Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 4d1f4ba08dcb4ec1ab2b641ae388d4a6bc7900c8 / . / ssl / test / runner / runner.go
blob: 0b661067b486bd34c9a073fa024b3f03f2b1429e [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431}
432
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]433var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]508
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]510
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]511 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 }
515
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]520 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 }()
535 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]544 }
545
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]546 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]556 }
557
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]558 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]559 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]565 } else {
566 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]572 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]573 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]574
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]578
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]589 }
590
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]597
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]598 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]599 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]634 }
635
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]642 }
643
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
646 }
647
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]689 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]723 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]738 }
739
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]740 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]743 }
744
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]773 // The shim will not respond.
774 continue
775 }
776
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
808 }
809
810 return nil
811}
812
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]821 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822}
823
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]829 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830}
831
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]844
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame^]847func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame^]854 listener.SetDeadline(time.Now().Add(*idleTimeout))
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]855 conn, err := listener.Accept()
856 connChan <- connOrError{conn, err}
857 close(connChan)
858 }()
859 select {
860 case result := <-connChan:
861 return result.conn, result.err
862 case childErr := <-waitChan:
863 waitChan <- childErr
864 return nil, fmt.Errorf("child exited early: %s", childErr)
865 }
866}
867
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]868func translateExpectedError(errorStr string) string {
869 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
870 return translated
871 }
872
873 if *looseErrors {
874 return ""
875 }
876
877 return errorStr
878}
879
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]880func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]881 // Help debugging panics on the Go side.
882 defer func() {
883 if r := recover(); r != nil {
884 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
885 panic(r)
886 }
887 }()
888
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]889 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
890 panic("Error expected without shouldFail in " + test.name)
891 }
892
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]893 if test.expectResumeRejected && !test.resumeSession {
894 panic("expectResumeRejected without resumeSession in " + test.name)
895 }
896
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]897 for _, ver := range tlsVersions {
898 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
899 continue
900 }
901
902 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
903 continue
904 }
905
906 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
907 }
908
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]909 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
910 if err != nil {
911 panic(err)
912 }
913 defer func() {
914 if listener != nil {
915 listener.Close()
916 }
917 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]918
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]919 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]920 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]921 flags = append(flags, "-server")
922
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]923 flags = append(flags, "-key-file")
924 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]925 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]926 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]927 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]928 }
929
930 flags = append(flags, "-cert-file")
931 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]932 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]933 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]934 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]935 }
936 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]937
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]938 if test.protocol == dtls {
939 flags = append(flags, "-dtls")
940 }
941
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]942 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]943 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]944 resumeCount++
945 if test.resumeRenewedSession {
946 resumeCount++
947 }
948 }
949
950 if resumeCount > 0 {
951 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]952 }
953
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]954 if test.shimWritesFirst {
955 flags = append(flags, "-shim-writes-first")
956 }
957
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]958 if test.readWithUnfinishedWrite {
959 flags = append(flags, "-read-with-unfinished-write")
960 }
961
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]962 if test.shimShutsDown {
963 flags = append(flags, "-shim-shuts-down")
964 }
965
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]966 if test.exportKeyingMaterial > 0 {
967 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
968 flags = append(flags, "-export-label", test.exportLabel)
969 flags = append(flags, "-export-context", test.exportContext)
970 if test.useExportContext {
971 flags = append(flags, "-use-export-context")
972 }
973 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]974 if test.expectResumeRejected {
975 flags = append(flags, "-expect-session-miss")
976 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]977
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]978 if test.testTLSUnique {
979 flags = append(flags, "-tls-unique")
980 }
981
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]982 flags = append(flags, test.flags...)
983
984 var shim *exec.Cmd
985 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]986 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]987 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]988 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]989 } else if *useLLDB {
990 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]991 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]992 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]993 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]994 shim.Stdin = os.Stdin
995 var stdoutBuf, stderrBuf bytes.Buffer
996 shim.Stdout = &stdoutBuf
997 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]999 shim.Env = os.Environ()
1000 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1002 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1003 }
1004 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1005 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1006
1007 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008 panic(err)
1009 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1010 waitChan := make(chan error, 1)
1011 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1012
1013 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1014
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1015 if *deterministic {
1016 config.Rand = &deterministicRand{}
1017 }
1018
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1019 conn, err := acceptOrWait(listener, waitChan)
1020 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1021 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1022 conn.Close()
1023 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1024
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1025 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1026 var resumeConfig Config
1027 if test.resumeConfig != nil {
1028 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1029 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1030 resumeConfig.SessionTicketKey = config.SessionTicketKey
1031 resumeConfig.ClientSessionCache = config.ClientSessionCache
1032 resumeConfig.ServerSessionCache = config.ServerSessionCache
1033 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1034 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1035 } else {
1036 resumeConfig = config
1037 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1038 var connResume net.Conn
1039 connResume, err = acceptOrWait(listener, waitChan)
1040 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1041 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1042 connResume.Close()
1043 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1044 }
1045
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1046 // Close the listener now. This is to avoid hangs should the shim try to
1047 // open more connections than expected.
1048 listener.Close()
1049 listener = nil
1050
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame^]1051 var shimKilledLock sync.Mutex
1052 var shimKilled bool
1053 waitTimeout := time.AfterFunc(*idleTimeout, func() {
1054 shimKilledLock.Lock()
1055 shimKilled = true
1056 shimKilledLock.Unlock()
1057 shim.Process.Kill()
1058 })
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1059 childErr := <-waitChan
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame^]1060 waitTimeout.Stop()
1061 shimKilledLock.Lock()
1062 if shimKilled && err == nil {
1063 err = errors.New("timeout waiting for the shim to exit.")
1064 }
1065 shimKilledLock.Unlock()
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1066 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1067 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1068 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1069 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1070 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1071 case 89:
1072 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1073 case 99:
1074 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1075 }
1076 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1077
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1078 // Account for Windows line endings.
1079 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1080 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1081
1082 // Separate the errors from the shim and those from tools like
1083 // AddressSanitizer.
1084 var extraStderr string
1085 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1086 stderr = stderrParts[0]
1087 extraStderr = stderrParts[1]
1088 }
1089
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1090 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1091 expectedError := translateExpectedError(test.expectedError)
1092 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1093
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1094 localError := "none"
1095 if err != nil {
1096 localError = err.Error()
1097 }
1098 if len(test.expectedLocalError) != 0 {
1099 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1100 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101
1102 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104 if childErr != nil {
1105 childError = childErr.Error()
1106 }
1107
1108 var msg string
1109 switch {
1110 case failed && !test.shouldFail:
1111 msg = "unexpected failure"
1112 case !failed && test.shouldFail:
1113 msg = "unexpected success"
1114 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1115 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 default:
1117 panic("internal error")
1118 }
1119
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1120 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1121 }
1122
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1123 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Adam Langleyc88f2452017-04-27 14:15:37 -0700[diff] [blame]1124 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125 }
1126
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1127 if *useValgrind && isValgrindError {
1128 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1129 }
1130
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1131 return nil
1132}
1133
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1134type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 name string
1136 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1137 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1138 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1139}
1140
1141var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1142 {"SSL3", VersionSSL30, "-no-ssl3", false},
1143 {"TLS1", VersionTLS10, "-no-tls1", true},
1144 {"TLS11", VersionTLS11, "-no-tls11", false},
1145 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1146 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147}
1148
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1149type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1150 name string
1151 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1152}
1153
1154var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1156 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1157 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1158 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1159 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1160 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1161 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1162 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1163 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1164 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1165 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1166 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1167 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1168 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1169 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1171 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1172 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1173 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1174 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1175 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1176 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1177 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1178 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1179 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1180 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1181 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1182 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1183 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1184 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1185}
1186
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1187func hasComponent(suiteName, component string) bool {
1188 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1189}
1190
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1191func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1192 return hasComponent(suiteName, "GCM") ||
1193 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1194 hasComponent(suiteName, "SHA384") ||
1195 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1196}
1197
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1198func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1199 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1200}
1201
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1202func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1203 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1204}
1205
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1206func bigFromHex(hex string) *big.Int {
1207 ret, ok := new(big.Int).SetString(hex, 16)
1208 if !ok {
1209 panic("failed to parse hex number 0x" + hex)
1210 }
1211 return ret
1212}
1213
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1214func addBasicTests() {
1215 basicTests := []testCase{
1216 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1217 name: "NoFallbackSCSV",
1218 config: Config{
1219 Bugs: ProtocolBugs{
1220 FailIfNotFallbackSCSV: true,
1221 },
1222 },
1223 shouldFail: true,
1224 expectedLocalError: "no fallback SCSV found",
1225 },
1226 {
1227 name: "SendFallbackSCSV",
1228 config: Config{
1229 Bugs: ProtocolBugs{
1230 FailIfNotFallbackSCSV: true,
1231 },
1232 },
1233 flags: []string{"-fallback-scsv"},
1234 },
1235 {
1236 name: "ClientCertificateTypes",
1237 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1238 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1239 ClientAuth: RequestClientCert,
1240 ClientCertificateTypes: []byte{
1241 CertTypeDSSSign,
1242 CertTypeRSASign,
1243 CertTypeECDSASign,
1244 },
1245 },
1246 flags: []string{
1247 "-expect-certificate-types",
1248 base64.StdEncoding.EncodeToString([]byte{
1249 CertTypeDSSSign,
1250 CertTypeRSASign,
1251 CertTypeECDSASign,
1252 }),
1253 },
1254 },
1255 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1256 name: "UnauthenticatedECDH",
1257 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1258 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1259 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1260 Bugs: ProtocolBugs{
1261 UnauthenticatedECDH: true,
1262 },
1263 },
1264 shouldFail: true,
1265 expectedError: ":UNEXPECTED_MESSAGE:",
1266 },
1267 {
1268 name: "SkipCertificateStatus",
1269 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1270 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1271 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1272 Bugs: ProtocolBugs{
1273 SkipCertificateStatus: true,
1274 },
1275 },
1276 flags: []string{
1277 "-enable-ocsp-stapling",
1278 },
1279 },
1280 {
1281 name: "SkipServerKeyExchange",
1282 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1283 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1284 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1285 Bugs: ProtocolBugs{
1286 SkipServerKeyExchange: true,
1287 },
1288 },
1289 shouldFail: true,
1290 expectedError: ":UNEXPECTED_MESSAGE:",
1291 },
1292 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1293 testType: serverTest,
1294 name: "Alert",
1295 config: Config{
1296 Bugs: ProtocolBugs{
1297 SendSpuriousAlert: alertRecordOverflow,
1298 },
1299 },
1300 shouldFail: true,
1301 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1302 },
1303 {
1304 protocol: dtls,
1305 testType: serverTest,
1306 name: "Alert-DTLS",
1307 config: Config{
1308 Bugs: ProtocolBugs{
1309 SendSpuriousAlert: alertRecordOverflow,
1310 },
1311 },
1312 shouldFail: true,
1313 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1314 },
1315 {
1316 testType: serverTest,
1317 name: "FragmentAlert",
1318 config: Config{
1319 Bugs: ProtocolBugs{
1320 FragmentAlert: true,
1321 SendSpuriousAlert: alertRecordOverflow,
1322 },
1323 },
1324 shouldFail: true,
1325 expectedError: ":BAD_ALERT:",
1326 },
1327 {
1328 protocol: dtls,
1329 testType: serverTest,
1330 name: "FragmentAlert-DTLS",
1331 config: Config{
1332 Bugs: ProtocolBugs{
1333 FragmentAlert: true,
1334 SendSpuriousAlert: alertRecordOverflow,
1335 },
1336 },
1337 shouldFail: true,
1338 expectedError: ":BAD_ALERT:",
1339 },
1340 {
1341 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1342 name: "DoubleAlert",
1343 config: Config{
1344 Bugs: ProtocolBugs{
1345 DoubleAlert: true,
1346 SendSpuriousAlert: alertRecordOverflow,
1347 },
1348 },
1349 shouldFail: true,
1350 expectedError: ":BAD_ALERT:",
1351 },
1352 {
1353 protocol: dtls,
1354 testType: serverTest,
1355 name: "DoubleAlert-DTLS",
1356 config: Config{
1357 Bugs: ProtocolBugs{
1358 DoubleAlert: true,
1359 SendSpuriousAlert: alertRecordOverflow,
1360 },
1361 },
1362 shouldFail: true,
1363 expectedError: ":BAD_ALERT:",
1364 },
1365 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1366 name: "SkipNewSessionTicket",
1367 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1368 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1369 Bugs: ProtocolBugs{
1370 SkipNewSessionTicket: true,
1371 },
1372 },
1373 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1374 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1375 },
1376 {
1377 testType: serverTest,
1378 name: "FallbackSCSV",
1379 config: Config{
1380 MaxVersion: VersionTLS11,
1381 Bugs: ProtocolBugs{
1382 SendFallbackSCSV: true,
1383 },
1384 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1385 shouldFail: true,
1386 expectedError: ":INAPPROPRIATE_FALLBACK:",
1387 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1388 },
1389 {
1390 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1391 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1392 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1393 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1394 Bugs: ProtocolBugs{
1395 SendFallbackSCSV: true,
1396 },
1397 },
1398 },
1399 {
1400 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1401 name: "FallbackSCSV-VersionMatch-TLS12",
1402 config: Config{
1403 MaxVersion: VersionTLS12,
1404 Bugs: ProtocolBugs{
1405 SendFallbackSCSV: true,
1406 },
1407 },
1408 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1409 },
1410 {
1411 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1412 name: "FragmentedClientVersion",
1413 config: Config{
1414 Bugs: ProtocolBugs{
1415 MaxHandshakeRecordLength: 1,
1416 FragmentClientVersion: true,
1417 },
1418 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1419 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1420 },
1421 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1422 testType: serverTest,
1423 name: "HttpGET",
1424 sendPrefix: "GET / HTTP/1.0\n",
1425 shouldFail: true,
1426 expectedError: ":HTTP_REQUEST:",
1427 },
1428 {
1429 testType: serverTest,
1430 name: "HttpPOST",
1431 sendPrefix: "POST / HTTP/1.0\n",
1432 shouldFail: true,
1433 expectedError: ":HTTP_REQUEST:",
1434 },
1435 {
1436 testType: serverTest,
1437 name: "HttpHEAD",
1438 sendPrefix: "HEAD / HTTP/1.0\n",
1439 shouldFail: true,
1440 expectedError: ":HTTP_REQUEST:",
1441 },
1442 {
1443 testType: serverTest,
1444 name: "HttpPUT",
1445 sendPrefix: "PUT / HTTP/1.0\n",
1446 shouldFail: true,
1447 expectedError: ":HTTP_REQUEST:",
1448 },
1449 {
1450 testType: serverTest,
1451 name: "HttpCONNECT",
1452 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1453 shouldFail: true,
1454 expectedError: ":HTTPS_PROXY_REQUEST:",
1455 },
1456 {
1457 testType: serverTest,
1458 name: "Garbage",
1459 sendPrefix: "blah",
1460 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1461 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1462 },
1463 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1464 name: "RSAEphemeralKey",
1465 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1466 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1467 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1468 Bugs: ProtocolBugs{
1469 RSAEphemeralKey: true,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":UNEXPECTED_MESSAGE:",
1474 },
1475 {
1476 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1477 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1478 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1479 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1480 },
1481 {
1482 protocol: dtls,
1483 name: "DisableEverything-DTLS",
1484 flags: []string{"-no-tls12", "-no-tls1"},
1485 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1486 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1487 },
1488 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1489 protocol: dtls,
1490 testType: serverTest,
1491 name: "MTU",
1492 config: Config{
1493 Bugs: ProtocolBugs{
1494 MaxPacketLength: 256,
1495 },
1496 },
1497 flags: []string{"-mtu", "256"},
1498 },
1499 {
1500 protocol: dtls,
1501 testType: serverTest,
1502 name: "MTUExceeded",
1503 config: Config{
1504 Bugs: ProtocolBugs{
1505 MaxPacketLength: 255,
1506 },
1507 },
1508 flags: []string{"-mtu", "256"},
1509 shouldFail: true,
1510 expectedLocalError: "dtls: exceeded maximum packet length",
1511 },
1512 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1513 name: "EmptyCertificateList",
1514 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1515 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1516 Bugs: ProtocolBugs{
1517 EmptyCertificateList: true,
1518 },
1519 },
1520 shouldFail: true,
1521 expectedError: ":DECODE_ERROR:",
1522 },
1523 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1524 name: "EmptyCertificateList-TLS13",
1525 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1526 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1527 Bugs: ProtocolBugs{
1528 EmptyCertificateList: true,
1529 },
1530 },
1531 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1532 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1533 },
1534 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1535 name: "TLSFatalBadPackets",
1536 damageFirstWrite: true,
1537 shouldFail: true,
1538 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1539 },
1540 {
1541 protocol: dtls,
1542 name: "DTLSIgnoreBadPackets",
1543 damageFirstWrite: true,
1544 },
1545 {
1546 protocol: dtls,
1547 name: "DTLSIgnoreBadPackets-Async",
1548 damageFirstWrite: true,
1549 flags: []string{"-async"},
1550 },
1551 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1552 name: "AppDataBeforeHandshake",
1553 config: Config{
1554 Bugs: ProtocolBugs{
1555 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1556 },
1557 },
1558 shouldFail: true,
1559 expectedError: ":UNEXPECTED_RECORD:",
1560 },
1561 {
1562 name: "AppDataBeforeHandshake-Empty",
1563 config: Config{
1564 Bugs: ProtocolBugs{
1565 AppDataBeforeHandshake: []byte{},
1566 },
1567 },
1568 shouldFail: true,
1569 expectedError: ":UNEXPECTED_RECORD:",
1570 },
1571 {
1572 protocol: dtls,
1573 name: "AppDataBeforeHandshake-DTLS",
1574 config: Config{
1575 Bugs: ProtocolBugs{
1576 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1577 },
1578 },
1579 shouldFail: true,
1580 expectedError: ":UNEXPECTED_RECORD:",
1581 },
1582 {
1583 protocol: dtls,
1584 name: "AppDataBeforeHandshake-DTLS-Empty",
1585 config: Config{
1586 Bugs: ProtocolBugs{
1587 AppDataBeforeHandshake: []byte{},
1588 },
1589 },
1590 shouldFail: true,
1591 expectedError: ":UNEXPECTED_RECORD:",
1592 },
1593 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1594 name: "AppDataAfterChangeCipherSpec",
1595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1596 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1597 Bugs: ProtocolBugs{
1598 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1599 },
1600 },
1601 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1602 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1603 },
1604 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1605 name: "AppDataAfterChangeCipherSpec-Empty",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AppDataAfterChangeCipherSpec: []byte{},
1610 },
1611 },
1612 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1613 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1614 },
1615 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1616 protocol: dtls,
1617 name: "AppDataAfterChangeCipherSpec-DTLS",
1618 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1619 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1620 Bugs: ProtocolBugs{
1621 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1622 },
1623 },
1624 // BoringSSL's DTLS implementation will drop the out-of-order
1625 // application data.
1626 },
1627 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1628 protocol: dtls,
1629 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1630 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1631 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1632 Bugs: ProtocolBugs{
1633 AppDataAfterChangeCipherSpec: []byte{},
1634 },
1635 },
1636 // BoringSSL's DTLS implementation will drop the out-of-order
1637 // application data.
1638 },
1639 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1640 name: "AlertAfterChangeCipherSpec",
1641 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1642 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1643 Bugs: ProtocolBugs{
1644 AlertAfterChangeCipherSpec: alertRecordOverflow,
1645 },
1646 },
1647 shouldFail: true,
1648 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1649 },
1650 {
1651 protocol: dtls,
1652 name: "AlertAfterChangeCipherSpec-DTLS",
1653 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1654 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1655 Bugs: ProtocolBugs{
1656 AlertAfterChangeCipherSpec: alertRecordOverflow,
1657 },
1658 },
1659 shouldFail: true,
1660 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1661 },
1662 {
1663 protocol: dtls,
1664 name: "ReorderHandshakeFragments-Small-DTLS",
1665 config: Config{
1666 Bugs: ProtocolBugs{
1667 ReorderHandshakeFragments: true,
1668 // Small enough that every handshake message is
1669 // fragmented.
1670 MaxHandshakeRecordLength: 2,
1671 },
1672 },
1673 },
1674 {
1675 protocol: dtls,
1676 name: "ReorderHandshakeFragments-Large-DTLS",
1677 config: Config{
1678 Bugs: ProtocolBugs{
1679 ReorderHandshakeFragments: true,
1680 // Large enough that no handshake message is
1681 // fragmented.
1682 MaxHandshakeRecordLength: 2048,
1683 },
1684 },
1685 },
1686 {
1687 protocol: dtls,
1688 name: "MixCompleteMessageWithFragments-DTLS",
1689 config: Config{
1690 Bugs: ProtocolBugs{
1691 ReorderHandshakeFragments: true,
1692 MixCompleteMessageWithFragments: true,
1693 MaxHandshakeRecordLength: 2,
1694 },
1695 },
1696 },
1697 {
1698 name: "SendInvalidRecordType",
1699 config: Config{
1700 Bugs: ProtocolBugs{
1701 SendInvalidRecordType: true,
1702 },
1703 },
1704 shouldFail: true,
1705 expectedError: ":UNEXPECTED_RECORD:",
1706 },
1707 {
1708 protocol: dtls,
1709 name: "SendInvalidRecordType-DTLS",
1710 config: Config{
1711 Bugs: ProtocolBugs{
1712 SendInvalidRecordType: true,
1713 },
1714 },
1715 shouldFail: true,
1716 expectedError: ":UNEXPECTED_RECORD:",
1717 },
1718 {
1719 name: "FalseStart-SkipServerSecondLeg",
1720 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1721 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1722 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1723 NextProtos: []string{"foo"},
1724 Bugs: ProtocolBugs{
1725 SkipNewSessionTicket: true,
1726 SkipChangeCipherSpec: true,
1727 SkipFinished: true,
1728 ExpectFalseStart: true,
1729 },
1730 },
1731 flags: []string{
1732 "-false-start",
1733 "-handshake-never-done",
1734 "-advertise-alpn", "\x03foo",
1735 },
1736 shimWritesFirst: true,
1737 shouldFail: true,
1738 expectedError: ":UNEXPECTED_RECORD:",
1739 },
1740 {
1741 name: "FalseStart-SkipServerSecondLeg-Implicit",
1742 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1743 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1744 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1745 NextProtos: []string{"foo"},
1746 Bugs: ProtocolBugs{
1747 SkipNewSessionTicket: true,
1748 SkipChangeCipherSpec: true,
1749 SkipFinished: true,
1750 },
1751 },
1752 flags: []string{
1753 "-implicit-handshake",
1754 "-false-start",
1755 "-handshake-never-done",
1756 "-advertise-alpn", "\x03foo",
1757 },
1758 shouldFail: true,
1759 expectedError: ":UNEXPECTED_RECORD:",
1760 },
1761 {
1762 testType: serverTest,
1763 name: "FailEarlyCallback",
1764 flags: []string{"-fail-early-callback"},
1765 shouldFail: true,
1766 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1767 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1768 },
1769 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1770 name: "FailCertCallback-Client-TLS12",
1771 config: Config{
1772 MaxVersion: VersionTLS12,
1773 ClientAuth: RequestClientCert,
1774 },
1775 flags: []string{"-fail-cert-callback"},
1776 shouldFail: true,
1777 expectedError: ":CERT_CB_ERROR:",
1778 expectedLocalError: "remote error: internal error",
1779 },
1780 {
1781 testType: serverTest,
1782 name: "FailCertCallback-Server-TLS12",
1783 config: Config{
1784 MaxVersion: VersionTLS12,
1785 },
1786 flags: []string{"-fail-cert-callback"},
1787 shouldFail: true,
1788 expectedError: ":CERT_CB_ERROR:",
1789 expectedLocalError: "remote error: internal error",
1790 },
1791 {
1792 name: "FailCertCallback-Client-TLS13",
1793 config: Config{
1794 MaxVersion: VersionTLS13,
1795 ClientAuth: RequestClientCert,
1796 },
1797 flags: []string{"-fail-cert-callback"},
1798 shouldFail: true,
1799 expectedError: ":CERT_CB_ERROR:",
1800 expectedLocalError: "remote error: internal error",
1801 },
1802 {
1803 testType: serverTest,
1804 name: "FailCertCallback-Server-TLS13",
1805 config: Config{
1806 MaxVersion: VersionTLS13,
1807 },
1808 flags: []string{"-fail-cert-callback"},
1809 shouldFail: true,
1810 expectedError: ":CERT_CB_ERROR:",
1811 expectedLocalError: "remote error: internal error",
1812 },
1813 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1814 protocol: dtls,
1815 name: "FragmentMessageTypeMismatch-DTLS",
1816 config: Config{
1817 Bugs: ProtocolBugs{
1818 MaxHandshakeRecordLength: 2,
1819 FragmentMessageTypeMismatch: true,
1820 },
1821 },
1822 shouldFail: true,
1823 expectedError: ":FRAGMENT_MISMATCH:",
1824 },
1825 {
1826 protocol: dtls,
1827 name: "FragmentMessageLengthMismatch-DTLS",
1828 config: Config{
1829 Bugs: ProtocolBugs{
1830 MaxHandshakeRecordLength: 2,
1831 FragmentMessageLengthMismatch: true,
1832 },
1833 },
1834 shouldFail: true,
1835 expectedError: ":FRAGMENT_MISMATCH:",
1836 },
1837 {
1838 protocol: dtls,
1839 name: "SplitFragments-Header-DTLS",
1840 config: Config{
1841 Bugs: ProtocolBugs{
1842 SplitFragments: 2,
1843 },
1844 },
1845 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1846 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1847 },
1848 {
1849 protocol: dtls,
1850 name: "SplitFragments-Boundary-DTLS",
1851 config: Config{
1852 Bugs: ProtocolBugs{
1853 SplitFragments: dtlsRecordHeaderLen,
1854 },
1855 },
1856 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1857 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1858 },
1859 {
1860 protocol: dtls,
1861 name: "SplitFragments-Body-DTLS",
1862 config: Config{
1863 Bugs: ProtocolBugs{
1864 SplitFragments: dtlsRecordHeaderLen + 1,
1865 },
1866 },
1867 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1868 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 },
1870 {
1871 protocol: dtls,
1872 name: "SendEmptyFragments-DTLS",
1873 config: Config{
1874 Bugs: ProtocolBugs{
1875 SendEmptyFragments: true,
1876 },
1877 },
1878 },
1879 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1880 name: "BadFinished-Client",
1881 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1882 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1883 Bugs: ProtocolBugs{
1884 BadFinished: true,
1885 },
1886 },
1887 shouldFail: true,
1888 expectedError: ":DIGEST_CHECK_FAILED:",
1889 },
1890 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1891 name: "BadFinished-Client-TLS13",
1892 config: Config{
1893 MaxVersion: VersionTLS13,
1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 },
1897 },
1898 shouldFail: true,
1899 expectedError: ":DIGEST_CHECK_FAILED:",
1900 },
1901 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1902 testType: serverTest,
1903 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1904 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1905 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1906 Bugs: ProtocolBugs{
1907 BadFinished: true,
1908 },
1909 },
1910 shouldFail: true,
1911 expectedError: ":DIGEST_CHECK_FAILED:",
1912 },
1913 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1914 testType: serverTest,
1915 name: "BadFinished-Server-TLS13",
1916 config: Config{
1917 MaxVersion: VersionTLS13,
1918 Bugs: ProtocolBugs{
1919 BadFinished: true,
1920 },
1921 },
1922 shouldFail: true,
1923 expectedError: ":DIGEST_CHECK_FAILED:",
1924 },
1925 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1926 name: "FalseStart-BadFinished",
1927 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1928 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1929 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1930 NextProtos: []string{"foo"},
1931 Bugs: ProtocolBugs{
1932 BadFinished: true,
1933 ExpectFalseStart: true,
1934 },
1935 },
1936 flags: []string{
1937 "-false-start",
1938 "-handshake-never-done",
1939 "-advertise-alpn", "\x03foo",
1940 },
1941 shimWritesFirst: true,
1942 shouldFail: true,
1943 expectedError: ":DIGEST_CHECK_FAILED:",
1944 },
1945 {
1946 name: "NoFalseStart-NoALPN",
1947 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1948 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1949 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1950 Bugs: ProtocolBugs{
1951 ExpectFalseStart: true,
1952 AlertBeforeFalseStartTest: alertAccessDenied,
1953 },
1954 },
1955 flags: []string{
1956 "-false-start",
1957 },
1958 shimWritesFirst: true,
1959 shouldFail: true,
1960 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1961 expectedLocalError: "tls: peer did not false start: EOF",
1962 },
1963 {
1964 name: "NoFalseStart-NoAEAD",
1965 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1966 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1967 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1968 NextProtos: []string{"foo"},
1969 Bugs: ProtocolBugs{
1970 ExpectFalseStart: true,
1971 AlertBeforeFalseStartTest: alertAccessDenied,
1972 },
1973 },
1974 flags: []string{
1975 "-false-start",
1976 "-advertise-alpn", "\x03foo",
1977 },
1978 shimWritesFirst: true,
1979 shouldFail: true,
1980 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1981 expectedLocalError: "tls: peer did not false start: EOF",
1982 },
1983 {
1984 name: "NoFalseStart-RSA",
1985 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1986 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1987 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1988 NextProtos: []string{"foo"},
1989 Bugs: ProtocolBugs{
1990 ExpectFalseStart: true,
1991 AlertBeforeFalseStartTest: alertAccessDenied,
1992 },
1993 },
1994 flags: []string{
1995 "-false-start",
1996 "-advertise-alpn", "\x03foo",
1997 },
1998 shimWritesFirst: true,
1999 shouldFail: true,
2000 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2001 expectedLocalError: "tls: peer did not false start: EOF",
2002 },
2003 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2004 protocol: dtls,
2005 name: "SendSplitAlert-Sync",
2006 config: Config{
2007 Bugs: ProtocolBugs{
2008 SendSplitAlert: true,
2009 },
2010 },
2011 },
2012 {
2013 protocol: dtls,
2014 name: "SendSplitAlert-Async",
2015 config: Config{
2016 Bugs: ProtocolBugs{
2017 SendSplitAlert: true,
2018 },
2019 },
2020 flags: []string{"-async"},
2021 },
2022 {
2023 protocol: dtls,
2024 name: "PackDTLSHandshake",
2025 config: Config{
2026 Bugs: ProtocolBugs{
2027 MaxHandshakeRecordLength: 2,
2028 PackHandshakeFragments: 20,
2029 PackHandshakeRecords: 200,
2030 },
2031 },
2032 },
2033 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2034 name: "SendEmptyRecords-Pass",
2035 sendEmptyRecords: 32,
2036 },
2037 {
2038 name: "SendEmptyRecords",
2039 sendEmptyRecords: 33,
2040 shouldFail: true,
2041 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2042 },
2043 {
2044 name: "SendEmptyRecords-Async",
2045 sendEmptyRecords: 33,
2046 flags: []string{"-async"},
2047 shouldFail: true,
2048 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2049 },
2050 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2051 name: "SendWarningAlerts-Pass",
2052 config: Config{
2053 MaxVersion: VersionTLS12,
2054 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2055 sendWarningAlerts: 4,
2056 },
2057 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2058 protocol: dtls,
2059 name: "SendWarningAlerts-DTLS-Pass",
2060 config: Config{
2061 MaxVersion: VersionTLS12,
2062 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2063 sendWarningAlerts: 4,
2064 },
2065 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2066 name: "SendWarningAlerts-TLS13",
2067 config: Config{
2068 MaxVersion: VersionTLS13,
2069 },
2070 sendWarningAlerts: 4,
2071 shouldFail: true,
2072 expectedError: ":BAD_ALERT:",
2073 expectedLocalError: "remote error: error decoding message",
2074 },
2075 {
2076 name: "SendWarningAlerts",
2077 config: Config{
2078 MaxVersion: VersionTLS12,
2079 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2080 sendWarningAlerts: 5,
2081 shouldFail: true,
2082 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2083 },
2084 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2085 name: "SendWarningAlerts-Async",
2086 config: Config{
2087 MaxVersion: VersionTLS12,
2088 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2089 sendWarningAlerts: 5,
2090 flags: []string{"-async"},
2091 shouldFail: true,
2092 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2093 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2094 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2095 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2096 config: Config{
2097 MaxVersion: VersionTLS13,
2098 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2099 sendKeyUpdates: 33,
2100 keyUpdateRequest: keyUpdateNotRequested,
2101 shouldFail: true,
2102 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2103 },
2104 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2105 name: "EmptySessionID",
2106 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2107 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2108 SessionTicketsDisabled: true,
2109 },
2110 noSessionCache: true,
2111 flags: []string{"-expect-no-session"},
2112 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2113 {
2114 name: "Unclean-Shutdown",
2115 config: Config{
2116 Bugs: ProtocolBugs{
2117 NoCloseNotify: true,
2118 ExpectCloseNotify: true,
2119 },
2120 },
2121 shimShutsDown: true,
2122 flags: []string{"-check-close-notify"},
2123 shouldFail: true,
2124 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2125 },
2126 {
2127 name: "Unclean-Shutdown-Ignored",
2128 config: Config{
2129 Bugs: ProtocolBugs{
2130 NoCloseNotify: true,
2131 },
2132 },
2133 shimShutsDown: true,
2134 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2135 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2136 name: "Unclean-Shutdown-Alert",
2137 config: Config{
2138 Bugs: ProtocolBugs{
2139 SendAlertOnShutdown: alertDecompressionFailure,
2140 ExpectCloseNotify: true,
2141 },
2142 },
2143 shimShutsDown: true,
2144 flags: []string{"-check-close-notify"},
2145 shouldFail: true,
2146 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2147 },
2148 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2149 name: "LargePlaintext",
2150 config: Config{
2151 Bugs: ProtocolBugs{
2152 SendLargeRecords: true,
2153 },
2154 },
2155 messageLen: maxPlaintext + 1,
2156 shouldFail: true,
2157 expectedError: ":DATA_LENGTH_TOO_LONG:",
2158 },
2159 {
2160 protocol: dtls,
2161 name: "LargePlaintext-DTLS",
2162 config: Config{
2163 Bugs: ProtocolBugs{
2164 SendLargeRecords: true,
2165 },
2166 },
2167 messageLen: maxPlaintext + 1,
2168 shouldFail: true,
2169 expectedError: ":DATA_LENGTH_TOO_LONG:",
2170 },
2171 {
2172 name: "LargeCiphertext",
2173 config: Config{
2174 Bugs: ProtocolBugs{
2175 SendLargeRecords: true,
2176 },
2177 },
2178 messageLen: maxPlaintext * 2,
2179 shouldFail: true,
2180 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2181 },
2182 {
2183 protocol: dtls,
2184 name: "LargeCiphertext-DTLS",
2185 config: Config{
2186 Bugs: ProtocolBugs{
2187 SendLargeRecords: true,
2188 },
2189 },
2190 messageLen: maxPlaintext * 2,
2191 // Unlike the other four cases, DTLS drops records which
2192 // are invalid before authentication, so the connection
2193 // does not fail.
2194 expectMessageDropped: true,
2195 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2196 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2197 name: "BadHelloRequest-1",
2198 renegotiate: 1,
2199 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2200 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2201 Bugs: ProtocolBugs{
2202 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2203 },
2204 },
2205 flags: []string{
2206 "-renegotiate-freely",
2207 "-expect-total-renegotiations", "1",
2208 },
2209 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2210 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2211 },
2212 {
2213 name: "BadHelloRequest-2",
2214 renegotiate: 1,
2215 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2216 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2217 Bugs: ProtocolBugs{
2218 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2219 },
2220 },
2221 flags: []string{
2222 "-renegotiate-freely",
2223 "-expect-total-renegotiations", "1",
2224 },
2225 shouldFail: true,
2226 expectedError: ":BAD_HELLO_REQUEST:",
2227 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2228 {
2229 testType: serverTest,
2230 name: "SupportTicketsWithSessionID",
2231 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2232 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2233 SessionTicketsDisabled: true,
2234 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2235 resumeConfig: &Config{
2236 MaxVersion: VersionTLS12,
2237 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2238 resumeSession: true,
2239 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2240 {
2241 protocol: dtls,
2242 name: "DTLS-SendExtraFinished",
2243 config: Config{
2244 Bugs: ProtocolBugs{
2245 SendExtraFinished: true,
2246 },
2247 },
2248 shouldFail: true,
2249 expectedError: ":UNEXPECTED_RECORD:",
2250 },
2251 {
2252 protocol: dtls,
2253 name: "DTLS-SendExtraFinished-Reordered",
2254 config: Config{
2255 Bugs: ProtocolBugs{
2256 MaxHandshakeRecordLength: 2,
2257 ReorderHandshakeFragments: true,
2258 SendExtraFinished: true,
2259 },
2260 },
2261 shouldFail: true,
2262 expectedError: ":UNEXPECTED_RECORD:",
2263 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2264 {
2265 testType: serverTest,
2266 name: "V2ClientHello-EmptyRecordPrefix",
2267 config: Config{
2268 // Choose a cipher suite that does not involve
2269 // elliptic curves, so no extensions are
2270 // involved.
2271 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2272 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2273 Bugs: ProtocolBugs{
2274 SendV2ClientHello: true,
2275 },
2276 },
2277 sendPrefix: string([]byte{
2278 byte(recordTypeHandshake),
2279 3, 1, // version
2280 0, 0, // length
2281 }),
2282 // A no-op empty record may not be sent before V2ClientHello.
2283 shouldFail: true,
2284 expectedError: ":WRONG_VERSION_NUMBER:",
2285 },
2286 {
2287 testType: serverTest,
2288 name: "V2ClientHello-WarningAlertPrefix",
2289 config: Config{
2290 // Choose a cipher suite that does not involve
2291 // elliptic curves, so no extensions are
2292 // involved.
2293 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2294 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2295 Bugs: ProtocolBugs{
2296 SendV2ClientHello: true,
2297 },
2298 },
2299 sendPrefix: string([]byte{
2300 byte(recordTypeAlert),
2301 3, 1, // version
2302 0, 2, // length
2303 alertLevelWarning, byte(alertDecompressionFailure),
2304 }),
2305 // A no-op warning alert may not be sent before V2ClientHello.
2306 shouldFail: true,
2307 expectedError: ":WRONG_VERSION_NUMBER:",
2308 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2309 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2310 name: "KeyUpdate-Client",
2311 config: Config{
2312 MaxVersion: VersionTLS13,
2313 },
2314 sendKeyUpdates: 1,
2315 keyUpdateRequest: keyUpdateNotRequested,
2316 },
2317 {
2318 testType: serverTest,
2319 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2320 config: Config{
2321 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2322 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2323 sendKeyUpdates: 1,
2324 keyUpdateRequest: keyUpdateNotRequested,
2325 },
2326 {
2327 name: "KeyUpdate-InvalidRequestMode",
2328 config: Config{
2329 MaxVersion: VersionTLS13,
2330 },
2331 sendKeyUpdates: 1,
2332 keyUpdateRequest: 42,
2333 shouldFail: true,
2334 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2335 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2336 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2337 // Test that KeyUpdates are acknowledged properly.
2338 name: "KeyUpdate-RequestACK",
2339 config: Config{
2340 MaxVersion: VersionTLS13,
2341 Bugs: ProtocolBugs{
2342 RejectUnsolicitedKeyUpdate: true,
2343 },
2344 },
2345 // Test the shim receiving many KeyUpdates in a row.
2346 sendKeyUpdates: 5,
2347 messageCount: 5,
2348 keyUpdateRequest: keyUpdateRequested,
2349 },
2350 {
2351 // Test that KeyUpdates are acknowledged properly if the
2352 // peer's KeyUpdate is discovered while a write is
2353 // pending.
2354 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2355 config: Config{
2356 MaxVersion: VersionTLS13,
2357 Bugs: ProtocolBugs{
2358 RejectUnsolicitedKeyUpdate: true,
2359 },
2360 },
2361 // Test the shim receiving many KeyUpdates in a row.
2362 sendKeyUpdates: 5,
2363 messageCount: 5,
2364 keyUpdateRequest: keyUpdateRequested,
2365 readWithUnfinishedWrite: true,
2366 flags: []string{"-async"},
2367 },
2368 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2369 name: "SendSNIWarningAlert",
2370 config: Config{
2371 MaxVersion: VersionTLS12,
2372 Bugs: ProtocolBugs{
2373 SendSNIWarningAlert: true,
2374 },
2375 },
2376 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2377 {
2378 testType: serverTest,
2379 name: "ExtraCompressionMethods-TLS12",
2380 config: Config{
2381 MaxVersion: VersionTLS12,
2382 Bugs: ProtocolBugs{
2383 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2384 },
2385 },
2386 },
2387 {
2388 testType: serverTest,
2389 name: "ExtraCompressionMethods-TLS13",
2390 config: Config{
2391 MaxVersion: VersionTLS13,
2392 Bugs: ProtocolBugs{
2393 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2394 },
2395 },
2396 shouldFail: true,
2397 expectedError: ":INVALID_COMPRESSION_LIST:",
2398 expectedLocalError: "remote error: illegal parameter",
2399 },
2400 {
2401 testType: serverTest,
2402 name: "NoNullCompression-TLS12",
2403 config: Config{
2404 MaxVersion: VersionTLS12,
2405 Bugs: ProtocolBugs{
2406 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2407 },
2408 },
2409 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2410 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2411 expectedLocalError: "remote error: illegal parameter",
2412 },
2413 {
2414 testType: serverTest,
2415 name: "NoNullCompression-TLS13",
2416 config: Config{
2417 MaxVersion: VersionTLS13,
2418 Bugs: ProtocolBugs{
2419 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2420 },
2421 },
2422 shouldFail: true,
2423 expectedError: ":INVALID_COMPRESSION_LIST:",
2424 expectedLocalError: "remote error: illegal parameter",
2425 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2426 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2427 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2428 config: Config{
2429 MaxVersion: VersionTLS12,
2430 Bugs: ProtocolBugs{
2431 ExpectGREASE: true,
2432 },
2433 },
2434 flags: []string{"-enable-grease"},
2435 },
2436 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2437 name: "GREASE-Client-TLS13",
2438 config: Config{
2439 MaxVersion: VersionTLS13,
2440 Bugs: ProtocolBugs{
2441 ExpectGREASE: true,
2442 },
2443 },
2444 flags: []string{"-enable-grease"},
2445 },
2446 {
2447 testType: serverTest,
2448 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2449 config: Config{
2450 MaxVersion: VersionTLS13,
2451 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2452 // TLS 1.3 servers are expected to
2453 // always enable GREASE. TLS 1.3 is new,
2454 // so there is no existing ecosystem to
2455 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2456 ExpectGREASE: true,
2457 },
2458 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2459 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2460 {
2461 // Test the server so there is a large certificate as
2462 // well as application data.
2463 testType: serverTest,
2464 name: "MaxSendFragment",
2465 config: Config{
2466 Bugs: ProtocolBugs{
2467 MaxReceivePlaintext: 512,
2468 },
2469 },
2470 messageLen: 1024,
2471 flags: []string{
2472 "-max-send-fragment", "512",
2473 "-read-size", "1024",
2474 },
2475 },
2476 {
2477 // Test the server so there is a large certificate as
2478 // well as application data.
2479 testType: serverTest,
2480 name: "MaxSendFragment-TooLarge",
2481 config: Config{
2482 Bugs: ProtocolBugs{
2483 // Ensure that some of the records are
2484 // 512.
2485 MaxReceivePlaintext: 511,
2486 },
2487 },
2488 messageLen: 1024,
2489 flags: []string{
2490 "-max-send-fragment", "512",
2491 "-read-size", "1024",
2492 },
2493 shouldFail: true,
2494 expectedLocalError: "local error: record overflow",
2495 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2496 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2497 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2498
2499 // Test that very large messages can be received.
2500 cert := rsaCertificate
2501 for i := 0; i < 50; i++ {
2502 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2503 }
2504 testCases = append(testCases, testCase{
2505 name: "LargeMessage",
2506 config: Config{
2507 Certificates: []Certificate{cert},
2508 },
2509 })
2510 testCases = append(testCases, testCase{
2511 protocol: dtls,
2512 name: "LargeMessage-DTLS",
2513 config: Config{
2514 Certificates: []Certificate{cert},
2515 },
2516 })
2517
2518 // They are rejected if the maximum certificate chain length is capped.
2519 testCases = append(testCases, testCase{
2520 name: "LargeMessage-Reject",
2521 config: Config{
2522 Certificates: []Certificate{cert},
2523 },
2524 flags: []string{"-max-cert-list", "16384"},
2525 shouldFail: true,
2526 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2527 })
2528 testCases = append(testCases, testCase{
2529 protocol: dtls,
2530 name: "LargeMessage-Reject-DTLS",
2531 config: Config{
2532 Certificates: []Certificate{cert},
2533 },
2534 flags: []string{"-max-cert-list", "16384"},
2535 shouldFail: true,
2536 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2537 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2538}
2539
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2540func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2541 const psk = "12345"
2542 const pskIdentity = "luggage combo"
2543
2544 var prefix string
2545 if protocol == dtls {
2546 if !ver.hasDTLS {
2547 return
2548 }
2549 prefix = "D"
2550 }
2551
2552 var cert Certificate
2553 var certFile string
2554 var keyFile string
2555 if hasComponent(suite.name, "ECDSA") {
2556 cert = ecdsaP256Certificate
2557 certFile = ecdsaP256CertificateFile
2558 keyFile = ecdsaP256KeyFile
2559 } else {
2560 cert = rsaCertificate
2561 certFile = rsaCertificateFile
2562 keyFile = rsaKeyFile
2563 }
2564
2565 var flags []string
2566 if hasComponent(suite.name, "PSK") {
2567 flags = append(flags,
2568 "-psk", psk,
2569 "-psk-identity", pskIdentity)
2570 }
2571 if hasComponent(suite.name, "NULL") {
2572 // NULL ciphers must be explicitly enabled.
2573 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2574 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2575
2576 var shouldServerFail, shouldClientFail bool
2577 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2578 // BoringSSL clients accept ECDHE on SSLv3, but
2579 // a BoringSSL server will never select it
2580 // because the extension is missing.
2581 shouldServerFail = true
2582 }
2583 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2584 shouldClientFail = true
2585 shouldServerFail = true
2586 }
2587 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2588 shouldClientFail = true
2589 shouldServerFail = true
2590 }
2591 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2592 shouldClientFail = true
2593 shouldServerFail = true
2594 }
2595 if !isDTLSCipher(suite.name) && protocol == dtls {
2596 shouldClientFail = true
2597 shouldServerFail = true
2598 }
2599
2600 var sendCipherSuite uint16
2601 var expectedServerError, expectedClientError string
2602 serverCipherSuites := []uint16{suite.id}
2603 if shouldServerFail {
2604 expectedServerError = ":NO_SHARED_CIPHER:"
2605 }
2606 if shouldClientFail {
2607 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2608 // Configure the server to select ciphers as normal but
2609 // select an incompatible cipher in ServerHello.
2610 serverCipherSuites = nil
2611 sendCipherSuite = suite.id
2612 }
2613
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2614 // For cipher suites and versions where exporters are defined, verify
2615 // that they interoperate.
2616 var exportKeyingMaterial int
2617 if ver.version > VersionSSL30 {
2618 exportKeyingMaterial = 1024
2619 }
2620
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2621 testCases = append(testCases, testCase{
2622 testType: serverTest,
2623 protocol: protocol,
2624 name: prefix + ver.name + "-" + suite.name + "-server",
2625 config: Config{
2626 MinVersion: ver.version,
2627 MaxVersion: ver.version,
2628 CipherSuites: []uint16{suite.id},
2629 Certificates: []Certificate{cert},
2630 PreSharedKey: []byte(psk),
2631 PreSharedKeyIdentity: pskIdentity,
2632 Bugs: ProtocolBugs{
2633 AdvertiseAllConfiguredCiphers: true,
2634 },
2635 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2636 certFile: certFile,
2637 keyFile: keyFile,
2638 flags: flags,
2639 resumeSession: true,
2640 shouldFail: shouldServerFail,
2641 expectedError: expectedServerError,
2642 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2643 })
2644
2645 testCases = append(testCases, testCase{
2646 testType: clientTest,
2647 protocol: protocol,
2648 name: prefix + ver.name + "-" + suite.name + "-client",
2649 config: Config{
2650 MinVersion: ver.version,
2651 MaxVersion: ver.version,
2652 CipherSuites: serverCipherSuites,
2653 Certificates: []Certificate{cert},
2654 PreSharedKey: []byte(psk),
2655 PreSharedKeyIdentity: pskIdentity,
2656 Bugs: ProtocolBugs{
2657 IgnorePeerCipherPreferences: shouldClientFail,
2658 SendCipherSuite: sendCipherSuite,
2659 },
2660 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2661 flags: flags,
2662 resumeSession: true,
2663 shouldFail: shouldClientFail,
2664 expectedError: expectedClientError,
2665 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2666 })
2667
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2668 if shouldClientFail {
2669 return
2670 }
2671
2672 // Ensure the maximum record size is accepted.
2673 testCases = append(testCases, testCase{
2674 protocol: protocol,
2675 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2676 config: Config{
2677 MinVersion: ver.version,
2678 MaxVersion: ver.version,
2679 CipherSuites: []uint16{suite.id},
2680 Certificates: []Certificate{cert},
2681 PreSharedKey: []byte(psk),
2682 PreSharedKeyIdentity: pskIdentity,
2683 },
2684 flags: flags,
2685 messageLen: maxPlaintext,
2686 })
2687
2688 // Test bad records for all ciphers. Bad records are fatal in TLS
2689 // and ignored in DTLS.
2690 var shouldFail bool
2691 var expectedError string
2692 if protocol == tls {
2693 shouldFail = true
2694 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2695 }
2696
2697 testCases = append(testCases, testCase{
2698 protocol: protocol,
2699 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2700 config: Config{
2701 MinVersion: ver.version,
2702 MaxVersion: ver.version,
2703 CipherSuites: []uint16{suite.id},
2704 Certificates: []Certificate{cert},
2705 PreSharedKey: []byte(psk),
2706 PreSharedKeyIdentity: pskIdentity,
2707 },
2708 flags: flags,
2709 damageFirstWrite: true,
2710 messageLen: maxPlaintext,
2711 shouldFail: shouldFail,
2712 expectedError: expectedError,
2713 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2714}
2715
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2716func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2717 const bogusCipher = 0xfe00
2718
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2719 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2720 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2721 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2722 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2723 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2724 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2725 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2726
2727 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2728 name: "NoSharedCipher",
2729 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2730 MaxVersion: VersionTLS12,
2731 CipherSuites: []uint16{},
2732 },
2733 shouldFail: true,
2734 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2735 })
2736
2737 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2738 name: "NoSharedCipher-TLS13",
2739 config: Config{
2740 MaxVersion: VersionTLS13,
2741 CipherSuites: []uint16{},
2742 },
2743 shouldFail: true,
2744 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2745 })
2746
2747 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2748 name: "UnsupportedCipherSuite",
2749 config: Config{
2750 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2751 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2752 Bugs: ProtocolBugs{
2753 IgnorePeerCipherPreferences: true,
2754 },
2755 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2756 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2757 shouldFail: true,
2758 expectedError: ":WRONG_CIPHER_RETURNED:",
2759 })
2760
2761 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2762 name: "ServerHelloBogusCipher",
2763 config: Config{
2764 MaxVersion: VersionTLS12,
2765 Bugs: ProtocolBugs{
2766 SendCipherSuite: bogusCipher,
2767 },
2768 },
2769 shouldFail: true,
2770 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2771 })
2772 testCases = append(testCases, testCase{
2773 name: "ServerHelloBogusCipher-TLS13",
2774 config: Config{
2775 MaxVersion: VersionTLS13,
2776 Bugs: ProtocolBugs{
2777 SendCipherSuite: bogusCipher,
2778 },
2779 },
2780 shouldFail: true,
2781 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2782 })
2783
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2784 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2785 testCases = append(testCases, testCase{
2786 testType: serverTest,
2787 name: "UnknownCipher",
2788 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2789 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2790 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2791 Bugs: ProtocolBugs{
2792 AdvertiseAllConfiguredCiphers: true,
2793 },
2794 },
2795 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2796
2797 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2798 testCases = append(testCases, testCase{
2799 testType: serverTest,
2800 name: "UnknownCipher-TLS13",
2801 config: Config{
2802 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2803 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2804 Bugs: ProtocolBugs{
2805 AdvertiseAllConfiguredCiphers: true,
2806 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2807 },
2808 })
2809
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2810 // Test empty ECDHE_PSK identity hints work as expected.
2811 testCases = append(testCases, testCase{
2812 name: "EmptyECDHEPSKHint",
2813 config: Config{
2814 MaxVersion: VersionTLS12,
2815 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2816 PreSharedKey: []byte("secret"),
2817 },
2818 flags: []string{"-psk", "secret"},
2819 })
2820
2821 // Test empty PSK identity hints work as expected, even if an explicit
2822 // ServerKeyExchange is sent.
2823 testCases = append(testCases, testCase{
2824 name: "ExplicitEmptyPSKHint",
2825 config: Config{
2826 MaxVersion: VersionTLS12,
2827 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2828 PreSharedKey: []byte("secret"),
2829 Bugs: ProtocolBugs{
2830 AlwaysSendPreSharedKeyIdentityHint: true,
2831 },
2832 },
2833 flags: []string{"-psk", "secret"},
2834 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2835
2836 // Test that clients enforce that the server-sent certificate and cipher
2837 // suite match in TLS 1.2.
2838 testCases = append(testCases, testCase{
2839 name: "CertificateCipherMismatch-RSA",
2840 config: Config{
2841 MaxVersion: VersionTLS12,
2842 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2843 Certificates: []Certificate{rsaCertificate},
2844 Bugs: ProtocolBugs{
2845 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2846 },
2847 },
2848 shouldFail: true,
2849 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2850 })
2851 testCases = append(testCases, testCase{
2852 name: "CertificateCipherMismatch-ECDSA",
2853 config: Config{
2854 MaxVersion: VersionTLS12,
2855 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2856 Certificates: []Certificate{ecdsaP256Certificate},
2857 Bugs: ProtocolBugs{
2858 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2859 },
2860 },
2861 shouldFail: true,
2862 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2863 })
2864 testCases = append(testCases, testCase{
2865 name: "CertificateCipherMismatch-Ed25519",
2866 config: Config{
2867 MaxVersion: VersionTLS12,
2868 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2869 Certificates: []Certificate{ed25519Certificate},
2870 Bugs: ProtocolBugs{
2871 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2872 },
2873 },
2874 shouldFail: true,
2875 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2876 })
2877
2878 // Test that servers decline to select a cipher suite which is
2879 // inconsistent with their configured certificate.
2880 testCases = append(testCases, testCase{
2881 testType: serverTest,
2882 name: "ServerCipherFilter-RSA",
2883 config: Config{
2884 MaxVersion: VersionTLS12,
2885 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2886 },
2887 flags: []string{
2888 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2889 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2890 },
2891 shouldFail: true,
2892 expectedError: ":NO_SHARED_CIPHER:",
2893 })
2894 testCases = append(testCases, testCase{
2895 testType: serverTest,
2896 name: "ServerCipherFilter-ECDSA",
2897 config: Config{
2898 MaxVersion: VersionTLS12,
2899 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2900 },
2901 flags: []string{
2902 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2903 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2904 },
2905 shouldFail: true,
2906 expectedError: ":NO_SHARED_CIPHER:",
2907 })
2908 testCases = append(testCases, testCase{
2909 testType: serverTest,
2910 name: "ServerCipherFilter-Ed25519",
2911 config: Config{
2912 MaxVersion: VersionTLS12,
2913 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2914 },
2915 flags: []string{
2916 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2917 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2918 },
2919 shouldFail: true,
2920 expectedError: ":NO_SHARED_CIPHER:",
2921 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2922}
2923
2924func addBadECDSASignatureTests() {
2925 for badR := BadValue(1); badR < NumBadValues; badR++ {
2926 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2927 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2928 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2929 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2930 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2931 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2932 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2933 Bugs: ProtocolBugs{
2934 BadECDSAR: badR,
2935 BadECDSAS: badS,
2936 },
2937 },
2938 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2939 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2940 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2941 testCases = append(testCases, testCase{
2942 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2943 config: Config{
2944 MaxVersion: VersionTLS13,
2945 Certificates: []Certificate{ecdsaP256Certificate},
2946 Bugs: ProtocolBugs{
2947 BadECDSAR: badR,
2948 BadECDSAS: badS,
2949 },
2950 },
2951 shouldFail: true,
2952 expectedError: ":BAD_SIGNATURE:",
2953 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2954 }
2955 }
2956}
2957
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2958func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2959 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2960 name: "MaxCBCPadding",
2961 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2962 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2963 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2964 Bugs: ProtocolBugs{
2965 MaxPadding: true,
2966 },
2967 },
2968 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2969 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2970 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2971 name: "BadCBCPadding",
2972 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2973 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2974 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2975 Bugs: ProtocolBugs{
2976 PaddingFirstByteBad: true,
2977 },
2978 },
2979 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2980 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2981 })
2982 // OpenSSL previously had an issue where the first byte of padding in
2983 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2984 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2985 name: "BadCBCPadding255",
2986 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2987 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2988 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2989 Bugs: ProtocolBugs{
2990 MaxPadding: true,
2991 PaddingFirstByteBadIf255: true,
2992 },
2993 },
2994 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2995 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2996 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2997 })
2998}
2999
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3000func addCBCSplittingTests() {
3001 testCases = append(testCases, testCase{
3002 name: "CBCRecordSplitting",
3003 config: Config{
3004 MaxVersion: VersionTLS10,
3005 MinVersion: VersionTLS10,
3006 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3007 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3008 messageLen: -1, // read until EOF
3009 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3010 flags: []string{
3011 "-async",
3012 "-write-different-record-sizes",
3013 "-cbc-record-splitting",
3014 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3015 })
3016 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3017 name: "CBCRecordSplittingPartialWrite",
3018 config: Config{
3019 MaxVersion: VersionTLS10,
3020 MinVersion: VersionTLS10,
3021 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3022 },
3023 messageLen: -1, // read until EOF
3024 flags: []string{
3025 "-async",
3026 "-write-different-record-sizes",
3027 "-cbc-record-splitting",
3028 "-partial-write",
3029 },
3030 })
3031}
3032
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3033func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3034 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3035 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3036 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3037 cert, err := x509.ParseCertificate(cert.Certificate[0])
3038 if err != nil {
3039 panic(err)
3040 }
3041 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3042 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3043 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3044
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3045 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3046 testCases = append(testCases, testCase{
3047 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3048 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3049 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3050 MinVersion: ver.version,
3051 MaxVersion: ver.version,
3052 ClientAuth: RequireAnyClientCert,
3053 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3054 },
3055 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3056 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3057 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3058 },
3059 })
3060 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3061 testType: serverTest,
3062 name: ver.name + "-Server-ClientAuth-RSA",
3063 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3064 MinVersion: ver.version,
3065 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3066 Certificates: []Certificate{rsaCertificate},
3067 },
3068 flags: []string{"-require-any-client-certificate"},
3069 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3070 if ver.version != VersionSSL30 {
3071 testCases = append(testCases, testCase{
3072 testType: serverTest,
3073 name: ver.name + "-Server-ClientAuth-ECDSA",
3074 config: Config{
3075 MinVersion: ver.version,
3076 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3077 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3078 },
3079 flags: []string{"-require-any-client-certificate"},
3080 })
3081 testCases = append(testCases, testCase{
3082 testType: clientTest,
3083 name: ver.name + "-Client-ClientAuth-ECDSA",
3084 config: Config{
3085 MinVersion: ver.version,
3086 MaxVersion: ver.version,
3087 ClientAuth: RequireAnyClientCert,
3088 ClientCAs: certPool,
3089 },
3090 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3091 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3092 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3093 },
3094 })
3095 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3096
3097 testCases = append(testCases, testCase{
3098 name: "NoClientCertificate-" + ver.name,
3099 config: Config{
3100 MinVersion: ver.version,
3101 MaxVersion: ver.version,
3102 ClientAuth: RequireAnyClientCert,
3103 },
3104 shouldFail: true,
3105 expectedLocalError: "client didn't provide a certificate",
3106 })
3107
3108 testCases = append(testCases, testCase{
3109 // Even if not configured to expect a certificate, OpenSSL will
3110 // return X509_V_OK as the verify_result.
3111 testType: serverTest,
3112 name: "NoClientCertificateRequested-Server-" + ver.name,
3113 config: Config{
3114 MinVersion: ver.version,
3115 MaxVersion: ver.version,
3116 },
3117 flags: []string{
3118 "-expect-verify-result",
3119 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3120 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3121 })
3122
3123 testCases = append(testCases, testCase{
3124 // If a client certificate is not provided, OpenSSL will still
3125 // return X509_V_OK as the verify_result.
3126 testType: serverTest,
3127 name: "NoClientCertificate-Server-" + ver.name,
3128 config: Config{
3129 MinVersion: ver.version,
3130 MaxVersion: ver.version,
3131 },
3132 flags: []string{
3133 "-expect-verify-result",
3134 "-verify-peer",
3135 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3136 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3137 })
3138
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3139 certificateRequired := "remote error: certificate required"
3140 if ver.version < VersionTLS13 {
3141 // Prior to TLS 1.3, the generic handshake_failure alert
3142 // was used.
3143 certificateRequired = "remote error: handshake failure"
3144 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3145 testCases = append(testCases, testCase{
3146 testType: serverTest,
3147 name: "RequireAnyClientCertificate-" + ver.name,
3148 config: Config{
3149 MinVersion: ver.version,
3150 MaxVersion: ver.version,
3151 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3152 flags: []string{"-require-any-client-certificate"},
3153 shouldFail: true,
3154 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3155 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3156 })
3157
3158 if ver.version != VersionSSL30 {
3159 testCases = append(testCases, testCase{
3160 testType: serverTest,
3161 name: "SkipClientCertificate-" + ver.name,
3162 config: Config{
3163 MinVersion: ver.version,
3164 MaxVersion: ver.version,
3165 Bugs: ProtocolBugs{
3166 SkipClientCertificate: true,
3167 },
3168 },
3169 // Setting SSL_VERIFY_PEER allows anonymous clients.
3170 flags: []string{"-verify-peer"},
3171 shouldFail: true,
3172 expectedError: ":UNEXPECTED_MESSAGE:",
3173 })
3174 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3175
3176 testCases = append(testCases, testCase{
3177 testType: serverTest,
3178 name: ver.name + "-Server-CertReq-CA-List",
3179 config: Config{
3180 MinVersion: ver.version,
3181 MaxVersion: ver.version,
3182 Certificates: []Certificate{rsaCertificate},
3183 Bugs: ProtocolBugs{
3184 ExpectCertificateReqNames: caNames,
3185 },
3186 },
3187 flags: []string{
3188 "-require-any-client-certificate",
3189 "-use-client-ca-list", encodeDERValues(caNames),
3190 },
3191 })
3192
3193 testCases = append(testCases, testCase{
3194 testType: clientTest,
3195 name: ver.name + "-Client-CertReq-CA-List",
3196 config: Config{
3197 MinVersion: ver.version,
3198 MaxVersion: ver.version,
3199 Certificates: []Certificate{rsaCertificate},
3200 ClientAuth: RequireAnyClientCert,
3201 ClientCAs: certPool,
3202 },
3203 flags: []string{
3204 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3205 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3206 "-expect-client-ca-list", encodeDERValues(caNames),
3207 },
3208 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3209 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3210
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3211 // Client auth is only legal in certificate-based ciphers.
3212 testCases = append(testCases, testCase{
3213 testType: clientTest,
3214 name: "ClientAuth-PSK",
3215 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3216 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3217 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3218 PreSharedKey: []byte("secret"),
3219 ClientAuth: RequireAnyClientCert,
3220 },
3221 flags: []string{
3222 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3223 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3224 "-psk", "secret",
3225 },
3226 shouldFail: true,
3227 expectedError: ":UNEXPECTED_MESSAGE:",
3228 })
3229 testCases = append(testCases, testCase{
3230 testType: clientTest,
3231 name: "ClientAuth-ECDHE_PSK",
3232 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3233 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3234 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3235 PreSharedKey: []byte("secret"),
3236 ClientAuth: RequireAnyClientCert,
3237 },
3238 flags: []string{
3239 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3240 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3241 "-psk", "secret",
3242 },
3243 shouldFail: true,
3244 expectedError: ":UNEXPECTED_MESSAGE:",
3245 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3246
3247 // Regression test for a bug where the client CA list, if explicitly
3248 // set to NULL, was mis-encoded.
3249 testCases = append(testCases, testCase{
3250 testType: serverTest,
3251 name: "Null-Client-CA-List",
3252 config: Config{
3253 MaxVersion: VersionTLS12,
3254 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3255 Bugs: ProtocolBugs{
3256 ExpectCertificateReqNames: [][]byte{},
3257 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3258 },
3259 flags: []string{
3260 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3261 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3262 },
3263 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3264}
3265
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3266func addExtendedMasterSecretTests() {
3267 const expectEMSFlag = "-expect-extended-master-secret"
3268
3269 for _, with := range []bool{false, true} {
3270 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3271 if with {
3272 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3273 }
3274
3275 for _, isClient := range []bool{false, true} {
3276 suffix := "-Server"
3277 testType := serverTest
3278 if isClient {
3279 suffix = "-Client"
3280 testType = clientTest
3281 }
3282
3283 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3284 // In TLS 1.3, the extension is irrelevant and
3285 // always reports as enabled.
3286 var flags []string
3287 if with || ver.version >= VersionTLS13 {
3288 flags = []string{expectEMSFlag}
3289 }
3290
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3291 test := testCase{
3292 testType: testType,
3293 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3294 config: Config{
3295 MinVersion: ver.version,
3296 MaxVersion: ver.version,
3297 Bugs: ProtocolBugs{
3298 NoExtendedMasterSecret: !with,
3299 RequireExtendedMasterSecret: with,
3300 },
3301 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3302 flags: flags,
3303 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3304 }
3305 if test.shouldFail {
3306 test.expectedLocalError = "extended master secret required but not supported by peer"
3307 }
3308 testCases = append(testCases, test)
3309 }
3310 }
3311 }
3312
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3313 for _, isClient := range []bool{false, true} {
3314 for _, supportedInFirstConnection := range []bool{false, true} {
3315 for _, supportedInResumeConnection := range []bool{false, true} {
3316 boolToWord := func(b bool) string {
3317 if b {
3318 return "Yes"
3319 }
3320 return "No"
3321 }
3322 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3323 if isClient {
3324 suffix += "Client"
3325 } else {
3326 suffix += "Server"
3327 }
3328
3329 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3330 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3331 Bugs: ProtocolBugs{
3332 RequireExtendedMasterSecret: true,
3333 },
3334 }
3335
3336 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3337 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3338 Bugs: ProtocolBugs{
3339 NoExtendedMasterSecret: true,
3340 },
3341 }
3342
3343 test := testCase{
3344 name: "ExtendedMasterSecret-" + suffix,
3345 resumeSession: true,
3346 }
3347
3348 if !isClient {
3349 test.testType = serverTest
3350 }
3351
3352 if supportedInFirstConnection {
3353 test.config = supportedConfig
3354 } else {
3355 test.config = noSupportConfig
3356 }
3357
3358 if supportedInResumeConnection {
3359 test.resumeConfig = &supportedConfig
3360 } else {
3361 test.resumeConfig = &noSupportConfig
3362 }
3363
3364 switch suffix {
3365 case "YesToYes-Client", "YesToYes-Server":
3366 // When a session is resumed, it should
3367 // still be aware that its master
3368 // secret was generated via EMS and
3369 // thus it's safe to use tls-unique.
3370 test.flags = []string{expectEMSFlag}
3371 case "NoToYes-Server":
3372 // If an original connection did not
3373 // contain EMS, but a resumption
3374 // handshake does, then a server should
3375 // not resume the session.
3376 test.expectResumeRejected = true
3377 case "YesToNo-Server":
3378 // Resuming an EMS session without the
3379 // EMS extension should cause the
3380 // server to abort the connection.
3381 test.shouldFail = true
3382 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3383 case "NoToYes-Client":
3384 // A client should abort a connection
3385 // where the server resumed a non-EMS
3386 // session but echoed the EMS
3387 // extension.
3388 test.shouldFail = true
3389 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3390 case "YesToNo-Client":
3391 // A client should abort a connection
3392 // where the server didn't echo EMS
3393 // when the session used it.
3394 test.shouldFail = true
3395 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3396 }
3397
3398 testCases = append(testCases, test)
3399 }
3400 }
3401 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3402
3403 // Switching EMS on renegotiation is forbidden.
3404 testCases = append(testCases, testCase{
3405 name: "ExtendedMasterSecret-Renego-NoEMS",
3406 config: Config{
3407 MaxVersion: VersionTLS12,
3408 Bugs: ProtocolBugs{
3409 NoExtendedMasterSecret: true,
3410 NoExtendedMasterSecretOnRenegotiation: true,
3411 },
3412 },
3413 renegotiate: 1,
3414 flags: []string{
3415 "-renegotiate-freely",
3416 "-expect-total-renegotiations", "1",
3417 },
3418 })
3419
3420 testCases = append(testCases, testCase{
3421 name: "ExtendedMasterSecret-Renego-Upgrade",
3422 config: Config{
3423 MaxVersion: VersionTLS12,
3424 Bugs: ProtocolBugs{
3425 NoExtendedMasterSecret: true,
3426 },
3427 },
3428 renegotiate: 1,
3429 flags: []string{
3430 "-renegotiate-freely",
3431 "-expect-total-renegotiations", "1",
3432 },
3433 shouldFail: true,
3434 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3435 })
3436
3437 testCases = append(testCases, testCase{
3438 name: "ExtendedMasterSecret-Renego-Downgrade",
3439 config: Config{
3440 MaxVersion: VersionTLS12,
3441 Bugs: ProtocolBugs{
3442 NoExtendedMasterSecretOnRenegotiation: true,
3443 },
3444 },
3445 renegotiate: 1,
3446 flags: []string{
3447 "-renegotiate-freely",
3448 "-expect-total-renegotiations", "1",
3449 },
3450 shouldFail: true,
3451 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3452 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3453}
3454
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3455type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3456 protocol protocol
3457 async bool
3458 splitHandshake bool
3459 packHandshakeFlight bool
3460 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3461}
3462
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3463// Adds tests that try to cover the range of the handshake state machine, under
3464// various conditions. Some of these are redundant with other tests, but they
3465// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3466func addAllStateMachineCoverageTests() {
3467 for _, async := range []bool{false, true} {
3468 for _, protocol := range []protocol{tls, dtls} {
3469 addStateMachineCoverageTests(stateMachineTestConfig{
3470 protocol: protocol,
3471 async: async,
3472 })
3473 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3474 protocol: protocol,
3475 async: async,
3476 implicitHandshake: true,
3477 })
3478 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3479 protocol: protocol,
3480 async: async,
3481 splitHandshake: true,
3482 })
3483 if protocol == tls {
3484 addStateMachineCoverageTests(stateMachineTestConfig{
3485 protocol: protocol,
3486 async: async,
3487 packHandshakeFlight: true,
3488 })
3489 }
3490 }
3491 }
3492}
3493
3494func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3495 var tests []testCase
3496
3497 // Basic handshake, with resumption. Client and server,
3498 // session ID and session ticket.
3499 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3500 name: "Basic-Client",
3501 config: Config{
3502 MaxVersion: VersionTLS12,
3503 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3504 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3505 // Ensure session tickets are used, not session IDs.
3506 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3507 })
3508 tests = append(tests, testCase{
3509 name: "Basic-Client-RenewTicket",
3510 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3511 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3512 Bugs: ProtocolBugs{
3513 RenewTicketOnResume: true,
3514 },
3515 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3516 flags: []string{"-expect-ticket-renewal"},
3517 resumeSession: true,
3518 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3519 })
3520 tests = append(tests, testCase{
3521 name: "Basic-Client-NoTicket",
3522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3523 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3524 SessionTicketsDisabled: true,
3525 },
3526 resumeSession: true,
3527 })
3528 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3529 testType: serverTest,
3530 name: "Basic-Server",
3531 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3532 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3533 Bugs: ProtocolBugs{
3534 RequireSessionTickets: true,
3535 },
3536 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3537 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3538 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3539 })
3540 tests = append(tests, testCase{
3541 testType: serverTest,
3542 name: "Basic-Server-NoTickets",
3543 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3544 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3545 SessionTicketsDisabled: true,
3546 },
3547 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3548 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3549 })
3550 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3551 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3552 name: "Basic-Server-EarlyCallback",
3553 config: Config{
3554 MaxVersion: VersionTLS12,
3555 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3556 flags: []string{"-use-early-callback"},
3557 resumeSession: true,
3558 })
3559
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3560 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3561 if config.protocol == tls {
3562 tests = append(tests, testCase{
3563 name: "TLS13-1RTT-Client",
3564 config: Config{
3565 MaxVersion: VersionTLS13,
3566 MinVersion: VersionTLS13,
3567 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3568 resumeSession: true,
3569 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3570 })
3571
3572 tests = append(tests, testCase{
3573 testType: serverTest,
3574 name: "TLS13-1RTT-Server",
3575 config: Config{
3576 MaxVersion: VersionTLS13,
3577 MinVersion: VersionTLS13,
3578 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3579 resumeSession: true,
3580 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3581 // TLS 1.3 uses tickets, so the session should not be
3582 // cached statefully.
3583 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3584 })
3585
3586 tests = append(tests, testCase{
3587 name: "TLS13-HelloRetryRequest-Client",
3588 config: Config{
3589 MaxVersion: VersionTLS13,
3590 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3591 // P-384 requires a HelloRetryRequest against BoringSSL's default
3592 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3593 CurvePreferences: []CurveID{CurveP384},
3594 Bugs: ProtocolBugs{
3595 ExpectMissingKeyShare: true,
3596 },
3597 },
3598 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3599 resumeSession: true,
3600 })
3601
3602 tests = append(tests, testCase{
3603 testType: serverTest,
3604 name: "TLS13-HelloRetryRequest-Server",
3605 config: Config{
3606 MaxVersion: VersionTLS13,
3607 MinVersion: VersionTLS13,
3608 // Require a HelloRetryRequest for every curve.
3609 DefaultCurves: []CurveID{},
3610 },
3611 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3612 resumeSession: true,
3613 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3614
3615 // TODO(svaldez): Send data on early data once implemented.
3616 tests = append(tests, testCase{
3617 testType: clientTest,
3618 name: "TLS13-EarlyData-Client",
3619 config: Config{
3620 MaxVersion: VersionTLS13,
3621 MinVersion: VersionTLS13,
3622 MaxEarlyDataSize: 16384,
3623 },
3624 resumeSession: true,
3625 flags: []string{
3626 "-enable-early-data",
3627 "-expect-early-data-info",
3628 "-expect-accept-early-data",
3629 },
3630 })
3631
3632 tests = append(tests, testCase{
3633 testType: serverTest,
3634 name: "TLS13-EarlyData-Server",
3635 config: Config{
3636 MaxVersion: VersionTLS13,
3637 MinVersion: VersionTLS13,
3638 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3639 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3640 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3641 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3642 },
3643 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3644 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3645 resumeSession: true,
3646 flags: []string{
3647 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3648 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3649 },
3650 })
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3651
3652 tests = append(tests, testCase{
3653 testType: serverTest,
3654 name: "TLS13-MaxEarlyData-Server",
3655 config: Config{
3656 MaxVersion: VersionTLS13,
3657 MinVersion: VersionTLS13,
3658 Bugs: ProtocolBugs{
David Benjamin29975892017-04-27 23:47:21 -0400[diff] [blame]3659 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]3660 ExpectEarlyDataAccepted: true,
3661 },
3662 },
3663 messageCount: 2,
3664 resumeSession: true,
3665 flags: []string{
3666 "-enable-early-data",
3667 "-expect-accept-early-data",
3668 },
3669 shouldFail: true,
3670 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
3671 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3672 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3673
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3674 // TLS client auth.
3675 tests = append(tests, testCase{
3676 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3677 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3678 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3679 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3680 ClientAuth: RequestClientCert,
3681 },
3682 })
3683 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3684 testType: serverTest,
3685 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3686 config: Config{
3687 MaxVersion: VersionTLS12,
3688 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3689 // Setting SSL_VERIFY_PEER allows anonymous clients.
3690 flags: []string{"-verify-peer"},
3691 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3692 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3693 tests = append(tests, testCase{
3694 testType: clientTest,
3695 name: "ClientAuth-NoCertificate-Client-SSL3",
3696 config: Config{
3697 MaxVersion: VersionSSL30,
3698 ClientAuth: RequestClientCert,
3699 },
3700 })
3701 tests = append(tests, testCase{
3702 testType: serverTest,
3703 name: "ClientAuth-NoCertificate-Server-SSL3",
3704 config: Config{
3705 MaxVersion: VersionSSL30,
3706 },
3707 // Setting SSL_VERIFY_PEER allows anonymous clients.
3708 flags: []string{"-verify-peer"},
3709 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3710 tests = append(tests, testCase{
3711 testType: clientTest,
3712 name: "ClientAuth-NoCertificate-Client-TLS13",
3713 config: Config{
3714 MaxVersion: VersionTLS13,
3715 ClientAuth: RequestClientCert,
3716 },
3717 })
3718 tests = append(tests, testCase{
3719 testType: serverTest,
3720 name: "ClientAuth-NoCertificate-Server-TLS13",
3721 config: Config{
3722 MaxVersion: VersionTLS13,
3723 },
3724 // Setting SSL_VERIFY_PEER allows anonymous clients.
3725 flags: []string{"-verify-peer"},
3726 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3727 }
3728 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3729 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3730 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3731 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3732 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3733 ClientAuth: RequireAnyClientCert,
3734 },
3735 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3736 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3737 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3738 },
3739 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3740 tests = append(tests, testCase{
3741 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3742 name: "ClientAuth-RSA-Client-TLS13",
3743 config: Config{
3744 MaxVersion: VersionTLS13,
3745 ClientAuth: RequireAnyClientCert,
3746 },
3747 flags: []string{
3748 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3749 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3750 },
3751 })
3752 tests = append(tests, testCase{
3753 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3754 name: "ClientAuth-ECDSA-Client",
3755 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3756 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3757 ClientAuth: RequireAnyClientCert,
3758 },
3759 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3760 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3761 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3762 },
3763 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3764 tests = append(tests, testCase{
3765 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3766 name: "ClientAuth-ECDSA-Client-TLS13",
3767 config: Config{
3768 MaxVersion: VersionTLS13,
3769 ClientAuth: RequireAnyClientCert,
3770 },
3771 flags: []string{
3772 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3773 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3774 },
3775 })
3776 tests = append(tests, testCase{
3777 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3778 name: "ClientAuth-NoCertificate-OldCallback",
3779 config: Config{
3780 MaxVersion: VersionTLS12,
3781 ClientAuth: RequestClientCert,
3782 },
3783 flags: []string{"-use-old-client-cert-callback"},
3784 })
3785 tests = append(tests, testCase{
3786 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3787 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3788 config: Config{
3789 MaxVersion: VersionTLS13,
3790 ClientAuth: RequestClientCert,
3791 },
3792 flags: []string{"-use-old-client-cert-callback"},
3793 })
3794 tests = append(tests, testCase{
3795 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3796 name: "ClientAuth-OldCallback",
3797 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3798 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3799 ClientAuth: RequireAnyClientCert,
3800 },
3801 flags: []string{
3802 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3803 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3804 "-use-old-client-cert-callback",
3805 },
3806 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3807 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3808 testType: clientTest,
3809 name: "ClientAuth-OldCallback-TLS13",
3810 config: Config{
3811 MaxVersion: VersionTLS13,
3812 ClientAuth: RequireAnyClientCert,
3813 },
3814 flags: []string{
3815 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3816 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3817 "-use-old-client-cert-callback",
3818 },
3819 })
3820 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3821 testType: serverTest,
3822 name: "ClientAuth-Server",
3823 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3824 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3825 Certificates: []Certificate{rsaCertificate},
3826 },
3827 flags: []string{"-require-any-client-certificate"},
3828 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3829 tests = append(tests, testCase{
3830 testType: serverTest,
3831 name: "ClientAuth-Server-TLS13",
3832 config: Config{
3833 MaxVersion: VersionTLS13,
3834 Certificates: []Certificate{rsaCertificate},
3835 },
3836 flags: []string{"-require-any-client-certificate"},
3837 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3838
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3839 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3840 tests = append(tests, testCase{
3841 testType: serverTest,
3842 name: "Basic-Server-RSA",
3843 config: Config{
3844 MaxVersion: VersionTLS12,
3845 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3846 },
3847 flags: []string{
3848 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3849 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3850 },
3851 })
3852 tests = append(tests, testCase{
3853 testType: serverTest,
3854 name: "Basic-Server-ECDHE-RSA",
3855 config: Config{
3856 MaxVersion: VersionTLS12,
3857 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3858 },
3859 flags: []string{
3860 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3861 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3862 },
3863 })
3864 tests = append(tests, testCase{
3865 testType: serverTest,
3866 name: "Basic-Server-ECDHE-ECDSA",
3867 config: Config{
3868 MaxVersion: VersionTLS12,
3869 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3870 },
3871 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3872 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3873 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3874 },
3875 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3876 tests = append(tests, testCase{
3877 testType: serverTest,
3878 name: "Basic-Server-Ed25519",
3879 config: Config{
3880 MaxVersion: VersionTLS12,
3881 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3882 },
3883 flags: []string{
3884 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3885 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3886 "-enable-ed25519",
3887 },
3888 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3889
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3890 // No session ticket support; server doesn't send NewSessionTicket.
3891 tests = append(tests, testCase{
3892 name: "SessionTicketsDisabled-Client",
3893 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3894 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3895 SessionTicketsDisabled: true,
3896 },
3897 })
3898 tests = append(tests, testCase{
3899 testType: serverTest,
3900 name: "SessionTicketsDisabled-Server",
3901 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3902 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3903 SessionTicketsDisabled: true,
3904 },
3905 })
3906
3907 // Skip ServerKeyExchange in PSK key exchange if there's no
3908 // identity hint.
3909 tests = append(tests, testCase{
3910 name: "EmptyPSKHint-Client",
3911 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3912 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3913 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3914 PreSharedKey: []byte("secret"),
3915 },
3916 flags: []string{"-psk", "secret"},
3917 })
3918 tests = append(tests, testCase{
3919 testType: serverTest,
3920 name: "EmptyPSKHint-Server",
3921 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3922 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3923 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3924 PreSharedKey: []byte("secret"),
3925 },
3926 flags: []string{"-psk", "secret"},
3927 })
3928
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3929 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3930 tests = append(tests, testCase{
3931 testType: clientTest,
3932 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3933 config: Config{
3934 MaxVersion: VersionTLS12,
3935 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3936 flags: []string{
3937 "-enable-ocsp-stapling",
3938 "-expect-ocsp-response",
3939 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3940 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3941 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3942 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3943 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3944 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3945 testType: serverTest,
3946 name: "OCSPStapling-Server",
3947 config: Config{
3948 MaxVersion: VersionTLS12,
3949 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3950 expectedOCSPResponse: testOCSPResponse,
3951 flags: []string{
3952 "-ocsp-response",
3953 base64.StdEncoding.EncodeToString(testOCSPResponse),
3954 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3955 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3956 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3957 tests = append(tests, testCase{
3958 testType: clientTest,
3959 name: "OCSPStapling-Client-TLS13",
3960 config: Config{
3961 MaxVersion: VersionTLS13,
3962 },
3963 flags: []string{
3964 "-enable-ocsp-stapling",
3965 "-expect-ocsp-response",
3966 base64.StdEncoding.EncodeToString(testOCSPResponse),
3967 "-verify-peer",
3968 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3969 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3970 })
3971 tests = append(tests, testCase{
3972 testType: serverTest,
3973 name: "OCSPStapling-Server-TLS13",
3974 config: Config{
3975 MaxVersion: VersionTLS13,
3976 },
3977 expectedOCSPResponse: testOCSPResponse,
3978 flags: []string{
3979 "-ocsp-response",
3980 base64.StdEncoding.EncodeToString(testOCSPResponse),
3981 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3982 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3983 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3984
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3985 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3986 for _, vers := range tlsVersions {
3987 if config.protocol == dtls && !vers.hasDTLS {
3988 continue
3989 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3990 for _, testType := range []testType{clientTest, serverTest} {
3991 suffix := "-Client"
3992 if testType == serverTest {
3993 suffix = "-Server"
3994 }
3995 suffix += "-" + vers.name
3996
3997 flag := "-verify-peer"
3998 if testType == serverTest {
3999 flag = "-require-any-client-certificate"
4000 }
4001
4002 tests = append(tests, testCase{
4003 testType: testType,
4004 name: "CertificateVerificationSucceed" + suffix,
4005 config: Config{
4006 MaxVersion: vers.version,
4007 Certificates: []Certificate{rsaCertificate},
4008 },
4009 flags: []string{
4010 flag,
4011 "-expect-verify-result",
4012 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4013 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4014 })
4015 tests = append(tests, testCase{
4016 testType: testType,
4017 name: "CertificateVerificationFail" + suffix,
4018 config: Config{
4019 MaxVersion: vers.version,
4020 Certificates: []Certificate{rsaCertificate},
4021 },
4022 flags: []string{
4023 flag,
4024 "-verify-fail",
4025 },
4026 shouldFail: true,
4027 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4028 })
4029 }
4030
4031 // By default, the client is in a soft fail mode where the peer
4032 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4033 tests = append(tests, testCase{
4034 testType: clientTest,
4035 name: "CertificateVerificationSoftFail-" + vers.name,
4036 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4037 MaxVersion: vers.version,
4038 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4039 },
4040 flags: []string{
4041 "-verify-fail",
4042 "-expect-verify-result",
4043 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4044 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4045 })
4046 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4047
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4048 tests = append(tests, testCase{
4049 name: "ShimSendAlert",
4050 flags: []string{"-send-alert"},
4051 shimWritesFirst: true,
4052 shouldFail: true,
4053 expectedLocalError: "remote error: decompression failure",
4054 })
4055
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4056 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4057 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4058 name: "Renegotiate-Client",
4059 config: Config{
4060 MaxVersion: VersionTLS12,
4061 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4062 renegotiate: 1,
4063 flags: []string{
4064 "-renegotiate-freely",
4065 "-expect-total-renegotiations", "1",
4066 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4067 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4068
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4069 tests = append(tests, testCase{
4070 name: "SendHalfHelloRequest",
4071 config: Config{
4072 MaxVersion: VersionTLS12,
4073 Bugs: ProtocolBugs{
4074 PackHelloRequestWithFinished: config.packHandshakeFlight,
4075 },
4076 },
4077 sendHalfHelloRequest: true,
4078 flags: []string{"-renegotiate-ignore"},
4079 shouldFail: true,
4080 expectedError: ":UNEXPECTED_RECORD:",
4081 })
4082
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4083 // NPN on client and server; results in post-handshake message.
4084 tests = append(tests, testCase{
4085 name: "NPN-Client",
4086 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4087 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4088 NextProtos: []string{"foo"},
4089 },
4090 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4091 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4092 expectedNextProto: "foo",
4093 expectedNextProtoType: npn,
4094 })
4095 tests = append(tests, testCase{
4096 testType: serverTest,
4097 name: "NPN-Server",
4098 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4099 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4100 NextProtos: []string{"bar"},
4101 },
4102 flags: []string{
4103 "-advertise-npn", "\x03foo\x03bar\x03baz",
4104 "-expect-next-proto", "bar",
4105 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4106 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4107 expectedNextProto: "bar",
4108 expectedNextProtoType: npn,
4109 })
4110
4111 // TODO(davidben): Add tests for when False Start doesn't trigger.
4112
4113 // Client does False Start and negotiates NPN.
4114 tests = append(tests, testCase{
4115 name: "FalseStart",
4116 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4117 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4118 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4119 NextProtos: []string{"foo"},
4120 Bugs: ProtocolBugs{
4121 ExpectFalseStart: true,
4122 },
4123 },
4124 flags: []string{
4125 "-false-start",
4126 "-select-next-proto", "foo",
4127 },
4128 shimWritesFirst: true,
4129 resumeSession: true,
4130 })
4131
4132 // Client does False Start and negotiates ALPN.
4133 tests = append(tests, testCase{
4134 name: "FalseStart-ALPN",
4135 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4136 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4137 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4138 NextProtos: []string{"foo"},
4139 Bugs: ProtocolBugs{
4140 ExpectFalseStart: true,
4141 },
4142 },
4143 flags: []string{
4144 "-false-start",
4145 "-advertise-alpn", "\x03foo",
4146 },
4147 shimWritesFirst: true,
4148 resumeSession: true,
4149 })
4150
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4151 // False Start without session tickets.
4152 tests = append(tests, testCase{
4153 name: "FalseStart-SessionTicketsDisabled",
4154 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4155 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4156 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4157 NextProtos: []string{"foo"},
4158 SessionTicketsDisabled: true,
4159 Bugs: ProtocolBugs{
4160 ExpectFalseStart: true,
4161 },
4162 },
4163 flags: []string{
4164 "-false-start",
4165 "-select-next-proto", "foo",
4166 },
4167 shimWritesFirst: true,
4168 })
4169
4170 // Server parses a V2ClientHello.
4171 tests = append(tests, testCase{
4172 testType: serverTest,
4173 name: "SendV2ClientHello",
4174 config: Config{
4175 // Choose a cipher suite that does not involve
4176 // elliptic curves, so no extensions are
4177 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4178 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4179 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4180 Bugs: ProtocolBugs{
4181 SendV2ClientHello: true,
4182 },
4183 },
4184 })
4185
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4186 // Test Channel ID
4187 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4188 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4189 continue
4190 }
4191 // Client sends a Channel ID.
4192 tests = append(tests, testCase{
4193 name: "ChannelID-Client-" + ver.name,
4194 config: Config{
4195 MaxVersion: ver.version,
4196 RequestChannelID: true,
4197 },
4198 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4199 resumeSession: true,
4200 expectChannelID: true,
4201 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4202
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4203 // Server accepts a Channel ID.
4204 tests = append(tests, testCase{
4205 testType: serverTest,
4206 name: "ChannelID-Server-" + ver.name,
4207 config: Config{
4208 MaxVersion: ver.version,
4209 ChannelID: channelIDKey,
4210 },
4211 flags: []string{
4212 "-expect-channel-id",
4213 base64.StdEncoding.EncodeToString(channelIDBytes),
4214 },
4215 resumeSession: true,
4216 expectChannelID: true,
4217 })
4218
4219 tests = append(tests, testCase{
4220 testType: serverTest,
4221 name: "InvalidChannelIDSignature-" + ver.name,
4222 config: Config{
4223 MaxVersion: ver.version,
4224 ChannelID: channelIDKey,
4225 Bugs: ProtocolBugs{
4226 InvalidChannelIDSignature: true,
4227 },
4228 },
4229 flags: []string{"-enable-channel-id"},
4230 shouldFail: true,
4231 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4232 })
4233 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4234
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4235 // Channel ID and NPN at the same time, to ensure their relative
4236 // ordering is correct.
4237 tests = append(tests, testCase{
4238 name: "ChannelID-NPN-Client",
4239 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4240 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4241 RequestChannelID: true,
4242 NextProtos: []string{"foo"},
4243 },
4244 flags: []string{
4245 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4246 "-select-next-proto", "foo",
4247 },
4248 resumeSession: true,
4249 expectChannelID: true,
4250 expectedNextProto: "foo",
4251 expectedNextProtoType: npn,
4252 })
4253 tests = append(tests, testCase{
4254 testType: serverTest,
4255 name: "ChannelID-NPN-Server",
4256 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4257 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4258 ChannelID: channelIDKey,
4259 NextProtos: []string{"bar"},
4260 },
4261 flags: []string{
4262 "-expect-channel-id",
4263 base64.StdEncoding.EncodeToString(channelIDBytes),
4264 "-advertise-npn", "\x03foo\x03bar\x03baz",
4265 "-expect-next-proto", "bar",
4266 },
4267 resumeSession: true,
4268 expectChannelID: true,
4269 expectedNextProto: "bar",
4270 expectedNextProtoType: npn,
4271 })
4272
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4273 // Bidirectional shutdown with the runner initiating.
4274 tests = append(tests, testCase{
4275 name: "Shutdown-Runner",
4276 config: Config{
4277 Bugs: ProtocolBugs{
4278 ExpectCloseNotify: true,
4279 },
4280 },
4281 flags: []string{"-check-close-notify"},
4282 })
4283
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4284 if !config.implicitHandshake {
4285 // Bidirectional shutdown with the shim initiating. The runner,
4286 // in the meantime, sends garbage before the close_notify which
4287 // the shim must ignore. This test is disabled under implicit
4288 // handshake tests because the shim never reads or writes.
4289 tests = append(tests, testCase{
4290 name: "Shutdown-Shim",
4291 config: Config{
4292 MaxVersion: VersionTLS12,
4293 Bugs: ProtocolBugs{
4294 ExpectCloseNotify: true,
4295 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4296 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4297 shimShutsDown: true,
4298 sendEmptyRecords: 1,
4299 sendWarningAlerts: 1,
4300 flags: []string{"-check-close-notify"},
4301 })
4302 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4303 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4304 // TODO(davidben): DTLS 1.3 will want a similar thing for
4305 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4306 tests = append(tests, testCase{
4307 name: "SkipHelloVerifyRequest",
4308 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4309 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4310 Bugs: ProtocolBugs{
4311 SkipHelloVerifyRequest: true,
4312 },
4313 },
4314 })
4315 }
4316
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4317 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4318 test.protocol = config.protocol
4319 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4320 test.name += "-DTLS"
4321 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4322 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4323 test.name += "-Async"
4324 test.flags = append(test.flags, "-async")
4325 } else {
4326 test.name += "-Sync"
4327 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4328 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4329 test.name += "-SplitHandshakeRecords"
4330 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4331 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4332 test.config.Bugs.MaxPacketLength = 256
4333 test.flags = append(test.flags, "-mtu", "256")
4334 }
4335 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4336 if config.packHandshakeFlight {
4337 test.name += "-PackHandshakeFlight"
4338 test.config.Bugs.PackHandshakeFlight = true
4339 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4340 if config.implicitHandshake {
4341 test.name += "-ImplicitHandshake"
4342 test.flags = append(test.flags, "-implicit-handshake")
4343 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4344 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4345 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4346}
4347
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4348func addDDoSCallbackTests() {
4349 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4350 for _, resume := range []bool{false, true} {
4351 suffix := "Resume"
4352 if resume {
4353 suffix = "No" + suffix
4354 }
4355
4356 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4357 testType: serverTest,
4358 name: "Server-DDoS-OK-" + suffix,
4359 config: Config{
4360 MaxVersion: VersionTLS12,
4361 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4362 flags: []string{"-install-ddos-callback"},
4363 resumeSession: resume,
4364 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4365 testCases = append(testCases, testCase{
4366 testType: serverTest,
4367 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4368 config: Config{
4369 MaxVersion: VersionTLS13,
4370 },
4371 flags: []string{"-install-ddos-callback"},
4372 resumeSession: resume,
4373 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4374
4375 failFlag := "-fail-ddos-callback"
4376 if resume {
4377 failFlag = "-fail-second-ddos-callback"
4378 }
4379 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4380 testType: serverTest,
4381 name: "Server-DDoS-Reject-" + suffix,
4382 config: Config{
4383 MaxVersion: VersionTLS12,
4384 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4385 flags: []string{"-install-ddos-callback", failFlag},
4386 resumeSession: resume,
4387 shouldFail: true,
4388 expectedError: ":CONNECTION_REJECTED:",
4389 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4390 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4391 testCases = append(testCases, testCase{
4392 testType: serverTest,
4393 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4394 config: Config{
4395 MaxVersion: VersionTLS13,
4396 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4397 flags: []string{"-install-ddos-callback", failFlag},
4398 resumeSession: resume,
4399 shouldFail: true,
4400 expectedError: ":CONNECTION_REJECTED:",
4401 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4402 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4403 }
4404}
4405
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4406func addVersionNegotiationTests() {
4407 for i, shimVers := range tlsVersions {
4408 // Assemble flags to disable all newer versions on the shim.
4409 var flags []string
4410 for _, vers := range tlsVersions[i+1:] {
4411 flags = append(flags, vers.flag)
4412 }
4413
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4414 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4415 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4416 protocols := []protocol{tls}
4417 if runnerVers.hasDTLS && shimVers.hasDTLS {
4418 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4419 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4420 for _, protocol := range protocols {
4421 expectedVersion := shimVers.version
4422 if runnerVers.version < shimVers.version {
4423 expectedVersion = runnerVers.version
4424 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4425
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4426 suffix := shimVers.name + "-" + runnerVers.name
4427 if protocol == dtls {
4428 suffix += "-DTLS"
4429 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4430
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4431 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4432
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4433 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4434 clientVers := shimVers.version
4435 if clientVers > VersionTLS10 {
4436 clientVers = VersionTLS10
4437 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4438 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4439 serverVers := expectedVersion
4440 if expectedVersion >= VersionTLS13 {
4441 serverVers = VersionTLS10
4442 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4443 serverVers = versionToWire(serverVers, protocol == dtls)
4444
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4445 testCases = append(testCases, testCase{
4446 protocol: protocol,
4447 testType: clientTest,
4448 name: "VersionNegotiation-Client-" + suffix,
4449 config: Config{
4450 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4451 Bugs: ProtocolBugs{
4452 ExpectInitialRecordVersion: clientVers,
4453 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4454 },
4455 flags: flags,
4456 expectedVersion: expectedVersion,
4457 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4458 testCases = append(testCases, testCase{
4459 protocol: protocol,
4460 testType: clientTest,
4461 name: "VersionNegotiation-Client2-" + suffix,
4462 config: Config{
4463 MaxVersion: runnerVers.version,
4464 Bugs: ProtocolBugs{
4465 ExpectInitialRecordVersion: clientVers,
4466 },
4467 },
4468 flags: []string{"-max-version", shimVersFlag},
4469 expectedVersion: expectedVersion,
4470 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4471
4472 testCases = append(testCases, testCase{
4473 protocol: protocol,
4474 testType: serverTest,
4475 name: "VersionNegotiation-Server-" + suffix,
4476 config: Config{
4477 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4478 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4479 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4480 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4481 },
4482 flags: flags,
4483 expectedVersion: expectedVersion,
4484 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4485 testCases = append(testCases, testCase{
4486 protocol: protocol,
4487 testType: serverTest,
4488 name: "VersionNegotiation-Server2-" + suffix,
4489 config: Config{
4490 MaxVersion: runnerVers.version,
4491 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4492 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4493 },
4494 },
4495 flags: []string{"-max-version", shimVersFlag},
4496 expectedVersion: expectedVersion,
4497 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4498 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4499 }
4500 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4501
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4502 // Test the version extension at all versions.
4503 for _, vers := range tlsVersions {
4504 protocols := []protocol{tls}
4505 if vers.hasDTLS {
4506 protocols = append(protocols, dtls)
4507 }
4508 for _, protocol := range protocols {
4509 suffix := vers.name
4510 if protocol == dtls {
4511 suffix += "-DTLS"
4512 }
4513
4514 wireVersion := versionToWire(vers.version, protocol == dtls)
4515 testCases = append(testCases, testCase{
4516 protocol: protocol,
4517 testType: serverTest,
4518 name: "VersionNegotiationExtension-" + suffix,
4519 config: Config{
4520 Bugs: ProtocolBugs{
4521 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4522 },
4523 },
4524 expectedVersion: vers.version,
4525 })
4526 }
4527
4528 }
4529
4530 // If all versions are unknown, negotiation fails.
4531 testCases = append(testCases, testCase{
4532 testType: serverTest,
4533 name: "NoSupportedVersions",
4534 config: Config{
4535 Bugs: ProtocolBugs{
4536 SendSupportedVersions: []uint16{0x1111},
4537 },
4538 },
4539 shouldFail: true,
4540 expectedError: ":UNSUPPORTED_PROTOCOL:",
4541 })
4542 testCases = append(testCases, testCase{
4543 protocol: dtls,
4544 testType: serverTest,
4545 name: "NoSupportedVersions-DTLS",
4546 config: Config{
4547 Bugs: ProtocolBugs{
4548 SendSupportedVersions: []uint16{0x1111},
4549 },
4550 },
4551 shouldFail: true,
4552 expectedError: ":UNSUPPORTED_PROTOCOL:",
4553 })
4554
4555 testCases = append(testCases, testCase{
4556 testType: serverTest,
4557 name: "ClientHelloVersionTooHigh",
4558 config: Config{
4559 MaxVersion: VersionTLS13,
4560 Bugs: ProtocolBugs{
4561 SendClientVersion: 0x0304,
4562 OmitSupportedVersions: true,
4563 },
4564 },
4565 expectedVersion: VersionTLS12,
4566 })
4567
4568 testCases = append(testCases, testCase{
4569 testType: serverTest,
4570 name: "ConflictingVersionNegotiation",
4571 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4572 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4573 SendClientVersion: VersionTLS12,
4574 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4575 },
4576 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4577 // The extension takes precedence over the ClientHello version.
4578 expectedVersion: VersionTLS11,
4579 })
4580
4581 testCases = append(testCases, testCase{
4582 testType: serverTest,
4583 name: "ConflictingVersionNegotiation-2",
4584 config: Config{
4585 Bugs: ProtocolBugs{
4586 SendClientVersion: VersionTLS11,
4587 SendSupportedVersions: []uint16{VersionTLS12},
4588 },
4589 },
4590 // The extension takes precedence over the ClientHello version.
4591 expectedVersion: VersionTLS12,
4592 })
4593
4594 testCases = append(testCases, testCase{
4595 testType: serverTest,
4596 name: "RejectFinalTLS13",
4597 config: Config{
4598 Bugs: ProtocolBugs{
4599 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4600 },
4601 },
4602 // We currently implement a draft TLS 1.3 version. Ensure that
4603 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4604 expectedVersion: VersionTLS12,
4605 })
4606
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4607 // Test that the maximum version is selected regardless of the
4608 // client-sent order.
4609 testCases = append(testCases, testCase{
4610 testType: serverTest,
4611 name: "IgnoreClientVersionOrder",
4612 config: Config{
4613 Bugs: ProtocolBugs{
4614 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4615 },
4616 },
4617 expectedVersion: VersionTLS13,
4618 })
4619
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4620 // Test for version tolerance.
4621 testCases = append(testCases, testCase{
4622 testType: serverTest,
4623 name: "MinorVersionTolerance",
4624 config: Config{
4625 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4626 SendClientVersion: 0x03ff,
4627 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4628 },
4629 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4630 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4631 })
4632 testCases = append(testCases, testCase{
4633 testType: serverTest,
4634 name: "MajorVersionTolerance",
4635 config: Config{
4636 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4637 SendClientVersion: 0x0400,
4638 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4639 },
4640 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4641 // TLS 1.3 must be negotiated with the supported_versions
4642 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4643 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4644 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4645 testCases = append(testCases, testCase{
4646 testType: serverTest,
4647 name: "VersionTolerance-TLS13",
4648 config: Config{
4649 Bugs: ProtocolBugs{
4650 // Although TLS 1.3 does not use
4651 // ClientHello.version, it still tolerates high
4652 // values there.
4653 SendClientVersion: 0x0400,
4654 },
4655 },
4656 expectedVersion: VersionTLS13,
4657 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4658
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4659 testCases = append(testCases, testCase{
4660 protocol: dtls,
4661 testType: serverTest,
4662 name: "MinorVersionTolerance-DTLS",
4663 config: Config{
4664 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4665 SendClientVersion: 0xfe00,
4666 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4667 },
4668 },
4669 expectedVersion: VersionTLS12,
4670 })
4671 testCases = append(testCases, testCase{
4672 protocol: dtls,
4673 testType: serverTest,
4674 name: "MajorVersionTolerance-DTLS",
4675 config: Config{
4676 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4677 SendClientVersion: 0xfdff,
4678 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4679 },
4680 },
4681 expectedVersion: VersionTLS12,
4682 })
4683
4684 // Test that versions below 3.0 are rejected.
4685 testCases = append(testCases, testCase{
4686 testType: serverTest,
4687 name: "VersionTooLow",
4688 config: Config{
4689 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4690 SendClientVersion: 0x0200,
4691 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4692 },
4693 },
4694 shouldFail: true,
4695 expectedError: ":UNSUPPORTED_PROTOCOL:",
4696 })
4697 testCases = append(testCases, testCase{
4698 protocol: dtls,
4699 testType: serverTest,
4700 name: "VersionTooLow-DTLS",
4701 config: Config{
4702 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4703 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4704 },
4705 },
4706 shouldFail: true,
4707 expectedError: ":UNSUPPORTED_PROTOCOL:",
4708 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4709
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4710 testCases = append(testCases, testCase{
4711 name: "ServerBogusVersion",
4712 config: Config{
4713 Bugs: ProtocolBugs{
4714 SendServerHelloVersion: 0x1234,
4715 },
4716 },
4717 shouldFail: true,
4718 expectedError: ":UNSUPPORTED_PROTOCOL:",
4719 })
4720
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4721 // Test TLS 1.3's downgrade signal.
4722 testCases = append(testCases, testCase{
4723 name: "Downgrade-TLS12-Client",
4724 config: Config{
4725 Bugs: ProtocolBugs{
4726 NegotiateVersion: VersionTLS12,
4727 },
4728 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4729 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4730 // TODO(davidben): This test should fail once TLS 1.3 is final
4731 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4732 })
4733 testCases = append(testCases, testCase{
4734 testType: serverTest,
4735 name: "Downgrade-TLS12-Server",
4736 config: Config{
4737 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4738 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4739 },
4740 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4741 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4742 // TODO(davidben): This test should fail once TLS 1.3 is final
4743 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4744 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4745}
4746
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4747func addMinimumVersionTests() {
4748 for i, shimVers := range tlsVersions {
4749 // Assemble flags to disable all older versions on the shim.
4750 var flags []string
4751 for _, vers := range tlsVersions[:i] {
4752 flags = append(flags, vers.flag)
4753 }
4754
4755 for _, runnerVers := range tlsVersions {
4756 protocols := []protocol{tls}
4757 if runnerVers.hasDTLS && shimVers.hasDTLS {
4758 protocols = append(protocols, dtls)
4759 }
4760 for _, protocol := range protocols {
4761 suffix := shimVers.name + "-" + runnerVers.name
4762 if protocol == dtls {
4763 suffix += "-DTLS"
4764 }
4765 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4766
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4767 var expectedVersion uint16
4768 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4769 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4770 if runnerVers.version >= shimVers.version {
4771 expectedVersion = runnerVers.version
4772 } else {
4773 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4774 expectedError = ":UNSUPPORTED_PROTOCOL:"
4775 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4776 }
4777
4778 testCases = append(testCases, testCase{
4779 protocol: protocol,
4780 testType: clientTest,
4781 name: "MinimumVersion-Client-" + suffix,
4782 config: Config{
4783 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4784 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4785 // Ensure the server does not decline to
4786 // select a version (versions extension) or
4787 // cipher (some ciphers depend on versions).
4788 NegotiateVersion: runnerVers.version,
4789 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4790 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4791 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4792 flags: flags,
4793 expectedVersion: expectedVersion,
4794 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4795 expectedError: expectedError,
4796 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4797 })
4798 testCases = append(testCases, testCase{
4799 protocol: protocol,
4800 testType: clientTest,
4801 name: "MinimumVersion-Client2-" + suffix,
4802 config: Config{
4803 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4804 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4805 // Ensure the server does not decline to
4806 // select a version (versions extension) or
4807 // cipher (some ciphers depend on versions).
4808 NegotiateVersion: runnerVers.version,
4809 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4810 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4811 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4812 flags: []string{"-min-version", shimVersFlag},
4813 expectedVersion: expectedVersion,
4814 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4815 expectedError: expectedError,
4816 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4817 })
4818
4819 testCases = append(testCases, testCase{
4820 protocol: protocol,
4821 testType: serverTest,
4822 name: "MinimumVersion-Server-" + suffix,
4823 config: Config{
4824 MaxVersion: runnerVers.version,
4825 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4826 flags: flags,
4827 expectedVersion: expectedVersion,
4828 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4829 expectedError: expectedError,
4830 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4831 })
4832 testCases = append(testCases, testCase{
4833 protocol: protocol,
4834 testType: serverTest,
4835 name: "MinimumVersion-Server2-" + suffix,
4836 config: Config{
4837 MaxVersion: runnerVers.version,
4838 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4839 flags: []string{"-min-version", shimVersFlag},
4840 expectedVersion: expectedVersion,
4841 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4842 expectedError: expectedError,
4843 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4844 })
4845 }
4846 }
4847 }
4848}
4849
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4850func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4851 // TODO(davidben): Extensions, where applicable, all move their server
4852 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4853 // tests for both. Also test interaction with 0-RTT when implemented.
4854
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4855 // Repeat extensions tests all versions except SSL 3.0.
4856 for _, ver := range tlsVersions {
4857 if ver.version == VersionSSL30 {
4858 continue
4859 }
4860
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4861 // Test that duplicate extensions are rejected.
4862 testCases = append(testCases, testCase{
4863 testType: clientTest,
4864 name: "DuplicateExtensionClient-" + ver.name,
4865 config: Config{
4866 MaxVersion: ver.version,
4867 Bugs: ProtocolBugs{
4868 DuplicateExtension: true,
4869 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4870 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4871 shouldFail: true,
4872 expectedLocalError: "remote error: error decoding message",
4873 })
4874 testCases = append(testCases, testCase{
4875 testType: serverTest,
4876 name: "DuplicateExtensionServer-" + ver.name,
4877 config: Config{
4878 MaxVersion: ver.version,
4879 Bugs: ProtocolBugs{
4880 DuplicateExtension: true,
4881 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4882 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4883 shouldFail: true,
4884 expectedLocalError: "remote error: error decoding message",
4885 })
4886
4887 // Test SNI.
4888 testCases = append(testCases, testCase{
4889 testType: clientTest,
4890 name: "ServerNameExtensionClient-" + ver.name,
4891 config: Config{
4892 MaxVersion: ver.version,
4893 Bugs: ProtocolBugs{
4894 ExpectServerName: "example.com",
4895 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4896 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4897 flags: []string{"-host-name", "example.com"},
4898 })
4899 testCases = append(testCases, testCase{
4900 testType: clientTest,
4901 name: "ServerNameExtensionClientMismatch-" + ver.name,
4902 config: Config{
4903 MaxVersion: ver.version,
4904 Bugs: ProtocolBugs{
4905 ExpectServerName: "mismatch.com",
4906 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4907 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4908 flags: []string{"-host-name", "example.com"},
4909 shouldFail: true,
4910 expectedLocalError: "tls: unexpected server name",
4911 })
4912 testCases = append(testCases, testCase{
4913 testType: clientTest,
4914 name: "ServerNameExtensionClientMissing-" + ver.name,
4915 config: Config{
4916 MaxVersion: ver.version,
4917 Bugs: ProtocolBugs{
4918 ExpectServerName: "missing.com",
4919 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4920 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4921 shouldFail: true,
4922 expectedLocalError: "tls: unexpected server name",
4923 })
4924 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4925 testType: clientTest,
4926 name: "TolerateServerNameAck-" + ver.name,
4927 config: Config{
4928 MaxVersion: ver.version,
4929 Bugs: ProtocolBugs{
4930 SendServerNameAck: true,
4931 },
4932 },
4933 flags: []string{"-host-name", "example.com"},
4934 resumeSession: true,
4935 })
4936 testCases = append(testCases, testCase{
4937 testType: clientTest,
4938 name: "UnsolicitedServerNameAck-" + ver.name,
4939 config: Config{
4940 MaxVersion: ver.version,
4941 Bugs: ProtocolBugs{
4942 SendServerNameAck: true,
4943 },
4944 },
4945 shouldFail: true,
4946 expectedError: ":UNEXPECTED_EXTENSION:",
4947 expectedLocalError: "remote error: unsupported extension",
4948 })
4949 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4950 testType: serverTest,
4951 name: "ServerNameExtensionServer-" + ver.name,
4952 config: Config{
4953 MaxVersion: ver.version,
4954 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4955 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4956 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4957 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4958 })
4959
4960 // Test ALPN.
4961 testCases = append(testCases, testCase{
4962 testType: clientTest,
4963 name: "ALPNClient-" + ver.name,
4964 config: Config{
4965 MaxVersion: ver.version,
4966 NextProtos: []string{"foo"},
4967 },
4968 flags: []string{
4969 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4970 "-expect-alpn", "foo",
4971 },
4972 expectedNextProto: "foo",
4973 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4974 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4975 })
4976 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4977 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4978 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4979 config: Config{
4980 MaxVersion: ver.version,
4981 Bugs: ProtocolBugs{
4982 SendALPN: "baz",
4983 },
4984 },
4985 flags: []string{
4986 "-advertise-alpn", "\x03foo\x03bar",
4987 },
4988 shouldFail: true,
4989 expectedError: ":INVALID_ALPN_PROTOCOL:",
4990 expectedLocalError: "remote error: illegal parameter",
4991 })
4992 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4993 testType: clientTest,
4994 name: "ALPNClient-AllowUnknown-" + ver.name,
4995 config: Config{
4996 MaxVersion: ver.version,
4997 Bugs: ProtocolBugs{
4998 SendALPN: "baz",
4999 },
5000 },
5001 flags: []string{
5002 "-advertise-alpn", "\x03foo\x03bar",
5003 "-allow-unknown-alpn-protos",
5004 },
5005 })
5006 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5007 testType: serverTest,
5008 name: "ALPNServer-" + ver.name,
5009 config: Config{
5010 MaxVersion: ver.version,
5011 NextProtos: []string{"foo", "bar", "baz"},
5012 },
5013 flags: []string{
5014 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5015 "-select-alpn", "foo",
5016 },
5017 expectedNextProto: "foo",
5018 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5019 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5020 })
5021 testCases = append(testCases, testCase{
5022 testType: serverTest,
5023 name: "ALPNServer-Decline-" + ver.name,
5024 config: Config{
5025 MaxVersion: ver.version,
5026 NextProtos: []string{"foo", "bar", "baz"},
5027 },
5028 flags: []string{"-decline-alpn"},
5029 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5030 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5031 })
5032
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5033 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5034 // called once.
5035 testCases = append(testCases, testCase{
5036 testType: serverTest,
5037 name: "ALPNServer-Async-" + ver.name,
5038 config: Config{
5039 MaxVersion: ver.version,
5040 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5041 // Prior to TLS 1.3, exercise the asynchronous session callback.
5042 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5043 },
5044 flags: []string{
5045 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5046 "-select-alpn", "foo",
5047 "-async",
5048 },
5049 expectedNextProto: "foo",
5050 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5051 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5052 })
5053
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5054 var emptyString string
5055 testCases = append(testCases, testCase{
5056 testType: clientTest,
5057 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5058 config: Config{
5059 MaxVersion: ver.version,
5060 NextProtos: []string{""},
5061 Bugs: ProtocolBugs{
5062 // A server returning an empty ALPN protocol
5063 // should be rejected.
5064 ALPNProtocol: &emptyString,
5065 },
5066 },
5067 flags: []string{
5068 "-advertise-alpn", "\x03foo",
5069 },
5070 shouldFail: true,
5071 expectedError: ":PARSE_TLSEXT:",
5072 })
5073 testCases = append(testCases, testCase{
5074 testType: serverTest,
5075 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5076 config: Config{
5077 MaxVersion: ver.version,
5078 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5079 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5080 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5081 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5082 flags: []string{
5083 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5084 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5085 shouldFail: true,
5086 expectedError: ":PARSE_TLSEXT:",
5087 })
5088
5089 // Test NPN and the interaction with ALPN.
5090 if ver.version < VersionTLS13 {
5091 // Test that the server prefers ALPN over NPN.
5092 testCases = append(testCases, testCase{
5093 testType: serverTest,
5094 name: "ALPNServer-Preferred-" + ver.name,
5095 config: Config{
5096 MaxVersion: ver.version,
5097 NextProtos: []string{"foo", "bar", "baz"},
5098 },
5099 flags: []string{
5100 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5101 "-select-alpn", "foo",
5102 "-advertise-npn", "\x03foo\x03bar\x03baz",
5103 },
5104 expectedNextProto: "foo",
5105 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5106 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5107 })
5108 testCases = append(testCases, testCase{
5109 testType: serverTest,
5110 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5111 config: Config{
5112 MaxVersion: ver.version,
5113 NextProtos: []string{"foo", "bar", "baz"},
5114 Bugs: ProtocolBugs{
5115 SwapNPNAndALPN: true,
5116 },
5117 },
5118 flags: []string{
5119 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5120 "-select-alpn", "foo",
5121 "-advertise-npn", "\x03foo\x03bar\x03baz",
5122 },
5123 expectedNextProto: "foo",
5124 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5125 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5126 })
5127
5128 // Test that negotiating both NPN and ALPN is forbidden.
5129 testCases = append(testCases, testCase{
5130 name: "NegotiateALPNAndNPN-" + ver.name,
5131 config: Config{
5132 MaxVersion: ver.version,
5133 NextProtos: []string{"foo", "bar", "baz"},
5134 Bugs: ProtocolBugs{
5135 NegotiateALPNAndNPN: true,
5136 },
5137 },
5138 flags: []string{
5139 "-advertise-alpn", "\x03foo",
5140 "-select-next-proto", "foo",
5141 },
5142 shouldFail: true,
5143 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5144 })
5145 testCases = append(testCases, testCase{
5146 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5147 config: Config{
5148 MaxVersion: ver.version,
5149 NextProtos: []string{"foo", "bar", "baz"},
5150 Bugs: ProtocolBugs{
5151 NegotiateALPNAndNPN: true,
5152 SwapNPNAndALPN: true,
5153 },
5154 },
5155 flags: []string{
5156 "-advertise-alpn", "\x03foo",
5157 "-select-next-proto", "foo",
5158 },
5159 shouldFail: true,
5160 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5161 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5162 }
5163
5164 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5165
5166 // Resume with a corrupt ticket.
5167 testCases = append(testCases, testCase{
5168 testType: serverTest,
5169 name: "CorruptTicket-" + ver.name,
5170 config: Config{
5171 MaxVersion: ver.version,
5172 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5173 FilterTicket: func(in []byte) ([]byte, error) {
5174 in[len(in)-1] ^= 1
5175 return in, nil
5176 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5177 },
5178 },
5179 resumeSession: true,
5180 expectResumeRejected: true,
5181 })
5182 // Test the ticket callback, with and without renewal.
5183 testCases = append(testCases, testCase{
5184 testType: serverTest,
5185 name: "TicketCallback-" + ver.name,
5186 config: Config{
5187 MaxVersion: ver.version,
5188 },
5189 resumeSession: true,
5190 flags: []string{"-use-ticket-callback"},
5191 })
5192 testCases = append(testCases, testCase{
5193 testType: serverTest,
5194 name: "TicketCallback-Renew-" + ver.name,
5195 config: Config{
5196 MaxVersion: ver.version,
5197 Bugs: ProtocolBugs{
5198 ExpectNewTicket: true,
5199 },
5200 },
5201 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5202 resumeSession: true,
5203 })
5204
5205 // Test that the ticket callback is only called once when everything before
5206 // it in the ClientHello is asynchronous. This corrupts the ticket so
5207 // certificate selection callbacks run.
5208 testCases = append(testCases, testCase{
5209 testType: serverTest,
5210 name: "TicketCallback-SingleCall-" + ver.name,
5211 config: Config{
5212 MaxVersion: ver.version,
5213 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5214 FilterTicket: func(in []byte) ([]byte, error) {
5215 in[len(in)-1] ^= 1
5216 return in, nil
5217 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5218 },
5219 },
5220 resumeSession: true,
5221 expectResumeRejected: true,
5222 flags: []string{
5223 "-use-ticket-callback",
5224 "-async",
5225 },
5226 })
5227
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5228 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5229 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5230 testCases = append(testCases, testCase{
5231 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5232 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5233 config: Config{
5234 MaxVersion: ver.version,
5235 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5236 EmptyTicketSessionID: true,
5237 },
5238 },
5239 resumeSession: true,
5240 })
5241 testCases = append(testCases, testCase{
5242 testType: serverTest,
5243 name: "TicketSessionIDLength-16-" + ver.name,
5244 config: Config{
5245 MaxVersion: ver.version,
5246 Bugs: ProtocolBugs{
5247 TicketSessionIDLength: 16,
5248 },
5249 },
5250 resumeSession: true,
5251 })
5252 testCases = append(testCases, testCase{
5253 testType: serverTest,
5254 name: "TicketSessionIDLength-32-" + ver.name,
5255 config: Config{
5256 MaxVersion: ver.version,
5257 Bugs: ProtocolBugs{
5258 TicketSessionIDLength: 32,
5259 },
5260 },
5261 resumeSession: true,
5262 })
5263 testCases = append(testCases, testCase{
5264 testType: serverTest,
5265 name: "TicketSessionIDLength-33-" + ver.name,
5266 config: Config{
5267 MaxVersion: ver.version,
5268 Bugs: ProtocolBugs{
5269 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5270 },
5271 },
5272 resumeSession: true,
5273 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5274 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5275 expectedError: ":DECODE_ERROR:",
5276 })
5277 }
5278
5279 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5280 // are ignored.
5281 if ver.hasDTLS {
5282 testCases = append(testCases, testCase{
5283 protocol: dtls,
5284 name: "SRTP-Client-" + ver.name,
5285 config: Config{
5286 MaxVersion: ver.version,
5287 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5288 },
5289 flags: []string{
5290 "-srtp-profiles",
5291 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5292 },
5293 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5294 })
5295 testCases = append(testCases, testCase{
5296 protocol: dtls,
5297 testType: serverTest,
5298 name: "SRTP-Server-" + ver.name,
5299 config: Config{
5300 MaxVersion: ver.version,
5301 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5302 },
5303 flags: []string{
5304 "-srtp-profiles",
5305 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5306 },
5307 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5308 })
5309 // Test that the MKI is ignored.
5310 testCases = append(testCases, testCase{
5311 protocol: dtls,
5312 testType: serverTest,
5313 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5314 config: Config{
5315 MaxVersion: ver.version,
5316 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5317 Bugs: ProtocolBugs{
5318 SRTPMasterKeyIdentifer: "bogus",
5319 },
5320 },
5321 flags: []string{
5322 "-srtp-profiles",
5323 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5324 },
5325 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5326 })
5327 // Test that SRTP isn't negotiated on the server if there were
5328 // no matching profiles.
5329 testCases = append(testCases, testCase{
5330 protocol: dtls,
5331 testType: serverTest,
5332 name: "SRTP-Server-NoMatch-" + ver.name,
5333 config: Config{
5334 MaxVersion: ver.version,
5335 SRTPProtectionProfiles: []uint16{100, 101, 102},
5336 },
5337 flags: []string{
5338 "-srtp-profiles",
5339 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5340 },
5341 expectedSRTPProtectionProfile: 0,
5342 })
5343 // Test that the server returning an invalid SRTP profile is
5344 // flagged as an error by the client.
5345 testCases = append(testCases, testCase{
5346 protocol: dtls,
5347 name: "SRTP-Client-NoMatch-" + ver.name,
5348 config: Config{
5349 MaxVersion: ver.version,
5350 Bugs: ProtocolBugs{
5351 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5352 },
5353 },
5354 flags: []string{
5355 "-srtp-profiles",
5356 "SRTP_AES128_CM_SHA1_80",
5357 },
5358 shouldFail: true,
5359 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5360 })
5361 }
5362
5363 // Test SCT list.
5364 testCases = append(testCases, testCase{
5365 name: "SignedCertificateTimestampList-Client-" + ver.name,
5366 testType: clientTest,
5367 config: Config{
5368 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5369 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5370 flags: []string{
5371 "-enable-signed-cert-timestamps",
5372 "-expect-signed-cert-timestamps",
5373 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5374 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5375 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5376 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5377
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5378 var differentSCTList []byte
5379 differentSCTList = append(differentSCTList, testSCTList...)
5380 differentSCTList[len(differentSCTList)-1] ^= 1
5381
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5382 // The SCT extension did not specify that it must only be sent on resumption as it
5383 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5384 testCases = append(testCases, testCase{
5385 name: "SendSCTListOnResume-" + ver.name,
5386 config: Config{
5387 MaxVersion: ver.version,
5388 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5389 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5390 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5391 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5392 flags: []string{
5393 "-enable-signed-cert-timestamps",
5394 "-expect-signed-cert-timestamps",
5395 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5396 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5397 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5398 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5399
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5400 testCases = append(testCases, testCase{
5401 name: "SignedCertificateTimestampList-Server-" + ver.name,
5402 testType: serverTest,
5403 config: Config{
5404 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5405 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5406 flags: []string{
5407 "-signed-cert-timestamps",
5408 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5409 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5410 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5411 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5412 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5413
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5414 emptySCTListCert := *testCerts[0].cert
5415 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5416
5417 // Test empty SCT list.
5418 testCases = append(testCases, testCase{
5419 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5420 testType: clientTest,
5421 config: Config{
5422 MaxVersion: ver.version,
5423 Certificates: []Certificate{emptySCTListCert},
5424 },
5425 flags: []string{
5426 "-enable-signed-cert-timestamps",
5427 },
5428 shouldFail: true,
5429 expectedError: ":ERROR_PARSING_EXTENSION:",
5430 })
5431
5432 emptySCTCert := *testCerts[0].cert
5433 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5434
5435 // Test empty SCT in non-empty list.
5436 testCases = append(testCases, testCase{
5437 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5438 testType: clientTest,
5439 config: Config{
5440 MaxVersion: ver.version,
5441 Certificates: []Certificate{emptySCTCert},
5442 },
5443 flags: []string{
5444 "-enable-signed-cert-timestamps",
5445 },
5446 shouldFail: true,
5447 expectedError: ":ERROR_PARSING_EXTENSION:",
5448 })
5449
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5450 // Test that certificate-related extensions are not sent unsolicited.
5451 testCases = append(testCases, testCase{
5452 testType: serverTest,
5453 name: "UnsolicitedCertificateExtensions-" + ver.name,
5454 config: Config{
5455 MaxVersion: ver.version,
5456 Bugs: ProtocolBugs{
5457 NoOCSPStapling: true,
5458 NoSignedCertificateTimestamps: true,
5459 },
5460 },
5461 flags: []string{
5462 "-ocsp-response",
5463 base64.StdEncoding.EncodeToString(testOCSPResponse),
5464 "-signed-cert-timestamps",
5465 base64.StdEncoding.EncodeToString(testSCTList),
5466 },
5467 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5468 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5469
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5470 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5471 testType: clientTest,
5472 name: "ClientHelloPadding",
5473 config: Config{
5474 Bugs: ProtocolBugs{
5475 RequireClientHelloSize: 512,
5476 },
5477 },
5478 // This hostname just needs to be long enough to push the
5479 // ClientHello into F5's danger zone between 256 and 511 bytes
5480 // long.
5481 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5482 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5483
5484 // Extensions should not function in SSL 3.0.
5485 testCases = append(testCases, testCase{
5486 testType: serverTest,
5487 name: "SSLv3Extensions-NoALPN",
5488 config: Config{
5489 MaxVersion: VersionSSL30,
5490 NextProtos: []string{"foo", "bar", "baz"},
5491 },
5492 flags: []string{
5493 "-select-alpn", "foo",
5494 },
5495 expectNoNextProto: true,
5496 })
5497
5498 // Test session tickets separately as they follow a different codepath.
5499 testCases = append(testCases, testCase{
5500 testType: serverTest,
5501 name: "SSLv3Extensions-NoTickets",
5502 config: Config{
5503 MaxVersion: VersionSSL30,
5504 Bugs: ProtocolBugs{
5505 // Historically, session tickets in SSL 3.0
5506 // failed in different ways depending on whether
5507 // the client supported renegotiation_info.
5508 NoRenegotiationInfo: true,
5509 },
5510 },
5511 resumeSession: true,
5512 })
5513 testCases = append(testCases, testCase{
5514 testType: serverTest,
5515 name: "SSLv3Extensions-NoTickets2",
5516 config: Config{
5517 MaxVersion: VersionSSL30,
5518 },
5519 resumeSession: true,
5520 })
5521
5522 // But SSL 3.0 does send and process renegotiation_info.
5523 testCases = append(testCases, testCase{
5524 testType: serverTest,
5525 name: "SSLv3Extensions-RenegotiationInfo",
5526 config: Config{
5527 MaxVersion: VersionSSL30,
5528 Bugs: ProtocolBugs{
5529 RequireRenegotiationInfo: true,
5530 },
5531 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5532 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5533 })
5534 testCases = append(testCases, testCase{
5535 testType: serverTest,
5536 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5537 config: Config{
5538 MaxVersion: VersionSSL30,
5539 Bugs: ProtocolBugs{
5540 NoRenegotiationInfo: true,
5541 SendRenegotiationSCSV: true,
5542 RequireRenegotiationInfo: true,
5543 },
5544 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5545 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5546 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5547
5548 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5549 // in ServerHello.
5550 testCases = append(testCases, testCase{
5551 name: "NPN-Forbidden-TLS13",
5552 config: Config{
5553 MaxVersion: VersionTLS13,
5554 NextProtos: []string{"foo"},
5555 Bugs: ProtocolBugs{
5556 NegotiateNPNAtAllVersions: true,
5557 },
5558 },
5559 flags: []string{"-select-next-proto", "foo"},
5560 shouldFail: true,
5561 expectedError: ":ERROR_PARSING_EXTENSION:",
5562 })
5563 testCases = append(testCases, testCase{
5564 name: "EMS-Forbidden-TLS13",
5565 config: Config{
5566 MaxVersion: VersionTLS13,
5567 Bugs: ProtocolBugs{
5568 NegotiateEMSAtAllVersions: true,
5569 },
5570 },
5571 shouldFail: true,
5572 expectedError: ":ERROR_PARSING_EXTENSION:",
5573 })
5574 testCases = append(testCases, testCase{
5575 name: "RenegotiationInfo-Forbidden-TLS13",
5576 config: Config{
5577 MaxVersion: VersionTLS13,
5578 Bugs: ProtocolBugs{
5579 NegotiateRenegotiationInfoAtAllVersions: true,
5580 },
5581 },
5582 shouldFail: true,
5583 expectedError: ":ERROR_PARSING_EXTENSION:",
5584 })
5585 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5586 name: "Ticket-Forbidden-TLS13",
5587 config: Config{
5588 MaxVersion: VersionTLS12,
5589 },
5590 resumeConfig: &Config{
5591 MaxVersion: VersionTLS13,
5592 Bugs: ProtocolBugs{
5593 AdvertiseTicketExtension: true,
5594 },
5595 },
5596 resumeSession: true,
5597 shouldFail: true,
5598 expectedError: ":ERROR_PARSING_EXTENSION:",
5599 })
5600
5601 // Test that illegal extensions in TLS 1.3 are declined by the server if
5602 // offered in ClientHello. The runner's server will fail if this occurs,
5603 // so we exercise the offering path. (EMS and Renegotiation Info are
5604 // implicit in every test.)
5605 testCases = append(testCases, testCase{
5606 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5607 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5608 config: Config{
5609 MaxVersion: VersionTLS13,
5610 NextProtos: []string{"bar"},
5611 },
5612 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5613 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5614
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5615 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5616 // tolerated.
5617 testCases = append(testCases, testCase{
5618 name: "SendOCSPResponseOnResume-TLS12",
5619 config: Config{
5620 MaxVersion: VersionTLS12,
5621 Bugs: ProtocolBugs{
5622 SendOCSPResponseOnResume: []byte("bogus"),
5623 },
5624 },
5625 flags: []string{
5626 "-enable-ocsp-stapling",
5627 "-expect-ocsp-response",
5628 base64.StdEncoding.EncodeToString(testOCSPResponse),
5629 },
5630 resumeSession: true,
5631 })
5632
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5633 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5634 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5635 config: Config{
5636 MaxVersion: VersionTLS13,
5637 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5638 SendExtensionOnCertificate: testOCSPExtension,
5639 },
5640 },
5641 shouldFail: true,
5642 expectedError: ":UNEXPECTED_EXTENSION:",
5643 })
5644
5645 testCases = append(testCases, testCase{
5646 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5647 config: Config{
5648 MaxVersion: VersionTLS13,
5649 Bugs: ProtocolBugs{
5650 SendExtensionOnCertificate: testSCTExtension,
5651 },
5652 },
5653 shouldFail: true,
5654 expectedError: ":UNEXPECTED_EXTENSION:",
5655 })
5656
5657 // Test that extensions on client certificates are never accepted.
5658 testCases = append(testCases, testCase{
5659 name: "SendExtensionOnClientCertificate-TLS13",
5660 testType: serverTest,
5661 config: Config{
5662 MaxVersion: VersionTLS13,
5663 Certificates: []Certificate{rsaCertificate},
5664 Bugs: ProtocolBugs{
5665 SendExtensionOnCertificate: testOCSPExtension,
5666 },
5667 },
5668 flags: []string{
5669 "-enable-ocsp-stapling",
5670 "-require-any-client-certificate",
5671 },
5672 shouldFail: true,
5673 expectedError: ":UNEXPECTED_EXTENSION:",
5674 })
5675
5676 testCases = append(testCases, testCase{
5677 name: "SendUnknownExtensionOnCertificate-TLS13",
5678 config: Config{
5679 MaxVersion: VersionTLS13,
5680 Bugs: ProtocolBugs{
5681 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5682 },
5683 },
5684 shouldFail: true,
5685 expectedError: ":UNEXPECTED_EXTENSION:",
5686 })
5687
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5688 var differentSCTList []byte
5689 differentSCTList = append(differentSCTList, testSCTList...)
5690 differentSCTList[len(differentSCTList)-1] ^= 1
5691
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5692 // Test that extensions on intermediates are allowed but ignored.
5693 testCases = append(testCases, testCase{
5694 name: "IgnoreExtensionsOnIntermediates-TLS13",
5695 config: Config{
5696 MaxVersion: VersionTLS13,
5697 Certificates: []Certificate{rsaChainCertificate},
5698 Bugs: ProtocolBugs{
5699 // Send different values on the intermediate. This tests
5700 // the intermediate's extensions do not override the
5701 // leaf's.
5702 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5703 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5704 },
5705 },
5706 flags: []string{
5707 "-enable-ocsp-stapling",
5708 "-expect-ocsp-response",
5709 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5710 "-enable-signed-cert-timestamps",
5711 "-expect-signed-cert-timestamps",
5712 base64.StdEncoding.EncodeToString(testSCTList),
5713 },
5714 resumeSession: true,
5715 })
5716
5717 // Test that extensions are not sent on intermediates when configured
5718 // only for a leaf.
5719 testCases = append(testCases, testCase{
5720 testType: serverTest,
5721 name: "SendNoExtensionsOnIntermediate-TLS13",
5722 config: Config{
5723 MaxVersion: VersionTLS13,
5724 Bugs: ProtocolBugs{
5725 ExpectNoExtensionsOnIntermediate: true,
5726 },
5727 },
5728 flags: []string{
5729 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5730 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5731 "-ocsp-response",
5732 base64.StdEncoding.EncodeToString(testOCSPResponse),
5733 "-signed-cert-timestamps",
5734 base64.StdEncoding.EncodeToString(testSCTList),
5735 },
5736 })
5737
5738 // Test that extensions are not sent on client certificates.
5739 testCases = append(testCases, testCase{
5740 name: "SendNoClientCertificateExtensions-TLS13",
5741 config: Config{
5742 MaxVersion: VersionTLS13,
5743 ClientAuth: RequireAnyClientCert,
5744 },
5745 flags: []string{
5746 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5747 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5748 "-ocsp-response",
5749 base64.StdEncoding.EncodeToString(testOCSPResponse),
5750 "-signed-cert-timestamps",
5751 base64.StdEncoding.EncodeToString(testSCTList),
5752 },
5753 })
5754
5755 testCases = append(testCases, testCase{
5756 name: "SendDuplicateExtensionsOnCerts-TLS13",
5757 config: Config{
5758 MaxVersion: VersionTLS13,
5759 Bugs: ProtocolBugs{
5760 SendDuplicateCertExtensions: true,
5761 },
5762 },
5763 flags: []string{
5764 "-enable-ocsp-stapling",
5765 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5766 },
5767 resumeSession: true,
5768 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5769 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5770 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5771
5772 testCases = append(testCases, testCase{
5773 name: "SignedCertificateTimestampListInvalid-Server",
5774 testType: serverTest,
5775 flags: []string{
5776 "-signed-cert-timestamps",
5777 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5778 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5779 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5780 expectedError: ":INVALID_SCT_LIST:",
5781 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5782}
5783
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5784func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5785 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5786 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5787 // SSL 3.0 does not have tickets and TLS 1.3 does not
5788 // have session IDs, so skip their cross-resumption
5789 // tests.
5790 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5791 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5792 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5793 }
5794
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5795 protocols := []protocol{tls}
5796 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5797 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5798 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5799 for _, protocol := range protocols {
5800 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5801 if protocol == dtls {
5802 suffix += "-DTLS"
5803 }
5804
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5805 if sessionVers.version == resumeVers.version {
5806 testCases = append(testCases, testCase{
5807 protocol: protocol,
5808 name: "Resume-Client" + suffix,
5809 resumeSession: true,
5810 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5811 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5812 Bugs: ProtocolBugs{
5813 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5814 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5815 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5816 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5817 expectedVersion: sessionVers.version,
5818 expectedResumeVersion: resumeVers.version,
5819 })
5820 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5821 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5822
5823 // Offering a TLS 1.3 session sends an empty session ID, so
5824 // there is no way to convince a non-lookahead client the
5825 // session was resumed. It will appear to the client that a
5826 // stray ChangeCipherSpec was sent.
5827 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5828 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5829 }
5830
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5831 testCases = append(testCases, testCase{
5832 protocol: protocol,
5833 name: "Resume-Client-Mismatch" + suffix,
5834 resumeSession: true,
5835 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5836 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5837 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5838 expectedVersion: sessionVers.version,
5839 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5840 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5841 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5842 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5843 },
5844 },
5845 expectedResumeVersion: resumeVers.version,
5846 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5847 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5848 })
5849 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5850
5851 testCases = append(testCases, testCase{
5852 protocol: protocol,
5853 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5854 resumeSession: true,
5855 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5856 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5857 },
5858 expectedVersion: sessionVers.version,
5859 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5860 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5861 },
5862 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5863 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5864 expectedResumeVersion: resumeVers.version,
5865 })
5866
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5867 testCases = append(testCases, testCase{
5868 protocol: protocol,
5869 testType: serverTest,
5870 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5871 resumeSession: true,
5872 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5873 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5874 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5875 expectedVersion: sessionVers.version,
5876 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5877 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5878 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5879 Bugs: ProtocolBugs{
5880 SendBothTickets: true,
5881 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5882 },
5883 expectedResumeVersion: resumeVers.version,
5884 })
5885 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5886 }
5887 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5888
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5889 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5890 testCases = append(testCases, testCase{
5891 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5892 name: "ShimTicketRewritable",
5893 resumeSession: true,
5894 config: Config{
5895 MaxVersion: VersionTLS12,
5896 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5897 Bugs: ProtocolBugs{
5898 FilterTicket: func(in []byte) ([]byte, error) {
5899 in, err := SetShimTicketVersion(in, VersionTLS12)
5900 if err != nil {
5901 return nil, err
5902 }
5903 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5904 },
5905 },
5906 },
5907 flags: []string{
5908 "-ticket-key",
5909 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5910 },
5911 })
5912
5913 // Resumptions are declined if the version does not match.
5914 testCases = append(testCases, testCase{
5915 testType: serverTest,
5916 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5917 resumeSession: true,
5918 config: Config{
5919 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5920 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5921 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5922 FilterTicket: func(in []byte) ([]byte, error) {
5923 return SetShimTicketVersion(in, VersionTLS13)
5924 },
5925 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5926 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5927 flags: []string{
5928 "-ticket-key",
5929 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5930 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5931 expectResumeRejected: true,
5932 })
5933
5934 testCases = append(testCases, testCase{
5935 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5936 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5937 resumeSession: true,
5938 config: Config{
5939 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5940 Bugs: ProtocolBugs{
5941 FilterTicket: func(in []byte) ([]byte, error) {
5942 return SetShimTicketVersion(in, VersionTLS12)
5943 },
5944 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5945 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5946 flags: []string{
5947 "-ticket-key",
5948 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5949 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5950 expectResumeRejected: true,
5951 })
5952
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5953 // Resumptions are declined if the cipher is invalid or disabled.
5954 testCases = append(testCases, testCase{
5955 testType: serverTest,
5956 name: "Resume-Server-DeclineBadCipher",
5957 resumeSession: true,
5958 config: Config{
5959 MaxVersion: VersionTLS12,
5960 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5961 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5962 FilterTicket: func(in []byte) ([]byte, error) {
5963 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5964 },
5965 },
5966 },
5967 flags: []string{
5968 "-ticket-key",
5969 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5970 },
5971 expectResumeRejected: true,
5972 })
5973
5974 testCases = append(testCases, testCase{
5975 testType: serverTest,
5976 name: "Resume-Server-DeclineBadCipher-2",
5977 resumeSession: true,
5978 config: Config{
5979 MaxVersion: VersionTLS12,
5980 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5981 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5982 FilterTicket: func(in []byte) ([]byte, error) {
5983 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5984 },
5985 },
5986 },
5987 flags: []string{
5988 "-cipher", "AES128",
5989 "-ticket-key",
5990 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5991 },
5992 expectResumeRejected: true,
5993 })
5994
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5995 // Sessions are not resumed if they do not use the preferred cipher.
5996 testCases = append(testCases, testCase{
5997 testType: serverTest,
5998 name: "Resume-Server-CipherNotPreferred",
5999 resumeSession: true,
6000 config: Config{
6001 MaxVersion: VersionTLS12,
6002 Bugs: ProtocolBugs{
6003 ExpectNewTicket: true,
6004 FilterTicket: func(in []byte) ([]byte, error) {
6005 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6006 },
6007 },
6008 },
6009 flags: []string{
6010 "-ticket-key",
6011 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6012 },
6013 shouldFail: false,
6014 expectResumeRejected: true,
6015 })
6016
6017 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6018 // PRF hashes match, but BoringSSL will always decline such resumptions.
6019 testCases = append(testCases, testCase{
6020 testType: serverTest,
6021 name: "Resume-Server-CipherNotPreferred-TLS13",
6022 resumeSession: true,
6023 config: Config{
6024 MaxVersion: VersionTLS13,
6025 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6026 Bugs: ProtocolBugs{
6027 FilterTicket: func(in []byte) ([]byte, error) {
6028 // If the client (runner) offers ChaCha20-Poly1305 first, the
6029 // server (shim) always prefers it. Switch it to AES-GCM.
6030 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6031 },
6032 },
6033 },
6034 flags: []string{
6035 "-ticket-key",
6036 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6037 },
6038 shouldFail: false,
6039 expectResumeRejected: true,
6040 })
6041
6042 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6043 testCases = append(testCases, testCase{
6044 testType: serverTest,
6045 name: "Resume-Server-DeclineBadCipher-TLS13",
6046 resumeSession: true,
6047 config: Config{
6048 MaxVersion: VersionTLS13,
6049 Bugs: ProtocolBugs{
6050 FilterTicket: func(in []byte) ([]byte, error) {
6051 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6052 },
6053 },
6054 },
6055 flags: []string{
6056 "-ticket-key",
6057 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6058 },
6059 expectResumeRejected: true,
6060 })
6061
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6062 // If the client does not offer the cipher from the session, decline to
6063 // resume. Clients are forbidden from doing this, but BoringSSL selects
6064 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6065 testCases = append(testCases, testCase{
6066 testType: serverTest,
6067 name: "Resume-Server-UnofferedCipher",
6068 resumeSession: true,
6069 config: Config{
6070 MaxVersion: VersionTLS12,
6071 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6072 },
6073 resumeConfig: &Config{
6074 MaxVersion: VersionTLS12,
6075 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6076 Bugs: ProtocolBugs{
6077 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6078 },
6079 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6080 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6081 })
6082
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6083 // In TLS 1.3, clients may advertise a cipher list which does not
6084 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6085 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6086 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6087 testCases = append(testCases, testCase{
6088 testType: serverTest,
6089 name: "Resume-Server-UnofferedCipher-TLS13",
6090 resumeSession: true,
6091 config: Config{
6092 MaxVersion: VersionTLS13,
6093 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6094 },
6095 resumeConfig: &Config{
6096 MaxVersion: VersionTLS13,
6097 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6098 Bugs: ProtocolBugs{
6099 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6100 },
6101 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6102 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6103 })
6104
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6105 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6106 testCases = append(testCases, testCase{
6107 name: "Resume-Client-CipherMismatch",
6108 resumeSession: true,
6109 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6110 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6111 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6112 },
6113 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6114 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6115 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6116 Bugs: ProtocolBugs{
6117 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6118 },
6119 },
6120 shouldFail: true,
6121 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6122 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6123
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6124 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6125 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6126 testCases = append(testCases, testCase{
6127 name: "Resume-Client-CipherMismatch-TLS13",
6128 resumeSession: true,
6129 config: Config{
6130 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6131 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6132 },
6133 resumeConfig: &Config{
6134 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6135 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6136 },
6137 })
6138
6139 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6140 testCases = append(testCases, testCase{
6141 name: "Resume-Client-PRFMismatch-TLS13",
6142 resumeSession: true,
6143 config: Config{
6144 MaxVersion: VersionTLS13,
6145 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6146 },
6147 resumeConfig: &Config{
6148 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6149 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6150 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6151 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6152 },
6153 },
6154 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6155 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6156 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6157
6158 testCases = append(testCases, testCase{
6159 testType: serverTest,
6160 name: "Resume-Server-BinderWrongLength",
6161 resumeSession: true,
6162 config: Config{
6163 MaxVersion: VersionTLS13,
6164 Bugs: ProtocolBugs{
6165 SendShortPSKBinder: true,
6166 },
6167 },
6168 shouldFail: true,
6169 expectedLocalError: "remote error: error decrypting message",
6170 expectedError: ":DIGEST_CHECK_FAILED:",
6171 })
6172
6173 testCases = append(testCases, testCase{
6174 testType: serverTest,
6175 name: "Resume-Server-NoPSKBinder",
6176 resumeSession: true,
6177 config: Config{
6178 MaxVersion: VersionTLS13,
6179 Bugs: ProtocolBugs{
6180 SendNoPSKBinder: true,
6181 },
6182 },
6183 shouldFail: true,
6184 expectedLocalError: "remote error: error decoding message",
6185 expectedError: ":DECODE_ERROR:",
6186 })
6187
6188 testCases = append(testCases, testCase{
6189 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6190 name: "Resume-Server-ExtraPSKBinder",
6191 resumeSession: true,
6192 config: Config{
6193 MaxVersion: VersionTLS13,
6194 Bugs: ProtocolBugs{
6195 SendExtraPSKBinder: true,
6196 },
6197 },
6198 shouldFail: true,
6199 expectedLocalError: "remote error: illegal parameter",
6200 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6201 })
6202
6203 testCases = append(testCases, testCase{
6204 testType: serverTest,
6205 name: "Resume-Server-ExtraIdentityNoBinder",
6206 resumeSession: true,
6207 config: Config{
6208 MaxVersion: VersionTLS13,
6209 Bugs: ProtocolBugs{
6210 ExtraPSKIdentity: true,
6211 },
6212 },
6213 shouldFail: true,
6214 expectedLocalError: "remote error: illegal parameter",
6215 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6216 })
6217
6218 testCases = append(testCases, testCase{
6219 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6220 name: "Resume-Server-InvalidPSKBinder",
6221 resumeSession: true,
6222 config: Config{
6223 MaxVersion: VersionTLS13,
6224 Bugs: ProtocolBugs{
6225 SendInvalidPSKBinder: true,
6226 },
6227 },
6228 shouldFail: true,
6229 expectedLocalError: "remote error: error decrypting message",
6230 expectedError: ":DIGEST_CHECK_FAILED:",
6231 })
6232
6233 testCases = append(testCases, testCase{
6234 testType: serverTest,
6235 name: "Resume-Server-PSKBinderFirstExtension",
6236 resumeSession: true,
6237 config: Config{
6238 MaxVersion: VersionTLS13,
6239 Bugs: ProtocolBugs{
6240 PSKBinderFirst: true,
6241 },
6242 },
6243 shouldFail: true,
6244 expectedLocalError: "remote error: illegal parameter",
6245 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6246 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6247}
6248
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6249func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6250 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6251 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6252 testType: serverTest,
6253 name: "Renegotiate-Server-Forbidden",
6254 config: Config{
6255 MaxVersion: VersionTLS12,
6256 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6257 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6258 shouldFail: true,
6259 expectedError: ":NO_RENEGOTIATION:",
6260 expectedLocalError: "remote error: no renegotiation",
6261 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6262 // The server shouldn't echo the renegotiation extension unless
6263 // requested by the client.
6264 testCases = append(testCases, testCase{
6265 testType: serverTest,
6266 name: "Renegotiate-Server-NoExt",
6267 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6268 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6269 Bugs: ProtocolBugs{
6270 NoRenegotiationInfo: true,
6271 RequireRenegotiationInfo: true,
6272 },
6273 },
6274 shouldFail: true,
6275 expectedLocalError: "renegotiation extension missing",
6276 })
6277 // The renegotiation SCSV should be sufficient for the server to echo
6278 // the extension.
6279 testCases = append(testCases, testCase{
6280 testType: serverTest,
6281 name: "Renegotiate-Server-NoExt-SCSV",
6282 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6283 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6284 Bugs: ProtocolBugs{
6285 NoRenegotiationInfo: true,
6286 SendRenegotiationSCSV: true,
6287 RequireRenegotiationInfo: true,
6288 },
6289 },
6290 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6291 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6292 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6293 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6294 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6295 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6296 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6297 },
6298 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6299 renegotiate: 1,
6300 flags: []string{
6301 "-renegotiate-freely",
6302 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6303 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6304 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6305 })
6306 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6307 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6308 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6309 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6310 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6311 Bugs: ProtocolBugs{
6312 EmptyRenegotiationInfo: true,
6313 },
6314 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6315 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6316 shouldFail: true,
6317 expectedError: ":RENEGOTIATION_MISMATCH:",
6318 })
6319 testCases = append(testCases, testCase{
6320 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6321 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6322 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6323 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6324 Bugs: ProtocolBugs{
6325 BadRenegotiationInfo: true,
6326 },
6327 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6328 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6329 shouldFail: true,
6330 expectedError: ":RENEGOTIATION_MISMATCH:",
6331 })
6332 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6333 name: "Renegotiate-Client-Downgrade",
6334 renegotiate: 1,
6335 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6336 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6337 Bugs: ProtocolBugs{
6338 NoRenegotiationInfoAfterInitial: true,
6339 },
6340 },
6341 flags: []string{"-renegotiate-freely"},
6342 shouldFail: true,
6343 expectedError: ":RENEGOTIATION_MISMATCH:",
6344 })
6345 testCases = append(testCases, testCase{
6346 name: "Renegotiate-Client-Upgrade",
6347 renegotiate: 1,
6348 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6349 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6350 Bugs: ProtocolBugs{
6351 NoRenegotiationInfoInInitial: true,
6352 },
6353 },
6354 flags: []string{"-renegotiate-freely"},
6355 shouldFail: true,
6356 expectedError: ":RENEGOTIATION_MISMATCH:",
6357 })
6358 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6359 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6360 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6361 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6362 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6363 Bugs: ProtocolBugs{
6364 NoRenegotiationInfo: true,
6365 },
6366 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6367 flags: []string{
6368 "-renegotiate-freely",
6369 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6370 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6371 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6372 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6373
6374 // Test that the server may switch ciphers on renegotiation without
6375 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6376 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6377 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6378 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6379 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6380 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6381 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6382 },
6383 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6384 flags: []string{
6385 "-renegotiate-freely",
6386 "-expect-total-renegotiations", "1",
6387 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6388 })
6389 testCases = append(testCases, testCase{
6390 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6391 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6392 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6393 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6394 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6395 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6396 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6397 flags: []string{
6398 "-renegotiate-freely",
6399 "-expect-total-renegotiations", "1",
6400 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6401 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6402
6403 // Test that the server may not switch versions on renegotiation.
6404 testCases = append(testCases, testCase{
6405 name: "Renegotiate-Client-SwitchVersion",
6406 config: Config{
6407 MaxVersion: VersionTLS12,
6408 // Pick a cipher which exists at both versions.
6409 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6410 Bugs: ProtocolBugs{
6411 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6412 // Avoid failing early at the record layer.
6413 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6414 },
6415 },
6416 renegotiate: 1,
6417 flags: []string{
6418 "-renegotiate-freely",
6419 "-expect-total-renegotiations", "1",
6420 },
6421 shouldFail: true,
6422 expectedError: ":WRONG_SSL_VERSION:",
6423 })
6424
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6425 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6426 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6427 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6428 config: Config{
6429 MaxVersion: VersionTLS10,
6430 Bugs: ProtocolBugs{
6431 RequireSameRenegoClientVersion: true,
6432 },
6433 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6434 flags: []string{
6435 "-renegotiate-freely",
6436 "-expect-total-renegotiations", "1",
6437 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6438 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6439 testCases = append(testCases, testCase{
6440 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6441 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6442 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6443 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6444 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6445 NextProtos: []string{"foo"},
6446 },
6447 flags: []string{
6448 "-false-start",
6449 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6450 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6451 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6452 },
6453 shimWritesFirst: true,
6454 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6455
6456 // Client-side renegotiation controls.
6457 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6458 name: "Renegotiate-Client-Forbidden-1",
6459 config: Config{
6460 MaxVersion: VersionTLS12,
6461 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6462 renegotiate: 1,
6463 shouldFail: true,
6464 expectedError: ":NO_RENEGOTIATION:",
6465 expectedLocalError: "remote error: no renegotiation",
6466 })
6467 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6468 name: "Renegotiate-Client-Once-1",
6469 config: Config{
6470 MaxVersion: VersionTLS12,
6471 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6472 renegotiate: 1,
6473 flags: []string{
6474 "-renegotiate-once",
6475 "-expect-total-renegotiations", "1",
6476 },
6477 })
6478 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6479 name: "Renegotiate-Client-Freely-1",
6480 config: Config{
6481 MaxVersion: VersionTLS12,
6482 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6483 renegotiate: 1,
6484 flags: []string{
6485 "-renegotiate-freely",
6486 "-expect-total-renegotiations", "1",
6487 },
6488 })
6489 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6490 name: "Renegotiate-Client-Once-2",
6491 config: Config{
6492 MaxVersion: VersionTLS12,
6493 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6494 renegotiate: 2,
6495 flags: []string{"-renegotiate-once"},
6496 shouldFail: true,
6497 expectedError: ":NO_RENEGOTIATION:",
6498 expectedLocalError: "remote error: no renegotiation",
6499 })
6500 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6501 name: "Renegotiate-Client-Freely-2",
6502 config: Config{
6503 MaxVersion: VersionTLS12,
6504 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6505 renegotiate: 2,
6506 flags: []string{
6507 "-renegotiate-freely",
6508 "-expect-total-renegotiations", "2",
6509 },
6510 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6511 testCases = append(testCases, testCase{
6512 name: "Renegotiate-Client-NoIgnore",
6513 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6514 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6515 Bugs: ProtocolBugs{
6516 SendHelloRequestBeforeEveryAppDataRecord: true,
6517 },
6518 },
6519 shouldFail: true,
6520 expectedError: ":NO_RENEGOTIATION:",
6521 })
6522 testCases = append(testCases, testCase{
6523 name: "Renegotiate-Client-Ignore",
6524 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6525 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6526 Bugs: ProtocolBugs{
6527 SendHelloRequestBeforeEveryAppDataRecord: true,
6528 },
6529 },
6530 flags: []string{
6531 "-renegotiate-ignore",
6532 "-expect-total-renegotiations", "0",
6533 },
6534 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6535
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6536 // Renegotiation is not allowed at SSL 3.0.
6537 testCases = append(testCases, testCase{
6538 name: "Renegotiate-Client-SSL3",
6539 config: Config{
6540 MaxVersion: VersionSSL30,
6541 },
6542 renegotiate: 1,
6543 flags: []string{
6544 "-renegotiate-freely",
6545 "-expect-total-renegotiations", "1",
6546 },
6547 shouldFail: true,
6548 expectedError: ":NO_RENEGOTIATION:",
6549 expectedLocalError: "remote error: no renegotiation",
6550 })
6551
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6552 // Renegotiation is not allowed when there is an unfinished write.
6553 testCases = append(testCases, testCase{
6554 name: "Renegotiate-Client-UnfinishedWrite",
6555 config: Config{
6556 MaxVersion: VersionTLS12,
6557 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6558 renegotiate: 1,
6559 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6560 flags: []string{
6561 "-async",
6562 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6563 },
6564 shouldFail: true,
6565 expectedError: ":NO_RENEGOTIATION:",
6566 // We do not successfully send the no_renegotiation alert in
6567 // this case. https://crbug.com/boringssl/130
6568 })
6569
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6570 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6571 testCases = append(testCases, testCase{
6572 name: "StrayHelloRequest",
6573 config: Config{
6574 MaxVersion: VersionTLS12,
6575 Bugs: ProtocolBugs{
6576 SendHelloRequestBeforeEveryHandshakeMessage: true,
6577 },
6578 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6579 shouldFail: true,
6580 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6581 })
6582 testCases = append(testCases, testCase{
6583 name: "StrayHelloRequest-Packed",
6584 config: Config{
6585 MaxVersion: VersionTLS12,
6586 Bugs: ProtocolBugs{
6587 PackHandshakeFlight: true,
6588 SendHelloRequestBeforeEveryHandshakeMessage: true,
6589 },
6590 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6591 shouldFail: true,
6592 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6593 })
6594
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6595 // Test renegotiation works if HelloRequest and server Finished come in
6596 // the same record.
6597 testCases = append(testCases, testCase{
6598 name: "Renegotiate-Client-Packed",
6599 config: Config{
6600 MaxVersion: VersionTLS12,
6601 Bugs: ProtocolBugs{
6602 PackHandshakeFlight: true,
6603 PackHelloRequestWithFinished: true,
6604 },
6605 },
6606 renegotiate: 1,
6607 flags: []string{
6608 "-renegotiate-freely",
6609 "-expect-total-renegotiations", "1",
6610 },
6611 })
6612
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6613 // Renegotiation is forbidden in TLS 1.3.
6614 testCases = append(testCases, testCase{
6615 name: "Renegotiate-Client-TLS13",
6616 config: Config{
6617 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6618 Bugs: ProtocolBugs{
6619 SendHelloRequestBeforeEveryAppDataRecord: true,
6620 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6621 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6622 flags: []string{
6623 "-renegotiate-freely",
6624 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6625 shouldFail: true,
6626 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6627 })
6628
6629 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6630 testCases = append(testCases, testCase{
6631 name: "StrayHelloRequest-TLS13",
6632 config: Config{
6633 MaxVersion: VersionTLS13,
6634 Bugs: ProtocolBugs{
6635 SendHelloRequestBeforeEveryHandshakeMessage: true,
6636 },
6637 },
6638 shouldFail: true,
6639 expectedError: ":UNEXPECTED_MESSAGE:",
6640 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6641
6642 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6643 // always reads as supporting it, regardless of whether it was
6644 // negotiated.
6645 testCases = append(testCases, testCase{
6646 name: "AlwaysReportRenegotiationInfo-TLS13",
6647 config: Config{
6648 MaxVersion: VersionTLS13,
6649 Bugs: ProtocolBugs{
6650 NoRenegotiationInfo: true,
6651 },
6652 },
6653 flags: []string{
6654 "-expect-secure-renegotiation",
6655 },
6656 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6657
6658 // Certificates may not change on renegotiation.
6659 testCases = append(testCases, testCase{
6660 name: "Renegotiation-CertificateChange",
6661 config: Config{
6662 MaxVersion: VersionTLS12,
6663 Certificates: []Certificate{rsaCertificate},
6664 Bugs: ProtocolBugs{
6665 RenegotiationCertificate: &rsaChainCertificate,
6666 },
6667 },
6668 renegotiate: 1,
6669 flags: []string{"-renegotiate-freely"},
6670 shouldFail: true,
6671 expectedError: ":SERVER_CERT_CHANGED:",
6672 })
6673 testCases = append(testCases, testCase{
6674 name: "Renegotiation-CertificateChange-2",
6675 config: Config{
6676 MaxVersion: VersionTLS12,
6677 Certificates: []Certificate{rsaCertificate},
6678 Bugs: ProtocolBugs{
6679 RenegotiationCertificate: &rsa1024Certificate,
6680 },
6681 },
6682 renegotiate: 1,
6683 flags: []string{"-renegotiate-freely"},
6684 shouldFail: true,
6685 expectedError: ":SERVER_CERT_CHANGED:",
6686 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6687
6688 // We do not negotiate ALPN after the initial handshake. This is
6689 // error-prone and only risks bugs in consumers.
6690 testCases = append(testCases, testCase{
6691 testType: clientTest,
6692 name: "Renegotiation-ForbidALPN",
6693 config: Config{
6694 MaxVersion: VersionTLS12,
6695 Bugs: ProtocolBugs{
6696 // Forcibly negotiate ALPN on both initial and
6697 // renegotiation handshakes. The test stack will
6698 // internally check the client does not offer
6699 // it.
6700 SendALPN: "foo",
6701 },
6702 },
6703 flags: []string{
6704 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6705 "-expect-alpn", "foo",
6706 "-renegotiate-freely",
6707 },
6708 renegotiate: 1,
6709 shouldFail: true,
6710 expectedError: ":UNEXPECTED_EXTENSION:",
6711 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6712}
6713
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6714func addDTLSReplayTests() {
6715 // Test that sequence number replays are detected.
6716 testCases = append(testCases, testCase{
6717 protocol: dtls,
6718 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6719 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6720 replayWrites: true,
6721 })
6722
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6723 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6724 // than the retransmit window.
6725 testCases = append(testCases, testCase{
6726 protocol: dtls,
6727 name: "DTLS-Replay-LargeGaps",
6728 config: Config{
6729 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6730 SequenceNumberMapping: func(in uint64) uint64 {
6731 return in * 127
6732 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6733 },
6734 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6735 messageCount: 200,
6736 replayWrites: true,
6737 })
6738
6739 // Test the incoming sequence number changing non-monotonically.
6740 testCases = append(testCases, testCase{
6741 protocol: dtls,
6742 name: "DTLS-Replay-NonMonotonic",
6743 config: Config{
6744 Bugs: ProtocolBugs{
6745 SequenceNumberMapping: func(in uint64) uint64 {
6746 return in ^ 31
6747 },
6748 },
6749 },
6750 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6751 replayWrites: true,
6752 })
6753}
6754
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6755var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6756 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6757 id signatureAlgorithm
6758 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6759}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6760 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6761 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6762 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6763 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6764 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6765 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6766 // hash function doesn't have to match the curve and so the same
6767 // signature algorithm works with P-224.
6768 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6769 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6770 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6771 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6772 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6773 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6774 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6775 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6776 // Tests for key types prior to TLS 1.2.
6777 {"RSA", 0, testCertRSA},
6778 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6779}
6780
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6781const fakeSigAlg1 signatureAlgorithm = 0x2a01
6782const fakeSigAlg2 signatureAlgorithm = 0xff01
6783
6784func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6785 // Not all ciphers involve a signature. Advertise a list which gives all
6786 // versions a signing cipher.
6787 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6788 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6789 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6790 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6791 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6792 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6793 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6794
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6795 var allAlgorithms []signatureAlgorithm
6796 for _, alg := range testSignatureAlgorithms {
6797 if alg.id != 0 {
6798 allAlgorithms = append(allAlgorithms, alg.id)
6799 }
6800 }
6801
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6802 // Make sure each signature algorithm works. Include some fake values in
6803 // the list and ensure they're ignored.
6804 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6805 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6806 if (ver.version < VersionTLS12) != (alg.id == 0) {
6807 continue
6808 }
6809
6810 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6811 // or remove it in C.
6812 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6813 continue
6814 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6815
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6816 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6817 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6818 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6819 shouldSignFail = true
6820 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6821 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6822 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6823 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6824 shouldSignFail = true
6825 shouldVerifyFail = true
6826 }
6827 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6828 // the curve has to match the hash size.
6829 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6830 shouldSignFail = true
6831 shouldVerifyFail = true
6832 }
6833
6834 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6835 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6836 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6837 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6838
6839 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6840 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6841 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6842 }
6843 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6844 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6845 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6846
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6847 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6848
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6849 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6850 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6851 config: Config{
6852 MaxVersion: ver.version,
6853 ClientAuth: RequireAnyClientCert,
6854 VerifySignatureAlgorithms: []signatureAlgorithm{
6855 fakeSigAlg1,
6856 alg.id,
6857 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6858 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6859 },
6860 flags: []string{
6861 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6862 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6863 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6864 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6865 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6866 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6867 expectedError: signError,
6868 expectedPeerSignatureAlgorithm: alg.id,
6869 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6870
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6871 testCases = append(testCases, testCase{
6872 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6873 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6874 config: Config{
6875 MaxVersion: ver.version,
6876 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6877 SignSignatureAlgorithms: []signatureAlgorithm{
6878 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6879 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6880 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6881 SkipECDSACurveCheck: shouldVerifyFail,
6882 IgnoreSignatureVersionChecks: shouldVerifyFail,
6883 // Some signature algorithms may not be advertised.
6884 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6885 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6886 },
6887 flags: []string{
6888 "-require-any-client-certificate",
6889 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6890 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6891 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6892 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6893 // Resume the session to assert the peer signature
6894 // algorithm is reported on both handshakes.
6895 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6896 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6897 expectedError: verifyError,
6898 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6899
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6900 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]6901 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6902 testCases = append(testCases, testCase{
6903 testType: serverTest,
6904 name: "ServerAuth-Sign" + suffix,
6905 config: Config{
6906 MaxVersion: ver.version,
6907 CipherSuites: signingCiphers,
6908 VerifySignatureAlgorithms: []signatureAlgorithm{
6909 fakeSigAlg1,
6910 alg.id,
6911 fakeSigAlg2,
6912 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6913 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6914 flags: []string{
6915 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6916 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6917 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6918 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6919 },
6920 shouldFail: shouldSignFail,
6921 expectedError: signError,
6922 expectedPeerSignatureAlgorithm: alg.id,
6923 })
6924 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6925
6926 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6927 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6928 config: Config{
6929 MaxVersion: ver.version,
6930 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6931 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6932 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6933 alg.id,
6934 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6935 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6936 SkipECDSACurveCheck: shouldVerifyFail,
6937 IgnoreSignatureVersionChecks: shouldVerifyFail,
6938 // Some signature algorithms may not be advertised.
6939 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6940 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6941 },
6942 flags: []string{
6943 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6944 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6945 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6946 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6947 // Resume the session to assert the peer signature
6948 // algorithm is reported on both handshakes.
6949 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6950 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6951 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6952 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6953
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6954 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6955 testCases = append(testCases, testCase{
6956 testType: serverTest,
6957 name: "ClientAuth-InvalidSignature" + suffix,
6958 config: Config{
6959 MaxVersion: ver.version,
6960 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6961 SignSignatureAlgorithms: []signatureAlgorithm{
6962 alg.id,
6963 },
6964 Bugs: ProtocolBugs{
6965 InvalidSignature: true,
6966 },
6967 },
6968 flags: []string{
6969 "-require-any-client-certificate",
6970 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6971 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6972 },
6973 shouldFail: true,
6974 expectedError: ":BAD_SIGNATURE:",
6975 })
6976
6977 testCases = append(testCases, testCase{
6978 name: "ServerAuth-InvalidSignature" + suffix,
6979 config: Config{
6980 MaxVersion: ver.version,
6981 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6982 CipherSuites: signingCiphers,
6983 SignSignatureAlgorithms: []signatureAlgorithm{
6984 alg.id,
6985 },
6986 Bugs: ProtocolBugs{
6987 InvalidSignature: true,
6988 },
6989 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6990 flags: []string{
6991 "-enable-all-curves",
6992 "-enable-ed25519",
6993 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6994 shouldFail: true,
6995 expectedError: ":BAD_SIGNATURE:",
6996 })
6997 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6998
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6999 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7000 testCases = append(testCases, testCase{
7001 name: "ClientAuth-Sign-Negotiate" + suffix,
7002 config: Config{
7003 MaxVersion: ver.version,
7004 ClientAuth: RequireAnyClientCert,
7005 VerifySignatureAlgorithms: allAlgorithms,
7006 },
7007 flags: []string{
7008 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7009 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7010 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7011 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7012 "-signing-prefs", strconv.Itoa(int(alg.id)),
7013 },
7014 expectedPeerSignatureAlgorithm: alg.id,
7015 })
7016
7017 testCases = append(testCases, testCase{
7018 testType: serverTest,
7019 name: "ServerAuth-Sign-Negotiate" + suffix,
7020 config: Config{
7021 MaxVersion: ver.version,
7022 CipherSuites: signingCiphers,
7023 VerifySignatureAlgorithms: allAlgorithms,
7024 },
7025 flags: []string{
7026 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7027 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7028 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7029 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7030 "-signing-prefs", strconv.Itoa(int(alg.id)),
7031 },
7032 expectedPeerSignatureAlgorithm: alg.id,
7033 })
7034 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7035 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7036 }
7037
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7038 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7039 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7040 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7041 config: Config{
7042 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7043 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7044 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7045 signatureECDSAWithP521AndSHA512,
7046 signatureRSAPKCS1WithSHA384,
7047 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7048 },
7049 },
7050 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7051 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7052 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7053 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7054 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7055 })
7056
7057 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7058 name: "ClientAuth-SignatureType-TLS13",
7059 config: Config{
7060 ClientAuth: RequireAnyClientCert,
7061 MaxVersion: VersionTLS13,
7062 VerifySignatureAlgorithms: []signatureAlgorithm{
7063 signatureECDSAWithP521AndSHA512,
7064 signatureRSAPKCS1WithSHA384,
7065 signatureRSAPSSWithSHA384,
7066 signatureECDSAWithSHA1,
7067 },
7068 },
7069 flags: []string{
7070 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7071 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7072 },
7073 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7074 })
7075
7076 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7077 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7078 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7079 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7080 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7081 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7082 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7083 signatureECDSAWithP521AndSHA512,
7084 signatureRSAPKCS1WithSHA384,
7085 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7086 },
7087 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7088 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7089 })
7090
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7091 testCases = append(testCases, testCase{
7092 testType: serverTest,
7093 name: "ServerAuth-SignatureType-TLS13",
7094 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7095 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7096 VerifySignatureAlgorithms: []signatureAlgorithm{
7097 signatureECDSAWithP521AndSHA512,
7098 signatureRSAPKCS1WithSHA384,
7099 signatureRSAPSSWithSHA384,
7100 signatureECDSAWithSHA1,
7101 },
7102 },
7103 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7104 })
7105
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7106 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7107 testCases = append(testCases, testCase{
7108 testType: serverTest,
7109 name: "Verify-ClientAuth-SignatureType",
7110 config: Config{
7111 MaxVersion: VersionTLS12,
7112 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7113 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7114 signatureRSAPKCS1WithSHA256,
7115 },
7116 Bugs: ProtocolBugs{
7117 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7118 },
7119 },
7120 flags: []string{
7121 "-require-any-client-certificate",
7122 },
7123 shouldFail: true,
7124 expectedError: ":WRONG_SIGNATURE_TYPE:",
7125 })
7126
7127 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7128 testType: serverTest,
7129 name: "Verify-ClientAuth-SignatureType-TLS13",
7130 config: Config{
7131 MaxVersion: VersionTLS13,
7132 Certificates: []Certificate{rsaCertificate},
7133 SignSignatureAlgorithms: []signatureAlgorithm{
7134 signatureRSAPSSWithSHA256,
7135 },
7136 Bugs: ProtocolBugs{
7137 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7138 },
7139 },
7140 flags: []string{
7141 "-require-any-client-certificate",
7142 },
7143 shouldFail: true,
7144 expectedError: ":WRONG_SIGNATURE_TYPE:",
7145 })
7146
7147 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7148 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7149 config: Config{
7150 MaxVersion: VersionTLS12,
7151 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7152 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7153 signatureRSAPKCS1WithSHA256,
7154 },
7155 Bugs: ProtocolBugs{
7156 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7157 },
7158 },
7159 shouldFail: true,
7160 expectedError: ":WRONG_SIGNATURE_TYPE:",
7161 })
7162
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7163 testCases = append(testCases, testCase{
7164 name: "Verify-ServerAuth-SignatureType-TLS13",
7165 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7166 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7167 SignSignatureAlgorithms: []signatureAlgorithm{
7168 signatureRSAPSSWithSHA256,
7169 },
7170 Bugs: ProtocolBugs{
7171 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7172 },
7173 },
7174 shouldFail: true,
7175 expectedError: ":WRONG_SIGNATURE_TYPE:",
7176 })
7177
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7178 // Test that, if the list is missing, the peer falls back to SHA-1 in
7179 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7180 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7181 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7182 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7183 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7184 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7185 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7186 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7187 },
7188 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7189 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7190 },
7191 },
7192 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7193 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7194 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7195 },
7196 })
7197
7198 testCases = append(testCases, testCase{
7199 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7200 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7201 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7202 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7203 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7204 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7205 },
7206 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7207 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7208 },
7209 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7210 flags: []string{
7211 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7212 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7213 },
7214 })
7215
7216 testCases = append(testCases, testCase{
7217 name: "ClientAuth-SHA1-Fallback-ECDSA",
7218 config: Config{
7219 MaxVersion: VersionTLS12,
7220 ClientAuth: RequireAnyClientCert,
7221 VerifySignatureAlgorithms: []signatureAlgorithm{
7222 signatureECDSAWithSHA1,
7223 },
7224 Bugs: ProtocolBugs{
7225 NoSignatureAlgorithms: true,
7226 },
7227 },
7228 flags: []string{
7229 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7230 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7231 },
7232 })
7233
7234 testCases = append(testCases, testCase{
7235 testType: serverTest,
7236 name: "ServerAuth-SHA1-Fallback-ECDSA",
7237 config: Config{
7238 MaxVersion: VersionTLS12,
7239 VerifySignatureAlgorithms: []signatureAlgorithm{
7240 signatureECDSAWithSHA1,
7241 },
7242 Bugs: ProtocolBugs{
7243 NoSignatureAlgorithms: true,
7244 },
7245 },
7246 flags: []string{
7247 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7248 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7249 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7250 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7251
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7252 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7253 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7254 config: Config{
7255 MaxVersion: VersionTLS13,
7256 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7257 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7258 signatureRSAPKCS1WithSHA1,
7259 },
7260 Bugs: ProtocolBugs{
7261 NoSignatureAlgorithms: true,
7262 },
7263 },
7264 flags: []string{
7265 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7266 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7267 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7268 shouldFail: true,
7269 // An empty CertificateRequest signature algorithm list is a
7270 // syntax error in TLS 1.3.
7271 expectedError: ":DECODE_ERROR:",
7272 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7273 })
7274
7275 testCases = append(testCases, testCase{
7276 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7277 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7278 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7279 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7280 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7281 signatureRSAPKCS1WithSHA1,
7282 },
7283 Bugs: ProtocolBugs{
7284 NoSignatureAlgorithms: true,
7285 },
7286 },
7287 shouldFail: true,
7288 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7289 })
7290
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7291 // Test that hash preferences are enforced. BoringSSL does not implement
7292 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7293 testCases = append(testCases, testCase{
7294 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7295 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7296 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7297 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7298 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7299 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7300 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7301 },
7302 Bugs: ProtocolBugs{
7303 IgnorePeerSignatureAlgorithmPreferences: true,
7304 },
7305 },
7306 flags: []string{"-require-any-client-certificate"},
7307 shouldFail: true,
7308 expectedError: ":WRONG_SIGNATURE_TYPE:",
7309 })
7310
7311 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7312 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7313 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7314 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7315 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7316 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7317 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7318 },
7319 Bugs: ProtocolBugs{
7320 IgnorePeerSignatureAlgorithmPreferences: true,
7321 },
7322 },
7323 shouldFail: true,
7324 expectedError: ":WRONG_SIGNATURE_TYPE:",
7325 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7326 testCases = append(testCases, testCase{
7327 testType: serverTest,
7328 name: "ClientAuth-Enforced-TLS13",
7329 config: Config{
7330 MaxVersion: VersionTLS13,
7331 Certificates: []Certificate{rsaCertificate},
7332 SignSignatureAlgorithms: []signatureAlgorithm{
7333 signatureRSAPKCS1WithMD5,
7334 },
7335 Bugs: ProtocolBugs{
7336 IgnorePeerSignatureAlgorithmPreferences: true,
7337 IgnoreSignatureVersionChecks: true,
7338 },
7339 },
7340 flags: []string{"-require-any-client-certificate"},
7341 shouldFail: true,
7342 expectedError: ":WRONG_SIGNATURE_TYPE:",
7343 })
7344
7345 testCases = append(testCases, testCase{
7346 name: "ServerAuth-Enforced-TLS13",
7347 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7348 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7349 SignSignatureAlgorithms: []signatureAlgorithm{
7350 signatureRSAPKCS1WithMD5,
7351 },
7352 Bugs: ProtocolBugs{
7353 IgnorePeerSignatureAlgorithmPreferences: true,
7354 IgnoreSignatureVersionChecks: true,
7355 },
7356 },
7357 shouldFail: true,
7358 expectedError: ":WRONG_SIGNATURE_TYPE:",
7359 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7360
7361 // Test that the agreed upon digest respects the client preferences and
7362 // the server digests.
7363 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7364 name: "NoCommonAlgorithms-Digests",
7365 config: Config{
7366 MaxVersion: VersionTLS12,
7367 ClientAuth: RequireAnyClientCert,
7368 VerifySignatureAlgorithms: []signatureAlgorithm{
7369 signatureRSAPKCS1WithSHA512,
7370 signatureRSAPKCS1WithSHA1,
7371 },
7372 },
7373 flags: []string{
7374 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7375 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7376 "-digest-prefs", "SHA256",
7377 },
7378 shouldFail: true,
7379 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7380 })
7381 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7382 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7383 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7384 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7385 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7386 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7387 signatureRSAPKCS1WithSHA512,
7388 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7389 },
7390 },
7391 flags: []string{
7392 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7393 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7394 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7395 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7396 shouldFail: true,
7397 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7398 })
7399 testCases = append(testCases, testCase{
7400 name: "NoCommonAlgorithms-TLS13",
7401 config: Config{
7402 MaxVersion: VersionTLS13,
7403 ClientAuth: RequireAnyClientCert,
7404 VerifySignatureAlgorithms: []signatureAlgorithm{
7405 signatureRSAPSSWithSHA512,
7406 signatureRSAPSSWithSHA384,
7407 },
7408 },
7409 flags: []string{
7410 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7411 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7412 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7413 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7414 shouldFail: true,
7415 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7416 })
7417 testCases = append(testCases, testCase{
7418 name: "Agree-Digest-SHA256",
7419 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7420 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7421 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7422 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7423 signatureRSAPKCS1WithSHA1,
7424 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7425 },
7426 },
7427 flags: []string{
7428 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7429 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7430 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7431 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7432 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7433 })
7434 testCases = append(testCases, testCase{
7435 name: "Agree-Digest-SHA1",
7436 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7437 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7438 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7439 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7440 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7441 },
7442 },
7443 flags: []string{
7444 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7445 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7446 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7447 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7448 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7449 })
7450 testCases = append(testCases, testCase{
7451 name: "Agree-Digest-Default",
7452 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7453 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7454 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7455 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7456 signatureRSAPKCS1WithSHA256,
7457 signatureECDSAWithP256AndSHA256,
7458 signatureRSAPKCS1WithSHA1,
7459 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7460 },
7461 },
7462 flags: []string{
7463 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7464 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7465 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7466 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7467 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7468
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7469 // Test that the signing preference list may include extra algorithms
7470 // without negotiation problems.
7471 testCases = append(testCases, testCase{
7472 testType: serverTest,
7473 name: "FilterExtraAlgorithms",
7474 config: Config{
7475 MaxVersion: VersionTLS12,
7476 VerifySignatureAlgorithms: []signatureAlgorithm{
7477 signatureRSAPKCS1WithSHA256,
7478 },
7479 },
7480 flags: []string{
7481 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7482 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7483 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7484 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7485 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7486 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7487 },
7488 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7489 })
7490
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7491 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7492 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7493 testCases = append(testCases, testCase{
7494 name: "CheckLeafCurve",
7495 config: Config{
7496 MaxVersion: VersionTLS12,
7497 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7498 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7499 },
7500 flags: []string{"-p384-only"},
7501 shouldFail: true,
7502 expectedError: ":BAD_ECC_CERT:",
7503 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7504
7505 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7506 testCases = append(testCases, testCase{
7507 name: "CheckLeafCurve-TLS13",
7508 config: Config{
7509 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7510 Certificates: []Certificate{ecdsaP256Certificate},
7511 },
7512 flags: []string{"-p384-only"},
7513 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7514
7515 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7516 testCases = append(testCases, testCase{
7517 name: "ECDSACurveMismatch-Verify-TLS12",
7518 config: Config{
7519 MaxVersion: VersionTLS12,
7520 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7521 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7522 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7523 signatureECDSAWithP384AndSHA384,
7524 },
7525 },
7526 })
7527
7528 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7529 testCases = append(testCases, testCase{
7530 name: "ECDSACurveMismatch-Verify-TLS13",
7531 config: Config{
7532 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7533 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7534 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7535 signatureECDSAWithP384AndSHA384,
7536 },
7537 Bugs: ProtocolBugs{
7538 SkipECDSACurveCheck: true,
7539 },
7540 },
7541 shouldFail: true,
7542 expectedError: ":WRONG_SIGNATURE_TYPE:",
7543 })
7544
7545 // Signature algorithm selection in TLS 1.3 should take the curve into
7546 // account.
7547 testCases = append(testCases, testCase{
7548 testType: serverTest,
7549 name: "ECDSACurveMismatch-Sign-TLS13",
7550 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7551 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7552 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7553 signatureECDSAWithP384AndSHA384,
7554 signatureECDSAWithP256AndSHA256,
7555 },
7556 },
7557 flags: []string{
7558 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7559 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7560 },
7561 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7562 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7563
7564 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7565 // server does not attempt to sign in that case.
7566 testCases = append(testCases, testCase{
7567 testType: serverTest,
7568 name: "RSA-PSS-Large",
7569 config: Config{
7570 MaxVersion: VersionTLS13,
7571 VerifySignatureAlgorithms: []signatureAlgorithm{
7572 signatureRSAPSSWithSHA512,
7573 },
7574 },
7575 flags: []string{
7576 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7577 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7578 },
7579 shouldFail: true,
7580 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7581 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7582
7583 // Test that RSA-PSS is enabled by default for TLS 1.2.
7584 testCases = append(testCases, testCase{
7585 testType: clientTest,
7586 name: "RSA-PSS-Default-Verify",
7587 config: Config{
7588 MaxVersion: VersionTLS12,
7589 SignSignatureAlgorithms: []signatureAlgorithm{
7590 signatureRSAPSSWithSHA256,
7591 },
7592 },
7593 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7594 })
7595
7596 testCases = append(testCases, testCase{
7597 testType: serverTest,
7598 name: "RSA-PSS-Default-Sign",
7599 config: Config{
7600 MaxVersion: VersionTLS12,
7601 VerifySignatureAlgorithms: []signatureAlgorithm{
7602 signatureRSAPSSWithSHA256,
7603 },
7604 },
7605 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7606 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7607
7608 // TLS 1.1 and below has no way to advertise support for or negotiate
7609 // Ed25519's signature algorithm.
7610 testCases = append(testCases, testCase{
7611 testType: clientTest,
7612 name: "NoEd25519-TLS11-ServerAuth-Verify",
7613 config: Config{
7614 MaxVersion: VersionTLS11,
7615 Certificates: []Certificate{ed25519Certificate},
7616 Bugs: ProtocolBugs{
7617 // Sign with Ed25519 even though it is TLS 1.1.
7618 UseLegacySigningAlgorithm: signatureEd25519,
7619 },
7620 },
7621 flags: []string{"-enable-ed25519"},
7622 shouldFail: true,
7623 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7624 })
7625 testCases = append(testCases, testCase{
7626 testType: serverTest,
7627 name: "NoEd25519-TLS11-ServerAuth-Sign",
7628 config: Config{
7629 MaxVersion: VersionTLS11,
7630 },
7631 flags: []string{
7632 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7633 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7634 },
7635 shouldFail: true,
7636 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7637 })
7638 testCases = append(testCases, testCase{
7639 testType: serverTest,
7640 name: "NoEd25519-TLS11-ClientAuth-Verify",
7641 config: Config{
7642 MaxVersion: VersionTLS11,
7643 Certificates: []Certificate{ed25519Certificate},
7644 Bugs: ProtocolBugs{
7645 // Sign with Ed25519 even though it is TLS 1.1.
7646 UseLegacySigningAlgorithm: signatureEd25519,
7647 },
7648 },
7649 flags: []string{
7650 "-enable-ed25519",
7651 "-require-any-client-certificate",
7652 },
7653 shouldFail: true,
7654 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7655 })
7656 testCases = append(testCases, testCase{
7657 testType: clientTest,
7658 name: "NoEd25519-TLS11-ClientAuth-Sign",
7659 config: Config{
7660 MaxVersion: VersionTLS11,
7661 ClientAuth: RequireAnyClientCert,
7662 },
7663 flags: []string{
7664 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7665 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7666 },
7667 shouldFail: true,
7668 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7669 })
7670
7671 // Test Ed25519 is not advertised by default.
7672 testCases = append(testCases, testCase{
7673 testType: clientTest,
7674 name: "Ed25519DefaultDisable-NoAdvertise",
7675 config: Config{
7676 Certificates: []Certificate{ed25519Certificate},
7677 },
7678 shouldFail: true,
7679 expectedLocalError: "tls: no common signature algorithms",
7680 })
7681
7682 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7683 // preferences.
7684 testCases = append(testCases, testCase{
7685 testType: clientTest,
7686 name: "Ed25519DefaultDisable-NoAccept",
7687 config: Config{
7688 Certificates: []Certificate{ed25519Certificate},
7689 Bugs: ProtocolBugs{
7690 IgnorePeerSignatureAlgorithmPreferences: true,
7691 },
7692 },
7693 shouldFail: true,
7694 expectedLocalError: "remote error: illegal parameter",
7695 expectedError: ":WRONG_SIGNATURE_TYPE:",
7696 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame]7697
7698 // Test that configuring verify preferences changes what the client
7699 // advertises.
7700 testCases = append(testCases, testCase{
7701 name: "VerifyPreferences-Advertised",
7702 config: Config{
7703 Certificates: []Certificate{rsaCertificate},
7704 SignSignatureAlgorithms: []signatureAlgorithm{
7705 signatureRSAPSSWithSHA256,
7706 signatureRSAPSSWithSHA384,
7707 signatureRSAPSSWithSHA512,
7708 },
7709 },
7710 flags: []string{
7711 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7712 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7713 },
7714 })
7715
7716 // Test that the client advertises a set which the runner can find
7717 // nothing in common with.
7718 testCases = append(testCases, testCase{
7719 name: "VerifyPreferences-NoCommonAlgorithms",
7720 config: Config{
7721 Certificates: []Certificate{rsaCertificate},
7722 SignSignatureAlgorithms: []signatureAlgorithm{
7723 signatureRSAPSSWithSHA256,
7724 signatureRSAPSSWithSHA512,
7725 },
7726 },
7727 flags: []string{
7728 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7729 },
7730 shouldFail: true,
7731 expectedLocalError: "tls: no common signature algorithms",
7732 })
7733
7734 // Test that the client enforces its preferences when configured.
7735 testCases = append(testCases, testCase{
7736 name: "VerifyPreferences-Enforced",
7737 config: Config{
7738 Certificates: []Certificate{rsaCertificate},
7739 SignSignatureAlgorithms: []signatureAlgorithm{
7740 signatureRSAPSSWithSHA256,
7741 signatureRSAPSSWithSHA512,
7742 },
7743 Bugs: ProtocolBugs{
7744 IgnorePeerSignatureAlgorithmPreferences: true,
7745 },
7746 },
7747 flags: []string{
7748 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7749 },
7750 shouldFail: true,
7751 expectedLocalError: "remote error: illegal parameter",
7752 expectedError: ":WRONG_SIGNATURE_TYPE:",
7753 })
7754
7755 // Test that explicitly configuring Ed25519 is as good as changing the
7756 // boolean toggle.
7757 testCases = append(testCases, testCase{
7758 name: "VerifyPreferences-Ed25519",
7759 config: Config{
7760 Certificates: []Certificate{ed25519Certificate},
7761 },
7762 flags: []string{
7763 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7764 },
7765 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7766}
7767
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7768// timeouts is the retransmit schedule for BoringSSL. It doubles and
7769// caps at 60 seconds. On the 13th timeout, it gives up.
7770var timeouts = []time.Duration{
7771 1 * time.Second,
7772 2 * time.Second,
7773 4 * time.Second,
7774 8 * time.Second,
7775 16 * time.Second,
7776 32 * time.Second,
7777 60 * time.Second,
7778 60 * time.Second,
7779 60 * time.Second,
7780 60 * time.Second,
7781 60 * time.Second,
7782 60 * time.Second,
7783 60 * time.Second,
7784}
7785
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7786// shortTimeouts is an alternate set of timeouts which would occur if the
7787// initial timeout duration was set to 250ms.
7788var shortTimeouts = []time.Duration{
7789 250 * time.Millisecond,
7790 500 * time.Millisecond,
7791 1 * time.Second,
7792 2 * time.Second,
7793 4 * time.Second,
7794 8 * time.Second,
7795 16 * time.Second,
7796 32 * time.Second,
7797 60 * time.Second,
7798 60 * time.Second,
7799 60 * time.Second,
7800 60 * time.Second,
7801 60 * time.Second,
7802}
7803
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7804func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7805 // These tests work by coordinating some behavior on both the shim and
7806 // the runner.
7807 //
7808 // TimeoutSchedule configures the runner to send a series of timeout
7809 // opcodes to the shim (see packetAdaptor) immediately before reading
7810 // each peer handshake flight N. The timeout opcode both simulates a
7811 // timeout in the shim and acts as a synchronization point to help the
7812 // runner bracket each handshake flight.
7813 //
7814 // We assume the shim does not read from the channel eagerly. It must
7815 // first wait until it has sent flight N and is ready to receive
7816 // handshake flight N+1. At this point, it will process the timeout
7817 // opcode. It must then immediately respond with a timeout ACK and act
7818 // as if the shim was idle for the specified amount of time.
7819 //
7820 // The runner then drops all packets received before the ACK and
7821 // continues waiting for flight N. This ordering results in one attempt
7822 // at sending flight N to be dropped. For the test to complete, the
7823 // shim must send flight N again, testing that the shim implements DTLS
7824 // retransmit on a timeout.
7825
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7826 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7827 // likely be more epochs to cross and the final message's retransmit may
7828 // be more complex.
7829
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7830 // Test that this is indeed the timeout schedule. Stress all
7831 // four patterns of handshake.
7832 for i := 1; i < len(timeouts); i++ {
7833 number := strconv.Itoa(i)
7834 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7835 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7836 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7837 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7838 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7839 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7840 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7841 },
7842 },
7843 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7844 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7845 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7846 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7847 protocol: dtls,
7848 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7849 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7850 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7851 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7852 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7853 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7854 },
7855 },
7856 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7857 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7858 })
7859 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7860
7861 // Test that exceeding the timeout schedule hits a read
7862 // timeout.
7863 testCases = append(testCases, testCase{
7864 protocol: dtls,
7865 name: "DTLS-Retransmit-Timeout",
7866 config: Config{
7867 MaxVersion: VersionTLS12,
7868 Bugs: ProtocolBugs{
7869 TimeoutSchedule: timeouts,
7870 },
7871 },
7872 resumeSession: true,
7873 flags: []string{"-async"},
7874 shouldFail: true,
7875 expectedError: ":READ_TIMEOUT_EXPIRED:",
7876 })
7877
7878 // Test that timeout handling has a fudge factor, due to API
7879 // problems.
7880 testCases = append(testCases, testCase{
7881 protocol: dtls,
7882 name: "DTLS-Retransmit-Fudge",
7883 config: Config{
7884 MaxVersion: VersionTLS12,
7885 Bugs: ProtocolBugs{
7886 TimeoutSchedule: []time.Duration{
7887 timeouts[0] - 10*time.Millisecond,
7888 },
7889 },
7890 },
7891 resumeSession: true,
7892 flags: []string{"-async"},
7893 })
7894
7895 // Test that the final Finished retransmitting isn't
7896 // duplicated if the peer badly fragments everything.
7897 testCases = append(testCases, testCase{
7898 testType: serverTest,
7899 protocol: dtls,
7900 name: "DTLS-Retransmit-Fragmented",
7901 config: Config{
7902 MaxVersion: VersionTLS12,
7903 Bugs: ProtocolBugs{
7904 TimeoutSchedule: []time.Duration{timeouts[0]},
7905 MaxHandshakeRecordLength: 2,
7906 },
7907 },
7908 flags: []string{"-async"},
7909 })
7910
7911 // Test the timeout schedule when a shorter initial timeout duration is set.
7912 testCases = append(testCases, testCase{
7913 protocol: dtls,
7914 name: "DTLS-Retransmit-Short-Client",
7915 config: Config{
7916 MaxVersion: VersionTLS12,
7917 Bugs: ProtocolBugs{
7918 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7919 },
7920 },
7921 resumeSession: true,
7922 flags: []string{
7923 "-async",
7924 "-initial-timeout-duration-ms", "250",
7925 },
7926 })
7927 testCases = append(testCases, testCase{
7928 protocol: dtls,
7929 testType: serverTest,
7930 name: "DTLS-Retransmit-Short-Server",
7931 config: Config{
7932 MaxVersion: VersionTLS12,
7933 Bugs: ProtocolBugs{
7934 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7935 },
7936 },
7937 resumeSession: true,
7938 flags: []string{
7939 "-async",
7940 "-initial-timeout-duration-ms", "250",
7941 },
7942 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7943}
7944
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7945func addExportKeyingMaterialTests() {
7946 for _, vers := range tlsVersions {
7947 if vers.version == VersionSSL30 {
7948 continue
7949 }
7950 testCases = append(testCases, testCase{
7951 name: "ExportKeyingMaterial-" + vers.name,
7952 config: Config{
7953 MaxVersion: vers.version,
7954 },
7955 exportKeyingMaterial: 1024,
7956 exportLabel: "label",
7957 exportContext: "context",
7958 useExportContext: true,
7959 })
7960 testCases = append(testCases, testCase{
7961 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7962 config: Config{
7963 MaxVersion: vers.version,
7964 },
7965 exportKeyingMaterial: 1024,
7966 })
7967 testCases = append(testCases, testCase{
7968 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7969 config: Config{
7970 MaxVersion: vers.version,
7971 },
7972 exportKeyingMaterial: 1024,
7973 useExportContext: true,
7974 })
7975 testCases = append(testCases, testCase{
7976 name: "ExportKeyingMaterial-Small-" + vers.name,
7977 config: Config{
7978 MaxVersion: vers.version,
7979 },
7980 exportKeyingMaterial: 1,
7981 exportLabel: "label",
7982 exportContext: "context",
7983 useExportContext: true,
7984 })
7985 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7986
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7987 testCases = append(testCases, testCase{
7988 name: "ExportKeyingMaterial-SSL3",
7989 config: Config{
7990 MaxVersion: VersionSSL30,
7991 },
7992 exportKeyingMaterial: 1024,
7993 exportLabel: "label",
7994 exportContext: "context",
7995 useExportContext: true,
7996 shouldFail: true,
7997 expectedError: "failed to export keying material",
7998 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7999
8000 // Exporters work during a False Start.
8001 testCases = append(testCases, testCase{
8002 name: "ExportKeyingMaterial-FalseStart",
8003 config: Config{
8004 MaxVersion: VersionTLS12,
8005 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8006 NextProtos: []string{"foo"},
8007 Bugs: ProtocolBugs{
8008 ExpectFalseStart: true,
8009 },
8010 },
8011 flags: []string{
8012 "-false-start",
8013 "-advertise-alpn", "\x03foo",
8014 },
8015 shimWritesFirst: true,
8016 exportKeyingMaterial: 1024,
8017 exportLabel: "label",
8018 exportContext: "context",
8019 useExportContext: true,
8020 })
8021
8022 // Exporters do not work in the middle of a renegotiation. Test this by
8023 // triggering the exporter after every SSL_read call and configuring the
8024 // shim to run asynchronously.
8025 testCases = append(testCases, testCase{
8026 name: "ExportKeyingMaterial-Renegotiate",
8027 config: Config{
8028 MaxVersion: VersionTLS12,
8029 },
8030 renegotiate: 1,
8031 flags: []string{
8032 "-async",
8033 "-use-exporter-between-reads",
8034 "-renegotiate-freely",
8035 "-expect-total-renegotiations", "1",
8036 },
8037 shouldFail: true,
8038 expectedError: "failed to export keying material",
8039 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8040}
8041
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8042func addTLSUniqueTests() {
8043 for _, isClient := range []bool{false, true} {
8044 for _, isResumption := range []bool{false, true} {
8045 for _, hasEMS := range []bool{false, true} {
8046 var suffix string
8047 if isResumption {
8048 suffix = "Resume-"
8049 } else {
8050 suffix = "Full-"
8051 }
8052
8053 if hasEMS {
8054 suffix += "EMS-"
8055 } else {
8056 suffix += "NoEMS-"
8057 }
8058
8059 if isClient {
8060 suffix += "Client"
8061 } else {
8062 suffix += "Server"
8063 }
8064
8065 test := testCase{
8066 name: "TLSUnique-" + suffix,
8067 testTLSUnique: true,
8068 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8069 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8070 Bugs: ProtocolBugs{
8071 NoExtendedMasterSecret: !hasEMS,
8072 },
8073 },
8074 }
8075
8076 if isResumption {
8077 test.resumeSession = true
8078 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8079 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8080 Bugs: ProtocolBugs{
8081 NoExtendedMasterSecret: !hasEMS,
8082 },
8083 }
8084 }
8085
8086 if isResumption && !hasEMS {
8087 test.shouldFail = true
8088 test.expectedError = "failed to get tls-unique"
8089 }
8090
8091 testCases = append(testCases, test)
8092 }
8093 }
8094 }
8095}
8096
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8097func addCustomExtensionTests() {
8098 expectedContents := "custom extension"
8099 emptyString := ""
8100
8101 for _, isClient := range []bool{false, true} {
8102 suffix := "Server"
8103 flag := "-enable-server-custom-extension"
8104 testType := serverTest
8105 if isClient {
8106 suffix = "Client"
8107 flag = "-enable-client-custom-extension"
8108 testType = clientTest
8109 }
8110
8111 testCases = append(testCases, testCase{
8112 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8113 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8114 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8115 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8116 Bugs: ProtocolBugs{
8117 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8118 ExpectedCustomExtension: &expectedContents,
8119 },
8120 },
8121 flags: []string{flag},
8122 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8123 testCases = append(testCases, testCase{
8124 testType: testType,
8125 name: "CustomExtensions-" + suffix + "-TLS13",
8126 config: Config{
8127 MaxVersion: VersionTLS13,
8128 Bugs: ProtocolBugs{
8129 CustomExtension: expectedContents,
8130 ExpectedCustomExtension: &expectedContents,
8131 },
8132 },
8133 flags: []string{flag},
8134 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8135
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8136 // 0-RTT is not currently supported with Custom Extensions.
8137 testCases = append(testCases, testCase{
8138 testType: testType,
8139 name: "CustomExtensions-" + suffix + "-EarlyData",
8140 config: Config{
8141 MaxVersion: VersionTLS13,
8142 Bugs: ProtocolBugs{
8143 CustomExtension: expectedContents,
8144 ExpectedCustomExtension: &expectedContents,
8145 },
8146 },
8147 shouldFail: true,
8148 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8149 flags: []string{flag, "-enable-early-data"},
8150 })
8151
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8152 // If the parse callback fails, the handshake should also fail.
8153 testCases = append(testCases, testCase{
8154 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8155 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8156 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8157 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8158 Bugs: ProtocolBugs{
8159 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8160 ExpectedCustomExtension: &expectedContents,
8161 },
8162 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8163 flags: []string{flag},
8164 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8165 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8166 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8167 testCases = append(testCases, testCase{
8168 testType: testType,
8169 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8170 config: Config{
8171 MaxVersion: VersionTLS13,
8172 Bugs: ProtocolBugs{
8173 CustomExtension: expectedContents + "foo",
8174 ExpectedCustomExtension: &expectedContents,
8175 },
8176 },
8177 flags: []string{flag},
8178 shouldFail: true,
8179 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8180 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8181
8182 // If the add callback fails, the handshake should also fail.
8183 testCases = append(testCases, testCase{
8184 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8185 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8186 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8187 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8188 Bugs: ProtocolBugs{
8189 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8190 ExpectedCustomExtension: &expectedContents,
8191 },
8192 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8193 flags: []string{flag, "-custom-extension-fail-add"},
8194 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8195 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8196 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8197 testCases = append(testCases, testCase{
8198 testType: testType,
8199 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8200 config: Config{
8201 MaxVersion: VersionTLS13,
8202 Bugs: ProtocolBugs{
8203 CustomExtension: expectedContents,
8204 ExpectedCustomExtension: &expectedContents,
8205 },
8206 },
8207 flags: []string{flag, "-custom-extension-fail-add"},
8208 shouldFail: true,
8209 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8210 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8211
8212 // If the add callback returns zero, no extension should be
8213 // added.
8214 skipCustomExtension := expectedContents
8215 if isClient {
8216 // For the case where the client skips sending the
8217 // custom extension, the server must not “echo” it.
8218 skipCustomExtension = ""
8219 }
8220 testCases = append(testCases, testCase{
8221 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8222 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8223 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8224 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8225 Bugs: ProtocolBugs{
8226 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8227 ExpectedCustomExtension: &emptyString,
8228 },
8229 },
8230 flags: []string{flag, "-custom-extension-skip"},
8231 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8232 testCases = append(testCases, testCase{
8233 testType: testType,
8234 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8235 config: Config{
8236 MaxVersion: VersionTLS13,
8237 Bugs: ProtocolBugs{
8238 CustomExtension: skipCustomExtension,
8239 ExpectedCustomExtension: &emptyString,
8240 },
8241 },
8242 flags: []string{flag, "-custom-extension-skip"},
8243 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8244 }
8245
8246 // The custom extension add callback should not be called if the client
8247 // doesn't send the extension.
8248 testCases = append(testCases, testCase{
8249 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8250 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8251 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8252 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8253 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8254 ExpectedCustomExtension: &emptyString,
8255 },
8256 },
8257 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8258 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8259
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8260 testCases = append(testCases, testCase{
8261 testType: serverTest,
8262 name: "CustomExtensions-NotCalled-Server-TLS13",
8263 config: Config{
8264 MaxVersion: VersionTLS13,
8265 Bugs: ProtocolBugs{
8266 ExpectedCustomExtension: &emptyString,
8267 },
8268 },
8269 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8270 })
8271
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8272 // Test an unknown extension from the server.
8273 testCases = append(testCases, testCase{
8274 testType: clientTest,
8275 name: "UnknownExtension-Client",
8276 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8277 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8278 Bugs: ProtocolBugs{
8279 CustomExtension: expectedContents,
8280 },
8281 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8282 shouldFail: true,
8283 expectedError: ":UNEXPECTED_EXTENSION:",
8284 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8285 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8286 testCases = append(testCases, testCase{
8287 testType: clientTest,
8288 name: "UnknownExtension-Client-TLS13",
8289 config: Config{
8290 MaxVersion: VersionTLS13,
8291 Bugs: ProtocolBugs{
8292 CustomExtension: expectedContents,
8293 },
8294 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8295 shouldFail: true,
8296 expectedError: ":UNEXPECTED_EXTENSION:",
8297 expectedLocalError: "remote error: unsupported extension",
8298 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8299 testCases = append(testCases, testCase{
8300 testType: clientTest,
8301 name: "UnknownUnencryptedExtension-Client-TLS13",
8302 config: Config{
8303 MaxVersion: VersionTLS13,
8304 Bugs: ProtocolBugs{
8305 CustomUnencryptedExtension: expectedContents,
8306 },
8307 },
8308 shouldFail: true,
8309 expectedError: ":UNEXPECTED_EXTENSION:",
8310 // The shim must send an alert, but alerts at this point do not
8311 // get successfully decrypted by the runner.
8312 expectedLocalError: "local error: bad record MAC",
8313 })
8314 testCases = append(testCases, testCase{
8315 testType: clientTest,
8316 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8317 config: Config{
8318 MaxVersion: VersionTLS13,
8319 Bugs: ProtocolBugs{
8320 SendUnencryptedALPN: "foo",
8321 },
8322 },
8323 flags: []string{
8324 "-advertise-alpn", "\x03foo\x03bar",
8325 },
8326 shouldFail: true,
8327 expectedError: ":UNEXPECTED_EXTENSION:",
8328 // The shim must send an alert, but alerts at this point do not
8329 // get successfully decrypted by the runner.
8330 expectedLocalError: "local error: bad record MAC",
8331 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8332
8333 // Test a known but unoffered extension from the server.
8334 testCases = append(testCases, testCase{
8335 testType: clientTest,
8336 name: "UnofferedExtension-Client",
8337 config: Config{
8338 MaxVersion: VersionTLS12,
8339 Bugs: ProtocolBugs{
8340 SendALPN: "alpn",
8341 },
8342 },
8343 shouldFail: true,
8344 expectedError: ":UNEXPECTED_EXTENSION:",
8345 expectedLocalError: "remote error: unsupported extension",
8346 })
8347 testCases = append(testCases, testCase{
8348 testType: clientTest,
8349 name: "UnofferedExtension-Client-TLS13",
8350 config: Config{
8351 MaxVersion: VersionTLS13,
8352 Bugs: ProtocolBugs{
8353 SendALPN: "alpn",
8354 },
8355 },
8356 shouldFail: true,
8357 expectedError: ":UNEXPECTED_EXTENSION:",
8358 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8359 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8360}
8361
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8362func addRSAClientKeyExchangeTests() {
8363 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8364 testCases = append(testCases, testCase{
8365 testType: serverTest,
8366 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8367 config: Config{
8368 // Ensure the ClientHello version and final
8369 // version are different, to detect if the
8370 // server uses the wrong one.
8371 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8372 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8373 Bugs: ProtocolBugs{
8374 BadRSAClientKeyExchange: bad,
8375 },
8376 },
8377 shouldFail: true,
8378 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8379 })
8380 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8381
8382 // The server must compare whatever was in ClientHello.version for the
8383 // RSA premaster.
8384 testCases = append(testCases, testCase{
8385 testType: serverTest,
8386 name: "SendClientVersion-RSA",
8387 config: Config{
8388 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8389 Bugs: ProtocolBugs{
8390 SendClientVersion: 0x1234,
8391 },
8392 },
8393 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8394 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8395}
8396
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8397var testCurves = []struct {
8398 name string
8399 id CurveID
8400}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8401 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8402 {"P-256", CurveP256},
8403 {"P-384", CurveP384},
8404 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8405 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8406}
8407
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8408const bogusCurve = 0x1234
8409
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8410func addCurveTests() {
8411 for _, curve := range testCurves {
8412 testCases = append(testCases, testCase{
8413 name: "CurveTest-Client-" + curve.name,
8414 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8415 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8416 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8417 CurvePreferences: []CurveID{curve.id},
8418 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8419 flags: []string{
8420 "-enable-all-curves",
8421 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8422 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8423 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8424 })
8425 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8426 name: "CurveTest-Client-" + curve.name + "-TLS13",
8427 config: Config{
8428 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8429 CurvePreferences: []CurveID{curve.id},
8430 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8431 flags: []string{
8432 "-enable-all-curves",
8433 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8434 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8435 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8436 })
8437 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8438 testType: serverTest,
8439 name: "CurveTest-Server-" + curve.name,
8440 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8441 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8442 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8443 CurvePreferences: []CurveID{curve.id},
8444 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8445 flags: []string{
8446 "-enable-all-curves",
8447 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8448 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8449 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8450 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8451 testCases = append(testCases, testCase{
8452 testType: serverTest,
8453 name: "CurveTest-Server-" + curve.name + "-TLS13",
8454 config: Config{
8455 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8456 CurvePreferences: []CurveID{curve.id},
8457 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8458 flags: []string{
8459 "-enable-all-curves",
8460 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8461 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8462 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8463 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8464 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8465
8466 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8467 testCases = append(testCases, testCase{
8468 testType: serverTest,
8469 name: "UnknownCurve",
8470 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8471 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8472 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8473 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8474 },
8475 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8476
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8477 // The server must be tolerant to bogus curves.
8478 testCases = append(testCases, testCase{
8479 testType: serverTest,
8480 name: "UnknownCurve-TLS13",
8481 config: Config{
8482 MaxVersion: VersionTLS13,
8483 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8484 },
8485 })
8486
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8487 // The server must not consider ECDHE ciphers when there are no
8488 // supported curves.
8489 testCases = append(testCases, testCase{
8490 testType: serverTest,
8491 name: "NoSupportedCurves",
8492 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8493 MaxVersion: VersionTLS12,
8494 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8495 Bugs: ProtocolBugs{
8496 NoSupportedCurves: true,
8497 },
8498 },
8499 shouldFail: true,
8500 expectedError: ":NO_SHARED_CIPHER:",
8501 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8502 testCases = append(testCases, testCase{
8503 testType: serverTest,
8504 name: "NoSupportedCurves-TLS13",
8505 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8506 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8507 Bugs: ProtocolBugs{
8508 NoSupportedCurves: true,
8509 },
8510 },
8511 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8512 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8513 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8514
8515 // The server must fall back to another cipher when there are no
8516 // supported curves.
8517 testCases = append(testCases, testCase{
8518 testType: serverTest,
8519 name: "NoCommonCurves",
8520 config: Config{
8521 MaxVersion: VersionTLS12,
8522 CipherSuites: []uint16{
8523 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8524 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8525 },
8526 CurvePreferences: []CurveID{CurveP224},
8527 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8528 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8529 })
8530
8531 // The client must reject bogus curves and disabled curves.
8532 testCases = append(testCases, testCase{
8533 name: "BadECDHECurve",
8534 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8535 MaxVersion: VersionTLS12,
8536 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8537 Bugs: ProtocolBugs{
8538 SendCurve: bogusCurve,
8539 },
8540 },
8541 shouldFail: true,
8542 expectedError: ":WRONG_CURVE:",
8543 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8544 testCases = append(testCases, testCase{
8545 name: "BadECDHECurve-TLS13",
8546 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8547 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8548 Bugs: ProtocolBugs{
8549 SendCurve: bogusCurve,
8550 },
8551 },
8552 shouldFail: true,
8553 expectedError: ":WRONG_CURVE:",
8554 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8555
8556 testCases = append(testCases, testCase{
8557 name: "UnsupportedCurve",
8558 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8559 MaxVersion: VersionTLS12,
8560 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8561 CurvePreferences: []CurveID{CurveP256},
8562 Bugs: ProtocolBugs{
8563 IgnorePeerCurvePreferences: true,
8564 },
8565 },
8566 flags: []string{"-p384-only"},
8567 shouldFail: true,
8568 expectedError: ":WRONG_CURVE:",
8569 })
8570
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8571 testCases = append(testCases, testCase{
8572 // TODO(davidben): Add a TLS 1.3 version where
8573 // HelloRetryRequest requests an unsupported curve.
8574 name: "UnsupportedCurve-ServerHello-TLS13",
8575 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8576 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8577 CurvePreferences: []CurveID{CurveP384},
8578 Bugs: ProtocolBugs{
8579 SendCurve: CurveP256,
8580 },
8581 },
8582 flags: []string{"-p384-only"},
8583 shouldFail: true,
8584 expectedError: ":WRONG_CURVE:",
8585 })
8586
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8587 // Test invalid curve points.
8588 testCases = append(testCases, testCase{
8589 name: "InvalidECDHPoint-Client",
8590 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8591 MaxVersion: VersionTLS12,
8592 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8593 CurvePreferences: []CurveID{CurveP256},
8594 Bugs: ProtocolBugs{
8595 InvalidECDHPoint: true,
8596 },
8597 },
8598 shouldFail: true,
8599 expectedError: ":INVALID_ENCODING:",
8600 })
8601 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8602 name: "InvalidECDHPoint-Client-TLS13",
8603 config: Config{
8604 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8605 CurvePreferences: []CurveID{CurveP256},
8606 Bugs: ProtocolBugs{
8607 InvalidECDHPoint: true,
8608 },
8609 },
8610 shouldFail: true,
8611 expectedError: ":INVALID_ENCODING:",
8612 })
8613 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8614 testType: serverTest,
8615 name: "InvalidECDHPoint-Server",
8616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8617 MaxVersion: VersionTLS12,
8618 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8619 CurvePreferences: []CurveID{CurveP256},
8620 Bugs: ProtocolBugs{
8621 InvalidECDHPoint: true,
8622 },
8623 },
8624 shouldFail: true,
8625 expectedError: ":INVALID_ENCODING:",
8626 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8627 testCases = append(testCases, testCase{
8628 testType: serverTest,
8629 name: "InvalidECDHPoint-Server-TLS13",
8630 config: Config{
8631 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8632 CurvePreferences: []CurveID{CurveP256},
8633 Bugs: ProtocolBugs{
8634 InvalidECDHPoint: true,
8635 },
8636 },
8637 shouldFail: true,
8638 expectedError: ":INVALID_ENCODING:",
8639 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8640
8641 // The previous curve ID should be reported on TLS 1.2 resumption.
8642 testCases = append(testCases, testCase{
8643 name: "CurveID-Resume-Client",
8644 config: Config{
8645 MaxVersion: VersionTLS12,
8646 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8647 CurvePreferences: []CurveID{CurveX25519},
8648 },
8649 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8650 resumeSession: true,
8651 })
8652 testCases = append(testCases, testCase{
8653 testType: serverTest,
8654 name: "CurveID-Resume-Server",
8655 config: Config{
8656 MaxVersion: VersionTLS12,
8657 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8658 CurvePreferences: []CurveID{CurveX25519},
8659 },
8660 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8661 resumeSession: true,
8662 })
8663
8664 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8665 // one should be reported.
8666 testCases = append(testCases, testCase{
8667 name: "CurveID-Resume-Client-TLS13",
8668 config: Config{
8669 MaxVersion: VersionTLS13,
8670 CurvePreferences: []CurveID{CurveX25519},
8671 },
8672 resumeConfig: &Config{
8673 MaxVersion: VersionTLS13,
8674 CurvePreferences: []CurveID{CurveP256},
8675 },
8676 flags: []string{
8677 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8678 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8679 },
8680 resumeSession: true,
8681 })
8682 testCases = append(testCases, testCase{
8683 testType: serverTest,
8684 name: "CurveID-Resume-Server-TLS13",
8685 config: Config{
8686 MaxVersion: VersionTLS13,
8687 CurvePreferences: []CurveID{CurveX25519},
8688 },
8689 resumeConfig: &Config{
8690 MaxVersion: VersionTLS13,
8691 CurvePreferences: []CurveID{CurveP256},
8692 },
8693 flags: []string{
8694 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8695 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8696 },
8697 resumeSession: true,
8698 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8699
8700 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8701 testCases = append(testCases, testCase{
8702 name: "PointFormat-ServerHello-TLS12",
8703 config: Config{
8704 MaxVersion: VersionTLS12,
8705 Bugs: ProtocolBugs{
8706 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8707 },
8708 },
8709 })
8710 testCases = append(testCases, testCase{
8711 name: "PointFormat-EncryptedExtensions-TLS13",
8712 config: Config{
8713 MaxVersion: VersionTLS13,
8714 Bugs: ProtocolBugs{
8715 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8716 },
8717 },
8718 shouldFail: true,
8719 expectedError: ":ERROR_PARSING_EXTENSION:",
8720 })
8721
8722 // Test that we tolerate unknown point formats, as long as
8723 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8724 // check they are still functional.
8725 testCases = append(testCases, testCase{
8726 name: "PointFormat-Client-Tolerance",
8727 config: Config{
8728 MaxVersion: VersionTLS12,
8729 Bugs: ProtocolBugs{
8730 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8731 },
8732 },
8733 })
8734 testCases = append(testCases, testCase{
8735 testType: serverTest,
8736 name: "PointFormat-Server-Tolerance",
8737 config: Config{
8738 MaxVersion: VersionTLS12,
8739 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8740 Bugs: ProtocolBugs{
8741 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8742 },
8743 },
8744 })
8745
8746 // Test TLS 1.2 does not require the point format extension to be
8747 // present.
8748 testCases = append(testCases, testCase{
8749 name: "PointFormat-Client-Missing",
8750 config: Config{
8751 MaxVersion: VersionTLS12,
8752 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8753 Bugs: ProtocolBugs{
8754 SendSupportedPointFormats: []byte{},
8755 },
8756 },
8757 })
8758 testCases = append(testCases, testCase{
8759 testType: serverTest,
8760 name: "PointFormat-Server-Missing",
8761 config: Config{
8762 MaxVersion: VersionTLS12,
8763 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8764 Bugs: ProtocolBugs{
8765 SendSupportedPointFormats: []byte{},
8766 },
8767 },
8768 })
8769
8770 // If the point format extension is present, uncompressed points must be
8771 // offered. BoringSSL requires this whether or not ECDHE is used.
8772 testCases = append(testCases, testCase{
8773 name: "PointFormat-Client-MissingUncompressed",
8774 config: Config{
8775 MaxVersion: VersionTLS12,
8776 Bugs: ProtocolBugs{
8777 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8778 },
8779 },
8780 shouldFail: true,
8781 expectedError: ":ERROR_PARSING_EXTENSION:",
8782 })
8783 testCases = append(testCases, testCase{
8784 testType: serverTest,
8785 name: "PointFormat-Server-MissingUncompressed",
8786 config: Config{
8787 MaxVersion: VersionTLS12,
8788 Bugs: ProtocolBugs{
8789 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8790 },
8791 },
8792 shouldFail: true,
8793 expectedError: ":ERROR_PARSING_EXTENSION:",
8794 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8795}
8796
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8797func addTLS13RecordTests() {
8798 testCases = append(testCases, testCase{
8799 name: "TLS13-RecordPadding",
8800 config: Config{
8801 MaxVersion: VersionTLS13,
8802 MinVersion: VersionTLS13,
8803 Bugs: ProtocolBugs{
8804 RecordPadding: 10,
8805 },
8806 },
8807 })
8808
8809 testCases = append(testCases, testCase{
8810 name: "TLS13-EmptyRecords",
8811 config: Config{
8812 MaxVersion: VersionTLS13,
8813 MinVersion: VersionTLS13,
8814 Bugs: ProtocolBugs{
8815 OmitRecordContents: true,
8816 },
8817 },
8818 shouldFail: true,
8819 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8820 })
8821
8822 testCases = append(testCases, testCase{
8823 name: "TLS13-OnlyPadding",
8824 config: Config{
8825 MaxVersion: VersionTLS13,
8826 MinVersion: VersionTLS13,
8827 Bugs: ProtocolBugs{
8828 OmitRecordContents: true,
8829 RecordPadding: 10,
8830 },
8831 },
8832 shouldFail: true,
8833 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8834 })
8835
8836 testCases = append(testCases, testCase{
8837 name: "TLS13-WrongOuterRecord",
8838 config: Config{
8839 MaxVersion: VersionTLS13,
8840 MinVersion: VersionTLS13,
8841 Bugs: ProtocolBugs{
8842 OuterRecordType: recordTypeHandshake,
8843 },
8844 },
8845 shouldFail: true,
8846 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8847 })
8848}
8849
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8850func addSessionTicketTests() {
8851 testCases = append(testCases, testCase{
8852 // In TLS 1.2 and below, empty NewSessionTicket messages
8853 // mean the server changed its mind on sending a ticket.
8854 name: "SendEmptySessionTicket",
8855 config: Config{
8856 MaxVersion: VersionTLS12,
8857 Bugs: ProtocolBugs{
8858 SendEmptySessionTicket: true,
8859 },
8860 },
8861 flags: []string{"-expect-no-session"},
8862 })
8863
8864 // Test that the server ignores unknown PSK modes.
8865 testCases = append(testCases, testCase{
8866 testType: serverTest,
8867 name: "TLS13-SendUnknownModeSessionTicket-Server",
8868 config: Config{
8869 MaxVersion: VersionTLS13,
8870 Bugs: ProtocolBugs{
8871 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8872 },
8873 },
8874 resumeSession: true,
8875 expectedResumeVersion: VersionTLS13,
8876 })
8877
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8878 // Test that the server does not send session tickets with no matching key exchange mode.
8879 testCases = append(testCases, testCase{
8880 testType: serverTest,
8881 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8882 config: Config{
8883 MaxVersion: VersionTLS13,
8884 Bugs: ProtocolBugs{
8885 SendPSKKeyExchangeModes: []byte{0x1a},
8886 ExpectNoNewSessionTicket: true,
8887 },
8888 },
8889 })
8890
8891 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8892 testCases = append(testCases, testCase{
8893 testType: serverTest,
8894 name: "TLS13-SendBadKEModeSessionTicket-Server",
8895 config: Config{
8896 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8897 },
8898 resumeConfig: &Config{
8899 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8900 Bugs: ProtocolBugs{
8901 SendPSKKeyExchangeModes: []byte{0x1a},
8902 },
8903 },
8904 resumeSession: true,
8905 expectResumeRejected: true,
8906 })
8907
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8908 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8909 testCases = append(testCases, testCase{
8910 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8911 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8912 config: Config{
8913 MaxVersion: VersionTLS13,
8914 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8915 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8916 },
8917 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8918 resumeSession: true,
8919 flags: []string{
8920 "-resumption-delay", "10",
8921 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8922 })
8923
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8924 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8925 testCases = append(testCases, testCase{
8926 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8927 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8928 config: Config{
8929 MaxVersion: VersionTLS13,
8930 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8931 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8932 },
8933 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8934 resumeSession: true,
8935 shouldFail: true,
8936 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8937 })
8938
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8939 // Test that the server's ticket age skew reporting works.
8940 testCases = append(testCases, testCase{
8941 testType: serverTest,
8942 name: "TLS13-TicketAgeSkew-Forward",
8943 config: Config{
8944 MaxVersion: VersionTLS13,
8945 Bugs: ProtocolBugs{
8946 SendTicketAge: 15 * time.Second,
8947 },
8948 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8949 resumeSession: true,
8950 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8951 flags: []string{
8952 "-resumption-delay", "10",
8953 "-expect-ticket-age-skew", "5",
8954 },
8955 })
8956 testCases = append(testCases, testCase{
8957 testType: serverTest,
8958 name: "TLS13-TicketAgeSkew-Backward",
8959 config: Config{
8960 MaxVersion: VersionTLS13,
8961 Bugs: ProtocolBugs{
8962 SendTicketAge: 5 * time.Second,
8963 },
8964 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8965 resumeSession: true,
8966 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8967 flags: []string{
8968 "-resumption-delay", "10",
8969 "-expect-ticket-age-skew", "-5",
8970 },
8971 })
8972
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8973 testCases = append(testCases, testCase{
8974 testType: clientTest,
8975 name: "TLS13-SendTicketEarlyDataInfo",
8976 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8977 MaxVersion: VersionTLS13,
8978 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8979 },
8980 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8981 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8982 "-expect-early-data-info",
8983 },
8984 })
8985
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8986 // Test that 0-RTT tickets are ignored in clients unless opted in.
8987 testCases = append(testCases, testCase{
8988 testType: clientTest,
8989 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8990 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8991 MaxVersion: VersionTLS13,
8992 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8993 },
8994 })
8995
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8996 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8997 testType: clientTest,
8998 name: "TLS13-DuplicateTicketEarlyDataInfo",
8999 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9000 MaxVersion: VersionTLS13,
9001 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9002 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9003 DuplicateTicketEarlyDataInfo: true,
9004 },
9005 },
9006 shouldFail: true,
9007 expectedError: ":DUPLICATE_EXTENSION:",
9008 expectedLocalError: "remote error: illegal parameter",
9009 })
9010
9011 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9012 testType: serverTest,
9013 name: "TLS13-ExpectTicketEarlyDataInfo",
9014 config: Config{
9015 MaxVersion: VersionTLS13,
9016 Bugs: ProtocolBugs{
9017 ExpectTicketEarlyDataInfo: true,
9018 },
9019 },
9020 flags: []string{
9021 "-enable-early-data",
9022 },
9023 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9024
9025 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9026 // is honored.
9027 testCases = append(testCases, testCase{
9028 testType: clientTest,
9029 name: "TLS13-HonorServerSessionTicketLifetime",
9030 config: Config{
9031 MaxVersion: VersionTLS13,
9032 Bugs: ProtocolBugs{
9033 SendTicketLifetime: 20 * time.Second,
9034 },
9035 },
9036 flags: []string{
9037 "-resumption-delay", "19",
9038 },
9039 resumeSession: true,
9040 })
9041 testCases = append(testCases, testCase{
9042 testType: clientTest,
9043 name: "TLS13-HonorServerSessionTicketLifetime-2",
9044 config: Config{
9045 MaxVersion: VersionTLS13,
9046 Bugs: ProtocolBugs{
9047 SendTicketLifetime: 20 * time.Second,
9048 // The client should not offer the expired session.
9049 ExpectNoTLS13PSK: true,
9050 },
9051 },
9052 flags: []string{
9053 "-resumption-delay", "21",
9054 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9055 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9056 expectResumeRejected: true,
9057 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9058}
9059
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9060func addChangeCipherSpecTests() {
9061 // Test missing ChangeCipherSpecs.
9062 testCases = append(testCases, testCase{
9063 name: "SkipChangeCipherSpec-Client",
9064 config: Config{
9065 MaxVersion: VersionTLS12,
9066 Bugs: ProtocolBugs{
9067 SkipChangeCipherSpec: true,
9068 },
9069 },
9070 shouldFail: true,
9071 expectedError: ":UNEXPECTED_RECORD:",
9072 })
9073 testCases = append(testCases, testCase{
9074 testType: serverTest,
9075 name: "SkipChangeCipherSpec-Server",
9076 config: Config{
9077 MaxVersion: VersionTLS12,
9078 Bugs: ProtocolBugs{
9079 SkipChangeCipherSpec: true,
9080 },
9081 },
9082 shouldFail: true,
9083 expectedError: ":UNEXPECTED_RECORD:",
9084 })
9085 testCases = append(testCases, testCase{
9086 testType: serverTest,
9087 name: "SkipChangeCipherSpec-Server-NPN",
9088 config: Config{
9089 MaxVersion: VersionTLS12,
9090 NextProtos: []string{"bar"},
9091 Bugs: ProtocolBugs{
9092 SkipChangeCipherSpec: true,
9093 },
9094 },
9095 flags: []string{
9096 "-advertise-npn", "\x03foo\x03bar\x03baz",
9097 },
9098 shouldFail: true,
9099 expectedError: ":UNEXPECTED_RECORD:",
9100 })
9101
9102 // Test synchronization between the handshake and ChangeCipherSpec.
9103 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9104 // rejected. Test both with and without handshake packing to handle both
9105 // when the partial post-CCS message is in its own record and when it is
9106 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9107 for _, packed := range []bool{false, true} {
9108 var suffix string
9109 if packed {
9110 suffix = "-Packed"
9111 }
9112
9113 testCases = append(testCases, testCase{
9114 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9115 config: Config{
9116 MaxVersion: VersionTLS12,
9117 Bugs: ProtocolBugs{
9118 FragmentAcrossChangeCipherSpec: true,
9119 PackHandshakeFlight: packed,
9120 },
9121 },
9122 shouldFail: true,
9123 expectedError: ":UNEXPECTED_RECORD:",
9124 })
9125 testCases = append(testCases, testCase{
9126 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9127 config: Config{
9128 MaxVersion: VersionTLS12,
9129 },
9130 resumeSession: true,
9131 resumeConfig: &Config{
9132 MaxVersion: VersionTLS12,
9133 Bugs: ProtocolBugs{
9134 FragmentAcrossChangeCipherSpec: true,
9135 PackHandshakeFlight: packed,
9136 },
9137 },
9138 shouldFail: true,
9139 expectedError: ":UNEXPECTED_RECORD:",
9140 })
9141 testCases = append(testCases, testCase{
9142 testType: serverTest,
9143 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9144 config: Config{
9145 MaxVersion: VersionTLS12,
9146 Bugs: ProtocolBugs{
9147 FragmentAcrossChangeCipherSpec: true,
9148 PackHandshakeFlight: packed,
9149 },
9150 },
9151 shouldFail: true,
9152 expectedError: ":UNEXPECTED_RECORD:",
9153 })
9154 testCases = append(testCases, testCase{
9155 testType: serverTest,
9156 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9157 config: Config{
9158 MaxVersion: VersionTLS12,
9159 },
9160 resumeSession: true,
9161 resumeConfig: &Config{
9162 MaxVersion: VersionTLS12,
9163 Bugs: ProtocolBugs{
9164 FragmentAcrossChangeCipherSpec: true,
9165 PackHandshakeFlight: packed,
9166 },
9167 },
9168 shouldFail: true,
9169 expectedError: ":UNEXPECTED_RECORD:",
9170 })
9171 testCases = append(testCases, testCase{
9172 testType: serverTest,
9173 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9174 config: Config{
9175 MaxVersion: VersionTLS12,
9176 NextProtos: []string{"bar"},
9177 Bugs: ProtocolBugs{
9178 FragmentAcrossChangeCipherSpec: true,
9179 PackHandshakeFlight: packed,
9180 },
9181 },
9182 flags: []string{
9183 "-advertise-npn", "\x03foo\x03bar\x03baz",
9184 },
9185 shouldFail: true,
9186 expectedError: ":UNEXPECTED_RECORD:",
9187 })
9188 }
9189
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9190 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9191 // messages in the handshake queue. Do this by testing the server
9192 // reading the client Finished, reversing the flight so Finished comes
9193 // first.
9194 testCases = append(testCases, testCase{
9195 protocol: dtls,
9196 testType: serverTest,
9197 name: "SendUnencryptedFinished-DTLS",
9198 config: Config{
9199 MaxVersion: VersionTLS12,
9200 Bugs: ProtocolBugs{
9201 SendUnencryptedFinished: true,
9202 ReverseHandshakeFragments: true,
9203 },
9204 },
9205 shouldFail: true,
9206 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9207 })
9208
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9209 // Test synchronization between encryption changes and the handshake in
9210 // TLS 1.3, where ChangeCipherSpec is implicit.
9211 testCases = append(testCases, testCase{
9212 name: "PartialEncryptedExtensionsWithServerHello",
9213 config: Config{
9214 MaxVersion: VersionTLS13,
9215 Bugs: ProtocolBugs{
9216 PartialEncryptedExtensionsWithServerHello: true,
9217 },
9218 },
9219 shouldFail: true,
9220 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9221 })
9222 testCases = append(testCases, testCase{
9223 testType: serverTest,
9224 name: "PartialClientFinishedWithClientHello",
9225 config: Config{
9226 MaxVersion: VersionTLS13,
9227 Bugs: ProtocolBugs{
9228 PartialClientFinishedWithClientHello: true,
9229 },
9230 },
9231 shouldFail: true,
9232 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9233 })
9234
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9235 // Test that early ChangeCipherSpecs are handled correctly.
9236 testCases = append(testCases, testCase{
9237 testType: serverTest,
9238 name: "EarlyChangeCipherSpec-server-1",
9239 config: Config{
9240 MaxVersion: VersionTLS12,
9241 Bugs: ProtocolBugs{
9242 EarlyChangeCipherSpec: 1,
9243 },
9244 },
9245 shouldFail: true,
9246 expectedError: ":UNEXPECTED_RECORD:",
9247 })
9248 testCases = append(testCases, testCase{
9249 testType: serverTest,
9250 name: "EarlyChangeCipherSpec-server-2",
9251 config: Config{
9252 MaxVersion: VersionTLS12,
9253 Bugs: ProtocolBugs{
9254 EarlyChangeCipherSpec: 2,
9255 },
9256 },
9257 shouldFail: true,
9258 expectedError: ":UNEXPECTED_RECORD:",
9259 })
9260 testCases = append(testCases, testCase{
9261 protocol: dtls,
9262 name: "StrayChangeCipherSpec",
9263 config: Config{
9264 // TODO(davidben): Once DTLS 1.3 exists, test
9265 // that stray ChangeCipherSpec messages are
9266 // rejected.
9267 MaxVersion: VersionTLS12,
9268 Bugs: ProtocolBugs{
9269 StrayChangeCipherSpec: true,
9270 },
9271 },
9272 })
9273
9274 // Test that the contents of ChangeCipherSpec are checked.
9275 testCases = append(testCases, testCase{
9276 name: "BadChangeCipherSpec-1",
9277 config: Config{
9278 MaxVersion: VersionTLS12,
9279 Bugs: ProtocolBugs{
9280 BadChangeCipherSpec: []byte{2},
9281 },
9282 },
9283 shouldFail: true,
9284 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9285 })
9286 testCases = append(testCases, testCase{
9287 name: "BadChangeCipherSpec-2",
9288 config: Config{
9289 MaxVersion: VersionTLS12,
9290 Bugs: ProtocolBugs{
9291 BadChangeCipherSpec: []byte{1, 1},
9292 },
9293 },
9294 shouldFail: true,
9295 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9296 })
9297 testCases = append(testCases, testCase{
9298 protocol: dtls,
9299 name: "BadChangeCipherSpec-DTLS-1",
9300 config: Config{
9301 MaxVersion: VersionTLS12,
9302 Bugs: ProtocolBugs{
9303 BadChangeCipherSpec: []byte{2},
9304 },
9305 },
9306 shouldFail: true,
9307 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9308 })
9309 testCases = append(testCases, testCase{
9310 protocol: dtls,
9311 name: "BadChangeCipherSpec-DTLS-2",
9312 config: Config{
9313 MaxVersion: VersionTLS12,
9314 Bugs: ProtocolBugs{
9315 BadChangeCipherSpec: []byte{1, 1},
9316 },
9317 },
9318 shouldFail: true,
9319 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9320 })
9321}
9322
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9323type perMessageTest struct {
9324 messageType uint8
9325 test testCase
9326}
9327
9328// makePerMessageTests returns a series of test templates which cover each
9329// message in the TLS handshake. These may be used with bugs like
9330// WrongMessageType to fully test a per-message bug.
9331func makePerMessageTests() []perMessageTest {
9332 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9333 for _, protocol := range []protocol{tls, dtls} {
9334 var suffix string
9335 if protocol == dtls {
9336 suffix = "-DTLS"
9337 }
9338
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9339 ret = append(ret, perMessageTest{
9340 messageType: typeClientHello,
9341 test: testCase{
9342 protocol: protocol,
9343 testType: serverTest,
9344 name: "ClientHello" + suffix,
9345 config: Config{
9346 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9347 },
9348 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9349 })
9350
9351 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9352 ret = append(ret, perMessageTest{
9353 messageType: typeHelloVerifyRequest,
9354 test: testCase{
9355 protocol: protocol,
9356 name: "HelloVerifyRequest" + suffix,
9357 config: Config{
9358 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9359 },
9360 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9361 })
9362 }
9363
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9364 ret = append(ret, perMessageTest{
9365 messageType: typeServerHello,
9366 test: testCase{
9367 protocol: protocol,
9368 name: "ServerHello" + suffix,
9369 config: Config{
9370 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9371 },
9372 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9373 })
9374
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9375 ret = append(ret, perMessageTest{
9376 messageType: typeCertificate,
9377 test: testCase{
9378 protocol: protocol,
9379 name: "ServerCertificate" + suffix,
9380 config: Config{
9381 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9382 },
9383 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9384 })
9385
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9386 ret = append(ret, perMessageTest{
9387 messageType: typeCertificateStatus,
9388 test: testCase{
9389 protocol: protocol,
9390 name: "CertificateStatus" + suffix,
9391 config: Config{
9392 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9393 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9394 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9395 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9396 })
9397
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9398 ret = append(ret, perMessageTest{
9399 messageType: typeServerKeyExchange,
9400 test: testCase{
9401 protocol: protocol,
9402 name: "ServerKeyExchange" + suffix,
9403 config: Config{
9404 MaxVersion: VersionTLS12,
9405 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9406 },
9407 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9408 })
9409
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9410 ret = append(ret, perMessageTest{
9411 messageType: typeCertificateRequest,
9412 test: testCase{
9413 protocol: protocol,
9414 name: "CertificateRequest" + suffix,
9415 config: Config{
9416 MaxVersion: VersionTLS12,
9417 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9418 },
9419 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9420 })
9421
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9422 ret = append(ret, perMessageTest{
9423 messageType: typeServerHelloDone,
9424 test: testCase{
9425 protocol: protocol,
9426 name: "ServerHelloDone" + suffix,
9427 config: Config{
9428 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9429 },
9430 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9431 })
9432
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9433 ret = append(ret, perMessageTest{
9434 messageType: typeCertificate,
9435 test: testCase{
9436 testType: serverTest,
9437 protocol: protocol,
9438 name: "ClientCertificate" + suffix,
9439 config: Config{
9440 Certificates: []Certificate{rsaCertificate},
9441 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9442 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9443 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9444 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9445 })
9446
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9447 ret = append(ret, perMessageTest{
9448 messageType: typeCertificateVerify,
9449 test: testCase{
9450 testType: serverTest,
9451 protocol: protocol,
9452 name: "CertificateVerify" + suffix,
9453 config: Config{
9454 Certificates: []Certificate{rsaCertificate},
9455 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9456 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9457 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9458 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9459 })
9460
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9461 ret = append(ret, perMessageTest{
9462 messageType: typeClientKeyExchange,
9463 test: testCase{
9464 testType: serverTest,
9465 protocol: protocol,
9466 name: "ClientKeyExchange" + suffix,
9467 config: Config{
9468 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9469 },
9470 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9471 })
9472
9473 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9474 ret = append(ret, perMessageTest{
9475 messageType: typeNextProtocol,
9476 test: testCase{
9477 testType: serverTest,
9478 protocol: protocol,
9479 name: "NextProtocol" + suffix,
9480 config: Config{
9481 MaxVersion: VersionTLS12,
9482 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9483 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9484 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9485 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9486 })
9487
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9488 ret = append(ret, perMessageTest{
9489 messageType: typeChannelID,
9490 test: testCase{
9491 testType: serverTest,
9492 protocol: protocol,
9493 name: "ChannelID" + suffix,
9494 config: Config{
9495 MaxVersion: VersionTLS12,
9496 ChannelID: channelIDKey,
9497 },
9498 flags: []string{
9499 "-expect-channel-id",
9500 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9501 },
9502 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9503 })
9504 }
9505
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9506 ret = append(ret, perMessageTest{
9507 messageType: typeFinished,
9508 test: testCase{
9509 testType: serverTest,
9510 protocol: protocol,
9511 name: "ClientFinished" + suffix,
9512 config: Config{
9513 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9514 },
9515 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9516 })
9517
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9518 ret = append(ret, perMessageTest{
9519 messageType: typeNewSessionTicket,
9520 test: testCase{
9521 protocol: protocol,
9522 name: "NewSessionTicket" + suffix,
9523 config: Config{
9524 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9525 },
9526 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9527 })
9528
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9529 ret = append(ret, perMessageTest{
9530 messageType: typeFinished,
9531 test: testCase{
9532 protocol: protocol,
9533 name: "ServerFinished" + suffix,
9534 config: Config{
9535 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9536 },
9537 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9538 })
9539
9540 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9541
9542 ret = append(ret, perMessageTest{
9543 messageType: typeClientHello,
9544 test: testCase{
9545 testType: serverTest,
9546 name: "TLS13-ClientHello",
9547 config: Config{
9548 MaxVersion: VersionTLS13,
9549 },
9550 },
9551 })
9552
9553 ret = append(ret, perMessageTest{
9554 messageType: typeServerHello,
9555 test: testCase{
9556 name: "TLS13-ServerHello",
9557 config: Config{
9558 MaxVersion: VersionTLS13,
9559 },
9560 },
9561 })
9562
9563 ret = append(ret, perMessageTest{
9564 messageType: typeEncryptedExtensions,
9565 test: testCase{
9566 name: "TLS13-EncryptedExtensions",
9567 config: Config{
9568 MaxVersion: VersionTLS13,
9569 },
9570 },
9571 })
9572
9573 ret = append(ret, perMessageTest{
9574 messageType: typeCertificateRequest,
9575 test: testCase{
9576 name: "TLS13-CertificateRequest",
9577 config: Config{
9578 MaxVersion: VersionTLS13,
9579 ClientAuth: RequireAnyClientCert,
9580 },
9581 },
9582 })
9583
9584 ret = append(ret, perMessageTest{
9585 messageType: typeCertificate,
9586 test: testCase{
9587 name: "TLS13-ServerCertificate",
9588 config: Config{
9589 MaxVersion: VersionTLS13,
9590 },
9591 },
9592 })
9593
9594 ret = append(ret, perMessageTest{
9595 messageType: typeCertificateVerify,
9596 test: testCase{
9597 name: "TLS13-ServerCertificateVerify",
9598 config: Config{
9599 MaxVersion: VersionTLS13,
9600 },
9601 },
9602 })
9603
9604 ret = append(ret, perMessageTest{
9605 messageType: typeFinished,
9606 test: testCase{
9607 name: "TLS13-ServerFinished",
9608 config: Config{
9609 MaxVersion: VersionTLS13,
9610 },
9611 },
9612 })
9613
9614 ret = append(ret, perMessageTest{
9615 messageType: typeCertificate,
9616 test: testCase{
9617 testType: serverTest,
9618 name: "TLS13-ClientCertificate",
9619 config: Config{
9620 Certificates: []Certificate{rsaCertificate},
9621 MaxVersion: VersionTLS13,
9622 },
9623 flags: []string{"-require-any-client-certificate"},
9624 },
9625 })
9626
9627 ret = append(ret, perMessageTest{
9628 messageType: typeCertificateVerify,
9629 test: testCase{
9630 testType: serverTest,
9631 name: "TLS13-ClientCertificateVerify",
9632 config: Config{
9633 Certificates: []Certificate{rsaCertificate},
9634 MaxVersion: VersionTLS13,
9635 },
9636 flags: []string{"-require-any-client-certificate"},
9637 },
9638 })
9639
9640 ret = append(ret, perMessageTest{
9641 messageType: typeFinished,
9642 test: testCase{
9643 testType: serverTest,
9644 name: "TLS13-ClientFinished",
9645 config: Config{
9646 MaxVersion: VersionTLS13,
9647 },
9648 },
9649 })
9650
9651 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9652}
9653
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9654func addWrongMessageTypeTests() {
9655 for _, t := range makePerMessageTests() {
9656 t.test.name = "WrongMessageType-" + t.test.name
9657 t.test.config.Bugs.SendWrongMessageType = t.messageType
9658 t.test.shouldFail = true
9659 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9660 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9661
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9662 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9663 // In TLS 1.3, a bad ServerHello means the client sends
9664 // an unencrypted alert while the server expects
9665 // encryption, so the alert is not readable by runner.
9666 t.test.expectedLocalError = "local error: bad record MAC"
9667 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9668
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9669 testCases = append(testCases, t.test)
9670 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9671
9672 // The processing order for TLS 1.3 version negotiation is such that one
9673 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9674 // TLS 1.2. Test that we do not do this.
9675 testCases = append(testCases, testCase{
9676 name: "SendServerHelloAsHelloRetryRequest",
9677 config: Config{
9678 MaxVersion: VersionTLS12,
9679 Bugs: ProtocolBugs{
9680 SendServerHelloAsHelloRetryRequest: true,
9681 },
9682 },
9683 shouldFail: true,
9684 expectedError: ":UNEXPECTED_MESSAGE:",
9685 expectedLocalError: "remote error: unexpected message",
9686 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9687}
9688
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9689func addTrailingMessageDataTests() {
9690 for _, t := range makePerMessageTests() {
9691 t.test.name = "TrailingMessageData-" + t.test.name
9692 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9693 t.test.shouldFail = true
9694 t.test.expectedError = ":DECODE_ERROR:"
9695 t.test.expectedLocalError = "remote error: error decoding message"
9696
9697 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9698 // In TLS 1.3, a bad ServerHello means the client sends
9699 // an unencrypted alert while the server expects
9700 // encryption, so the alert is not readable by runner.
9701 t.test.expectedLocalError = "local error: bad record MAC"
9702 }
9703
9704 if t.messageType == typeFinished {
9705 // Bad Finished messages read as the verify data having
9706 // the wrong length.
9707 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9708 t.test.expectedLocalError = "remote error: error decrypting message"
9709 }
9710
9711 testCases = append(testCases, t.test)
9712 }
9713}
9714
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9715func addTLS13HandshakeTests() {
9716 testCases = append(testCases, testCase{
9717 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9718 name: "NegotiatePSKResumption-TLS13",
9719 config: Config{
9720 MaxVersion: VersionTLS13,
9721 Bugs: ProtocolBugs{
9722 NegotiatePSKResumption: true,
9723 },
9724 },
9725 resumeSession: true,
9726 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9727 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9728 })
9729
9730 testCases = append(testCases, testCase{
9731 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9732 name: "MissingKeyShare-Client",
9733 config: Config{
9734 MaxVersion: VersionTLS13,
9735 Bugs: ProtocolBugs{
9736 MissingKeyShare: true,
9737 },
9738 },
9739 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9740 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9741 })
9742
9743 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9744 testType: serverTest,
9745 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9746 config: Config{
9747 MaxVersion: VersionTLS13,
9748 Bugs: ProtocolBugs{
9749 MissingKeyShare: true,
9750 },
9751 },
9752 shouldFail: true,
9753 expectedError: ":MISSING_KEY_SHARE:",
9754 })
9755
9756 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9757 testType: serverTest,
9758 name: "DuplicateKeyShares",
9759 config: Config{
9760 MaxVersion: VersionTLS13,
9761 Bugs: ProtocolBugs{
9762 DuplicateKeyShares: true,
9763 },
9764 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9765 shouldFail: true,
9766 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9767 })
9768
9769 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9770 testType: serverTest,
9771 name: "SkipEarlyData",
9772 config: Config{
9773 MaxVersion: VersionTLS13,
9774 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9775 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9776 },
9777 },
9778 })
9779
9780 testCases = append(testCases, testCase{
9781 testType: serverTest,
9782 name: "SkipEarlyData-OmitEarlyDataExtension",
9783 config: Config{
9784 MaxVersion: VersionTLS13,
9785 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9786 SendFakeEarlyDataLength: 4,
9787 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9788 },
9789 },
9790 shouldFail: true,
9791 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9792 })
9793
9794 testCases = append(testCases, testCase{
9795 testType: serverTest,
9796 name: "SkipEarlyData-TooMuchData",
9797 config: Config{
9798 MaxVersion: VersionTLS13,
9799 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9800 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9801 },
9802 },
9803 shouldFail: true,
9804 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9805 })
9806
9807 testCases = append(testCases, testCase{
9808 testType: serverTest,
9809 name: "SkipEarlyData-Interleaved",
9810 config: Config{
9811 MaxVersion: VersionTLS13,
9812 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9813 SendFakeEarlyDataLength: 4,
9814 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9815 },
9816 },
9817 shouldFail: true,
9818 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9819 })
9820
9821 testCases = append(testCases, testCase{
9822 testType: serverTest,
9823 name: "SkipEarlyData-EarlyDataInTLS12",
9824 config: Config{
9825 MaxVersion: VersionTLS13,
9826 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9827 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9828 },
9829 },
9830 shouldFail: true,
9831 expectedError: ":UNEXPECTED_RECORD:",
9832 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9833 })
9834
9835 testCases = append(testCases, testCase{
9836 testType: serverTest,
9837 name: "SkipEarlyData-HRR",
9838 config: Config{
9839 MaxVersion: VersionTLS13,
9840 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9841 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9842 },
9843 DefaultCurves: []CurveID{},
9844 },
9845 })
9846
9847 testCases = append(testCases, testCase{
9848 testType: serverTest,
9849 name: "SkipEarlyData-HRR-Interleaved",
9850 config: Config{
9851 MaxVersion: VersionTLS13,
9852 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9853 SendFakeEarlyDataLength: 4,
9854 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9855 },
9856 DefaultCurves: []CurveID{},
9857 },
9858 shouldFail: true,
9859 expectedError: ":UNEXPECTED_RECORD:",
9860 })
9861
9862 testCases = append(testCases, testCase{
9863 testType: serverTest,
9864 name: "SkipEarlyData-HRR-TooMuchData",
9865 config: Config{
9866 MaxVersion: VersionTLS13,
9867 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9868 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9869 },
9870 DefaultCurves: []CurveID{},
9871 },
9872 shouldFail: true,
9873 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9874 })
9875
9876 // Test that skipping early data looking for cleartext correctly
9877 // processes an alert record.
9878 testCases = append(testCases, testCase{
9879 testType: serverTest,
9880 name: "SkipEarlyData-HRR-FatalAlert",
9881 config: Config{
9882 MaxVersion: VersionTLS13,
9883 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9884 SendEarlyAlert: true,
9885 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9886 },
9887 DefaultCurves: []CurveID{},
9888 },
9889 shouldFail: true,
9890 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9891 })
9892
9893 testCases = append(testCases, testCase{
9894 testType: serverTest,
9895 name: "SkipEarlyData-SecondClientHelloEarlyData",
9896 config: Config{
9897 MaxVersion: VersionTLS13,
9898 Bugs: ProtocolBugs{
9899 SendEarlyDataOnSecondClientHello: true,
9900 },
9901 DefaultCurves: []CurveID{},
9902 },
9903 shouldFail: true,
9904 expectedLocalError: "remote error: bad record MAC",
9905 })
9906
9907 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9908 testType: clientTest,
9909 name: "EmptyEncryptedExtensions",
9910 config: Config{
9911 MaxVersion: VersionTLS13,
9912 Bugs: ProtocolBugs{
9913 EmptyEncryptedExtensions: true,
9914 },
9915 },
9916 shouldFail: true,
9917 expectedLocalError: "remote error: error decoding message",
9918 })
9919
9920 testCases = append(testCases, testCase{
9921 testType: clientTest,
9922 name: "EncryptedExtensionsWithKeyShare",
9923 config: Config{
9924 MaxVersion: VersionTLS13,
9925 Bugs: ProtocolBugs{
9926 EncryptedExtensionsWithKeyShare: true,
9927 },
9928 },
9929 shouldFail: true,
9930 expectedLocalError: "remote error: unsupported extension",
9931 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9932
9933 testCases = append(testCases, testCase{
9934 testType: serverTest,
9935 name: "SendHelloRetryRequest",
9936 config: Config{
9937 MaxVersion: VersionTLS13,
9938 // Require a HelloRetryRequest for every curve.
9939 DefaultCurves: []CurveID{},
9940 },
9941 expectedCurveID: CurveX25519,
9942 })
9943
9944 testCases = append(testCases, testCase{
9945 testType: serverTest,
9946 name: "SendHelloRetryRequest-2",
9947 config: Config{
9948 MaxVersion: VersionTLS13,
9949 DefaultCurves: []CurveID{CurveP384},
9950 },
9951 // Although the ClientHello did not predict our preferred curve,
9952 // we always select it whether it is predicted or not.
9953 expectedCurveID: CurveX25519,
9954 })
9955
9956 testCases = append(testCases, testCase{
9957 name: "UnknownCurve-HelloRetryRequest",
9958 config: Config{
9959 MaxVersion: VersionTLS13,
9960 // P-384 requires HelloRetryRequest in BoringSSL.
9961 CurvePreferences: []CurveID{CurveP384},
9962 Bugs: ProtocolBugs{
9963 SendHelloRetryRequestCurve: bogusCurve,
9964 },
9965 },
9966 shouldFail: true,
9967 expectedError: ":WRONG_CURVE:",
9968 })
9969
9970 testCases = append(testCases, testCase{
9971 name: "DisabledCurve-HelloRetryRequest",
9972 config: Config{
9973 MaxVersion: VersionTLS13,
9974 CurvePreferences: []CurveID{CurveP256},
9975 Bugs: ProtocolBugs{
9976 IgnorePeerCurvePreferences: true,
9977 },
9978 },
9979 flags: []string{"-p384-only"},
9980 shouldFail: true,
9981 expectedError: ":WRONG_CURVE:",
9982 })
9983
9984 testCases = append(testCases, testCase{
9985 name: "UnnecessaryHelloRetryRequest",
9986 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9987 MaxVersion: VersionTLS13,
9988 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9989 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9990 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9991 },
9992 },
9993 shouldFail: true,
9994 expectedError: ":WRONG_CURVE:",
9995 })
9996
9997 testCases = append(testCases, testCase{
9998 name: "SecondHelloRetryRequest",
9999 config: Config{
10000 MaxVersion: VersionTLS13,
10001 // P-384 requires HelloRetryRequest in BoringSSL.
10002 CurvePreferences: []CurveID{CurveP384},
10003 Bugs: ProtocolBugs{
10004 SecondHelloRetryRequest: true,
10005 },
10006 },
10007 shouldFail: true,
10008 expectedError: ":UNEXPECTED_MESSAGE:",
10009 })
10010
10011 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10012 name: "HelloRetryRequest-Empty",
10013 config: Config{
10014 MaxVersion: VersionTLS13,
10015 Bugs: ProtocolBugs{
10016 AlwaysSendHelloRetryRequest: true,
10017 },
10018 },
10019 shouldFail: true,
10020 expectedError: ":DECODE_ERROR:",
10021 })
10022
10023 testCases = append(testCases, testCase{
10024 name: "HelloRetryRequest-DuplicateCurve",
10025 config: Config{
10026 MaxVersion: VersionTLS13,
10027 // P-384 requires a HelloRetryRequest against BoringSSL's default
10028 // configuration. Assert this ExpectMissingKeyShare.
10029 CurvePreferences: []CurveID{CurveP384},
10030 Bugs: ProtocolBugs{
10031 ExpectMissingKeyShare: true,
10032 DuplicateHelloRetryRequestExtensions: true,
10033 },
10034 },
10035 shouldFail: true,
10036 expectedError: ":DUPLICATE_EXTENSION:",
10037 expectedLocalError: "remote error: illegal parameter",
10038 })
10039
10040 testCases = append(testCases, testCase{
10041 name: "HelloRetryRequest-Cookie",
10042 config: Config{
10043 MaxVersion: VersionTLS13,
10044 Bugs: ProtocolBugs{
10045 SendHelloRetryRequestCookie: []byte("cookie"),
10046 },
10047 },
10048 })
10049
10050 testCases = append(testCases, testCase{
10051 name: "HelloRetryRequest-DuplicateCookie",
10052 config: Config{
10053 MaxVersion: VersionTLS13,
10054 Bugs: ProtocolBugs{
10055 SendHelloRetryRequestCookie: []byte("cookie"),
10056 DuplicateHelloRetryRequestExtensions: true,
10057 },
10058 },
10059 shouldFail: true,
10060 expectedError: ":DUPLICATE_EXTENSION:",
10061 expectedLocalError: "remote error: illegal parameter",
10062 })
10063
10064 testCases = append(testCases, testCase{
10065 name: "HelloRetryRequest-EmptyCookie",
10066 config: Config{
10067 MaxVersion: VersionTLS13,
10068 Bugs: ProtocolBugs{
10069 SendHelloRetryRequestCookie: []byte{},
10070 },
10071 },
10072 shouldFail: true,
10073 expectedError: ":DECODE_ERROR:",
10074 })
10075
10076 testCases = append(testCases, testCase{
10077 name: "HelloRetryRequest-Cookie-Curve",
10078 config: Config{
10079 MaxVersion: VersionTLS13,
10080 // P-384 requires HelloRetryRequest in BoringSSL.
10081 CurvePreferences: []CurveID{CurveP384},
10082 Bugs: ProtocolBugs{
10083 SendHelloRetryRequestCookie: []byte("cookie"),
10084 ExpectMissingKeyShare: true,
10085 },
10086 },
10087 })
10088
10089 testCases = append(testCases, testCase{
10090 name: "HelloRetryRequest-Unknown",
10091 config: Config{
10092 MaxVersion: VersionTLS13,
10093 Bugs: ProtocolBugs{
10094 CustomHelloRetryRequestExtension: "extension",
10095 },
10096 },
10097 shouldFail: true,
10098 expectedError: ":UNEXPECTED_EXTENSION:",
10099 expectedLocalError: "remote error: unsupported extension",
10100 })
10101
10102 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10103 testType: serverTest,
10104 name: "SecondClientHelloMissingKeyShare",
10105 config: Config{
10106 MaxVersion: VersionTLS13,
10107 DefaultCurves: []CurveID{},
10108 Bugs: ProtocolBugs{
10109 SecondClientHelloMissingKeyShare: true,
10110 },
10111 },
10112 shouldFail: true,
10113 expectedError: ":MISSING_KEY_SHARE:",
10114 })
10115
10116 testCases = append(testCases, testCase{
10117 testType: serverTest,
10118 name: "SecondClientHelloWrongCurve",
10119 config: Config{
10120 MaxVersion: VersionTLS13,
10121 DefaultCurves: []CurveID{},
10122 Bugs: ProtocolBugs{
10123 MisinterpretHelloRetryRequestCurve: CurveP521,
10124 },
10125 },
10126 shouldFail: true,
10127 expectedError: ":WRONG_CURVE:",
10128 })
10129
10130 testCases = append(testCases, testCase{
10131 name: "HelloRetryRequestVersionMismatch",
10132 config: Config{
10133 MaxVersion: VersionTLS13,
10134 // P-384 requires HelloRetryRequest in BoringSSL.
10135 CurvePreferences: []CurveID{CurveP384},
10136 Bugs: ProtocolBugs{
10137 SendServerHelloVersion: 0x0305,
10138 },
10139 },
10140 shouldFail: true,
10141 expectedError: ":WRONG_VERSION_NUMBER:",
10142 })
10143
10144 testCases = append(testCases, testCase{
10145 name: "HelloRetryRequestCurveMismatch",
10146 config: Config{
10147 MaxVersion: VersionTLS13,
10148 // P-384 requires HelloRetryRequest in BoringSSL.
10149 CurvePreferences: []CurveID{CurveP384},
10150 Bugs: ProtocolBugs{
10151 // Send P-384 (correct) in the HelloRetryRequest.
10152 SendHelloRetryRequestCurve: CurveP384,
10153 // But send P-256 in the ServerHello.
10154 SendCurve: CurveP256,
10155 },
10156 },
10157 shouldFail: true,
10158 expectedError: ":WRONG_CURVE:",
10159 })
10160
10161 // Test the server selecting a curve that requires a HelloRetryRequest
10162 // without sending it.
10163 testCases = append(testCases, testCase{
10164 name: "SkipHelloRetryRequest",
10165 config: Config{
10166 MaxVersion: VersionTLS13,
10167 // P-384 requires HelloRetryRequest in BoringSSL.
10168 CurvePreferences: []CurveID{CurveP384},
10169 Bugs: ProtocolBugs{
10170 SkipHelloRetryRequest: true,
10171 },
10172 },
10173 shouldFail: true,
10174 expectedError: ":WRONG_CURVE:",
10175 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10176
10177 testCases = append(testCases, testCase{
10178 name: "TLS13-RequestContextInHandshake",
10179 config: Config{
10180 MaxVersion: VersionTLS13,
10181 MinVersion: VersionTLS13,
10182 ClientAuth: RequireAnyClientCert,
10183 Bugs: ProtocolBugs{
10184 SendRequestContext: []byte("request context"),
10185 },
10186 },
10187 flags: []string{
10188 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10189 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10190 },
10191 shouldFail: true,
10192 expectedError: ":DECODE_ERROR:",
10193 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10194
10195 testCases = append(testCases, testCase{
10196 testType: serverTest,
10197 name: "TLS13-TrailingKeyShareData",
10198 config: Config{
10199 MaxVersion: VersionTLS13,
10200 Bugs: ProtocolBugs{
10201 TrailingKeyShareData: true,
10202 },
10203 },
10204 shouldFail: true,
10205 expectedError: ":DECODE_ERROR:",
10206 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10207
10208 testCases = append(testCases, testCase{
10209 name: "TLS13-AlwaysSelectPSKIdentity",
10210 config: Config{
10211 MaxVersion: VersionTLS13,
10212 Bugs: ProtocolBugs{
10213 AlwaysSelectPSKIdentity: true,
10214 },
10215 },
10216 shouldFail: true,
10217 expectedError: ":UNEXPECTED_EXTENSION:",
10218 })
10219
10220 testCases = append(testCases, testCase{
10221 name: "TLS13-InvalidPSKIdentity",
10222 config: Config{
10223 MaxVersion: VersionTLS13,
10224 Bugs: ProtocolBugs{
10225 SelectPSKIdentityOnResume: 1,
10226 },
10227 },
10228 resumeSession: true,
10229 shouldFail: true,
10230 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10231 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10232
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10233 testCases = append(testCases, testCase{
10234 testType: serverTest,
10235 name: "TLS13-ExtraPSKIdentity",
10236 config: Config{
10237 MaxVersion: VersionTLS13,
10238 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10239 ExtraPSKIdentity: true,
10240 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10241 },
10242 },
10243 resumeSession: true,
10244 })
10245
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10246 // Test that unknown NewSessionTicket extensions are tolerated.
10247 testCases = append(testCases, testCase{
10248 name: "TLS13-CustomTicketExtension",
10249 config: Config{
10250 MaxVersion: VersionTLS13,
10251 Bugs: ProtocolBugs{
10252 CustomTicketExtension: "1234",
10253 },
10254 },
10255 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10256
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10257 testCases = append(testCases, testCase{
10258 testType: clientTest,
10259 name: "TLS13-DataLessEarlyData-Reject-Client",
10260 config: Config{
10261 MaxVersion: VersionTLS13,
10262 MaxEarlyDataSize: 16384,
10263 },
10264 resumeConfig: &Config{
10265 MaxVersion: VersionTLS13,
10266 MaxEarlyDataSize: 16384,
10267 Bugs: ProtocolBugs{
10268 AlwaysRejectEarlyData: true,
10269 },
10270 },
10271 resumeSession: true,
10272 flags: []string{
10273 "-enable-early-data",
10274 "-expect-early-data-info",
10275 "-expect-reject-early-data",
10276 },
10277 })
10278
10279 testCases = append(testCases, testCase{
10280 testType: clientTest,
10281 name: "TLS13-DataLessEarlyData-HRR-Client",
10282 config: Config{
10283 MaxVersion: VersionTLS13,
10284 MaxEarlyDataSize: 16384,
10285 },
10286 resumeConfig: &Config{
10287 MaxVersion: VersionTLS13,
10288 MaxEarlyDataSize: 16384,
10289 Bugs: ProtocolBugs{
10290 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10291 },
10292 },
10293 resumeSession: true,
10294 flags: []string{
10295 "-enable-early-data",
10296 "-expect-early-data-info",
10297 "-expect-reject-early-data",
10298 },
10299 })
10300
10301 // The client must check the server does not send the early_data
10302 // extension while rejecting the session.
10303 testCases = append(testCases, testCase{
10304 testType: clientTest,
10305 name: "TLS13-EarlyDataWithoutResume-Client",
10306 config: Config{
10307 MaxVersion: VersionTLS13,
10308 MaxEarlyDataSize: 16384,
10309 },
10310 resumeConfig: &Config{
10311 MaxVersion: VersionTLS13,
10312 SessionTicketsDisabled: true,
10313 Bugs: ProtocolBugs{
10314 SendEarlyDataExtension: true,
10315 },
10316 },
10317 resumeSession: true,
10318 flags: []string{
10319 "-enable-early-data",
10320 "-expect-early-data-info",
10321 },
10322 shouldFail: true,
10323 expectedError: ":UNEXPECTED_EXTENSION:",
10324 })
10325
10326 // The client must fail with a dedicated error code if the server
10327 // responds with TLS 1.2 when offering 0-RTT.
10328 testCases = append(testCases, testCase{
10329 testType: clientTest,
10330 name: "TLS13-EarlyDataVersionDowngrade-Client",
10331 config: Config{
10332 MaxVersion: VersionTLS13,
10333 MaxEarlyDataSize: 16384,
10334 },
10335 resumeConfig: &Config{
10336 MaxVersion: VersionTLS12,
10337 },
10338 resumeSession: true,
10339 flags: []string{
10340 "-enable-early-data",
10341 "-expect-early-data-info",
10342 },
10343 shouldFail: true,
10344 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10345 })
10346
10347 // Test that the client rejects an (unsolicited) early_data extension if
10348 // the server sent an HRR.
10349 testCases = append(testCases, testCase{
10350 testType: clientTest,
10351 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10352 config: Config{
10353 MaxVersion: VersionTLS13,
10354 MaxEarlyDataSize: 16384,
10355 },
10356 resumeConfig: &Config{
10357 MaxVersion: VersionTLS13,
10358 MaxEarlyDataSize: 16384,
10359 Bugs: ProtocolBugs{
10360 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10361 SendEarlyDataExtension: true,
10362 },
10363 },
10364 resumeSession: true,
10365 flags: []string{
10366 "-enable-early-data",
10367 "-expect-early-data-info",
10368 },
10369 shouldFail: true,
10370 expectedError: ":UNEXPECTED_EXTENSION:",
10371 })
10372
10373 fooString := "foo"
10374 barString := "bar"
10375
10376 // Test that the client reports the correct ALPN after a 0-RTT reject
10377 // that changed it.
10378 testCases = append(testCases, testCase{
10379 testType: clientTest,
10380 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10381 config: Config{
10382 MaxVersion: VersionTLS13,
10383 MaxEarlyDataSize: 16384,
10384 Bugs: ProtocolBugs{
10385 ALPNProtocol: &fooString,
10386 },
10387 },
10388 resumeConfig: &Config{
10389 MaxVersion: VersionTLS13,
10390 MaxEarlyDataSize: 16384,
10391 Bugs: ProtocolBugs{
10392 ALPNProtocol: &barString,
10393 },
10394 },
10395 resumeSession: true,
10396 flags: []string{
10397 "-advertise-alpn", "\x03foo\x03bar",
10398 "-enable-early-data",
10399 "-expect-early-data-info",
10400 "-expect-reject-early-data",
10401 "-expect-alpn", "foo",
10402 "-expect-resume-alpn", "bar",
10403 },
10404 })
10405
10406 // Test that the client reports the correct ALPN after a 0-RTT reject if
10407 // ALPN was omitted from the first connection.
10408 testCases = append(testCases, testCase{
10409 testType: clientTest,
10410 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10411 config: Config{
10412 MaxVersion: VersionTLS13,
10413 MaxEarlyDataSize: 16384,
10414 },
10415 resumeConfig: &Config{
10416 MaxVersion: VersionTLS13,
10417 MaxEarlyDataSize: 16384,
10418 NextProtos: []string{"foo"},
10419 },
10420 resumeSession: true,
10421 flags: []string{
10422 "-advertise-alpn", "\x03foo\x03bar",
10423 "-enable-early-data",
10424 "-expect-early-data-info",
10425 "-expect-reject-early-data",
10426 "-expect-no-alpn",
10427 "-expect-resume-alpn", "foo",
10428 },
10429 })
10430
10431 // Test that the client reports the correct ALPN after a 0-RTT reject if
10432 // ALPN was omitted from the second connection.
10433 testCases = append(testCases, testCase{
10434 testType: clientTest,
10435 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10436 config: Config{
10437 MaxVersion: VersionTLS13,
10438 MaxEarlyDataSize: 16384,
10439 NextProtos: []string{"foo"},
10440 },
10441 resumeConfig: &Config{
10442 MaxVersion: VersionTLS13,
10443 MaxEarlyDataSize: 16384,
10444 },
10445 resumeSession: true,
10446 flags: []string{
10447 "-advertise-alpn", "\x03foo\x03bar",
10448 "-enable-early-data",
10449 "-expect-early-data-info",
10450 "-expect-reject-early-data",
10451 "-expect-alpn", "foo",
10452 "-expect-no-resume-alpn",
10453 },
10454 })
10455
10456 // Test that the client enforces ALPN match on 0-RTT accept.
10457 testCases = append(testCases, testCase{
10458 testType: clientTest,
10459 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10460 config: Config{
10461 MaxVersion: VersionTLS13,
10462 MaxEarlyDataSize: 16384,
10463 Bugs: ProtocolBugs{
10464 ALPNProtocol: &fooString,
10465 },
10466 },
10467 resumeConfig: &Config{
10468 MaxVersion: VersionTLS13,
10469 MaxEarlyDataSize: 16384,
10470 Bugs: ProtocolBugs{
10471 AlwaysAcceptEarlyData: true,
10472 ALPNProtocol: &barString,
10473 },
10474 },
10475 resumeSession: true,
10476 flags: []string{
10477 "-advertise-alpn", "\x03foo\x03bar",
10478 "-enable-early-data",
10479 "-expect-early-data-info",
10480 },
10481 shouldFail: true,
10482 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10483 })
10484
10485 // Test that the server correctly rejects 0-RTT when the previous
10486 // session did not allow early data on resumption.
10487 testCases = append(testCases, testCase{
10488 testType: serverTest,
10489 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10490 config: Config{
10491 MaxVersion: VersionTLS13,
10492 },
10493 resumeConfig: &Config{
10494 MaxVersion: VersionTLS13,
10495 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10496 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10497 ExpectEarlyDataAccepted: false,
10498 },
10499 },
10500 resumeSession: true,
10501 flags: []string{
10502 "-enable-resume-early-data",
10503 "-expect-reject-early-data",
10504 },
10505 })
10506
10507 // Test that we reject early data where ALPN is omitted from the first
10508 // connection.
10509 testCases = append(testCases, testCase{
10510 testType: serverTest,
10511 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10512 config: Config{
10513 MaxVersion: VersionTLS13,
10514 NextProtos: []string{},
10515 },
10516 resumeConfig: &Config{
10517 MaxVersion: VersionTLS13,
10518 NextProtos: []string{"foo"},
10519 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10520 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10521 ExpectEarlyDataAccepted: false,
10522 },
10523 },
10524 resumeSession: true,
10525 flags: []string{
10526 "-enable-early-data",
10527 "-select-alpn", "",
10528 "-select-resume-alpn", "foo",
10529 },
10530 })
10531
10532 // Test that we reject early data where ALPN is omitted from the second
10533 // connection.
10534 testCases = append(testCases, testCase{
10535 testType: serverTest,
10536 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10537 config: Config{
10538 MaxVersion: VersionTLS13,
10539 NextProtos: []string{"foo"},
10540 },
10541 resumeConfig: &Config{
10542 MaxVersion: VersionTLS13,
10543 NextProtos: []string{},
10544 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10545 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10546 ExpectEarlyDataAccepted: false,
10547 },
10548 },
10549 resumeSession: true,
10550 flags: []string{
10551 "-enable-early-data",
10552 "-select-alpn", "foo",
10553 "-select-resume-alpn", "",
10554 },
10555 })
10556
10557 // Test that we reject early data with mismatched ALPN.
10558 testCases = append(testCases, testCase{
10559 testType: serverTest,
10560 name: "TLS13-EarlyData-ALPNMismatch-Server",
10561 config: Config{
10562 MaxVersion: VersionTLS13,
10563 NextProtos: []string{"foo"},
10564 },
10565 resumeConfig: &Config{
10566 MaxVersion: VersionTLS13,
10567 NextProtos: []string{"bar"},
10568 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10569 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10570 ExpectEarlyDataAccepted: false,
10571 },
10572 },
10573 resumeSession: true,
10574 flags: []string{
10575 "-enable-early-data",
10576 "-select-alpn", "foo",
10577 "-select-resume-alpn", "bar",
10578 },
10579 })
10580
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10581 // Test that the client offering 0-RTT and Channel ID forbids the server
10582 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10583 testCases = append(testCases, testCase{
10584 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10585 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10586 config: Config{
10587 MaxVersion: VersionTLS13,
10588 MaxEarlyDataSize: 16384,
10589 RequestChannelID: true,
10590 },
10591 resumeSession: true,
10592 expectChannelID: true,
10593 shouldFail: true,
10594 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10595 flags: []string{
10596 "-enable-early-data",
10597 "-expect-early-data-info",
10598 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10599 },
10600 })
10601
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10602 // Test that the client offering Channel ID and 0-RTT allows the server
10603 // to decline 0-RTT.
10604 testCases = append(testCases, testCase{
10605 testType: clientTest,
10606 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10607 config: Config{
10608 MaxVersion: VersionTLS13,
10609 MaxEarlyDataSize: 16384,
10610 RequestChannelID: true,
10611 Bugs: ProtocolBugs{
10612 AlwaysRejectEarlyData: true,
10613 },
10614 },
10615 resumeSession: true,
10616 expectChannelID: true,
10617 flags: []string{
10618 "-enable-early-data",
10619 "-expect-early-data-info",
10620 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10621 "-expect-reject-early-data",
10622 },
10623 })
10624
10625 // Test that the client offering Channel ID and 0-RTT allows the server
10626 // to decline Channel ID.
10627 testCases = append(testCases, testCase{
10628 testType: clientTest,
10629 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10630 config: Config{
10631 MaxVersion: VersionTLS13,
10632 MaxEarlyDataSize: 16384,
10633 },
10634 resumeSession: true,
10635 flags: []string{
10636 "-enable-early-data",
10637 "-expect-early-data-info",
10638 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10639 "-expect-accept-early-data",
10640 },
10641 })
10642
10643 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10644 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10645 testCases = append(testCases, testCase{
10646 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10647 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10648 config: Config{
10649 MaxVersion: VersionTLS13,
10650 ChannelID: channelIDKey,
10651 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10652 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10653 ExpectEarlyDataAccepted: false,
10654 },
10655 },
10656 resumeSession: true,
10657 expectChannelID: true,
10658 flags: []string{
10659 "-enable-early-data",
10660 "-expect-reject-early-data",
10661 "-expect-channel-id",
10662 base64.StdEncoding.EncodeToString(channelIDBytes),
10663 },
10664 })
10665
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10666 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10667 // if not offered Channel ID.
10668 testCases = append(testCases, testCase{
10669 testType: serverTest,
10670 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10671 config: Config{
10672 MaxVersion: VersionTLS13,
10673 Bugs: ProtocolBugs{
10674 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10675 ExpectEarlyDataAccepted: true,
10676 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10677 },
10678 },
10679 resumeSession: true,
10680 expectChannelID: false,
10681 flags: []string{
10682 "-enable-early-data",
10683 "-expect-accept-early-data",
10684 "-enable-channel-id",
10685 },
10686 })
10687
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10688 // Test that the server rejects 0-RTT streams without end_of_early_data.
10689 // The subsequent records should fail to decrypt.
10690 testCases = append(testCases, testCase{
10691 testType: serverTest,
10692 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10693 config: Config{
10694 MaxVersion: VersionTLS13,
10695 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10696 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10697 ExpectEarlyDataAccepted: true,
10698 SkipEndOfEarlyData: true,
10699 },
10700 },
10701 resumeSession: true,
10702 flags: []string{"-enable-early-data"},
10703 shouldFail: true,
10704 expectedLocalError: "remote error: bad record MAC",
10705 expectedError: ":BAD_DECRYPT:",
10706 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10707
10708 testCases = append(testCases, testCase{
10709 testType: serverTest,
10710 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10711 config: Config{
10712 MaxVersion: VersionTLS13,
10713 },
10714 resumeConfig: &Config{
10715 MaxVersion: VersionTLS13,
10716 Bugs: ProtocolBugs{
10717 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10718 SendStrayEarlyHandshake: true,
10719 ExpectEarlyDataAccepted: true},
10720 },
10721 resumeSession: true,
10722 shouldFail: true,
10723 expectedError: ":UNEXPECTED_RECORD:",
10724 expectedLocalError: "remote error: unexpected message",
10725 flags: []string{
10726 "-enable-early-data",
10727 },
10728 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10729}
10730
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10731func addTLS13CipherPreferenceTests() {
10732 // Test that client preference is honored if the shim has AES hardware
10733 // and ChaCha20-Poly1305 is preferred otherwise.
10734 testCases = append(testCases, testCase{
10735 testType: serverTest,
10736 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10737 config: Config{
10738 MaxVersion: VersionTLS13,
10739 CipherSuites: []uint16{
10740 TLS_CHACHA20_POLY1305_SHA256,
10741 TLS_AES_128_GCM_SHA256,
10742 },
10743 },
10744 flags: []string{
10745 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10746 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10747 },
10748 })
10749
10750 testCases = append(testCases, testCase{
10751 testType: serverTest,
10752 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10753 config: Config{
10754 MaxVersion: VersionTLS13,
10755 CipherSuites: []uint16{
10756 TLS_AES_128_GCM_SHA256,
10757 TLS_CHACHA20_POLY1305_SHA256,
10758 },
10759 },
10760 flags: []string{
10761 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10762 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10763 },
10764 })
10765
10766 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10767 // whether it has AES hardware.
10768 testCases = append(testCases, testCase{
10769 name: "TLS13-CipherPreference-Client",
10770 config: Config{
10771 MaxVersion: VersionTLS13,
10772 // Use the client cipher order. (This is the default but
10773 // is listed to be explicit.)
10774 PreferServerCipherSuites: false,
10775 },
10776 flags: []string{
10777 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10778 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10779 },
10780 })
10781}
10782
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10783func addPeekTests() {
10784 // Test SSL_peek works, including on empty records.
10785 testCases = append(testCases, testCase{
10786 name: "Peek-Basic",
10787 sendEmptyRecords: 1,
10788 flags: []string{"-peek-then-read"},
10789 })
10790
10791 // Test SSL_peek can drive the initial handshake.
10792 testCases = append(testCases, testCase{
10793 name: "Peek-ImplicitHandshake",
10794 flags: []string{
10795 "-peek-then-read",
10796 "-implicit-handshake",
10797 },
10798 })
10799
10800 // Test SSL_peek can discover and drive a renegotiation.
10801 testCases = append(testCases, testCase{
10802 name: "Peek-Renegotiate",
10803 config: Config{
10804 MaxVersion: VersionTLS12,
10805 },
10806 renegotiate: 1,
10807 flags: []string{
10808 "-peek-then-read",
10809 "-renegotiate-freely",
10810 "-expect-total-renegotiations", "1",
10811 },
10812 })
10813
10814 // Test SSL_peek can discover a close_notify.
10815 testCases = append(testCases, testCase{
10816 name: "Peek-Shutdown",
10817 config: Config{
10818 Bugs: ProtocolBugs{
10819 ExpectCloseNotify: true,
10820 },
10821 },
10822 flags: []string{
10823 "-peek-then-read",
10824 "-check-close-notify",
10825 },
10826 })
10827
10828 // Test SSL_peek can discover an alert.
10829 testCases = append(testCases, testCase{
10830 name: "Peek-Alert",
10831 config: Config{
10832 Bugs: ProtocolBugs{
10833 SendSpuriousAlert: alertRecordOverflow,
10834 },
10835 },
10836 flags: []string{"-peek-then-read"},
10837 shouldFail: true,
10838 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10839 })
10840
10841 // Test SSL_peek can handle KeyUpdate.
10842 testCases = append(testCases, testCase{
10843 name: "Peek-KeyUpdate",
10844 config: Config{
10845 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10846 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10847 sendKeyUpdates: 1,
10848 keyUpdateRequest: keyUpdateNotRequested,
10849 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10850 })
10851}
10852
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10853func addRecordVersionTests() {
10854 for _, ver := range tlsVersions {
10855 // Test that the record version is enforced.
10856 testCases = append(testCases, testCase{
10857 name: "CheckRecordVersion-" + ver.name,
10858 config: Config{
10859 MinVersion: ver.version,
10860 MaxVersion: ver.version,
10861 Bugs: ProtocolBugs{
10862 SendRecordVersion: 0x03ff,
10863 },
10864 },
10865 shouldFail: true,
10866 expectedError: ":WRONG_VERSION_NUMBER:",
10867 })
10868
10869 // Test that the ClientHello may use any record version, for
10870 // compatibility reasons.
10871 testCases = append(testCases, testCase{
10872 testType: serverTest,
10873 name: "LooseInitialRecordVersion-" + ver.name,
10874 config: Config{
10875 MinVersion: ver.version,
10876 MaxVersion: ver.version,
10877 Bugs: ProtocolBugs{
10878 SendInitialRecordVersion: 0x03ff,
10879 },
10880 },
10881 })
10882
10883 // Test that garbage ClientHello record versions are rejected.
10884 testCases = append(testCases, testCase{
10885 testType: serverTest,
10886 name: "GarbageInitialRecordVersion-" + ver.name,
10887 config: Config{
10888 MinVersion: ver.version,
10889 MaxVersion: ver.version,
10890 Bugs: ProtocolBugs{
10891 SendInitialRecordVersion: 0xffff,
10892 },
10893 },
10894 shouldFail: true,
10895 expectedError: ":WRONG_VERSION_NUMBER:",
10896 })
10897 }
10898}
10899
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10900func addCertificateTests() {
10901 // Test that a certificate chain with intermediate may be sent and
10902 // received as both client and server.
10903 for _, ver := range tlsVersions {
10904 testCases = append(testCases, testCase{
10905 testType: clientTest,
10906 name: "SendReceiveIntermediate-Client-" + ver.name,
10907 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10908 MinVersion: ver.version,
10909 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10910 Certificates: []Certificate{rsaChainCertificate},
10911 ClientAuth: RequireAnyClientCert,
10912 },
10913 expectPeerCertificate: &rsaChainCertificate,
10914 flags: []string{
10915 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10916 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10917 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10918 },
10919 })
10920
10921 testCases = append(testCases, testCase{
10922 testType: serverTest,
10923 name: "SendReceiveIntermediate-Server-" + ver.name,
10924 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10925 MinVersion: ver.version,
10926 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10927 Certificates: []Certificate{rsaChainCertificate},
10928 },
10929 expectPeerCertificate: &rsaChainCertificate,
10930 flags: []string{
10931 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10932 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10933 "-require-any-client-certificate",
10934 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10935 },
10936 })
10937 }
10938}
10939
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10940func addRetainOnlySHA256ClientCertTests() {
10941 for _, ver := range tlsVersions {
10942 // Test that enabling
10943 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10944 // actually requesting a client certificate is a no-op.
10945 testCases = append(testCases, testCase{
10946 testType: serverTest,
10947 name: "RetainOnlySHA256-NoCert-" + ver.name,
10948 config: Config{
10949 MinVersion: ver.version,
10950 MaxVersion: ver.version,
10951 },
10952 flags: []string{
10953 "-retain-only-sha256-client-cert-initial",
10954 "-retain-only-sha256-client-cert-resume",
10955 },
10956 resumeSession: true,
10957 })
10958
10959 // Test that when retaining only a SHA-256 certificate is
10960 // enabled, the hash appears as expected.
10961 testCases = append(testCases, testCase{
10962 testType: serverTest,
10963 name: "RetainOnlySHA256-Cert-" + ver.name,
10964 config: Config{
10965 MinVersion: ver.version,
10966 MaxVersion: ver.version,
10967 Certificates: []Certificate{rsaCertificate},
10968 },
10969 flags: []string{
10970 "-verify-peer",
10971 "-retain-only-sha256-client-cert-initial",
10972 "-retain-only-sha256-client-cert-resume",
10973 "-expect-sha256-client-cert-initial",
10974 "-expect-sha256-client-cert-resume",
10975 },
10976 resumeSession: true,
10977 })
10978
10979 // Test that when the config changes from on to off, a
10980 // resumption is rejected because the server now wants the full
10981 // certificate chain.
10982 testCases = append(testCases, testCase{
10983 testType: serverTest,
10984 name: "RetainOnlySHA256-OnOff-" + ver.name,
10985 config: Config{
10986 MinVersion: ver.version,
10987 MaxVersion: ver.version,
10988 Certificates: []Certificate{rsaCertificate},
10989 },
10990 flags: []string{
10991 "-verify-peer",
10992 "-retain-only-sha256-client-cert-initial",
10993 "-expect-sha256-client-cert-initial",
10994 },
10995 resumeSession: true,
10996 expectResumeRejected: true,
10997 })
10998
10999 // Test that when the config changes from off to on, a
11000 // resumption is rejected because the server now wants just the
11001 // hash.
11002 testCases = append(testCases, testCase{
11003 testType: serverTest,
11004 name: "RetainOnlySHA256-OffOn-" + ver.name,
11005 config: Config{
11006 MinVersion: ver.version,
11007 MaxVersion: ver.version,
11008 Certificates: []Certificate{rsaCertificate},
11009 },
11010 flags: []string{
11011 "-verify-peer",
11012 "-retain-only-sha256-client-cert-resume",
11013 "-expect-sha256-client-cert-resume",
11014 },
11015 resumeSession: true,
11016 expectResumeRejected: true,
11017 })
11018 }
11019}
11020
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11021func addECDSAKeyUsageTests() {
11022 p256 := elliptic.P256()
11023 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11024 if err != nil {
11025 panic(err)
11026 }
11027
11028 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11029 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11030 if err != nil {
11031 panic(err)
11032 }
11033
11034 template := x509.Certificate{
11035 SerialNumber: serialNumber,
11036 Subject: pkix.Name{
11037 Organization: []string{"Acme Co"},
11038 },
11039 NotBefore: time.Now(),
11040 NotAfter: time.Now(),
11041
11042 // An ECC certificate with only the keyAgreement key usgae may
11043 // be used with ECDH, but not ECDSA.
11044 KeyUsage: x509.KeyUsageKeyAgreement,
11045 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11046 BasicConstraintsValid: true,
11047 }
11048
11049 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11050 if err != nil {
11051 panic(err)
11052 }
11053
11054 cert := Certificate{
11055 Certificate: [][]byte{derBytes},
11056 PrivateKey: priv,
11057 }
11058
11059 for _, ver := range tlsVersions {
11060 if ver.version < VersionTLS12 {
11061 continue
11062 }
11063
11064 testCases = append(testCases, testCase{
11065 testType: clientTest,
11066 name: "ECDSAKeyUsage-" + ver.name,
11067 config: Config{
11068 MinVersion: ver.version,
11069 MaxVersion: ver.version,
11070 Certificates: []Certificate{cert},
11071 },
11072 shouldFail: true,
11073 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11074 })
11075 }
11076}
11077
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11078func addExtraHandshakeTests() {
11079 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11080 // to ensure there is no transport I/O.
11081 testCases = append(testCases, testCase{
11082 testType: clientTest,
11083 name: "ExtraHandshake-Client-TLS12",
11084 config: Config{
11085 MinVersion: VersionTLS12,
11086 MaxVersion: VersionTLS12,
11087 },
11088 flags: []string{
11089 "-async",
11090 "-no-op-extra-handshake",
11091 },
11092 })
11093 testCases = append(testCases, testCase{
11094 testType: serverTest,
11095 name: "ExtraHandshake-Server-TLS12",
11096 config: Config{
11097 MinVersion: VersionTLS12,
11098 MaxVersion: VersionTLS12,
11099 },
11100 flags: []string{
11101 "-async",
11102 "-no-op-extra-handshake",
11103 },
11104 })
11105 testCases = append(testCases, testCase{
11106 testType: clientTest,
11107 name: "ExtraHandshake-Client-TLS13",
11108 config: Config{
11109 MinVersion: VersionTLS13,
11110 MaxVersion: VersionTLS13,
11111 },
11112 flags: []string{
11113 "-async",
11114 "-no-op-extra-handshake",
11115 },
11116 })
11117 testCases = append(testCases, testCase{
11118 testType: serverTest,
11119 name: "ExtraHandshake-Server-TLS13",
11120 config: Config{
11121 MinVersion: VersionTLS13,
11122 MaxVersion: VersionTLS13,
11123 },
11124 flags: []string{
11125 "-async",
11126 "-no-op-extra-handshake",
11127 },
11128 })
11129
11130 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11131 testCases = append(testCases, testCase{
11132 testType: serverTest,
11133 name: "ExtraHandshake-Server-EarlyData-TLS13",
11134 config: Config{
11135 MaxVersion: VersionTLS13,
11136 MinVersion: VersionTLS13,
11137 Bugs: ProtocolBugs{
11138 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11139 ExpectEarlyDataAccepted: true,
11140 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11141 },
11142 },
11143 messageCount: 2,
11144 resumeSession: true,
11145 flags: []string{
11146 "-async",
11147 "-enable-early-data",
11148 "-expect-accept-early-data",
11149 "-no-op-extra-handshake",
11150 },
11151 })
11152
11153 // An extra SSL_do_handshake drives the handshake to completion in False
11154 // Start. We test this by handshaking twice and asserting the False
11155 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11156 // how the test works.
11157 testCases = append(testCases, testCase{
11158 testType: clientTest,
11159 name: "ExtraHandshake-FalseStart",
11160 config: Config{
11161 MaxVersion: VersionTLS12,
11162 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11163 NextProtos: []string{"foo"},
11164 Bugs: ProtocolBugs{
11165 ExpectFalseStart: true,
11166 AlertBeforeFalseStartTest: alertAccessDenied,
11167 },
11168 },
11169 flags: []string{
11170 "-handshake-twice",
11171 "-false-start",
11172 "-advertise-alpn", "\x03foo",
11173 },
11174 shimWritesFirst: true,
11175 shouldFail: true,
11176 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11177 expectedLocalError: "tls: peer did not false start: EOF",
11178 })
11179}
11180
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11181func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11182 defer wg.Done()
11183
11184 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11185 var err error
11186
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11187 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11188 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11189 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11190 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11191 if err != nil {
11192 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11193 }
11194 break
11195 }
11196 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11197 } else if *repeatUntilFailure {
11198 for err == nil {
11199 statusChan <- statusMsg{test: test, started: true}
11200 err = runTest(test, shimPath, -1)
11201 }
11202 } else {
11203 statusChan <- statusMsg{test: test, started: true}
11204 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11205 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11206 statusChan <- statusMsg{test: test, err: err}
11207 }
11208}
11209
11210type statusMsg struct {
11211 test *testCase
11212 started bool
11213 err error
11214}
11215
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11216func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11217 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11218
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11219 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11220 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11221 if !*pipe {
11222 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11223 var erase string
11224 for i := 0; i < lineLen; i++ {
11225 erase += "\b \b"
11226 }
11227 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11228 }
11229
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11230 if msg.started {
11231 started++
11232 } else {
11233 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11234
11235 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11236 if msg.err == errUnimplemented {
11237 if *pipe {
11238 // Print each test instead of a status line.
11239 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11240 }
11241 unimplemented++
11242 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11243 } else {
11244 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11245 failed++
11246 testOutput.addResult(msg.test.name, "FAIL")
11247 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11248 } else {
11249 if *pipe {
11250 // Print each test instead of a status line.
11251 fmt.Printf("PASSED (%s)\n", msg.test.name)
11252 }
11253 testOutput.addResult(msg.test.name, "PASS")
11254 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11255 }
11256
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11257 if !*pipe {
11258 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11259 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11260 lineLen = len(line)
11261 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11262 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11263 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11264
11265 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11266}
11267
11268func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11269 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11270 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11271 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11272
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11273 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11274 addCipherSuiteTests()
11275 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11276 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11277 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11278 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11279 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11280 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11281 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11282 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11283 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11284 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11285 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11286 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11287 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11288 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11289 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11290 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11291 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11292 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11293 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11294 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11295 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11296 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11297 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11298 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11299 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11300 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11301 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11302 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11303 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11304 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11305 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11306 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11307 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11308
11309 var wg sync.WaitGroup
11310
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11311 statusChan := make(chan statusMsg, *numWorkers)
11312 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11313 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11314
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11315 if len(*shimConfigFile) != 0 {
11316 encoded, err := ioutil.ReadFile(*shimConfigFile)
11317 if err != nil {
11318 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11319 os.Exit(1)
11320 }
11321
11322 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11323 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11324 os.Exit(1)
11325 }
11326 }
11327
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11328 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11329
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11330 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11331 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11332 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11333 }
11334
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11335 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11336 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11337 matched := true
11338 if len(*testToRun) != 0 {
11339 var err error
11340 matched, err = filepath.Match(*testToRun, testCases[i].name)
11341 if err != nil {
11342 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11343 os.Exit(1)
11344 }
11345 }
11346
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11347 if !*includeDisabled {
11348 for pattern := range shimConfig.DisabledTests {
11349 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11350 if err != nil {
11351 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11352 os.Exit(1)
11353 }
11354
11355 if isDisabled {
11356 matched = false
11357 break
11358 }
11359 }
11360 }
11361
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11362 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11363 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11364 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11365
11366 // Only run one test if repeating until failure.
11367 if *repeatUntilFailure {
11368 break
11369 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11370 }
11371 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11372
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11373 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11374 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11375 os.Exit(1)
11376 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11377
11378 close(testChan)
11379 wg.Wait()
11380 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11381 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11382
11383 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11384
11385 if *jsonOutput != "" {
11386 if err := testOutput.writeTo(*jsonOutput); err != nil {
11387 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11388 }
11389 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11390
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11391 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11392 os.Exit(1)
11393 }
11394
11395 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11396 os.Exit(1)
11397 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11398}