxVersion: VersionTLS13,
10183 Bugs: ProtocolBugs{
10184 TrailingKeyShareData: true,
10185 },
10186 },
10187 shouldFail: true,
10188 expectedError: ":DECODE_ERROR:",
10189 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10190
10191 testCases = append(testCases, testCase{
10192 name: "TLS13-AlwaysSelectPSKIdentity",
10193 config: Config{
10194 MaxVersion: VersionTLS13,
10195 Bugs: ProtocolBugs{
10196 AlwaysSelectPSKIdentity: true,
10197 },
10198 },
10199 shouldFail: true,
10200 expectedError: ":UNEXPECTED_EXTENSION:",
10201 })
10202
10203 testCases = append(testCases, testCase{
10204 name: "TLS13-InvalidPSKIdentity",
10205 config: Config{
10206 MaxVersion: VersionTLS13,
10207 Bugs: ProtocolBugs{
10208 SelectPSKIdentityOnResume: 1,
10209 },
10210 },
10211 resumeSession: true,
10212 shouldFail: true,
10213 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10214 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10215
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10216 testCases = append(testCases, testCase{
10217 testType: serverTest,
10218 name: "TLS13-ExtraPSKIdentity",
10219 config: Config{
10220 MaxVersion: VersionTLS13,
10221 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10222 ExtraPSKIdentity: true,
10223 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10224 },
10225 },
10226 resumeSession: true,
10227 })
10228
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10229 // Test that unknown NewSessionTicket extensions are tolerated.
10230 testCases = append(testCases, testCase{
10231 name: "TLS13-CustomTicketExtension",
10232 config: Config{
10233 MaxVersion: VersionTLS13,
10234 Bugs: ProtocolBugs{
10235 CustomTicketExtension: "1234",
10236 },
10237 },
10238 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10239
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10240 testCases = append(testCases, testCase{
10241 testType: clientTest,
10242 name: "TLS13-DataLessEarlyData-Reject-Client",
10243 config: Config{
10244 MaxVersion: VersionTLS13,
10245 MaxEarlyDataSize: 16384,
10246 },
10247 resumeConfig: &Config{
10248 MaxVersion: VersionTLS13,
10249 MaxEarlyDataSize: 16384,
10250 Bugs: ProtocolBugs{
10251 AlwaysRejectEarlyData: true,
10252 },
10253 },
10254 resumeSession: true,
10255 flags: []string{
10256 "-enable-early-data",
10257 "-expect-early-data-info",
10258 "-expect-reject-early-data",
10259 },
10260 })
10261
10262 testCases = append(testCases, testCase{
10263 testType: clientTest,
10264 name: "TLS13-DataLessEarlyData-HRR-Client",
10265 config: Config{
10266 MaxVersion: VersionTLS13,
10267 MaxEarlyDataSize: 16384,
10268 },
10269 resumeConfig: &Config{
10270 MaxVersion: VersionTLS13,
10271 MaxEarlyDataSize: 16384,
10272 Bugs: ProtocolBugs{
10273 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10274 },
10275 },
10276 resumeSession: true,
10277 flags: []string{
10278 "-enable-early-data",
10279 "-expect-early-data-info",
10280 "-expect-reject-early-data",
10281 },
10282 })
10283
10284 // The client must check the server does not send the early_data
10285 // extension while rejecting the session.
10286 testCases = append(testCases, testCase{
10287 testType: clientTest,
10288 name: "TLS13-EarlyDataWithoutResume-Client",
10289 config: Config{
10290 MaxVersion: VersionTLS13,
10291 MaxEarlyDataSize: 16384,
10292 },
10293 resumeConfig: &Config{
10294 MaxVersion: VersionTLS13,
10295 SessionTicketsDisabled: true,
10296 Bugs: ProtocolBugs{
10297 SendEarlyDataExtension: true,
10298 },
10299 },
10300 resumeSession: true,
10301 flags: []string{
10302 "-enable-early-data",
10303 "-expect-early-data-info",
10304 },
10305 shouldFail: true,
10306 expectedError: ":UNEXPECTED_EXTENSION:",
10307 })
10308
10309 // The client must fail with a dedicated error code if the server
10310 // responds with TLS 1.2 when offering 0-RTT.
10311 testCases = append(testCases, testCase{
10312 testType: clientTest,
10313 name: "TLS13-EarlyDataVersionDowngrade-Client",
10314 config: Config{
10315 MaxVersion: VersionTLS13,
10316 MaxEarlyDataSize: 16384,
10317 },
10318 resumeConfig: &Config{
10319 MaxVersion: VersionTLS12,
10320 },
10321 resumeSession: true,
10322 flags: []string{
10323 "-enable-early-data",
10324 "-expect-early-data-info",
10325 },
10326 shouldFail: true,
10327 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10328 })
10329
10330 // Test that the client rejects an (unsolicited) early_data extension if
10331 // the server sent an HRR.
10332 testCases = append(testCases, testCase{
10333 testType: clientTest,
10334 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10335 config: Config{
10336 MaxVersion: VersionTLS13,
10337 MaxEarlyDataSize: 16384,
10338 },
10339 resumeConfig: &Config{
10340 MaxVersion: VersionTLS13,
10341 MaxEarlyDataSize: 16384,
10342 Bugs: ProtocolBugs{
10343 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10344 SendEarlyDataExtension: true,
10345 },
10346 },
10347 resumeSession: true,
10348 flags: []string{
10349 "-enable-early-data",
10350 "-expect-early-data-info",
10351 },
10352 shouldFail: true,
10353 expectedError: ":UNEXPECTED_EXTENSION:",
10354 })
10355
10356 fooString := "foo"
10357 barString := "bar"
10358
10359 // Test that the client reports the correct ALPN after a 0-RTT reject
10360 // that changed it.
10361 testCases = append(testCases, testCase{
10362 testType: clientTest,
10363 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10364 config: Config{
10365 MaxVersion: VersionTLS13,
10366 MaxEarlyDataSize: 16384,
10367 Bugs: ProtocolBugs{
10368 ALPNProtocol: &fooString,
10369 },
10370 },
10371 resumeConfig: &Config{
10372 MaxVersion: VersionTLS13,
10373 MaxEarlyDataSize: 16384,
10374 Bugs: ProtocolBugs{
10375 ALPNProtocol: &barString,
10376 },
10377 },
10378 resumeSession: true,
10379 flags: []string{
10380 "-advertise-alpn", "\x03foo\x03bar",
10381 "-enable-early-data",
10382 "-expect-early-data-info",
10383 "-expect-reject-early-data",
10384 "-expect-alpn", "foo",
10385 "-expect-resume-alpn", "bar",
10386 },
10387 })
10388
10389 // Test that the client reports the correct ALPN after a 0-RTT reject if
10390 // ALPN was omitted from the first connection.
10391 testCases = append(testCases, testCase{
10392 testType: clientTest,
10393 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10394 config: Config{
10395 MaxVersion: VersionTLS13,
10396 MaxEarlyDataSize: 16384,
10397 },
10398 resumeConfig: &Config{
10399 MaxVersion: VersionTLS13,
10400 MaxEarlyDataSize: 16384,
10401 NextProtos: []string{"foo"},
10402 },
10403 resumeSession: true,
10404 flags: []string{
10405 "-advertise-alpn", "\x03foo\x03bar",
10406 "-enable-early-data",
10407 "-expect-early-data-info",
10408 "-expect-reject-early-data",
10409 "-expect-no-alpn",
10410 "-expect-resume-alpn", "foo",
10411 },
10412 })
10413
10414 // Test that the client reports the correct ALPN after a 0-RTT reject if
10415 // ALPN was omitted from the second connection.
10416 testCases = append(testCases, testCase{
10417 testType: clientTest,
10418 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10419 config: Config{
10420 MaxVersion: VersionTLS13,
10421 MaxEarlyDataSize: 16384,
10422 NextProtos: []string{"foo"},
10423 },
10424 resumeConfig: &Config{
10425 MaxVersion: VersionTLS13,
10426 MaxEarlyDataSize: 16384,
10427 },
10428 resumeSession: true,
10429 flags: []string{
10430 "-advertise-alpn", "\x03foo\x03bar",
10431 "-enable-early-data",
10432 "-expect-early-data-info",
10433 "-expect-reject-early-data",
10434 "-expect-alpn", "foo",
10435 "-expect-no-resume-alpn",
10436 },
10437 })
10438
10439 // Test that the client enforces ALPN match on 0-RTT accept.
10440 testCases = append(testCases, testCase{
10441 testType: clientTest,
10442 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10443 config: Config{
10444 MaxVersion: VersionTLS13,
10445 MaxEarlyDataSize: 16384,
10446 Bugs: ProtocolBugs{
10447 ALPNProtocol: &fooString,
10448 },
10449 },
10450 resumeConfig: &Config{
10451 MaxVersion: VersionTLS13,
10452 MaxEarlyDataSize: 16384,
10453 Bugs: ProtocolBugs{
10454 AlwaysAcceptEarlyData: true,
10455 ALPNProtocol: &barString,
10456 },
10457 },
10458 resumeSession: true,
10459 flags: []string{
10460 "-advertise-alpn", "\x03foo\x03bar",
10461 "-enable-early-data",
10462 "-expect-early-data-info",
10463 },
10464 shouldFail: true,
10465 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10466 })
10467
10468 // Test that the server correctly rejects 0-RTT when the previous
10469 // session did not allow early data on resumption.
10470 testCases = append(testCases, testCase{
10471 testType: serverTest,
10472 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10473 config: Config{
10474 MaxVersion: VersionTLS13,
10475 },
10476 resumeConfig: &Config{
10477 MaxVersion: VersionTLS13,
10478 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10479 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10480 ExpectEarlyDataAccepted: false,
10481 },
10482 },
10483 resumeSession: true,
10484 flags: []string{
10485 "-enable-resume-early-data",
10486 "-expect-reject-early-data",
10487 },
10488 })
10489
10490 // Test that we reject early data where ALPN is omitted from the first
10491 // connection.
10492 testCases = append(testCases, testCase{
10493 testType: serverTest,
10494 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10495 config: Config{
10496 MaxVersion: VersionTLS13,
10497 NextProtos: []string{},
10498 },
10499 resumeConfig: &Config{
10500 MaxVersion: VersionTLS13,
10501 NextProtos: []string{"foo"},
10502 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10503 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10504 ExpectEarlyDataAccepted: false,
10505 },
10506 },
10507 resumeSession: true,
10508 flags: []string{
10509 "-enable-early-data",
10510 "-select-alpn", "",
10511 "-select-resume-alpn", "foo",
10512 },
10513 })
10514
10515 // Test that we reject early data where ALPN is omitted from the second
10516 // connection.
10517 testCases = append(testCases, testCase{
10518 testType: serverTest,
10519 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10520 config: Config{
10521 MaxVersion: VersionTLS13,
10522 NextProtos: []string{"foo"},
10523 },
10524 resumeConfig: &Config{
10525 MaxVersion: VersionTLS13,
10526 NextProtos: []string{},
10527 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10528 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10529 ExpectEarlyDataAccepted: false,
10530 },
10531 },
10532 resumeSession: true,
10533 flags: []string{
10534 "-enable-early-data",
10535 "-select-alpn", "foo",
10536 "-select-resume-alpn", "",
10537 },
10538 })
10539
10540 // Test that we reject early data with mismatched ALPN.
10541 testCases = append(testCases, testCase{
10542 testType: serverTest,
10543 name: "TLS13-EarlyData-ALPNMismatch-Server",
10544 config: Config{
10545 MaxVersion: VersionTLS13,
10546 NextProtos: []string{"foo"},
10547 },
10548 resumeConfig: &Config{
10549 MaxVersion: VersionTLS13,
10550 NextProtos: []string{"bar"},
10551 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10552 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10553 ExpectEarlyDataAccepted: false,
10554 },
10555 },
10556 resumeSession: true,
10557 flags: []string{
10558 "-enable-early-data",
10559 "-select-alpn", "foo",
10560 "-select-resume-alpn", "bar",
10561 },
10562 })
10563
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10564 // Test that the client offering 0-RTT and Channel ID forbids the server
10565 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10566 testCases = append(testCases, testCase{
10567 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10568 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10569 config: Config{
10570 MaxVersion: VersionTLS13,
10571 MaxEarlyDataSize: 16384,
10572 RequestChannelID: true,
10573 },
10574 resumeSession: true,
10575 expectChannelID: true,
10576 shouldFail: true,
10577 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10578 flags: []string{
10579 "-enable-early-data",
10580 "-expect-early-data-info",
10581 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10582 },
10583 })
10584
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10585 // Test that the client offering Channel ID and 0-RTT allows the server
10586 // to decline 0-RTT.
10587 testCases = append(testCases, testCase{
10588 testType: clientTest,
10589 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10590 config: Config{
10591 MaxVersion: VersionTLS13,
10592 MaxEarlyDataSize: 16384,
10593 RequestChannelID: true,
10594 Bugs: ProtocolBugs{
10595 AlwaysRejectEarlyData: true,
10596 },
10597 },
10598 resumeSession: true,
10599 expectChannelID: true,
10600 flags: []string{
10601 "-enable-early-data",
10602 "-expect-early-data-info",
10603 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10604 "-expect-reject-early-data",
10605 },
10606 })
10607
10608 // Test that the client offering Channel ID and 0-RTT allows the server
10609 // to decline Channel ID.
10610 testCases = append(testCases, testCase{
10611 testType: clientTest,
10612 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10613 config: Config{
10614 MaxVersion: VersionTLS13,
10615 MaxEarlyDataSize: 16384,
10616 },
10617 resumeSession: true,
10618 flags: []string{
10619 "-enable-early-data",
10620 "-expect-early-data-info",
10621 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10622 "-expect-accept-early-data",
10623 },
10624 })
10625
10626 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10627 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10628 testCases = append(testCases, testCase{
10629 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10630 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10631 config: Config{
10632 MaxVersion: VersionTLS13,
10633 ChannelID: channelIDKey,
10634 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10635 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10636 ExpectEarlyDataAccepted: false,
10637 },
10638 },
10639 resumeSession: true,
10640 expectChannelID: true,
10641 flags: []string{
10642 "-enable-early-data",
10643 "-expect-reject-early-data",
10644 "-expect-channel-id",
10645 base64.StdEncoding.EncodeToString(channelIDBytes),
10646 },
10647 })
10648
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10649 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10650 // if not offered Channel ID.
10651 testCases = append(testCases, testCase{
10652 testType: serverTest,
10653 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10654 config: Config{
10655 MaxVersion: VersionTLS13,
10656 Bugs: ProtocolBugs{
10657 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10658 ExpectEarlyDataAccepted: true,
10659 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10660 },
10661 },
10662 resumeSession: true,
10663 expectChannelID: false,
10664 flags: []string{
10665 "-enable-early-data",
10666 "-expect-accept-early-data",
10667 "-enable-channel-id",
10668 },
10669 })
10670
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10671 // Test that the server rejects 0-RTT streams without end_of_early_data.
10672 // The subsequent records should fail to decrypt.
10673 testCases = append(testCases, testCase{
10674 testType: serverTest,
10675 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10676 config: Config{
10677 MaxVersion: VersionTLS13,
10678 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10679 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10680 ExpectEarlyDataAccepted: true,
10681 SkipEndOfEarlyData: true,
10682 },
10683 },
10684 resumeSession: true,
10685 flags: []string{"-enable-early-data"},
10686 shouldFail: true,
10687 expectedLocalError: "remote error: bad record MAC",
10688 expectedError: ":BAD_DECRYPT:",
10689 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10690
10691 testCases = append(testCases, testCase{
10692 testType: serverTest,
10693 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10694 config: Config{
10695 MaxVersion: VersionTLS13,
10696 },
10697 resumeConfig: &Config{
10698 MaxVersion: VersionTLS13,
10699 Bugs: ProtocolBugs{
10700 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10701 SendStrayEarlyHandshake: true,
10702 ExpectEarlyDataAccepted: true},
10703 },
10704 resumeSession: true,
10705 shouldFail: true,
10706 expectedError: ":UNEXPECTED_RECORD:",
10707 expectedLocalError: "remote error: unexpected message",
10708 flags: []string{
10709 "-enable-early-data",
10710 },
10711 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10712}
10713
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10714func addTLS13CipherPreferenceTests() {
10715 // Test that client preference is honored if the shim has AES hardware
10716 // and ChaCha20-Poly1305 is preferred otherwise.
10717 testCases = append(testCases, testCase{
10718 testType: serverTest,
10719 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10720 config: Config{
10721 MaxVersion: VersionTLS13,
10722 CipherSuites: []uint16{
10723 TLS_CHACHA20_POLY1305_SHA256,
10724 TLS_AES_128_GCM_SHA256,
10725 },
10726 },
10727 flags: []string{
10728 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10729 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10730 },
10731 })
10732
10733 testCases = append(testCases, testCase{
10734 testType: serverTest,
10735 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10736 config: Config{
10737 MaxVersion: VersionTLS13,
10738 CipherSuites: []uint16{
10739 TLS_AES_128_GCM_SHA256,
10740 TLS_CHACHA20_POLY1305_SHA256,
10741 },
10742 },
10743 flags: []string{
10744 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10745 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10746 },
10747 })
10748
10749 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10750 // whether it has AES hardware.
10751 testCases = append(testCases, testCase{
10752 name: "TLS13-CipherPreference-Client",
10753 config: Config{
10754 MaxVersion: VersionTLS13,
10755 // Use the client cipher order. (This is the default but
10756 // is listed to be explicit.)
10757 PreferServerCipherSuites: false,
10758 },
10759 flags: []string{
10760 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10761 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10762 },
10763 })
10764}
10765
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10766func addPeekTests() {
10767 // Test SSL_peek works, including on empty records.
10768 testCases = append(testCases, testCase{
10769 name: "Peek-Basic",
10770 sendEmptyRecords: 1,
10771 flags: []string{"-peek-then-read"},
10772 })
10773
10774 // Test SSL_peek can drive the initial handshake.
10775 testCases = append(testCases, testCase{
10776 name: "Peek-ImplicitHandshake",
10777 flags: []string{
10778 "-peek-then-read",
10779 "-implicit-handshake",
10780 },
10781 })
10782
10783 // Test SSL_peek can discover and drive a renegotiation.
10784 testCases = append(testCases, testCase{
10785 name: "Peek-Renegotiate",
10786 config: Config{
10787 MaxVersion: VersionTLS12,
10788 },
10789 renegotiate: 1,
10790 flags: []string{
10791 "-peek-then-read",
10792 "-renegotiate-freely",
10793 "-expect-total-renegotiations", "1",
10794 },
10795 })
10796
10797 // Test SSL_peek can discover a close_notify.
10798 testCases = append(testCases, testCase{
10799 name: "Peek-Shutdown",
10800 config: Config{
10801 Bugs: ProtocolBugs{
10802 ExpectCloseNotify: true,
10803 },
10804 },
10805 flags: []string{
10806 "-peek-then-read",
10807 "-check-close-notify",
10808 },
10809 })
10810
10811 // Test SSL_peek can discover an alert.
10812 testCases = append(testCases, testCase{
10813 name: "Peek-Alert",
10814 config: Config{
10815 Bugs: ProtocolBugs{
10816 SendSpuriousAlert: alertRecordOverflow,
10817 },
10818 },
10819 flags: []string{"-peek-then-read"},
10820 shouldFail: true,
10821 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10822 })
10823
10824 // Test SSL_peek can handle KeyUpdate.
10825 testCases = append(testCases, testCase{
10826 name: "Peek-KeyUpdate",
10827 config: Config{
10828 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10829 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10830 sendKeyUpdates: 1,
10831 keyUpdateRequest: keyUpdateNotRequested,
10832 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10833 })
10834}
10835
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10836func addRecordVersionTests() {
10837 for _, ver := range tlsVersions {
10838 // Test that the record version is enforced.
10839 testCases = append(testCases, testCase{
10840 name: "CheckRecordVersion-" + ver.name,
10841 config: Config{
10842 MinVersion: ver.version,
10843 MaxVersion: ver.version,
10844 Bugs: ProtocolBugs{
10845 SendRecordVersion: 0x03ff,
10846 },
10847 },
10848 shouldFail: true,
10849 expectedError: ":WRONG_VERSION_NUMBER:",
10850 })
10851
10852 // Test that the ClientHello may use any record version, for
10853 // compatibility reasons.
10854 testCases = append(testCases, testCase{
10855 testType: serverTest,
10856 name: "LooseInitialRecordVersion-" + ver.name,
10857 config: Config{
10858 MinVersion: ver.version,
10859 MaxVersion: ver.version,
10860 Bugs: ProtocolBugs{
10861 SendInitialRecordVersion: 0x03ff,
10862 },
10863 },
10864 })
10865
10866 // Test that garbage ClientHello record versions are rejected.
10867 testCases = append(testCases, testCase{
10868 testType: serverTest,
10869 name: "GarbageInitialRecordVersion-" + ver.name,
10870 config: Config{
10871 MinVersion: ver.version,
10872 MaxVersion: ver.version,
10873 Bugs: ProtocolBugs{
10874 SendInitialRecordVersion: 0xffff,
10875 },
10876 },
10877 shouldFail: true,
10878 expectedError: ":WRONG_VERSION_NUMBER:",
10879 })
10880 }
10881}
10882
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10883func addCertificateTests() {
10884 // Test that a certificate chain with intermediate may be sent and
10885 // received as both client and server.
10886 for _, ver := range tlsVersions {
10887 testCases = append(testCases, testCase{
10888 testType: clientTest,
10889 name: "SendReceiveIntermediate-Client-" + ver.name,
10890 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10891 MinVersion: ver.version,
10892 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10893 Certificates: []Certificate{rsaChainCertificate},
10894 ClientAuth: RequireAnyClientCert,
10895 },
10896 expectPeerCertificate: &rsaChainCertificate,
10897 flags: []string{
10898 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10899 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10900 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10901 },
10902 })
10903
10904 testCases = append(testCases, testCase{
10905 testType: serverTest,
10906 name: "SendReceiveIntermediate-Server-" + ver.name,
10907 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10908 MinVersion: ver.version,
10909 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10910 Certificates: []Certificate{rsaChainCertificate},
10911 },
10912 expectPeerCertificate: &rsaChainCertificate,
10913 flags: []string{
10914 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10915 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10916 "-require-any-client-certificate",
10917 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10918 },
10919 })
10920 }
10921}
10922
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10923func addRetainOnlySHA256ClientCertTests() {
10924 for _, ver := range tlsVersions {
10925 // Test that enabling
10926 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10927 // actually requesting a client certificate is a no-op.
10928 testCases = append(testCases, testCase{
10929 testType: serverTest,
10930 name: "RetainOnlySHA256-NoCert-" + ver.name,
10931 config: Config{
10932 MinVersion: ver.version,
10933 MaxVersion: ver.version,
10934 },
10935 flags: []string{
10936 "-retain-only-sha256-client-cert-initial",
10937 "-retain-only-sha256-client-cert-resume",
10938 },
10939 resumeSession: true,
10940 })
10941
10942 // Test that when retaining only a SHA-256 certificate is
10943 // enabled, the hash appears as expected.
10944 testCases = append(testCases, testCase{
10945 testType: serverTest,
10946 name: "RetainOnlySHA256-Cert-" + ver.name,
10947 config: Config{
10948 MinVersion: ver.version,
10949 MaxVersion: ver.version,
10950 Certificates: []Certificate{rsaCertificate},
10951 },
10952 flags: []string{
10953 "-verify-peer",
10954 "-retain-only-sha256-client-cert-initial",
10955 "-retain-only-sha256-client-cert-resume",
10956 "-expect-sha256-client-cert-initial",
10957 "-expect-sha256-client-cert-resume",
10958 },
10959 resumeSession: true,
10960 })
10961
10962 // Test that when the config changes from on to off, a
10963 // resumption is rejected because the server now wants the full
10964 // certificate chain.
10965 testCases = append(testCases, testCase{
10966 testType: serverTest,
10967 name: "RetainOnlySHA256-OnOff-" + ver.name,
10968 config: Config{
10969 MinVersion: ver.version,
10970 MaxVersion: ver.version,
10971 Certificates: []Certificate{rsaCertificate},
10972 },
10973 flags: []string{
10974 "-verify-peer",
10975 "-retain-only-sha256-client-cert-initial",
10976 "-expect-sha256-client-cert-initial",
10977 },
10978 resumeSession: true,
10979 expectResumeRejected: true,
10980 })
10981
10982 // Test that when the config changes from off to on, a
10983 // resumption is rejected because the server now wants just the
10984 // hash.
10985 testCases = append(testCases, testCase{
10986 testType: serverTest,
10987 name: "RetainOnlySHA256-OffOn-" + ver.name,
10988 config: Config{
10989 MinVersion: ver.version,
10990 MaxVersion: ver.version,
10991 Certificates: []Certificate{rsaCertificate},
10992 },
10993 flags: []string{
10994 "-verify-peer",
10995 "-retain-only-sha256-client-cert-resume",
10996 "-expect-sha256-client-cert-resume",
10997 },
10998 resumeSession: true,
10999 expectResumeRejected: true,
11000 })
11001 }
11002}
11003
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11004func addECDSAKeyUsageTests() {
11005 p256 := elliptic.P256()
11006 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11007 if err != nil {
11008 panic(err)
11009 }
11010
11011 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11012 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11013 if err != nil {
11014 panic(err)
11015 }
11016
11017 template := x509.Certificate{
11018 SerialNumber: serialNumber,
11019 Subject: pkix.Name{
11020 Organization: []string{"Acme Co"},
11021 },
11022 NotBefore: time.Now(),
11023 NotAfter: time.Now(),
11024
11025 // An ECC certificate with only the keyAgreement key usgae may
11026 // be used with ECDH, but not ECDSA.
11027 KeyUsage: x509.KeyUsageKeyAgreement,
11028 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11029 BasicConstraintsValid: true,
11030 }
11031
11032 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11033 if err != nil {
11034 panic(err)
11035 }
11036
11037 cert := Certificate{
11038 Certificate: [][]byte{derBytes},
11039 PrivateKey: priv,
11040 }
11041
11042 for _, ver := range tlsVersions {
11043 if ver.version < VersionTLS12 {
11044 continue
11045 }
11046
11047 testCases = append(testCases, testCase{
11048 testType: clientTest,
11049 name: "ECDSAKeyUsage-" + ver.name,
11050 config: Config{
11051 MinVersion: ver.version,
11052 MaxVersion: ver.version,
11053 Certificates: []Certificate{cert},
11054 },
11055 shouldFail: true,
11056 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11057 })
11058 }
11059}
11060
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11061func addExtraHandshakeTests() {
11062 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11063 // to ensure there is no transport I/O.
11064 testCases = append(testCases, testCase{
11065 testType: clientTest,
11066 name: "ExtraHandshake-Client-TLS12",
11067 config: Config{
11068 MinVersion: VersionTLS12,
11069 MaxVersion: VersionTLS12,
11070 },
11071 flags: []string{
11072 "-async",
11073 "-no-op-extra-handshake",
11074 },
11075 })
11076 testCases = append(testCases, testCase{
11077 testType: serverTest,
11078 name: "ExtraHandshake-Server-TLS12",
11079 config: Config{
11080 MinVersion: VersionTLS12,
11081 MaxVersion: VersionTLS12,
11082 },
11083 flags: []string{
11084 "-async",
11085 "-no-op-extra-handshake",
11086 },
11087 })
11088 testCases = append(testCases, testCase{
11089 testType: clientTest,
11090 name: "ExtraHandshake-Client-TLS13",
11091 config: Config{
11092 MinVersion: VersionTLS13,
11093 MaxVersion: VersionTLS13,
11094 },
11095 flags: []string{
11096 "-async",
11097 "-no-op-extra-handshake",
11098 },
11099 })
11100 testCases = append(testCases, testCase{
11101 testType: serverTest,
11102 name: "ExtraHandshake-Server-TLS13",
11103 config: Config{
11104 MinVersion: VersionTLS13,
11105 MaxVersion: VersionTLS13,
11106 },
11107 flags: []string{
11108 "-async",
11109 "-no-op-extra-handshake",
11110 },
11111 })
11112
11113 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11114 testCases = append(testCases, testCase{
11115 testType: serverTest,
11116 name: "ExtraHandshake-Server-EarlyData-TLS13",
11117 config: Config{
11118 MaxVersion: VersionTLS13,
11119 MinVersion: VersionTLS13,
11120 Bugs: ProtocolBugs{
11121 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11122 ExpectEarlyDataAccepted: true,
11123 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11124 },
11125 },
11126 messageCount: 2,
11127 resumeSession: true,
11128 flags: []string{
11129 "-async",
11130 "-enable-early-data",
11131 "-expect-accept-early-data",
11132 "-no-op-extra-handshake",
11133 },
11134 })
11135
11136 // An extra SSL_do_handshake drives the handshake to completion in False
11137 // Start. We test this by handshaking twice and asserting the False
11138 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11139 // how the test works.
11140 testCases = append(testCases, testCase{
11141 testType: clientTest,
11142 name: "ExtraHandshake-FalseStart",
11143 config: Config{
11144 MaxVersion: VersionTLS12,
11145 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11146 NextProtos: []string{"foo"},
11147 Bugs: ProtocolBugs{
11148 ExpectFalseStart: true,
11149 AlertBeforeFalseStartTest: alertAccessDenied,
11150 },
11151 },
11152 flags: []string{
11153 "-handshake-twice",
11154 "-false-start",
11155 "-advertise-alpn", "\x03foo",
11156 },
11157 shimWritesFirst: true,
11158 shouldFail: true,
11159 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11160 expectedLocalError: "tls: peer did not false start: EOF",
11161 })
11162}
11163
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11164func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11165 defer wg.Done()
11166
11167 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11168 var err error
11169
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11170 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11171 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11172 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11173 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11174 if err != nil {
11175 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11176 }
11177 break
11178 }
11179 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11180 } else if *repeatUntilFailure {
11181 for err == nil {
11182 statusChan <- statusMsg{test: test, started: true}
11183 err = runTest(test, shimPath, -1)
11184 }
11185 } else {
11186 statusChan <- statusMsg{test: test, started: true}
11187 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11188 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11189 statusChan <- statusMsg{test: test, err: err}
11190 }
11191}
11192
11193type statusMsg struct {
11194 test *testCase
11195 started bool
11196 err error
11197}
11198
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11199func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11200 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11201
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11202 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11203 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11204 if !*pipe {
11205 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11206 var erase string
11207 for i := 0; i < lineLen; i++ {
11208 erase += "\b \b"
11209 }
11210 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11211 }
11212
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11213 if msg.started {
11214 started++
11215 } else {
11216 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11217
11218 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11219 if msg.err == errUnimplemented {
11220 if *pipe {
11221 // Print each test instead of a status line.
11222 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11223 }
11224 unimplemented++
11225 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11226 } else {
11227 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11228 failed++
11229 testOutput.addResult(msg.test.name, "FAIL")
11230 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11231 } else {
11232 if *pipe {
11233 // Print each test instead of a status line.
11234 fmt.Printf("PASSED (%s)\n", msg.test.name)
11235 }
11236 testOutput.addResult(msg.test.name, "PASS")
11237 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11238 }
11239
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11240 if !*pipe {
11241 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11242 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11243 lineLen = len(line)
11244 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11245 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11246 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11247
11248 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11249}
11250
11251func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11252 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11253 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11254 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11255
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11256 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11257 addCipherSuiteTests()
11258 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11259 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11260 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11261 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11262 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11263 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11264 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11265 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11266 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11267 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11268 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11269 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11270 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11271 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11272 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11273 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11274 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11275 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11276 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11277 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11278 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11279 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11280 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11281 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11282 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11283 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11284 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11285 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11286 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11287 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11288 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11289 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11290 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11291
11292 var wg sync.WaitGroup
11293
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11294 statusChan := make(chan statusMsg, *numWorkers)
11295 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11296 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11297
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11298 if len(*shimConfigFile) != 0 {
11299 encoded, err := ioutil.ReadFile(*shimConfigFile)
11300 if err != nil {
11301 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11302 os.Exit(1)
11303 }
11304
11305 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11306 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11307 os.Exit(1)
11308 }
11309 }
11310
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11311 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11312
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11313 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11314 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11315 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11316 }
11317
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11318 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11319 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11320 matched := true
11321 if len(*testToRun) != 0 {
11322 var err error
11323 matched, err = filepath.Match(*testToRun, testCases[i].name)
11324 if err != nil {
11325 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11326 os.Exit(1)
11327 }
11328 }
11329
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11330 if !*includeDisabled {
11331 for pattern := range shimConfig.DisabledTests {
11332 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11333 if err != nil {
11334 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11335 os.Exit(1)
11336 }
11337
11338 if isDisabled {
11339 matched = false
11340 break
11341 }
11342 }
11343 }
11344
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11345 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11346 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11347 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11348
11349 // Only run one test if repeating until failure.
11350 if *repeatUntilFailure {
11351 break
11352 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11353 }
11354 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11355
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11356 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11357 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11358 os.Exit(1)
11359 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11360
11361 close(testChan)
11362 wg.Wait()
11363 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11364 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11365
11366 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11367
11368 if *jsonOutput != "" {
11369 if err := testOutput.writeTo(*jsonOutput); err != nil {
11370 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11371 }
11372 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11373
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11374 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11375 os.Exit(1)
11376 }
11377
11378 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11379 os.Exit(1)
11380 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11381}