Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 520e1220bb7557b491627ebbef96ce2d3a0c6368 / . / ssl / test / runner / runner.go
blob: acf1fa8dc6144cf4261ff9fd63e34daa891de03e [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]266// recordVersionToWire maps a record-layer protocol version to its wire
267// representation.
268func recordVersionToWire(vers uint16, protocol protocol) uint16 {
Steven Valdezc94998a2017-06-20 10:55:02 -0400[diff] [blame]269 if protocol == dtls {
270 switch vers {
271 case VersionTLS12:
272 return VersionDTLS12
273 case VersionTLS10:
274 return VersionDTLS10
275 }
276 } else {
277 switch vers {
278 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
279 return vers
Steven Valdezc94998a2017-06-20 10:55:02 -0400[diff] [blame]280 }
281 }
282
283 panic("unknown version")
284}
285
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]286// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
287func encodeDERValues(values [][]byte) string {
288 var ret string
289 for i, v := range values {
290 if i > 0 {
291 ret += ","
292 }
293 ret += hex.EncodeToString(v)
294 }
295
296 return ret
297}
298
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299type testType int
300
301const (
302 clientTest testType = iota
303 serverTest
304)
305
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]306type protocol int
307
308const (
309 tls protocol = iota
310 dtls
311)
312
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]313const (
314 alpn = 1
315 npn = 2
316)
317
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]318type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]319 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]320 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]321 name string
322 config Config
323 shouldFail bool
324 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]325 // expectedLocalError, if not empty, contains a substring that must be
326 // found in the local error.
327 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]328 // expectedVersion, if non-zero, specifies the TLS version that must be
329 // negotiated.
330 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]331 // expectedResumeVersion, if non-zero, specifies the TLS version that
332 // must be negotiated on resumption. If zero, expectedVersion is used.
333 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]334 // expectedCipher, if non-zero, specifies the TLS cipher suite that
335 // should be negotiated.
336 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]337 // expectChannelID controls whether the connection should have
338 // negotiated a Channel ID with channelIDKey.
339 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]340 // expectedNextProto controls whether the connection should
341 // negotiate a next protocol via NPN or ALPN.
342 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]343 // expectNoNextProto, if true, means that no next protocol should be
344 // negotiated.
345 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]346 // expectedNextProtoType, if non-zero, is the expected next
347 // protocol negotiation mechanism.
348 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]349 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
350 // should be negotiated. If zero, none should be negotiated.
351 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]352 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
353 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]354 // expectedSCTList, if not nil, is the expected SCT list to be received.
355 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]356 // expectedPeerSignatureAlgorithm, if not zero, is the signature
357 // algorithm that the peer should have used in the handshake.
358 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]359 // expectedCurveID, if not zero, is the curve that the handshake should
360 // have used.
361 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]362 // messageLen is the length, in bytes, of the test message that will be
363 // sent.
364 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]365 // messageCount is the number of test messages that will be sent.
366 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]367 // certFile is the path to the certificate to use for the server.
368 certFile string
369 // keyFile is the path to the private key to use for the server.
370 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]371 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]372 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]373 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]374 // resumeRenewedSession controls whether a third connection should be
375 // tested which attempts to resume the second connection's session.
376 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]377 // expectResumeRejected, if true, specifies that the attempted
378 // resumption must be rejected by the client. This is only valid for a
379 // serverTest.
380 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]381 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]382 // resumption. Unless newSessionsOnResume is set,
383 // SessionTicketKey, ServerSessionCache, and
384 // ClientSessionCache are copied from the initial connection's
385 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]386 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]387 // newSessionsOnResume, if true, will cause resumeConfig to
388 // use a different session resumption context.
389 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]390 // noSessionCache, if true, will cause the server to run without a
391 // session cache.
392 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]393 // sendPrefix sends a prefix on the socket before actually performing a
394 // handshake.
395 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]396 // shimWritesFirst controls whether the shim sends an initial "hello"
397 // message before doing a roundtrip with the runner.
398 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]399 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
400 // does not complete the write until responding to the first runner
401 // message.
402 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]403 // shimShutsDown, if true, runs a test where the shim shuts down the
404 // connection immediately after the handshake rather than echoing
405 // messages from the runner.
406 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]407 // renegotiate indicates the number of times the connection should be
408 // renegotiated during the exchange.
409 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]410 // sendHalfHelloRequest, if true, causes the server to send half a
411 // HelloRequest when the handshake completes.
412 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]413 // renegotiateCiphers is a list of ciphersuite ids that will be
414 // switched in just before renegotiation.
415 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]416 // replayWrites, if true, configures the underlying transport
417 // to replay every write it makes in DTLS tests.
418 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]419 // damageFirstWrite, if true, configures the underlying transport to
420 // damage the final byte of the first application data write.
421 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]422 // exportKeyingMaterial, if non-zero, configures the test to exchange
423 // keying material and verify they match.
424 exportKeyingMaterial int
425 exportLabel string
426 exportContext string
427 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]428 // flags, if not empty, contains a list of command-line flags that will
429 // be passed to the shim program.
430 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]431 // testTLSUnique, if true, causes the shim to send the tls-unique value
432 // which will be compared against the expected value.
433 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]434 // sendEmptyRecords is the number of consecutive empty records to send
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame]435 // before each test message.
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]436 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]437 // sendWarningAlerts is the number of consecutive warning alerts to send
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame]438 // before each test message.
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]439 sendWarningAlerts int
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame]440 // sendBogusAlertType, if true, causes a bogus alert of invalid type to
441 // be sent before each test message.
442 sendBogusAlertType bool
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]443 // sendKeyUpdates is the number of consecutive key updates to send
444 // before and after the test message.
445 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]446 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
447 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]448 // expectMessageDropped, if true, means the test message is expected to
449 // be dropped by the client rather than echoed back.
450 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]451 // expectPeerCertificate, if not nil, is the certificate chain the peer
452 // is expected to send.
453 expectPeerCertificate *Certificate
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]454 // shimPrefix is the prefix that the shim will send to the server.
455 shimPrefix string
456 // resumeShimPrefix is the prefix that the shim will send to the server on a
457 // resumption.
458 resumeShimPrefix string
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]459}
460
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]461var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]462
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]463func writeTranscript(test *testCase, path string, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]464 if len(data) == 0 {
465 return
466 }
467
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]468 settings, err := ioutil.ReadFile(path)
469 if err != nil {
470 fmt.Fprintf(os.Stderr, "Error reading %s: %s.\n", path, err)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]471 return
472 }
473
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]474 settings = append(settings, data...)
475 if err := ioutil.WriteFile(path, settings, 0644); err != nil {
476 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", path, err)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]477 }
478}
479
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]480// A timeoutConn implements an idle timeout on each Read and Write operation.
481type timeoutConn struct {
482 net.Conn
483 timeout time.Duration
484}
485
486func (t *timeoutConn) Read(b []byte) (int, error) {
487 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
488 return 0, err
489 }
490 return t.Conn.Read(b)
491}
492
493func (t *timeoutConn) Write(b []byte) (int, error) {
494 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
495 return 0, err
496 }
497 return t.Conn.Write(b)
498}
499
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]500func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, transcriptPrefix string, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]501 if !test.noSessionCache {
502 if config.ClientSessionCache == nil {
503 config.ClientSessionCache = NewLRUClientSessionCache(1)
504 }
505 if config.ServerSessionCache == nil {
506 config.ServerSessionCache = NewLRUServerSessionCache(1)
507 }
508 }
509 if test.testType == clientTest {
510 if len(config.Certificates) == 0 {
511 config.Certificates = []Certificate{rsaCertificate}
512 }
513 } else {
514 // Supply a ServerName to ensure a constant session cache key,
515 // rather than falling back to net.Conn.RemoteAddr.
516 if len(config.ServerName) == 0 {
517 config.ServerName = "test"
518 }
519 }
520 if *fuzzer {
521 config.Bugs.NullAllCiphers = true
522 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]523 if *deterministic {
524 config.Time = func() time.Time { return time.Unix(1234, 1234) }
525 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]526
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]527 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]528
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]529 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]530 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
531 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]532 }
533
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]535 local, peer := "client", "server"
536 if test.testType == clientTest {
537 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]538 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]539 connDebug := &recordingConn{
540 Conn: conn,
541 isDatagram: test.protocol == dtls,
542 local: local,
543 peer: peer,
544 }
545 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]546 if *flagDebug {
547 defer connDebug.WriteTo(os.Stdout)
548 }
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]549 if len(transcriptPrefix) != 0 {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]550 defer func() {
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]551 path := transcriptPrefix + strconv.Itoa(num)
552 writeTranscript(test, path, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]553 }()
554 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]555
556 if config.Bugs.PacketAdaptor != nil {
557 config.Bugs.PacketAdaptor.debug = connDebug
558 }
559 }
560
561 if test.replayWrites {
562 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]563 }
564
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]565 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]566 if test.damageFirstWrite {
567 connDamage = newDamageAdaptor(conn)
568 conn = connDamage
569 }
570
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]571 if test.sendPrefix != "" {
572 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
573 return err
574 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]575 }
576
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]577 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]578 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]579 if test.protocol == dtls {
580 tlsConn = DTLSServer(conn, config)
581 } else {
582 tlsConn = Server(conn, config)
583 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]584 } else {
585 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]586 if test.protocol == dtls {
587 tlsConn = DTLSClient(conn, config)
588 } else {
589 tlsConn = Client(conn, config)
590 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]591 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]592 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]593
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]594 if err := tlsConn.Handshake(); err != nil {
595 return err
596 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]597
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]598 // TODO(davidben): move all per-connection expectations into a dedicated
599 // expectations struct that can be specified separately for the two
600 // legs.
601 expectedVersion := test.expectedVersion
602 if isResume && test.expectedResumeVersion != 0 {
603 expectedVersion = test.expectedResumeVersion
604 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]605 connState := tlsConn.ConnectionState()
606 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]607 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]608 }
609
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]610 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]611 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
612 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]613 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
614 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
615 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]616
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]617 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]618 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]619 if channelID == nil {
620 return fmt.Errorf("no channel ID negotiated")
621 }
622 if channelID.Curve != channelIDKey.Curve ||
623 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
624 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
625 return fmt.Errorf("incorrect channel ID")
626 }
David Benjamin634f4752017-07-01 11:08:41 -0400[diff] [blame]627 } else if connState.ChannelID != nil {
628 return fmt.Errorf("channel ID unexpectedly negotiated")
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]629 }
630
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]631 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]632 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]633 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
634 }
635 }
636
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]637 if test.expectNoNextProto {
638 if actual := connState.NegotiatedProtocol; actual != "" {
639 return fmt.Errorf("got unexpected next proto %s", actual)
640 }
641 }
642
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]643 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]644 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]645 return fmt.Errorf("next proto type mismatch")
646 }
647 }
648
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]649 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]650 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
651 }
652
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]653 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]654 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]655 }
656
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]657 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
658 return fmt.Errorf("SCT list mismatch")
659 }
660
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]661 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
662 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]663 }
664
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]665 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
666 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
667 }
668
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]669 if test.expectPeerCertificate != nil {
670 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
671 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
672 }
673 for i, cert := range connState.PeerCertificates {
674 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
675 return fmt.Errorf("peer certificate %d did not match", i+1)
676 }
677 }
678 }
679
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]680 if test.exportKeyingMaterial > 0 {
681 actual := make([]byte, test.exportKeyingMaterial)
682 if _, err := io.ReadFull(tlsConn, actual); err != nil {
683 return err
684 }
685 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
686 if err != nil {
687 return err
688 }
689 if !bytes.Equal(actual, expected) {
690 return fmt.Errorf("keying material mismatch")
691 }
692 }
693
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]694 if test.testTLSUnique {
695 var peersValue [12]byte
696 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
697 return err
698 }
699 expected := tlsConn.ConnectionState().TLSUnique
700 if !bytes.Equal(peersValue[:], expected) {
701 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
702 }
703 }
704
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]705 if test.sendHalfHelloRequest {
706 tlsConn.SendHalfHelloRequest()
707 }
708
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]709 shimPrefix := test.shimPrefix
710 if isResume {
711 shimPrefix = test.resumeShimPrefix
712 }
713 if test.shimWritesFirst || test.readWithUnfinishedWrite {
714 shimPrefix = "hello"
715 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]716 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]717 // If readWithUnfinishedWrite is set, the shim prefix will be
718 // available later.
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]719 if shimPrefix != "" && !test.readWithUnfinishedWrite {
720 var buf = make([]byte, len(shimPrefix))
721 _, err := io.ReadFull(tlsConn, buf)
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]722 if err != nil {
723 return err
724 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]725 if string(buf) != shimPrefix {
726 return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]727 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]728 shimPrefix = ""
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]729 }
730
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]731 if test.renegotiateCiphers != nil {
732 config.CipherSuites = test.renegotiateCiphers
733 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]734 for i := 0; i < test.renegotiate; i++ {
735 if err := tlsConn.Renegotiate(); err != nil {
736 return err
737 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]738 }
739 } else if test.renegotiateCiphers != nil {
740 panic("renegotiateCiphers without renegotiate")
741 }
742
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]743 if test.damageFirstWrite {
744 connDamage.setDamage(true)
745 tlsConn.Write([]byte("DAMAGED WRITE"))
746 connDamage.setDamage(false)
747 }
748
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]749 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]750 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]751 if test.protocol == dtls {
752 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
753 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]754 // Read until EOF.
755 _, err := io.Copy(ioutil.Discard, tlsConn)
756 return err
757 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]758 if messageLen == 0 {
759 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]760 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]761
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]762 messageCount := test.messageCount
763 if messageCount == 0 {
764 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]765 }
766
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]767 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]768 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]769 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]770 }
771
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]772 for i := 0; i < test.sendEmptyRecords; i++ {
773 tlsConn.Write(nil)
774 }
775
776 for i := 0; i < test.sendWarningAlerts; i++ {
777 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
778 }
779
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame]780 if test.sendBogusAlertType {
781 tlsConn.SendAlert(0x42, alertUnexpectedMessage)
782 }
783
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]784 testMessage := make([]byte, messageLen)
785 for i := range testMessage {
786 testMessage[i] = 0x42 ^ byte(j)
787 }
788 tlsConn.Write(testMessage)
789
790 // Consume the shim prefix if needed.
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]791 if shimPrefix != "" {
792 var buf = make([]byte, len(shimPrefix))
793 _, err := io.ReadFull(tlsConn, buf)
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]794 if err != nil {
795 return err
796 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]797 if string(buf) != shimPrefix {
798 return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]799 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]800 shimPrefix = ""
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]801 }
802
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]803 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]804 // The shim will not respond.
805 continue
806 }
807
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]808 // Process the KeyUpdate ACK. However many KeyUpdates the runner
809 // sends, the shim should respond only once.
810 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
811 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
812 return err
813 }
814 }
815
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]816 buf := make([]byte, len(testMessage))
817 if test.protocol == dtls {
818 bufTmp := make([]byte, len(buf)+1)
819 n, err := tlsConn.Read(bufTmp)
820 if err != nil {
821 return err
822 }
823 if n != len(buf) {
824 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
825 }
826 copy(buf, bufTmp)
827 } else {
828 _, err := io.ReadFull(tlsConn, buf)
829 if err != nil {
830 return err
831 }
832 }
833
834 for i, v := range buf {
835 if v != testMessage[i]^0xff {
836 return fmt.Errorf("bad reply contents at byte %d", i)
837 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838 }
839 }
840
841 return nil
842}
843
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]844func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]845 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]846 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]847 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]848 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]849 valgrindArgs = append(valgrindArgs, path)
850 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]851
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]852 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]853}
854
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]855func gdbOf(path string, args ...string) *exec.Cmd {
856 xtermArgs := []string{"-e", "gdb", "--args"}
857 xtermArgs = append(xtermArgs, path)
858 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]859
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]860 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]861}
862
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]863func lldbOf(path string, args ...string) *exec.Cmd {
864 xtermArgs := []string{"-e", "lldb", "--"}
865 xtermArgs = append(xtermArgs, path)
866 xtermArgs = append(xtermArgs, args...)
867
868 return exec.Command("xterm", xtermArgs...)
869}
870
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]871var (
872 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
873 errUnimplemented = errors.New("child process does not implement needed flags")
874)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]875
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]876// accept accepts a connection from listener, unless waitChan signals a process
877// exit first.
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]878func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]879 type connOrError struct {
880 conn net.Conn
881 err error
882 }
883 connChan := make(chan connOrError, 1)
884 go func() {
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]885 listener.SetDeadline(time.Now().Add(*idleTimeout))
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]886 conn, err := listener.Accept()
887 connChan <- connOrError{conn, err}
888 close(connChan)
889 }()
890 select {
891 case result := <-connChan:
892 return result.conn, result.err
893 case childErr := <-waitChan:
894 waitChan <- childErr
895 return nil, fmt.Errorf("child exited early: %s", childErr)
896 }
897}
898
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]899func translateExpectedError(errorStr string) string {
900 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
901 return translated
902 }
903
904 if *looseErrors {
905 return ""
906 }
907
908 return errorStr
909}
910
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]911func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]912 // Help debugging panics on the Go side.
913 defer func() {
914 if r := recover(); r != nil {
915 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
916 panic(r)
917 }
918 }()
919
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]920 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
921 panic("Error expected without shouldFail in " + test.name)
922 }
923
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]924 if test.expectResumeRejected && !test.resumeSession {
925 panic("expectResumeRejected without resumeSession in " + test.name)
926 }
927
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]928 for _, ver := range tlsVersions {
929 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
930 continue
931 }
932
933 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
934 continue
935 }
936
937 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
938 }
939
Matthew Braithwaite2d04cf02017-05-19 18:13:25 -0700[diff] [blame]940 listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv6loopback})
941 if err != nil {
942 listener, err = net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
943 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]944 if err != nil {
945 panic(err)
946 }
947 defer func() {
948 if listener != nil {
949 listener.Close()
950 }
951 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]952
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]953 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]954 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]955 flags = append(flags, "-server")
956
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]957 flags = append(flags, "-key-file")
958 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]959 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]960 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]961 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]962 }
963
964 flags = append(flags, "-cert-file")
965 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]966 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]967 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]968 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]969 }
970 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]971
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]972 if test.protocol == dtls {
973 flags = append(flags, "-dtls")
974 }
975
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]976 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]977 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]978 resumeCount++
979 if test.resumeRenewedSession {
980 resumeCount++
981 }
982 }
983
984 if resumeCount > 0 {
985 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]986 }
987
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]988 if test.shimWritesFirst {
989 flags = append(flags, "-shim-writes-first")
990 }
991
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]992 if test.readWithUnfinishedWrite {
993 flags = append(flags, "-read-with-unfinished-write")
994 }
995
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]996 if test.shimShutsDown {
997 flags = append(flags, "-shim-shuts-down")
998 }
999
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]1000 if test.exportKeyingMaterial > 0 {
1001 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
1002 flags = append(flags, "-export-label", test.exportLabel)
1003 flags = append(flags, "-export-context", test.exportContext)
1004 if test.useExportContext {
1005 flags = append(flags, "-use-export-context")
1006 }
1007 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]1008 if test.expectResumeRejected {
1009 flags = append(flags, "-expect-session-miss")
1010 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]1011
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1012 if test.testTLSUnique {
1013 flags = append(flags, "-tls-unique")
1014 }
1015
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]1016 var transcriptPrefix string
1017 if len(*transcriptDir) != 0 {
1018 protocol := "tls"
1019 if test.protocol == dtls {
1020 protocol = "dtls"
1021 }
1022
1023 side := "client"
1024 if test.testType == serverTest {
1025 side = "server"
1026 }
1027
1028 dir := filepath.Join(*transcriptDir, protocol, side)
1029 if err := os.MkdirAll(dir, 0755); err != nil {
1030 return err
1031 }
1032 transcriptPrefix = filepath.Join(dir, test.name+"-")
1033 flags = append(flags, "-write-settings", transcriptPrefix)
1034 }
1035
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1036 flags = append(flags, test.flags...)
1037
1038 var shim *exec.Cmd
1039 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1040 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1041 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1042 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]1043 } else if *useLLDB {
1044 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1045 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1046 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1047 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1048 shim.Stdin = os.Stdin
1049 var stdoutBuf, stderrBuf bytes.Buffer
1050 shim.Stdout = &stdoutBuf
1051 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1052 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]1053 shim.Env = os.Environ()
1054 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1055 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1056 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1057 }
1058 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1059 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1060
1061 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 panic(err)
1063 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1064 waitChan := make(chan error, 1)
1065 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066
1067 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1068
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1069 if *deterministic {
1070 config.Rand = &deterministicRand{}
1071 }
1072
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1073 conn, err := acceptOrWait(listener, waitChan)
1074 if err == nil {
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]1075 err = doExchange(test, &config, conn, false /* not a resumption */, transcriptPrefix, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1076 conn.Close()
1077 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1078
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1079 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1080 var resumeConfig Config
1081 if test.resumeConfig != nil {
1082 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1083 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1084 resumeConfig.SessionTicketKey = config.SessionTicketKey
1085 resumeConfig.ClientSessionCache = config.ClientSessionCache
1086 resumeConfig.ServerSessionCache = config.ServerSessionCache
1087 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1088 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1089 } else {
1090 resumeConfig = config
1091 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1092 var connResume net.Conn
1093 connResume, err = acceptOrWait(listener, waitChan)
1094 if err == nil {
David Benjamin0fde2eb2017-06-30 19:11:22 -0400[diff] [blame]1095 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, transcriptPrefix, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1096 connResume.Close()
1097 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1098 }
1099
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1100 // Close the listener now. This is to avoid hangs should the shim try to
1101 // open more connections than expected.
1102 listener.Close()
1103 listener = nil
1104
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1105 var shimKilledLock sync.Mutex
1106 var shimKilled bool
1107 waitTimeout := time.AfterFunc(*idleTimeout, func() {
1108 shimKilledLock.Lock()
1109 shimKilled = true
1110 shimKilledLock.Unlock()
1111 shim.Process.Kill()
1112 })
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1113 childErr := <-waitChan
David Benjamin4d1f4ba2017-05-08 15:54:39 -0400[diff] [blame]1114 waitTimeout.Stop()
1115 shimKilledLock.Lock()
1116 if shimKilled && err == nil {
1117 err = errors.New("timeout waiting for the shim to exit.")
1118 }
1119 shimKilledLock.Unlock()
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1120 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1121 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1122 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1123 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1124 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1125 case 89:
1126 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1127 case 99:
1128 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1129 }
1130 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1131
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1132 // Account for Windows line endings.
1133 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1134 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1135
1136 // Separate the errors from the shim and those from tools like
1137 // AddressSanitizer.
1138 var extraStderr string
1139 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1140 stderr = stderrParts[0]
1141 extraStderr = stderrParts[1]
1142 }
1143
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1144 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1145 expectedError := translateExpectedError(test.expectedError)
1146 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1147
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1148 localError := "none"
1149 if err != nil {
1150 localError = err.Error()
1151 }
1152 if len(test.expectedLocalError) != 0 {
1153 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1154 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155
1156 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1157 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1158 if childErr != nil {
1159 childError = childErr.Error()
1160 }
1161
1162 var msg string
1163 switch {
1164 case failed && !test.shouldFail:
1165 msg = "unexpected failure"
1166 case !failed && test.shouldFail:
1167 msg = "unexpected success"
1168 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1169 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170 default:
1171 panic("internal error")
1172 }
1173
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1174 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1175 }
1176
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1177 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Adam Langleyc88f2452017-04-27 14:15:37 -0700[diff] [blame]1178 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1179 }
1180
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1181 if *useValgrind && isValgrindError {
1182 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1183 }
1184
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1185 return nil
1186}
1187
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1188type tlsVersion struct {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]1189 name string
1190 // version is the protocol version.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1191 version uint16
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]1192 // excludeFlag is the legacy shim flag to disable the version.
1193 excludeFlag string
1194 hasDTLS bool
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]1195 // versionDTLS, if non-zero, is the DTLS-specific representation of the version.
1196 versionDTLS uint16
1197 // versionWire, if non-zero, is the wire representation of the
1198 // version. Otherwise the wire version is the protocol version or
1199 // versionDTLS.
1200 versionWire uint16
1201 tls13Variant int
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]1202}
1203
1204func (vers tlsVersion) shimFlag(protocol protocol) string {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]1205 // The shim uses the protocol version in its public API, but uses the
1206 // DTLS-specific version if it exists.
1207 if protocol == dtls && vers.versionDTLS != 0 {
1208 return strconv.Itoa(int(vers.versionDTLS))
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]1209 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]1210 return strconv.Itoa(int(vers.version))
1211}
1212
1213func (vers tlsVersion) wire(protocol protocol) uint16 {
1214 if protocol == dtls && vers.versionDTLS != 0 {
1215 return vers.versionDTLS
1216 }
1217 if vers.versionWire != 0 {
1218 return vers.versionWire
1219 }
1220 return vers.version
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1221}
1222
1223var tlsVersions = []tlsVersion{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]1224 {
1225 name: "SSL3",
1226 version: VersionSSL30,
1227 excludeFlag: "-no-ssl3",
1228 },
1229 {
1230 name: "TLS1",
1231 version: VersionTLS10,
1232 excludeFlag: "-no-tls1",
1233 hasDTLS: true,
1234 versionDTLS: VersionDTLS10,
1235 },
1236 {
1237 name: "TLS11",
1238 version: VersionTLS11,
1239 excludeFlag: "-no-tls11",
1240 },
1241 {
1242 name: "TLS12",
1243 version: VersionTLS12,
1244 excludeFlag: "-no-tls12",
1245 hasDTLS: true,
1246 versionDTLS: VersionDTLS12,
1247 },
1248 {
1249 name: "TLS13",
1250 version: VersionTLS13,
1251 excludeFlag: "-no-tls13",
1252 versionWire: tls13DraftVersion,
1253 tls13Variant: TLS13Default,
1254 },
1255 {
1256 name: "TLS13Experiment",
1257 version: VersionTLS13,
1258 excludeFlag: "-no-tls13",
1259 versionWire: tls13ExperimentVersion,
1260 tls13Variant: TLS13Experiment,
1261 },
1262}
1263
1264func allVersions(protocol protocol) []tlsVersion {
1265 if protocol == tls {
1266 return tlsVersions
1267 }
1268
1269 var ret []tlsVersion
1270 for _, vers := range tlsVersions {
1271 if vers.hasDTLS {
1272 ret = append(ret, vers)
1273 }
1274 }
1275 return ret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1276}
1277
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1278type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1279 name string
1280 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1281}
1282
1283var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1284 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1285 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1286 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1287 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1288 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1289 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1290 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1291 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1292 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1293 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1294 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1295 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1296 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1297 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1298 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1299 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1300 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1301 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1302 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1303 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1304 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1305 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1306 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1307 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1308 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1309 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1310 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1311 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1312 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1313 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1314}
1315
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1316func hasComponent(suiteName, component string) bool {
1317 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1318}
1319
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1320func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1321 return hasComponent(suiteName, "GCM") ||
1322 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1323 hasComponent(suiteName, "SHA384") ||
1324 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1325}
1326
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1327func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1328 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1329}
1330
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1331func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1332 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1333}
1334
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1335func bigFromHex(hex string) *big.Int {
1336 ret, ok := new(big.Int).SetString(hex, 16)
1337 if !ok {
1338 panic("failed to parse hex number 0x" + hex)
1339 }
1340 return ret
1341}
1342
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1343func addBasicTests() {
1344 basicTests := []testCase{
1345 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1346 name: "NoFallbackSCSV",
1347 config: Config{
1348 Bugs: ProtocolBugs{
1349 FailIfNotFallbackSCSV: true,
1350 },
1351 },
1352 shouldFail: true,
1353 expectedLocalError: "no fallback SCSV found",
1354 },
1355 {
1356 name: "SendFallbackSCSV",
1357 config: Config{
1358 Bugs: ProtocolBugs{
1359 FailIfNotFallbackSCSV: true,
1360 },
1361 },
1362 flags: []string{"-fallback-scsv"},
1363 },
1364 {
1365 name: "ClientCertificateTypes",
1366 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1367 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1368 ClientAuth: RequestClientCert,
1369 ClientCertificateTypes: []byte{
1370 CertTypeDSSSign,
1371 CertTypeRSASign,
1372 CertTypeECDSASign,
1373 },
1374 },
1375 flags: []string{
1376 "-expect-certificate-types",
1377 base64.StdEncoding.EncodeToString([]byte{
1378 CertTypeDSSSign,
1379 CertTypeRSASign,
1380 CertTypeECDSASign,
1381 }),
1382 },
1383 },
1384 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1385 name: "UnauthenticatedECDH",
1386 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1387 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1388 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1389 Bugs: ProtocolBugs{
1390 UnauthenticatedECDH: true,
1391 },
1392 },
1393 shouldFail: true,
1394 expectedError: ":UNEXPECTED_MESSAGE:",
1395 },
1396 {
1397 name: "SkipCertificateStatus",
1398 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1399 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1400 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1401 Bugs: ProtocolBugs{
1402 SkipCertificateStatus: true,
1403 },
1404 },
1405 flags: []string{
1406 "-enable-ocsp-stapling",
1407 },
1408 },
1409 {
1410 name: "SkipServerKeyExchange",
1411 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1412 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1413 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1414 Bugs: ProtocolBugs{
1415 SkipServerKeyExchange: true,
1416 },
1417 },
1418 shouldFail: true,
1419 expectedError: ":UNEXPECTED_MESSAGE:",
1420 },
1421 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1422 testType: serverTest,
1423 name: "Alert",
1424 config: Config{
1425 Bugs: ProtocolBugs{
1426 SendSpuriousAlert: alertRecordOverflow,
1427 },
1428 },
1429 shouldFail: true,
1430 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1431 },
1432 {
1433 protocol: dtls,
1434 testType: serverTest,
1435 name: "Alert-DTLS",
1436 config: Config{
1437 Bugs: ProtocolBugs{
1438 SendSpuriousAlert: alertRecordOverflow,
1439 },
1440 },
1441 shouldFail: true,
1442 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1443 },
1444 {
1445 testType: serverTest,
1446 name: "FragmentAlert",
1447 config: Config{
1448 Bugs: ProtocolBugs{
1449 FragmentAlert: true,
1450 SendSpuriousAlert: alertRecordOverflow,
1451 },
1452 },
1453 shouldFail: true,
1454 expectedError: ":BAD_ALERT:",
1455 },
1456 {
1457 protocol: dtls,
1458 testType: serverTest,
1459 name: "FragmentAlert-DTLS",
1460 config: Config{
1461 Bugs: ProtocolBugs{
1462 FragmentAlert: true,
1463 SendSpuriousAlert: alertRecordOverflow,
1464 },
1465 },
1466 shouldFail: true,
1467 expectedError: ":BAD_ALERT:",
1468 },
1469 {
1470 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1471 name: "DoubleAlert",
1472 config: Config{
1473 Bugs: ProtocolBugs{
1474 DoubleAlert: true,
1475 SendSpuriousAlert: alertRecordOverflow,
1476 },
1477 },
1478 shouldFail: true,
1479 expectedError: ":BAD_ALERT:",
1480 },
1481 {
1482 protocol: dtls,
1483 testType: serverTest,
1484 name: "DoubleAlert-DTLS",
1485 config: Config{
1486 Bugs: ProtocolBugs{
1487 DoubleAlert: true,
1488 SendSpuriousAlert: alertRecordOverflow,
1489 },
1490 },
1491 shouldFail: true,
1492 expectedError: ":BAD_ALERT:",
1493 },
1494 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1495 name: "SkipNewSessionTicket",
1496 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1497 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1498 Bugs: ProtocolBugs{
1499 SkipNewSessionTicket: true,
1500 },
1501 },
1502 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1503 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1504 },
1505 {
1506 testType: serverTest,
1507 name: "FallbackSCSV",
1508 config: Config{
1509 MaxVersion: VersionTLS11,
1510 Bugs: ProtocolBugs{
1511 SendFallbackSCSV: true,
1512 },
1513 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1514 shouldFail: true,
1515 expectedError: ":INAPPROPRIATE_FALLBACK:",
1516 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1517 },
1518 {
1519 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1520 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1521 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1522 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1523 Bugs: ProtocolBugs{
1524 SendFallbackSCSV: true,
1525 },
1526 },
1527 },
1528 {
1529 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1530 name: "FallbackSCSV-VersionMatch-TLS12",
1531 config: Config{
1532 MaxVersion: VersionTLS12,
1533 Bugs: ProtocolBugs{
1534 SendFallbackSCSV: true,
1535 },
1536 },
1537 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1538 },
1539 {
1540 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1541 name: "FragmentedClientVersion",
1542 config: Config{
1543 Bugs: ProtocolBugs{
1544 MaxHandshakeRecordLength: 1,
1545 FragmentClientVersion: true,
1546 },
1547 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1548 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1549 },
1550 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1551 testType: serverTest,
1552 name: "HttpGET",
1553 sendPrefix: "GET / HTTP/1.0\n",
1554 shouldFail: true,
1555 expectedError: ":HTTP_REQUEST:",
1556 },
1557 {
1558 testType: serverTest,
1559 name: "HttpPOST",
1560 sendPrefix: "POST / HTTP/1.0\n",
1561 shouldFail: true,
1562 expectedError: ":HTTP_REQUEST:",
1563 },
1564 {
1565 testType: serverTest,
1566 name: "HttpHEAD",
1567 sendPrefix: "HEAD / HTTP/1.0\n",
1568 shouldFail: true,
1569 expectedError: ":HTTP_REQUEST:",
1570 },
1571 {
1572 testType: serverTest,
1573 name: "HttpPUT",
1574 sendPrefix: "PUT / HTTP/1.0\n",
1575 shouldFail: true,
1576 expectedError: ":HTTP_REQUEST:",
1577 },
1578 {
1579 testType: serverTest,
1580 name: "HttpCONNECT",
1581 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1582 shouldFail: true,
1583 expectedError: ":HTTPS_PROXY_REQUEST:",
1584 },
1585 {
1586 testType: serverTest,
1587 name: "Garbage",
1588 sendPrefix: "blah",
1589 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1590 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1591 },
1592 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1593 name: "RSAEphemeralKey",
1594 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1595 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1596 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1597 Bugs: ProtocolBugs{
1598 RSAEphemeralKey: true,
1599 },
1600 },
1601 shouldFail: true,
1602 expectedError: ":UNEXPECTED_MESSAGE:",
1603 },
1604 {
1605 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1606 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1607 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1608 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1609 },
1610 {
1611 protocol: dtls,
1612 name: "DisableEverything-DTLS",
1613 flags: []string{"-no-tls12", "-no-tls1"},
1614 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1615 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1616 },
1617 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1618 protocol: dtls,
1619 testType: serverTest,
1620 name: "MTU",
1621 config: Config{
1622 Bugs: ProtocolBugs{
1623 MaxPacketLength: 256,
1624 },
1625 },
1626 flags: []string{"-mtu", "256"},
1627 },
1628 {
1629 protocol: dtls,
1630 testType: serverTest,
1631 name: "MTUExceeded",
1632 config: Config{
1633 Bugs: ProtocolBugs{
1634 MaxPacketLength: 255,
1635 },
1636 },
1637 flags: []string{"-mtu", "256"},
1638 shouldFail: true,
1639 expectedLocalError: "dtls: exceeded maximum packet length",
1640 },
1641 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1642 name: "EmptyCertificateList",
1643 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1644 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1645 Bugs: ProtocolBugs{
1646 EmptyCertificateList: true,
1647 },
1648 },
1649 shouldFail: true,
1650 expectedError: ":DECODE_ERROR:",
1651 },
1652 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1653 name: "EmptyCertificateList-TLS13",
1654 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1655 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1656 Bugs: ProtocolBugs{
1657 EmptyCertificateList: true,
1658 },
1659 },
1660 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1661 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1662 },
1663 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1664 name: "TLSFatalBadPackets",
1665 damageFirstWrite: true,
1666 shouldFail: true,
1667 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1668 },
1669 {
1670 protocol: dtls,
1671 name: "DTLSIgnoreBadPackets",
1672 damageFirstWrite: true,
1673 },
1674 {
1675 protocol: dtls,
1676 name: "DTLSIgnoreBadPackets-Async",
1677 damageFirstWrite: true,
1678 flags: []string{"-async"},
1679 },
1680 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1681 name: "AppDataBeforeHandshake",
1682 config: Config{
1683 Bugs: ProtocolBugs{
1684 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1685 },
1686 },
1687 shouldFail: true,
David Benjamin5aaaa982017-06-22 15:03:18 -0400[diff] [blame]1688 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1689 },
1690 {
1691 name: "AppDataBeforeHandshake-Empty",
1692 config: Config{
1693 Bugs: ProtocolBugs{
1694 AppDataBeforeHandshake: []byte{},
1695 },
1696 },
1697 shouldFail: true,
David Benjamin5aaaa982017-06-22 15:03:18 -0400[diff] [blame]1698 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1699 },
1700 {
1701 protocol: dtls,
1702 name: "AppDataBeforeHandshake-DTLS",
1703 config: Config{
1704 Bugs: ProtocolBugs{
1705 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1706 },
1707 },
1708 shouldFail: true,
1709 expectedError: ":UNEXPECTED_RECORD:",
1710 },
1711 {
1712 protocol: dtls,
1713 name: "AppDataBeforeHandshake-DTLS-Empty",
1714 config: Config{
1715 Bugs: ProtocolBugs{
1716 AppDataBeforeHandshake: []byte{},
1717 },
1718 },
1719 shouldFail: true,
1720 expectedError: ":UNEXPECTED_RECORD:",
1721 },
1722 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1723 name: "AppDataAfterChangeCipherSpec",
1724 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1725 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1726 Bugs: ProtocolBugs{
1727 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1728 },
1729 },
1730 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1731 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1732 },
1733 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1734 name: "AppDataAfterChangeCipherSpec-Empty",
1735 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1736 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1737 Bugs: ProtocolBugs{
1738 AppDataAfterChangeCipherSpec: []byte{},
1739 },
1740 },
1741 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1742 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1743 },
1744 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1745 protocol: dtls,
1746 name: "AppDataAfterChangeCipherSpec-DTLS",
1747 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1748 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1749 Bugs: ProtocolBugs{
1750 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1751 },
1752 },
1753 // BoringSSL's DTLS implementation will drop the out-of-order
1754 // application data.
1755 },
1756 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1757 protocol: dtls,
1758 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1759 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1760 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1761 Bugs: ProtocolBugs{
1762 AppDataAfterChangeCipherSpec: []byte{},
1763 },
1764 },
1765 // BoringSSL's DTLS implementation will drop the out-of-order
1766 // application data.
1767 },
1768 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1769 name: "AlertAfterChangeCipherSpec",
1770 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1771 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1772 Bugs: ProtocolBugs{
1773 AlertAfterChangeCipherSpec: alertRecordOverflow,
1774 },
1775 },
1776 shouldFail: true,
1777 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1778 },
1779 {
1780 protocol: dtls,
1781 name: "AlertAfterChangeCipherSpec-DTLS",
1782 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1783 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1784 Bugs: ProtocolBugs{
1785 AlertAfterChangeCipherSpec: alertRecordOverflow,
1786 },
1787 },
1788 shouldFail: true,
1789 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1790 },
1791 {
1792 protocol: dtls,
1793 name: "ReorderHandshakeFragments-Small-DTLS",
1794 config: Config{
1795 Bugs: ProtocolBugs{
1796 ReorderHandshakeFragments: true,
1797 // Small enough that every handshake message is
1798 // fragmented.
1799 MaxHandshakeRecordLength: 2,
1800 },
1801 },
1802 },
1803 {
1804 protocol: dtls,
1805 name: "ReorderHandshakeFragments-Large-DTLS",
1806 config: Config{
1807 Bugs: ProtocolBugs{
1808 ReorderHandshakeFragments: true,
1809 // Large enough that no handshake message is
1810 // fragmented.
1811 MaxHandshakeRecordLength: 2048,
1812 },
1813 },
1814 },
1815 {
1816 protocol: dtls,
1817 name: "MixCompleteMessageWithFragments-DTLS",
1818 config: Config{
1819 Bugs: ProtocolBugs{
1820 ReorderHandshakeFragments: true,
1821 MixCompleteMessageWithFragments: true,
1822 MaxHandshakeRecordLength: 2,
1823 },
1824 },
1825 },
1826 {
1827 name: "SendInvalidRecordType",
1828 config: Config{
1829 Bugs: ProtocolBugs{
1830 SendInvalidRecordType: true,
1831 },
1832 },
1833 shouldFail: true,
1834 expectedError: ":UNEXPECTED_RECORD:",
1835 },
1836 {
1837 protocol: dtls,
1838 name: "SendInvalidRecordType-DTLS",
1839 config: Config{
1840 Bugs: ProtocolBugs{
1841 SendInvalidRecordType: true,
1842 },
1843 },
1844 shouldFail: true,
1845 expectedError: ":UNEXPECTED_RECORD:",
1846 },
1847 {
1848 name: "FalseStart-SkipServerSecondLeg",
1849 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1850 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1851 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1852 NextProtos: []string{"foo"},
1853 Bugs: ProtocolBugs{
1854 SkipNewSessionTicket: true,
1855 SkipChangeCipherSpec: true,
1856 SkipFinished: true,
1857 ExpectFalseStart: true,
1858 },
1859 },
1860 flags: []string{
1861 "-false-start",
1862 "-handshake-never-done",
1863 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]1864 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1865 },
1866 shimWritesFirst: true,
1867 shouldFail: true,
David Benjamin5aaaa982017-06-22 15:03:18 -0400[diff] [blame]1868 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 },
1870 {
1871 name: "FalseStart-SkipServerSecondLeg-Implicit",
1872 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1873 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1874 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1875 NextProtos: []string{"foo"},
1876 Bugs: ProtocolBugs{
1877 SkipNewSessionTicket: true,
1878 SkipChangeCipherSpec: true,
1879 SkipFinished: true,
1880 },
1881 },
1882 flags: []string{
1883 "-implicit-handshake",
1884 "-false-start",
1885 "-handshake-never-done",
1886 "-advertise-alpn", "\x03foo",
1887 },
1888 shouldFail: true,
David Benjamin5aaaa982017-06-22 15:03:18 -0400[diff] [blame]1889 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1890 },
1891 {
1892 testType: serverTest,
1893 name: "FailEarlyCallback",
1894 flags: []string{"-fail-early-callback"},
1895 shouldFail: true,
1896 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1897 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1898 },
1899 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1900 name: "FailCertCallback-Client-TLS12",
1901 config: Config{
1902 MaxVersion: VersionTLS12,
1903 ClientAuth: RequestClientCert,
1904 },
1905 flags: []string{"-fail-cert-callback"},
1906 shouldFail: true,
1907 expectedError: ":CERT_CB_ERROR:",
1908 expectedLocalError: "remote error: internal error",
1909 },
1910 {
1911 testType: serverTest,
1912 name: "FailCertCallback-Server-TLS12",
1913 config: Config{
1914 MaxVersion: VersionTLS12,
1915 },
1916 flags: []string{"-fail-cert-callback"},
1917 shouldFail: true,
1918 expectedError: ":CERT_CB_ERROR:",
1919 expectedLocalError: "remote error: internal error",
1920 },
1921 {
1922 name: "FailCertCallback-Client-TLS13",
1923 config: Config{
1924 MaxVersion: VersionTLS13,
1925 ClientAuth: RequestClientCert,
1926 },
1927 flags: []string{"-fail-cert-callback"},
1928 shouldFail: true,
1929 expectedError: ":CERT_CB_ERROR:",
1930 expectedLocalError: "remote error: internal error",
1931 },
1932 {
1933 testType: serverTest,
1934 name: "FailCertCallback-Server-TLS13",
1935 config: Config{
1936 MaxVersion: VersionTLS13,
1937 },
1938 flags: []string{"-fail-cert-callback"},
1939 shouldFail: true,
1940 expectedError: ":CERT_CB_ERROR:",
1941 expectedLocalError: "remote error: internal error",
1942 },
1943 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1944 protocol: dtls,
1945 name: "FragmentMessageTypeMismatch-DTLS",
1946 config: Config{
1947 Bugs: ProtocolBugs{
1948 MaxHandshakeRecordLength: 2,
1949 FragmentMessageTypeMismatch: true,
1950 },
1951 },
1952 shouldFail: true,
1953 expectedError: ":FRAGMENT_MISMATCH:",
1954 },
1955 {
1956 protocol: dtls,
1957 name: "FragmentMessageLengthMismatch-DTLS",
1958 config: Config{
1959 Bugs: ProtocolBugs{
1960 MaxHandshakeRecordLength: 2,
1961 FragmentMessageLengthMismatch: true,
1962 },
1963 },
1964 shouldFail: true,
1965 expectedError: ":FRAGMENT_MISMATCH:",
1966 },
1967 {
1968 protocol: dtls,
1969 name: "SplitFragments-Header-DTLS",
1970 config: Config{
1971 Bugs: ProtocolBugs{
1972 SplitFragments: 2,
1973 },
1974 },
1975 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1976 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1977 },
1978 {
1979 protocol: dtls,
1980 name: "SplitFragments-Boundary-DTLS",
1981 config: Config{
1982 Bugs: ProtocolBugs{
1983 SplitFragments: dtlsRecordHeaderLen,
1984 },
1985 },
1986 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1987 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1988 },
1989 {
1990 protocol: dtls,
1991 name: "SplitFragments-Body-DTLS",
1992 config: Config{
1993 Bugs: ProtocolBugs{
1994 SplitFragments: dtlsRecordHeaderLen + 1,
1995 },
1996 },
1997 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1998 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1999 },
2000 {
2001 protocol: dtls,
2002 name: "SendEmptyFragments-DTLS",
2003 config: Config{
2004 Bugs: ProtocolBugs{
2005 SendEmptyFragments: true,
2006 },
2007 },
2008 },
2009 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]2010 name: "BadFinished-Client",
2011 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2012 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]2013 Bugs: ProtocolBugs{
2014 BadFinished: true,
2015 },
2016 },
2017 shouldFail: true,
2018 expectedError: ":DIGEST_CHECK_FAILED:",
2019 },
2020 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2021 name: "BadFinished-Client-TLS13",
2022 config: Config{
2023 MaxVersion: VersionTLS13,
2024 Bugs: ProtocolBugs{
2025 BadFinished: true,
2026 },
2027 },
2028 shouldFail: true,
2029 expectedError: ":DIGEST_CHECK_FAILED:",
2030 },
2031 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]2032 testType: serverTest,
2033 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2034 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2035 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2036 Bugs: ProtocolBugs{
2037 BadFinished: true,
2038 },
2039 },
2040 shouldFail: true,
2041 expectedError: ":DIGEST_CHECK_FAILED:",
2042 },
2043 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2044 testType: serverTest,
2045 name: "BadFinished-Server-TLS13",
2046 config: Config{
2047 MaxVersion: VersionTLS13,
2048 Bugs: ProtocolBugs{
2049 BadFinished: true,
2050 },
2051 },
2052 shouldFail: true,
2053 expectedError: ":DIGEST_CHECK_FAILED:",
2054 },
2055 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2056 name: "FalseStart-BadFinished",
2057 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2058 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2059 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2060 NextProtos: []string{"foo"},
2061 Bugs: ProtocolBugs{
2062 BadFinished: true,
2063 ExpectFalseStart: true,
2064 },
2065 },
2066 flags: []string{
2067 "-false-start",
2068 "-handshake-never-done",
2069 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]2070 "-expect-alpn", "foo",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2071 },
2072 shimWritesFirst: true,
2073 shouldFail: true,
2074 expectedError: ":DIGEST_CHECK_FAILED:",
2075 },
2076 {
2077 name: "NoFalseStart-NoALPN",
2078 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2079 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2080 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2081 Bugs: ProtocolBugs{
2082 ExpectFalseStart: true,
2083 AlertBeforeFalseStartTest: alertAccessDenied,
2084 },
2085 },
2086 flags: []string{
2087 "-false-start",
2088 },
2089 shimWritesFirst: true,
2090 shouldFail: true,
2091 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2092 expectedLocalError: "tls: peer did not false start: EOF",
2093 },
2094 {
2095 name: "NoFalseStart-NoAEAD",
2096 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2097 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2098 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2099 NextProtos: []string{"foo"},
2100 Bugs: ProtocolBugs{
2101 ExpectFalseStart: true,
2102 AlertBeforeFalseStartTest: alertAccessDenied,
2103 },
2104 },
2105 flags: []string{
2106 "-false-start",
2107 "-advertise-alpn", "\x03foo",
2108 },
2109 shimWritesFirst: true,
2110 shouldFail: true,
2111 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2112 expectedLocalError: "tls: peer did not false start: EOF",
2113 },
2114 {
2115 name: "NoFalseStart-RSA",
2116 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2117 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2118 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
2119 NextProtos: []string{"foo"},
2120 Bugs: ProtocolBugs{
2121 ExpectFalseStart: true,
2122 AlertBeforeFalseStartTest: alertAccessDenied,
2123 },
2124 },
2125 flags: []string{
2126 "-false-start",
2127 "-advertise-alpn", "\x03foo",
2128 },
2129 shimWritesFirst: true,
2130 shouldFail: true,
2131 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2132 expectedLocalError: "tls: peer did not false start: EOF",
2133 },
2134 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2135 protocol: dtls,
2136 name: "SendSplitAlert-Sync",
2137 config: Config{
2138 Bugs: ProtocolBugs{
2139 SendSplitAlert: true,
2140 },
2141 },
2142 },
2143 {
2144 protocol: dtls,
2145 name: "SendSplitAlert-Async",
2146 config: Config{
2147 Bugs: ProtocolBugs{
2148 SendSplitAlert: true,
2149 },
2150 },
2151 flags: []string{"-async"},
2152 },
2153 {
2154 protocol: dtls,
2155 name: "PackDTLSHandshake",
2156 config: Config{
2157 Bugs: ProtocolBugs{
2158 MaxHandshakeRecordLength: 2,
2159 PackHandshakeFragments: 20,
2160 PackHandshakeRecords: 200,
2161 },
2162 },
2163 },
2164 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2165 name: "SendEmptyRecords-Pass",
2166 sendEmptyRecords: 32,
2167 },
2168 {
2169 name: "SendEmptyRecords",
2170 sendEmptyRecords: 33,
2171 shouldFail: true,
2172 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2173 },
2174 {
2175 name: "SendEmptyRecords-Async",
2176 sendEmptyRecords: 33,
2177 flags: []string{"-async"},
2178 shouldFail: true,
2179 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2180 },
2181 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2182 name: "SendWarningAlerts-Pass",
2183 config: Config{
2184 MaxVersion: VersionTLS12,
2185 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2186 sendWarningAlerts: 4,
2187 },
2188 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2189 protocol: dtls,
2190 name: "SendWarningAlerts-DTLS-Pass",
2191 config: Config{
2192 MaxVersion: VersionTLS12,
2193 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2194 sendWarningAlerts: 4,
2195 },
2196 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2197 name: "SendWarningAlerts-TLS13",
2198 config: Config{
2199 MaxVersion: VersionTLS13,
2200 },
2201 sendWarningAlerts: 4,
2202 shouldFail: true,
2203 expectedError: ":BAD_ALERT:",
2204 expectedLocalError: "remote error: error decoding message",
2205 },
2206 {
2207 name: "SendWarningAlerts",
2208 config: Config{
2209 MaxVersion: VersionTLS12,
2210 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2211 sendWarningAlerts: 5,
2212 shouldFail: true,
2213 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2214 },
2215 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2216 name: "SendWarningAlerts-Async",
2217 config: Config{
2218 MaxVersion: VersionTLS12,
2219 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2220 sendWarningAlerts: 5,
2221 flags: []string{"-async"},
2222 shouldFail: true,
2223 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2224 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2225 {
David Benjamin24e58862017-06-14 18:45:29 -0400[diff] [blame]2226 name: "SendBogusAlertType",
2227 sendBogusAlertType: true,
2228 shouldFail: true,
2229 expectedError: ":UNKNOWN_ALERT_TYPE:",
2230 expectedLocalError: "remote error: illegal parameter",
2231 },
2232 {
2233 protocol: dtls,
2234 name: "SendBogusAlertType-DTLS",
2235 sendBogusAlertType: true,
2236 shouldFail: true,
2237 expectedError: ":UNKNOWN_ALERT_TYPE:",
2238 expectedLocalError: "remote error: illegal parameter",
2239 },
2240 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2241 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2242 config: Config{
2243 MaxVersion: VersionTLS13,
2244 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2245 sendKeyUpdates: 33,
2246 keyUpdateRequest: keyUpdateNotRequested,
2247 shouldFail: true,
2248 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2249 },
2250 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2251 name: "EmptySessionID",
2252 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2253 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2254 SessionTicketsDisabled: true,
2255 },
2256 noSessionCache: true,
2257 flags: []string{"-expect-no-session"},
2258 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2259 {
2260 name: "Unclean-Shutdown",
2261 config: Config{
2262 Bugs: ProtocolBugs{
2263 NoCloseNotify: true,
2264 ExpectCloseNotify: true,
2265 },
2266 },
2267 shimShutsDown: true,
2268 flags: []string{"-check-close-notify"},
2269 shouldFail: true,
2270 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2271 },
2272 {
2273 name: "Unclean-Shutdown-Ignored",
2274 config: Config{
2275 Bugs: ProtocolBugs{
2276 NoCloseNotify: true,
2277 },
2278 },
2279 shimShutsDown: true,
2280 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2281 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2282 name: "Unclean-Shutdown-Alert",
2283 config: Config{
2284 Bugs: ProtocolBugs{
2285 SendAlertOnShutdown: alertDecompressionFailure,
2286 ExpectCloseNotify: true,
2287 },
2288 },
2289 shimShutsDown: true,
2290 flags: []string{"-check-close-notify"},
2291 shouldFail: true,
2292 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2293 },
2294 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2295 name: "LargePlaintext",
2296 config: Config{
2297 Bugs: ProtocolBugs{
2298 SendLargeRecords: true,
2299 },
2300 },
2301 messageLen: maxPlaintext + 1,
2302 shouldFail: true,
2303 expectedError: ":DATA_LENGTH_TOO_LONG:",
2304 },
2305 {
2306 protocol: dtls,
2307 name: "LargePlaintext-DTLS",
2308 config: Config{
2309 Bugs: ProtocolBugs{
2310 SendLargeRecords: true,
2311 },
2312 },
2313 messageLen: maxPlaintext + 1,
2314 shouldFail: true,
2315 expectedError: ":DATA_LENGTH_TOO_LONG:",
2316 },
2317 {
2318 name: "LargeCiphertext",
2319 config: Config{
2320 Bugs: ProtocolBugs{
2321 SendLargeRecords: true,
2322 },
2323 },
2324 messageLen: maxPlaintext * 2,
2325 shouldFail: true,
2326 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2327 },
2328 {
2329 protocol: dtls,
2330 name: "LargeCiphertext-DTLS",
2331 config: Config{
2332 Bugs: ProtocolBugs{
2333 SendLargeRecords: true,
2334 },
2335 },
2336 messageLen: maxPlaintext * 2,
2337 // Unlike the other four cases, DTLS drops records which
2338 // are invalid before authentication, so the connection
2339 // does not fail.
2340 expectMessageDropped: true,
2341 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2342 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2343 name: "BadHelloRequest-1",
2344 renegotiate: 1,
2345 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2346 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2347 Bugs: ProtocolBugs{
2348 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2349 },
2350 },
2351 flags: []string{
2352 "-renegotiate-freely",
2353 "-expect-total-renegotiations", "1",
2354 },
2355 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2356 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2357 },
2358 {
2359 name: "BadHelloRequest-2",
2360 renegotiate: 1,
2361 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2362 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2363 Bugs: ProtocolBugs{
2364 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2365 },
2366 },
2367 flags: []string{
2368 "-renegotiate-freely",
2369 "-expect-total-renegotiations", "1",
2370 },
2371 shouldFail: true,
2372 expectedError: ":BAD_HELLO_REQUEST:",
2373 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2374 {
2375 testType: serverTest,
2376 name: "SupportTicketsWithSessionID",
2377 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2378 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2379 SessionTicketsDisabled: true,
2380 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2381 resumeConfig: &Config{
2382 MaxVersion: VersionTLS12,
2383 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2384 resumeSession: true,
2385 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2386 {
2387 protocol: dtls,
2388 name: "DTLS-SendExtraFinished",
2389 config: Config{
2390 Bugs: ProtocolBugs{
2391 SendExtraFinished: true,
2392 },
2393 },
2394 shouldFail: true,
2395 expectedError: ":UNEXPECTED_RECORD:",
2396 },
2397 {
2398 protocol: dtls,
2399 name: "DTLS-SendExtraFinished-Reordered",
2400 config: Config{
2401 Bugs: ProtocolBugs{
2402 MaxHandshakeRecordLength: 2,
2403 ReorderHandshakeFragments: true,
2404 SendExtraFinished: true,
2405 },
2406 },
2407 shouldFail: true,
2408 expectedError: ":UNEXPECTED_RECORD:",
2409 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2410 {
2411 testType: serverTest,
2412 name: "V2ClientHello-EmptyRecordPrefix",
2413 config: Config{
2414 // Choose a cipher suite that does not involve
2415 // elliptic curves, so no extensions are
2416 // involved.
2417 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2418 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2419 Bugs: ProtocolBugs{
2420 SendV2ClientHello: true,
2421 },
2422 },
2423 sendPrefix: string([]byte{
2424 byte(recordTypeHandshake),
2425 3, 1, // version
2426 0, 0, // length
2427 }),
2428 // A no-op empty record may not be sent before V2ClientHello.
2429 shouldFail: true,
2430 expectedError: ":WRONG_VERSION_NUMBER:",
2431 },
2432 {
2433 testType: serverTest,
2434 name: "V2ClientHello-WarningAlertPrefix",
2435 config: Config{
2436 // Choose a cipher suite that does not involve
2437 // elliptic curves, so no extensions are
2438 // involved.
2439 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2440 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2441 Bugs: ProtocolBugs{
2442 SendV2ClientHello: true,
2443 },
2444 },
2445 sendPrefix: string([]byte{
2446 byte(recordTypeAlert),
2447 3, 1, // version
2448 0, 2, // length
2449 alertLevelWarning, byte(alertDecompressionFailure),
2450 }),
2451 // A no-op warning alert may not be sent before V2ClientHello.
2452 shouldFail: true,
2453 expectedError: ":WRONG_VERSION_NUMBER:",
2454 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2455 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2456 name: "KeyUpdate-Client",
2457 config: Config{
2458 MaxVersion: VersionTLS13,
2459 },
2460 sendKeyUpdates: 1,
2461 keyUpdateRequest: keyUpdateNotRequested,
2462 },
2463 {
2464 testType: serverTest,
2465 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2466 config: Config{
2467 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2468 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2469 sendKeyUpdates: 1,
2470 keyUpdateRequest: keyUpdateNotRequested,
2471 },
2472 {
2473 name: "KeyUpdate-InvalidRequestMode",
2474 config: Config{
2475 MaxVersion: VersionTLS13,
2476 },
2477 sendKeyUpdates: 1,
2478 keyUpdateRequest: 42,
2479 shouldFail: true,
2480 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2481 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2482 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2483 // Test that KeyUpdates are acknowledged properly.
2484 name: "KeyUpdate-RequestACK",
2485 config: Config{
2486 MaxVersion: VersionTLS13,
2487 Bugs: ProtocolBugs{
2488 RejectUnsolicitedKeyUpdate: true,
2489 },
2490 },
2491 // Test the shim receiving many KeyUpdates in a row.
2492 sendKeyUpdates: 5,
2493 messageCount: 5,
2494 keyUpdateRequest: keyUpdateRequested,
2495 },
2496 {
2497 // Test that KeyUpdates are acknowledged properly if the
2498 // peer's KeyUpdate is discovered while a write is
2499 // pending.
2500 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2501 config: Config{
2502 MaxVersion: VersionTLS13,
2503 Bugs: ProtocolBugs{
2504 RejectUnsolicitedKeyUpdate: true,
2505 },
2506 },
2507 // Test the shim receiving many KeyUpdates in a row.
2508 sendKeyUpdates: 5,
2509 messageCount: 5,
2510 keyUpdateRequest: keyUpdateRequested,
2511 readWithUnfinishedWrite: true,
2512 flags: []string{"-async"},
2513 },
2514 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2515 name: "SendSNIWarningAlert",
2516 config: Config{
2517 MaxVersion: VersionTLS12,
2518 Bugs: ProtocolBugs{
2519 SendSNIWarningAlert: true,
2520 },
2521 },
2522 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2523 {
2524 testType: serverTest,
2525 name: "ExtraCompressionMethods-TLS12",
2526 config: Config{
2527 MaxVersion: VersionTLS12,
2528 Bugs: ProtocolBugs{
2529 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2530 },
2531 },
2532 },
2533 {
2534 testType: serverTest,
2535 name: "ExtraCompressionMethods-TLS13",
2536 config: Config{
2537 MaxVersion: VersionTLS13,
2538 Bugs: ProtocolBugs{
2539 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2540 },
2541 },
2542 shouldFail: true,
2543 expectedError: ":INVALID_COMPRESSION_LIST:",
2544 expectedLocalError: "remote error: illegal parameter",
2545 },
2546 {
2547 testType: serverTest,
2548 name: "NoNullCompression-TLS12",
2549 config: Config{
2550 MaxVersion: VersionTLS12,
2551 Bugs: ProtocolBugs{
2552 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2553 },
2554 },
2555 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2556 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2557 expectedLocalError: "remote error: illegal parameter",
2558 },
2559 {
2560 testType: serverTest,
2561 name: "NoNullCompression-TLS13",
2562 config: Config{
2563 MaxVersion: VersionTLS13,
2564 Bugs: ProtocolBugs{
2565 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2566 },
2567 },
2568 shouldFail: true,
2569 expectedError: ":INVALID_COMPRESSION_LIST:",
2570 expectedLocalError: "remote error: illegal parameter",
2571 },
David Benjamin413e79e2017-07-01 10:11:53 -0400[diff] [blame]2572 // Test that the client rejects invalid compression methods
2573 // from the server.
2574 {
2575 testType: clientTest,
2576 name: "InvalidCompressionMethod",
2577 config: Config{
2578 MaxVersion: VersionTLS12,
2579 Bugs: ProtocolBugs{
2580 SendCompressionMethod: 1,
2581 },
2582 },
2583 shouldFail: true,
2584 expectedError: ":UNSUPPORTED_COMPRESSION_ALGORITHM:",
2585 expectedLocalError: "remote error: illegal parameter",
2586 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2587 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2588 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2589 config: Config{
2590 MaxVersion: VersionTLS12,
2591 Bugs: ProtocolBugs{
2592 ExpectGREASE: true,
2593 },
2594 },
2595 flags: []string{"-enable-grease"},
2596 },
2597 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2598 name: "GREASE-Client-TLS13",
2599 config: Config{
2600 MaxVersion: VersionTLS13,
2601 Bugs: ProtocolBugs{
2602 ExpectGREASE: true,
2603 },
2604 },
2605 flags: []string{"-enable-grease"},
2606 },
2607 {
2608 testType: serverTest,
2609 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2610 config: Config{
2611 MaxVersion: VersionTLS13,
2612 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2613 // TLS 1.3 servers are expected to
2614 // always enable GREASE. TLS 1.3 is new,
2615 // so there is no existing ecosystem to
2616 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2617 ExpectGREASE: true,
2618 },
2619 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2620 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2621 {
2622 // Test the server so there is a large certificate as
2623 // well as application data.
2624 testType: serverTest,
2625 name: "MaxSendFragment",
2626 config: Config{
2627 Bugs: ProtocolBugs{
2628 MaxReceivePlaintext: 512,
2629 },
2630 },
2631 messageLen: 1024,
2632 flags: []string{
2633 "-max-send-fragment", "512",
2634 "-read-size", "1024",
2635 },
2636 },
2637 {
2638 // Test the server so there is a large certificate as
2639 // well as application data.
2640 testType: serverTest,
2641 name: "MaxSendFragment-TooLarge",
2642 config: Config{
2643 Bugs: ProtocolBugs{
2644 // Ensure that some of the records are
2645 // 512.
2646 MaxReceivePlaintext: 511,
2647 },
2648 },
2649 messageLen: 1024,
2650 flags: []string{
2651 "-max-send-fragment", "512",
2652 "-read-size", "1024",
2653 },
2654 shouldFail: true,
2655 expectedLocalError: "local error: record overflow",
2656 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2657 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2658 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2659
2660 // Test that very large messages can be received.
2661 cert := rsaCertificate
2662 for i := 0; i < 50; i++ {
2663 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2664 }
2665 testCases = append(testCases, testCase{
2666 name: "LargeMessage",
2667 config: Config{
2668 Certificates: []Certificate{cert},
2669 },
2670 })
2671 testCases = append(testCases, testCase{
2672 protocol: dtls,
2673 name: "LargeMessage-DTLS",
2674 config: Config{
2675 Certificates: []Certificate{cert},
2676 },
2677 })
2678
2679 // They are rejected if the maximum certificate chain length is capped.
2680 testCases = append(testCases, testCase{
2681 name: "LargeMessage-Reject",
2682 config: Config{
2683 Certificates: []Certificate{cert},
2684 },
2685 flags: []string{"-max-cert-list", "16384"},
2686 shouldFail: true,
2687 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2688 })
2689 testCases = append(testCases, testCase{
2690 protocol: dtls,
2691 name: "LargeMessage-Reject-DTLS",
2692 config: Config{
2693 Certificates: []Certificate{cert},
2694 },
2695 flags: []string{"-max-cert-list", "16384"},
2696 shouldFail: true,
2697 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2698 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2699}
2700
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2701func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2702 const psk = "12345"
2703 const pskIdentity = "luggage combo"
2704
2705 var prefix string
2706 if protocol == dtls {
2707 if !ver.hasDTLS {
2708 return
2709 }
2710 prefix = "D"
2711 }
2712
2713 var cert Certificate
2714 var certFile string
2715 var keyFile string
2716 if hasComponent(suite.name, "ECDSA") {
2717 cert = ecdsaP256Certificate
2718 certFile = ecdsaP256CertificateFile
2719 keyFile = ecdsaP256KeyFile
2720 } else {
2721 cert = rsaCertificate
2722 certFile = rsaCertificateFile
2723 keyFile = rsaKeyFile
2724 }
2725
2726 var flags []string
2727 if hasComponent(suite.name, "PSK") {
2728 flags = append(flags,
2729 "-psk", psk,
2730 "-psk-identity", pskIdentity)
2731 }
2732 if hasComponent(suite.name, "NULL") {
2733 // NULL ciphers must be explicitly enabled.
2734 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2735 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2736
2737 var shouldServerFail, shouldClientFail bool
2738 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2739 // BoringSSL clients accept ECDHE on SSLv3, but
2740 // a BoringSSL server will never select it
2741 // because the extension is missing.
2742 shouldServerFail = true
2743 }
2744 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2745 shouldClientFail = true
2746 shouldServerFail = true
2747 }
2748 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2749 shouldClientFail = true
2750 shouldServerFail = true
2751 }
2752 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2753 shouldClientFail = true
2754 shouldServerFail = true
2755 }
2756 if !isDTLSCipher(suite.name) && protocol == dtls {
2757 shouldClientFail = true
2758 shouldServerFail = true
2759 }
2760
2761 var sendCipherSuite uint16
2762 var expectedServerError, expectedClientError string
2763 serverCipherSuites := []uint16{suite.id}
2764 if shouldServerFail {
2765 expectedServerError = ":NO_SHARED_CIPHER:"
2766 }
2767 if shouldClientFail {
2768 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2769 // Configure the server to select ciphers as normal but
2770 // select an incompatible cipher in ServerHello.
2771 serverCipherSuites = nil
2772 sendCipherSuite = suite.id
2773 }
2774
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2775 // For cipher suites and versions where exporters are defined, verify
2776 // that they interoperate.
2777 var exportKeyingMaterial int
2778 if ver.version > VersionSSL30 {
2779 exportKeyingMaterial = 1024
2780 }
2781
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2782 testCases = append(testCases, testCase{
2783 testType: serverTest,
2784 protocol: protocol,
2785 name: prefix + ver.name + "-" + suite.name + "-server",
2786 config: Config{
2787 MinVersion: ver.version,
2788 MaxVersion: ver.version,
2789 CipherSuites: []uint16{suite.id},
2790 Certificates: []Certificate{cert},
2791 PreSharedKey: []byte(psk),
2792 PreSharedKeyIdentity: pskIdentity,
2793 Bugs: ProtocolBugs{
2794 AdvertiseAllConfiguredCiphers: true,
2795 },
2796 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2797 certFile: certFile,
2798 keyFile: keyFile,
2799 flags: flags,
2800 resumeSession: true,
2801 shouldFail: shouldServerFail,
2802 expectedError: expectedServerError,
2803 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2804 })
2805
2806 testCases = append(testCases, testCase{
2807 testType: clientTest,
2808 protocol: protocol,
2809 name: prefix + ver.name + "-" + suite.name + "-client",
2810 config: Config{
2811 MinVersion: ver.version,
2812 MaxVersion: ver.version,
2813 CipherSuites: serverCipherSuites,
2814 Certificates: []Certificate{cert},
2815 PreSharedKey: []byte(psk),
2816 PreSharedKeyIdentity: pskIdentity,
2817 Bugs: ProtocolBugs{
2818 IgnorePeerCipherPreferences: shouldClientFail,
2819 SendCipherSuite: sendCipherSuite,
2820 },
2821 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2822 flags: flags,
2823 resumeSession: true,
2824 shouldFail: shouldClientFail,
2825 expectedError: expectedClientError,
2826 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2827 })
2828
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2829 if shouldClientFail {
2830 return
2831 }
2832
2833 // Ensure the maximum record size is accepted.
2834 testCases = append(testCases, testCase{
2835 protocol: protocol,
2836 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2837 config: Config{
2838 MinVersion: ver.version,
2839 MaxVersion: ver.version,
2840 CipherSuites: []uint16{suite.id},
2841 Certificates: []Certificate{cert},
2842 PreSharedKey: []byte(psk),
2843 PreSharedKeyIdentity: pskIdentity,
2844 },
2845 flags: flags,
2846 messageLen: maxPlaintext,
2847 })
2848
2849 // Test bad records for all ciphers. Bad records are fatal in TLS
2850 // and ignored in DTLS.
2851 var shouldFail bool
2852 var expectedError string
2853 if protocol == tls {
2854 shouldFail = true
2855 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2856 }
2857
2858 testCases = append(testCases, testCase{
2859 protocol: protocol,
2860 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2861 config: Config{
2862 MinVersion: ver.version,
2863 MaxVersion: ver.version,
2864 CipherSuites: []uint16{suite.id},
2865 Certificates: []Certificate{cert},
2866 PreSharedKey: []byte(psk),
2867 PreSharedKeyIdentity: pskIdentity,
2868 },
2869 flags: flags,
2870 damageFirstWrite: true,
2871 messageLen: maxPlaintext,
2872 shouldFail: shouldFail,
2873 expectedError: expectedError,
2874 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2875}
2876
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2877func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2878 const bogusCipher = 0xfe00
2879
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2880 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2881 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2882 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2883 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2884 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2885 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2886 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2887
2888 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2889 name: "NoSharedCipher",
2890 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2891 MaxVersion: VersionTLS12,
2892 CipherSuites: []uint16{},
2893 },
2894 shouldFail: true,
2895 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2896 })
2897
2898 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2899 name: "NoSharedCipher-TLS13",
2900 config: Config{
2901 MaxVersion: VersionTLS13,
2902 CipherSuites: []uint16{},
2903 },
2904 shouldFail: true,
2905 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2906 })
2907
2908 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2909 name: "UnsupportedCipherSuite",
2910 config: Config{
2911 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2912 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2913 Bugs: ProtocolBugs{
2914 IgnorePeerCipherPreferences: true,
2915 },
2916 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2917 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2918 shouldFail: true,
2919 expectedError: ":WRONG_CIPHER_RETURNED:",
2920 })
2921
2922 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2923 name: "ServerHelloBogusCipher",
2924 config: Config{
2925 MaxVersion: VersionTLS12,
2926 Bugs: ProtocolBugs{
2927 SendCipherSuite: bogusCipher,
2928 },
2929 },
2930 shouldFail: true,
2931 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2932 })
2933 testCases = append(testCases, testCase{
2934 name: "ServerHelloBogusCipher-TLS13",
2935 config: Config{
2936 MaxVersion: VersionTLS13,
2937 Bugs: ProtocolBugs{
2938 SendCipherSuite: bogusCipher,
2939 },
2940 },
2941 shouldFail: true,
2942 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2943 })
2944
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2945 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2946 testCases = append(testCases, testCase{
2947 testType: serverTest,
2948 name: "UnknownCipher",
2949 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2950 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2951 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2952 Bugs: ProtocolBugs{
2953 AdvertiseAllConfiguredCiphers: true,
2954 },
2955 },
2956 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2957
2958 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2959 testCases = append(testCases, testCase{
2960 testType: serverTest,
2961 name: "UnknownCipher-TLS13",
2962 config: Config{
2963 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2964 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2965 Bugs: ProtocolBugs{
2966 AdvertiseAllConfiguredCiphers: true,
2967 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2968 },
2969 })
2970
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2971 // Test empty ECDHE_PSK identity hints work as expected.
2972 testCases = append(testCases, testCase{
2973 name: "EmptyECDHEPSKHint",
2974 config: Config{
2975 MaxVersion: VersionTLS12,
2976 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2977 PreSharedKey: []byte("secret"),
2978 },
2979 flags: []string{"-psk", "secret"},
2980 })
2981
2982 // Test empty PSK identity hints work as expected, even if an explicit
2983 // ServerKeyExchange is sent.
2984 testCases = append(testCases, testCase{
2985 name: "ExplicitEmptyPSKHint",
2986 config: Config{
2987 MaxVersion: VersionTLS12,
2988 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2989 PreSharedKey: []byte("secret"),
2990 Bugs: ProtocolBugs{
2991 AlwaysSendPreSharedKeyIdentityHint: true,
2992 },
2993 },
2994 flags: []string{"-psk", "secret"},
2995 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2996
2997 // Test that clients enforce that the server-sent certificate and cipher
2998 // suite match in TLS 1.2.
2999 testCases = append(testCases, testCase{
3000 name: "CertificateCipherMismatch-RSA",
3001 config: Config{
3002 MaxVersion: VersionTLS12,
3003 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3004 Certificates: []Certificate{rsaCertificate},
3005 Bugs: ProtocolBugs{
3006 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
3007 },
3008 },
3009 shouldFail: true,
3010 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3011 })
3012 testCases = append(testCases, testCase{
3013 name: "CertificateCipherMismatch-ECDSA",
3014 config: Config{
3015 MaxVersion: VersionTLS12,
3016 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3017 Certificates: []Certificate{ecdsaP256Certificate},
3018 Bugs: ProtocolBugs{
3019 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3020 },
3021 },
3022 shouldFail: true,
3023 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3024 })
3025 testCases = append(testCases, testCase{
3026 name: "CertificateCipherMismatch-Ed25519",
3027 config: Config{
3028 MaxVersion: VersionTLS12,
3029 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3030 Certificates: []Certificate{ed25519Certificate},
3031 Bugs: ProtocolBugs{
3032 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3033 },
3034 },
3035 shouldFail: true,
3036 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3037 })
3038
3039 // Test that servers decline to select a cipher suite which is
3040 // inconsistent with their configured certificate.
3041 testCases = append(testCases, testCase{
3042 testType: serverTest,
3043 name: "ServerCipherFilter-RSA",
3044 config: Config{
3045 MaxVersion: VersionTLS12,
3046 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3047 },
3048 flags: []string{
3049 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3050 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3051 },
3052 shouldFail: true,
3053 expectedError: ":NO_SHARED_CIPHER:",
3054 })
3055 testCases = append(testCases, testCase{
3056 testType: serverTest,
3057 name: "ServerCipherFilter-ECDSA",
3058 config: Config{
3059 MaxVersion: VersionTLS12,
3060 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3061 },
3062 flags: []string{
3063 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3064 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3065 },
3066 shouldFail: true,
3067 expectedError: ":NO_SHARED_CIPHER:",
3068 })
3069 testCases = append(testCases, testCase{
3070 testType: serverTest,
3071 name: "ServerCipherFilter-Ed25519",
3072 config: Config{
3073 MaxVersion: VersionTLS12,
3074 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3075 },
3076 flags: []string{
3077 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3078 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3079 },
3080 shouldFail: true,
3081 expectedError: ":NO_SHARED_CIPHER:",
3082 })
David Benjamin364af782017-07-01 10:35:27 -0400[diff] [blame]3083
3084 // Test cipher suite negotiation works as expected. Configure a
3085 // complicated cipher suite configuration.
3086 const negotiationTestCiphers = "" +
3087 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:" +
3088 "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]:" +
3089 "TLS_RSA_WITH_AES_128_GCM_SHA256:" +
3090 "TLS_RSA_WITH_AES_128_CBC_SHA:" +
3091 "[TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA]"
3092 negotiationTests := []struct {
3093 ciphers []uint16
3094 expected uint16
3095 }{
3096 // Server preferences are honored, including when
3097 // equipreference groups are involved.
3098 {
3099 []uint16{
3100 TLS_RSA_WITH_AES_256_GCM_SHA384,
3101 TLS_RSA_WITH_AES_128_CBC_SHA,
3102 TLS_RSA_WITH_AES_128_GCM_SHA256,
3103 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3104 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3105 },
3106 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3107 },
3108 {
3109 []uint16{
3110 TLS_RSA_WITH_AES_256_GCM_SHA384,
3111 TLS_RSA_WITH_AES_128_CBC_SHA,
3112 TLS_RSA_WITH_AES_128_GCM_SHA256,
3113 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3114 },
3115 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3116 },
3117 {
3118 []uint16{
3119 TLS_RSA_WITH_AES_256_GCM_SHA384,
3120 TLS_RSA_WITH_AES_128_CBC_SHA,
3121 TLS_RSA_WITH_AES_128_GCM_SHA256,
3122 },
3123 TLS_RSA_WITH_AES_128_GCM_SHA256,
3124 },
3125 {
3126 []uint16{
3127 TLS_RSA_WITH_AES_256_GCM_SHA384,
3128 TLS_RSA_WITH_AES_128_CBC_SHA,
3129 },
3130 TLS_RSA_WITH_AES_128_CBC_SHA,
3131 },
3132 // Equipreference groups use the client preference.
3133 {
3134 []uint16{
3135 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3136 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3137 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3138 },
3139 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3140 },
3141 {
3142 []uint16{
3143 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3144 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3145 },
3146 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3147 },
3148 {
3149 []uint16{
3150 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3151 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3152 },
3153 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3154 },
3155 {
3156 []uint16{
3157 TLS_RSA_WITH_AES_256_GCM_SHA384,
3158 TLS_RSA_WITH_AES_256_CBC_SHA,
3159 },
3160 TLS_RSA_WITH_AES_256_GCM_SHA384,
3161 },
3162 {
3163 []uint16{
3164 TLS_RSA_WITH_AES_256_CBC_SHA,
3165 TLS_RSA_WITH_AES_256_GCM_SHA384,
3166 },
3167 TLS_RSA_WITH_AES_256_CBC_SHA,
3168 },
3169 // If there are two equipreference groups, the preferred one
3170 // takes precedence.
3171 {
3172 []uint16{
3173 TLS_RSA_WITH_AES_256_GCM_SHA384,
3174 TLS_RSA_WITH_AES_256_CBC_SHA,
3175 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3176 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3177 },
3178 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3179 },
3180 }
3181 for i, t := range negotiationTests {
3182 testCases = append(testCases, testCase{
3183 testType: serverTest,
3184 name: "CipherNegotiation-" + strconv.Itoa(i),
3185 config: Config{
3186 MaxVersion: VersionTLS12,
3187 CipherSuites: t.ciphers,
3188 },
3189 flags: []string{"-cipher", negotiationTestCiphers},
3190 expectedCipher: t.expected,
3191 })
3192 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3193}
3194
3195func addBadECDSASignatureTests() {
3196 for badR := BadValue(1); badR < NumBadValues; badR++ {
3197 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3198 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3199 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
3200 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]3201 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3202 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3203 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3204 Bugs: ProtocolBugs{
3205 BadECDSAR: badR,
3206 BadECDSAS: badS,
3207 },
3208 },
3209 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3210 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3211 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]3212 testCases = append(testCases, testCase{
3213 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
3214 config: Config{
3215 MaxVersion: VersionTLS13,
3216 Certificates: []Certificate{ecdsaP256Certificate},
3217 Bugs: ProtocolBugs{
3218 BadECDSAR: badR,
3219 BadECDSAS: badS,
3220 },
3221 },
3222 shouldFail: true,
3223 expectedError: ":BAD_SIGNATURE:",
3224 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3225 }
3226 }
3227}
3228
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3229func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3230 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3231 name: "MaxCBCPadding",
3232 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3233 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3234 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3235 Bugs: ProtocolBugs{
3236 MaxPadding: true,
3237 },
3238 },
3239 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3240 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3241 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3242 name: "BadCBCPadding",
3243 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3244 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3245 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3246 Bugs: ProtocolBugs{
3247 PaddingFirstByteBad: true,
3248 },
3249 },
3250 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3251 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3252 })
3253 // OpenSSL previously had an issue where the first byte of padding in
3254 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3255 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3256 name: "BadCBCPadding255",
3257 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3258 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3259 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3260 Bugs: ProtocolBugs{
3261 MaxPadding: true,
3262 PaddingFirstByteBadIf255: true,
3263 },
3264 },
3265 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3266 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3267 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3268 })
3269}
3270
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3271func addCBCSplittingTests() {
David Benjamina1ce8562017-07-01 11:46:57 -0400[diff] [blame]3272 var cbcCiphers = []struct {
3273 name string
3274 cipher uint16
3275 }{
3276 {"3DES", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
3277 {"AES128", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3278 {"AES256", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
3279 }
3280 for _, t := range cbcCiphers {
3281 testCases = append(testCases, testCase{
3282 name: "CBCRecordSplitting-" + t.name,
3283 config: Config{
3284 MaxVersion: VersionTLS10,
3285 MinVersion: VersionTLS10,
3286 CipherSuites: []uint16{t.cipher},
3287 },
3288 messageLen: -1, // read until EOF
3289 resumeSession: true,
3290 flags: []string{
3291 "-async",
3292 "-write-different-record-sizes",
3293 "-cbc-record-splitting",
3294 },
3295 })
3296 testCases = append(testCases, testCase{
3297 name: "CBCRecordSplittingPartialWrite-" + t.name,
3298 config: Config{
3299 MaxVersion: VersionTLS10,
3300 MinVersion: VersionTLS10,
3301 CipherSuites: []uint16{t.cipher},
3302 },
3303 messageLen: -1, // read until EOF
3304 flags: []string{
3305 "-async",
3306 "-write-different-record-sizes",
3307 "-cbc-record-splitting",
3308 "-partial-write",
3309 },
3310 })
3311 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3312}
3313
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3314func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3315 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3316 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3317 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3318 cert, err := x509.ParseCertificate(cert.Certificate[0])
3319 if err != nil {
3320 panic(err)
3321 }
3322 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3323 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3324 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3325
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3326 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3327 testCases = append(testCases, testCase{
3328 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3329 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3330 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3331 MinVersion: ver.version,
3332 MaxVersion: ver.version,
3333 ClientAuth: RequireAnyClientCert,
3334 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3335 },
3336 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3337 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3338 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3339 },
3340 })
3341 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3342 testType: serverTest,
3343 name: ver.name + "-Server-ClientAuth-RSA",
3344 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3345 MinVersion: ver.version,
3346 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3347 Certificates: []Certificate{rsaCertificate},
3348 },
3349 flags: []string{"-require-any-client-certificate"},
3350 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3351 if ver.version != VersionSSL30 {
3352 testCases = append(testCases, testCase{
3353 testType: serverTest,
3354 name: ver.name + "-Server-ClientAuth-ECDSA",
3355 config: Config{
3356 MinVersion: ver.version,
3357 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3358 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3359 },
3360 flags: []string{"-require-any-client-certificate"},
3361 })
3362 testCases = append(testCases, testCase{
3363 testType: clientTest,
3364 name: ver.name + "-Client-ClientAuth-ECDSA",
3365 config: Config{
3366 MinVersion: ver.version,
3367 MaxVersion: ver.version,
3368 ClientAuth: RequireAnyClientCert,
3369 ClientCAs: certPool,
3370 },
3371 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3372 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3373 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3374 },
3375 })
3376 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3377
3378 testCases = append(testCases, testCase{
3379 name: "NoClientCertificate-" + ver.name,
3380 config: Config{
3381 MinVersion: ver.version,
3382 MaxVersion: ver.version,
3383 ClientAuth: RequireAnyClientCert,
3384 },
3385 shouldFail: true,
3386 expectedLocalError: "client didn't provide a certificate",
3387 })
3388
3389 testCases = append(testCases, testCase{
3390 // Even if not configured to expect a certificate, OpenSSL will
3391 // return X509_V_OK as the verify_result.
3392 testType: serverTest,
3393 name: "NoClientCertificateRequested-Server-" + ver.name,
3394 config: Config{
3395 MinVersion: ver.version,
3396 MaxVersion: ver.version,
3397 },
3398 flags: []string{
3399 "-expect-verify-result",
3400 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3401 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3402 })
3403
3404 testCases = append(testCases, testCase{
3405 // If a client certificate is not provided, OpenSSL will still
3406 // return X509_V_OK as the verify_result.
3407 testType: serverTest,
3408 name: "NoClientCertificate-Server-" + ver.name,
3409 config: Config{
3410 MinVersion: ver.version,
3411 MaxVersion: ver.version,
3412 },
3413 flags: []string{
3414 "-expect-verify-result",
3415 "-verify-peer",
3416 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3417 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3418 })
3419
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3420 certificateRequired := "remote error: certificate required"
3421 if ver.version < VersionTLS13 {
3422 // Prior to TLS 1.3, the generic handshake_failure alert
3423 // was used.
3424 certificateRequired = "remote error: handshake failure"
3425 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3426 testCases = append(testCases, testCase{
3427 testType: serverTest,
3428 name: "RequireAnyClientCertificate-" + ver.name,
3429 config: Config{
3430 MinVersion: ver.version,
3431 MaxVersion: ver.version,
3432 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3433 flags: []string{"-require-any-client-certificate"},
3434 shouldFail: true,
3435 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3436 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3437 })
3438
3439 if ver.version != VersionSSL30 {
3440 testCases = append(testCases, testCase{
3441 testType: serverTest,
3442 name: "SkipClientCertificate-" + ver.name,
3443 config: Config{
3444 MinVersion: ver.version,
3445 MaxVersion: ver.version,
3446 Bugs: ProtocolBugs{
3447 SkipClientCertificate: true,
3448 },
3449 },
3450 // Setting SSL_VERIFY_PEER allows anonymous clients.
3451 flags: []string{"-verify-peer"},
3452 shouldFail: true,
3453 expectedError: ":UNEXPECTED_MESSAGE:",
3454 })
David Benjaminc3648fa2017-07-01 10:50:56 -0400[diff] [blame]3455
3456 testCases = append(testCases, testCase{
3457 testType: serverTest,
3458 name: "VerifyPeerIfNoOBC-NoChannelID-" + ver.name,
3459 config: Config{
3460 MinVersion: ver.version,
3461 MaxVersion: ver.version,
3462 },
3463 flags: []string{
3464 "-enable-channel-id",
3465 "-verify-peer-if-no-obc",
3466 },
3467 shouldFail: true,
3468 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3469 expectedLocalError: certificateRequired,
3470 })
3471
3472 testCases = append(testCases, testCase{
3473 testType: serverTest,
3474 name: "VerifyPeerIfNoOBC-ChannelID-" + ver.name,
3475 config: Config{
3476 MinVersion: ver.version,
3477 MaxVersion: ver.version,
3478 ChannelID: channelIDKey,
3479 },
3480 expectChannelID: true,
3481 flags: []string{
3482 "-enable-channel-id",
3483 "-verify-peer-if-no-obc",
3484 },
3485 })
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3486 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3487
3488 testCases = append(testCases, testCase{
3489 testType: serverTest,
3490 name: ver.name + "-Server-CertReq-CA-List",
3491 config: Config{
3492 MinVersion: ver.version,
3493 MaxVersion: ver.version,
3494 Certificates: []Certificate{rsaCertificate},
3495 Bugs: ProtocolBugs{
3496 ExpectCertificateReqNames: caNames,
3497 },
3498 },
3499 flags: []string{
3500 "-require-any-client-certificate",
3501 "-use-client-ca-list", encodeDERValues(caNames),
3502 },
3503 })
3504
3505 testCases = append(testCases, testCase{
3506 testType: clientTest,
3507 name: ver.name + "-Client-CertReq-CA-List",
3508 config: Config{
3509 MinVersion: ver.version,
3510 MaxVersion: ver.version,
3511 Certificates: []Certificate{rsaCertificate},
3512 ClientAuth: RequireAnyClientCert,
3513 ClientCAs: certPool,
3514 },
3515 flags: []string{
3516 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3517 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3518 "-expect-client-ca-list", encodeDERValues(caNames),
3519 },
3520 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3521 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3522
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3523 // Client auth is only legal in certificate-based ciphers.
3524 testCases = append(testCases, testCase{
3525 testType: clientTest,
3526 name: "ClientAuth-PSK",
3527 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3528 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3529 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3530 PreSharedKey: []byte("secret"),
3531 ClientAuth: RequireAnyClientCert,
3532 },
3533 flags: []string{
3534 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3535 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3536 "-psk", "secret",
3537 },
3538 shouldFail: true,
3539 expectedError: ":UNEXPECTED_MESSAGE:",
3540 })
3541 testCases = append(testCases, testCase{
3542 testType: clientTest,
3543 name: "ClientAuth-ECDHE_PSK",
3544 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3545 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3546 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3547 PreSharedKey: []byte("secret"),
3548 ClientAuth: RequireAnyClientCert,
3549 },
3550 flags: []string{
3551 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3552 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3553 "-psk", "secret",
3554 },
3555 shouldFail: true,
3556 expectedError: ":UNEXPECTED_MESSAGE:",
3557 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3558
3559 // Regression test for a bug where the client CA list, if explicitly
3560 // set to NULL, was mis-encoded.
3561 testCases = append(testCases, testCase{
3562 testType: serverTest,
3563 name: "Null-Client-CA-List",
3564 config: Config{
3565 MaxVersion: VersionTLS12,
3566 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3567 Bugs: ProtocolBugs{
3568 ExpectCertificateReqNames: [][]byte{},
3569 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3570 },
3571 flags: []string{
3572 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3573 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3574 },
3575 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3576}
3577
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3578func addExtendedMasterSecretTests() {
3579 const expectEMSFlag = "-expect-extended-master-secret"
3580
3581 for _, with := range []bool{false, true} {
3582 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3583 if with {
3584 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3585 }
3586
3587 for _, isClient := range []bool{false, true} {
3588 suffix := "-Server"
3589 testType := serverTest
3590 if isClient {
3591 suffix = "-Client"
3592 testType = clientTest
3593 }
3594
3595 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3596 // In TLS 1.3, the extension is irrelevant and
3597 // always reports as enabled.
3598 var flags []string
3599 if with || ver.version >= VersionTLS13 {
3600 flags = []string{expectEMSFlag}
3601 }
3602
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3603 test := testCase{
3604 testType: testType,
3605 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3606 config: Config{
3607 MinVersion: ver.version,
3608 MaxVersion: ver.version,
3609 Bugs: ProtocolBugs{
3610 NoExtendedMasterSecret: !with,
3611 RequireExtendedMasterSecret: with,
3612 },
3613 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3614 flags: flags,
3615 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3616 }
3617 if test.shouldFail {
3618 test.expectedLocalError = "extended master secret required but not supported by peer"
3619 }
3620 testCases = append(testCases, test)
3621 }
3622 }
3623 }
3624
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3625 for _, isClient := range []bool{false, true} {
3626 for _, supportedInFirstConnection := range []bool{false, true} {
3627 for _, supportedInResumeConnection := range []bool{false, true} {
3628 boolToWord := func(b bool) string {
3629 if b {
3630 return "Yes"
3631 }
3632 return "No"
3633 }
3634 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3635 if isClient {
3636 suffix += "Client"
3637 } else {
3638 suffix += "Server"
3639 }
3640
3641 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3642 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3643 Bugs: ProtocolBugs{
3644 RequireExtendedMasterSecret: true,
3645 },
3646 }
3647
3648 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3649 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3650 Bugs: ProtocolBugs{
3651 NoExtendedMasterSecret: true,
3652 },
3653 }
3654
3655 test := testCase{
3656 name: "ExtendedMasterSecret-" + suffix,
3657 resumeSession: true,
3658 }
3659
3660 if !isClient {
3661 test.testType = serverTest
3662 }
3663
3664 if supportedInFirstConnection {
3665 test.config = supportedConfig
3666 } else {
3667 test.config = noSupportConfig
3668 }
3669
3670 if supportedInResumeConnection {
3671 test.resumeConfig = &supportedConfig
3672 } else {
3673 test.resumeConfig = &noSupportConfig
3674 }
3675
3676 switch suffix {
3677 case "YesToYes-Client", "YesToYes-Server":
3678 // When a session is resumed, it should
3679 // still be aware that its master
3680 // secret was generated via EMS and
3681 // thus it's safe to use tls-unique.
3682 test.flags = []string{expectEMSFlag}
3683 case "NoToYes-Server":
3684 // If an original connection did not
3685 // contain EMS, but a resumption
3686 // handshake does, then a server should
3687 // not resume the session.
3688 test.expectResumeRejected = true
3689 case "YesToNo-Server":
3690 // Resuming an EMS session without the
3691 // EMS extension should cause the
3692 // server to abort the connection.
3693 test.shouldFail = true
3694 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3695 case "NoToYes-Client":
3696 // A client should abort a connection
3697 // where the server resumed a non-EMS
3698 // session but echoed the EMS
3699 // extension.
3700 test.shouldFail = true
3701 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3702 case "YesToNo-Client":
3703 // A client should abort a connection
3704 // where the server didn't echo EMS
3705 // when the session used it.
3706 test.shouldFail = true
3707 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3708 }
3709
3710 testCases = append(testCases, test)
3711 }
3712 }
3713 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3714
3715 // Switching EMS on renegotiation is forbidden.
3716 testCases = append(testCases, testCase{
3717 name: "ExtendedMasterSecret-Renego-NoEMS",
3718 config: Config{
3719 MaxVersion: VersionTLS12,
3720 Bugs: ProtocolBugs{
3721 NoExtendedMasterSecret: true,
3722 NoExtendedMasterSecretOnRenegotiation: true,
3723 },
3724 },
3725 renegotiate: 1,
3726 flags: []string{
3727 "-renegotiate-freely",
3728 "-expect-total-renegotiations", "1",
3729 },
3730 })
3731
3732 testCases = append(testCases, testCase{
3733 name: "ExtendedMasterSecret-Renego-Upgrade",
3734 config: Config{
3735 MaxVersion: VersionTLS12,
3736 Bugs: ProtocolBugs{
3737 NoExtendedMasterSecret: true,
3738 },
3739 },
3740 renegotiate: 1,
3741 flags: []string{
3742 "-renegotiate-freely",
3743 "-expect-total-renegotiations", "1",
3744 },
3745 shouldFail: true,
3746 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3747 })
3748
3749 testCases = append(testCases, testCase{
3750 name: "ExtendedMasterSecret-Renego-Downgrade",
3751 config: Config{
3752 MaxVersion: VersionTLS12,
3753 Bugs: ProtocolBugs{
3754 NoExtendedMasterSecretOnRenegotiation: true,
3755 },
3756 },
3757 renegotiate: 1,
3758 flags: []string{
3759 "-renegotiate-freely",
3760 "-expect-total-renegotiations", "1",
3761 },
3762 shouldFail: true,
3763 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3764 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3765}
3766
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3767type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3768 protocol protocol
3769 async bool
3770 splitHandshake bool
3771 packHandshakeFlight bool
3772 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3773}
3774
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3775// Adds tests that try to cover the range of the handshake state machine, under
3776// various conditions. Some of these are redundant with other tests, but they
3777// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3778func addAllStateMachineCoverageTests() {
3779 for _, async := range []bool{false, true} {
3780 for _, protocol := range []protocol{tls, dtls} {
3781 addStateMachineCoverageTests(stateMachineTestConfig{
3782 protocol: protocol,
3783 async: async,
3784 })
3785 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3786 protocol: protocol,
3787 async: async,
3788 implicitHandshake: true,
3789 })
3790 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3791 protocol: protocol,
3792 async: async,
3793 splitHandshake: true,
3794 })
3795 if protocol == tls {
3796 addStateMachineCoverageTests(stateMachineTestConfig{
3797 protocol: protocol,
3798 async: async,
3799 packHandshakeFlight: true,
3800 })
3801 }
3802 }
3803 }
3804}
3805
3806func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3807 var tests []testCase
3808
3809 // Basic handshake, with resumption. Client and server,
3810 // session ID and session ticket.
3811 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3812 name: "Basic-Client",
3813 config: Config{
3814 MaxVersion: VersionTLS12,
3815 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3816 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3817 // Ensure session tickets are used, not session IDs.
3818 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3819 })
3820 tests = append(tests, testCase{
3821 name: "Basic-Client-RenewTicket",
3822 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3823 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3824 Bugs: ProtocolBugs{
3825 RenewTicketOnResume: true,
3826 },
3827 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3828 flags: []string{"-expect-ticket-renewal"},
3829 resumeSession: true,
3830 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3831 })
3832 tests = append(tests, testCase{
3833 name: "Basic-Client-NoTicket",
3834 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3835 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3836 SessionTicketsDisabled: true,
3837 },
3838 resumeSession: true,
3839 })
3840 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3841 testType: serverTest,
3842 name: "Basic-Server",
3843 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3844 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3845 Bugs: ProtocolBugs{
3846 RequireSessionTickets: true,
3847 },
3848 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3849 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3850 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3851 })
3852 tests = append(tests, testCase{
3853 testType: serverTest,
3854 name: "Basic-Server-NoTickets",
3855 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3856 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3857 SessionTicketsDisabled: true,
3858 },
3859 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3860 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3861 })
3862 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3863 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3864 name: "Basic-Server-EarlyCallback",
3865 config: Config{
3866 MaxVersion: VersionTLS12,
3867 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3868 flags: []string{"-use-early-callback"},
3869 resumeSession: true,
3870 })
3871
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3872 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3873 if config.protocol == tls {
3874 tests = append(tests, testCase{
3875 name: "TLS13-1RTT-Client",
3876 config: Config{
3877 MaxVersion: VersionTLS13,
3878 MinVersion: VersionTLS13,
3879 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3880 resumeSession: true,
3881 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3882 })
3883
3884 tests = append(tests, testCase{
3885 testType: serverTest,
3886 name: "TLS13-1RTT-Server",
3887 config: Config{
3888 MaxVersion: VersionTLS13,
3889 MinVersion: VersionTLS13,
3890 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3891 resumeSession: true,
3892 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3893 // TLS 1.3 uses tickets, so the session should not be
3894 // cached statefully.
3895 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3896 })
3897
3898 tests = append(tests, testCase{
3899 name: "TLS13-HelloRetryRequest-Client",
3900 config: Config{
3901 MaxVersion: VersionTLS13,
3902 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3903 // P-384 requires a HelloRetryRequest against BoringSSL's default
3904 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3905 CurvePreferences: []CurveID{CurveP384},
3906 Bugs: ProtocolBugs{
3907 ExpectMissingKeyShare: true,
3908 },
3909 },
3910 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3911 resumeSession: true,
3912 })
3913
3914 tests = append(tests, testCase{
3915 testType: serverTest,
3916 name: "TLS13-HelloRetryRequest-Server",
3917 config: Config{
3918 MaxVersion: VersionTLS13,
3919 MinVersion: VersionTLS13,
3920 // Require a HelloRetryRequest for every curve.
3921 DefaultCurves: []CurveID{},
3922 },
3923 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3924 resumeSession: true,
3925 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3926
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3927 tests = append(tests, testCase{
3928 testType: clientTest,
3929 name: "TLS13-EarlyData-Client",
3930 config: Config{
3931 MaxVersion: VersionTLS13,
3932 MinVersion: VersionTLS13,
3933 MaxEarlyDataSize: 16384,
3934 },
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]3935 resumeConfig: &Config{
3936 MaxVersion: VersionTLS13,
3937 MinVersion: VersionTLS13,
3938 MaxEarlyDataSize: 16384,
3939 Bugs: ProtocolBugs{
3940 ExpectEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
3941 },
3942 },
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3943 resumeSession: true,
3944 flags: []string{
3945 "-enable-early-data",
3946 "-expect-early-data-info",
3947 "-expect-accept-early-data",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]3948 "-on-resume-shim-writes-first",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3949 },
3950 })
3951
3952 tests = append(tests, testCase{
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]3953 testType: clientTest,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]3954 name: "TLS13Experiment-EarlyData-Client",
3955 config: Config{
3956 MaxVersion: VersionTLS13,
3957 MinVersion: VersionTLS13,
3958 TLS13Variant: TLS13Experiment,
3959 MaxEarlyDataSize: 16384,
3960 },
3961 resumeConfig: &Config{
3962 MaxVersion: VersionTLS13,
3963 MinVersion: VersionTLS13,
3964 TLS13Variant: TLS13Experiment,
3965 MaxEarlyDataSize: 16384,
3966 Bugs: ProtocolBugs{
3967 ExpectEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
3968 },
3969 },
3970 resumeSession: true,
3971 flags: []string{
3972 "-enable-early-data",
3973 "-expect-early-data-info",
3974 "-expect-accept-early-data",
3975 "-on-resume-shim-writes-first",
3976 "-tls13-variant", "1",
3977 },
3978 })
3979
3980 tests = append(tests, testCase{
3981 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]3982 name: "TLS13-EarlyData-TooMuchData-Client",
3983 config: Config{
3984 MaxVersion: VersionTLS13,
3985 MinVersion: VersionTLS13,
3986 MaxEarlyDataSize: 2,
3987 },
3988 resumeConfig: &Config{
3989 MaxVersion: VersionTLS13,
3990 MinVersion: VersionTLS13,
3991 MaxEarlyDataSize: 2,
3992 Bugs: ProtocolBugs{
3993 ExpectEarlyData: [][]byte{{'h', 'e'}},
3994 },
3995 },
3996 resumeShimPrefix: "llo",
3997 resumeSession: true,
3998 flags: []string{
3999 "-enable-early-data",
4000 "-expect-early-data-info",
4001 "-expect-accept-early-data",
4002 "-on-resume-shim-writes-first",
4003 },
4004 })
4005
4006 // Unfinished writes can only be tested when operations are async. EarlyData
4007 // can't be tested as part of an ImplicitHandshake in this case since
4008 // otherwise the early data will be sent as normal data.
4009 if config.async && !config.implicitHandshake {
4010 tests = append(tests, testCase{
4011 testType: clientTest,
4012 name: "TLS13-EarlyData-UnfinishedWrite-Client",
4013 config: Config{
4014 MaxVersion: VersionTLS13,
4015 MinVersion: VersionTLS13,
4016 MaxEarlyDataSize: 16384,
4017 },
4018 resumeConfig: &Config{
4019 MaxVersion: VersionTLS13,
4020 MinVersion: VersionTLS13,
4021 MaxEarlyDataSize: 16384,
4022 Bugs: ProtocolBugs{
4023 ExpectLateEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
4024 },
4025 },
4026 resumeSession: true,
4027 flags: []string{
4028 "-enable-early-data",
4029 "-expect-early-data-info",
4030 "-expect-accept-early-data",
4031 "-on-resume-read-with-unfinished-write",
4032 "-on-resume-shim-writes-first",
4033 },
4034 })
4035
4036 // Rejected unfinished writes are discarded (from the
4037 // perspective of the calling application) on 0-RTT
4038 // reject.
4039 tests = append(tests, testCase{
4040 testType: clientTest,
4041 name: "TLS13-EarlyData-RejectUnfinishedWrite-Client",
4042 config: Config{
4043 MaxVersion: VersionTLS13,
4044 MinVersion: VersionTLS13,
4045 MaxEarlyDataSize: 16384,
4046 },
4047 resumeConfig: &Config{
4048 MaxVersion: VersionTLS13,
4049 MinVersion: VersionTLS13,
4050 MaxEarlyDataSize: 16384,
4051 Bugs: ProtocolBugs{
4052 AlwaysRejectEarlyData: true,
4053 },
4054 },
4055 resumeSession: true,
4056 flags: []string{
4057 "-enable-early-data",
4058 "-expect-early-data-info",
4059 "-expect-reject-early-data",
4060 "-on-resume-read-with-unfinished-write",
4061 "-on-resume-shim-writes-first",
4062 },
4063 })
4064 }
4065
4066 tests = append(tests, testCase{
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]4067 testType: serverTest,
4068 name: "TLS13-EarlyData-Server",
4069 config: Config{
4070 MaxVersion: VersionTLS13,
4071 MinVersion: VersionTLS13,
4072 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]4073 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]4074 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]4075 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]4076 },
4077 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]4078 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]4079 resumeSession: true,
4080 flags: []string{
4081 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]4082 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]4083 },
4084 })
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]4085
4086 tests = append(tests, testCase{
4087 testType: serverTest,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4088 name: "TLS13Experiment-EarlyData-Server",
4089 config: Config{
4090 MaxVersion: VersionTLS13,
4091 MinVersion: VersionTLS13,
4092 TLS13Variant: TLS13Experiment,
4093 Bugs: ProtocolBugs{
4094 SendEarlyData: [][]byte{{1, 2, 3, 4}},
4095 ExpectEarlyDataAccepted: true,
4096 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
4097 },
4098 },
4099 messageCount: 2,
4100 resumeSession: true,
4101 flags: []string{
4102 "-enable-early-data",
4103 "-expect-accept-early-data",
4104 "-tls13-variant", "1",
4105 },
4106 })
4107
4108 tests = append(tests, testCase{
4109 testType: serverTest,
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]4110 name: "TLS13-MaxEarlyData-Server",
4111 config: Config{
4112 MaxVersion: VersionTLS13,
4113 MinVersion: VersionTLS13,
4114 Bugs: ProtocolBugs{
David Benjamin29975892017-04-27 23:47:21 -0400[diff] [blame]4115 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Alessandro Ghedinide254b42017-04-17 19:12:33 +0100[diff] [blame]4116 ExpectEarlyDataAccepted: true,
4117 },
4118 },
4119 messageCount: 2,
4120 resumeSession: true,
4121 flags: []string{
4122 "-enable-early-data",
4123 "-expect-accept-early-data",
4124 },
4125 shouldFail: true,
4126 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
4127 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]4128 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4129
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4130 // TLS client auth.
4131 tests = append(tests, testCase{
4132 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]4133 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4134 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4135 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4136 ClientAuth: RequestClientCert,
4137 },
4138 })
4139 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]4140 testType: serverTest,
4141 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4142 config: Config{
4143 MaxVersion: VersionTLS12,
4144 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]4145 // Setting SSL_VERIFY_PEER allows anonymous clients.
4146 flags: []string{"-verify-peer"},
4147 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4148 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]4149 tests = append(tests, testCase{
4150 testType: clientTest,
4151 name: "ClientAuth-NoCertificate-Client-SSL3",
4152 config: Config{
4153 MaxVersion: VersionSSL30,
4154 ClientAuth: RequestClientCert,
4155 },
4156 })
4157 tests = append(tests, testCase{
4158 testType: serverTest,
4159 name: "ClientAuth-NoCertificate-Server-SSL3",
4160 config: Config{
4161 MaxVersion: VersionSSL30,
4162 },
4163 // Setting SSL_VERIFY_PEER allows anonymous clients.
4164 flags: []string{"-verify-peer"},
4165 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4166 tests = append(tests, testCase{
4167 testType: clientTest,
4168 name: "ClientAuth-NoCertificate-Client-TLS13",
4169 config: Config{
4170 MaxVersion: VersionTLS13,
4171 ClientAuth: RequestClientCert,
4172 },
4173 })
4174 tests = append(tests, testCase{
4175 testType: serverTest,
4176 name: "ClientAuth-NoCertificate-Server-TLS13",
4177 config: Config{
4178 MaxVersion: VersionTLS13,
4179 },
4180 // Setting SSL_VERIFY_PEER allows anonymous clients.
4181 flags: []string{"-verify-peer"},
4182 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]4183 }
4184 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4185 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]4186 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4188 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4189 ClientAuth: RequireAnyClientCert,
4190 },
4191 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]4192 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4193 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4194 },
4195 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]4196 tests = append(tests, testCase{
4197 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4198 name: "ClientAuth-RSA-Client-TLS13",
4199 config: Config{
4200 MaxVersion: VersionTLS13,
4201 ClientAuth: RequireAnyClientCert,
4202 },
4203 flags: []string{
4204 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4205 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4206 },
4207 })
4208 tests = append(tests, testCase{
4209 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]4210 name: "ClientAuth-ECDSA-Client",
4211 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4212 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]4213 ClientAuth: RequireAnyClientCert,
4214 },
4215 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]4216 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4217 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]4218 },
4219 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4220 tests = append(tests, testCase{
4221 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4222 name: "ClientAuth-ECDSA-Client-TLS13",
4223 config: Config{
4224 MaxVersion: VersionTLS13,
4225 ClientAuth: RequireAnyClientCert,
4226 },
4227 flags: []string{
4228 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4229 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4230 },
4231 })
4232 tests = append(tests, testCase{
4233 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4234 name: "ClientAuth-NoCertificate-OldCallback",
4235 config: Config{
4236 MaxVersion: VersionTLS12,
4237 ClientAuth: RequestClientCert,
4238 },
4239 flags: []string{"-use-old-client-cert-callback"},
4240 })
4241 tests = append(tests, testCase{
4242 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4243 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
4244 config: Config{
4245 MaxVersion: VersionTLS13,
4246 ClientAuth: RequestClientCert,
4247 },
4248 flags: []string{"-use-old-client-cert-callback"},
4249 })
4250 tests = append(tests, testCase{
4251 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4252 name: "ClientAuth-OldCallback",
4253 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4254 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]4255 ClientAuth: RequireAnyClientCert,
4256 },
4257 flags: []string{
4258 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4259 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4260 "-use-old-client-cert-callback",
4261 },
4262 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4263 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4264 testType: clientTest,
4265 name: "ClientAuth-OldCallback-TLS13",
4266 config: Config{
4267 MaxVersion: VersionTLS13,
4268 ClientAuth: RequireAnyClientCert,
4269 },
4270 flags: []string{
4271 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4272 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4273 "-use-old-client-cert-callback",
4274 },
4275 })
4276 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4277 testType: serverTest,
4278 name: "ClientAuth-Server",
4279 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4280 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4281 Certificates: []Certificate{rsaCertificate},
4282 },
4283 flags: []string{"-require-any-client-certificate"},
4284 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4285 tests = append(tests, testCase{
4286 testType: serverTest,
4287 name: "ClientAuth-Server-TLS13",
4288 config: Config{
4289 MaxVersion: VersionTLS13,
4290 Certificates: []Certificate{rsaCertificate},
4291 },
4292 flags: []string{"-require-any-client-certificate"},
4293 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4294
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4295 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4296 tests = append(tests, testCase{
4297 testType: serverTest,
4298 name: "Basic-Server-RSA",
4299 config: Config{
4300 MaxVersion: VersionTLS12,
4301 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
4302 },
4303 flags: []string{
4304 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4305 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4306 },
4307 })
4308 tests = append(tests, testCase{
4309 testType: serverTest,
4310 name: "Basic-Server-ECDHE-RSA",
4311 config: Config{
4312 MaxVersion: VersionTLS12,
4313 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4314 },
4315 flags: []string{
4316 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4317 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4318 },
4319 })
4320 tests = append(tests, testCase{
4321 testType: serverTest,
4322 name: "Basic-Server-ECDHE-ECDSA",
4323 config: Config{
4324 MaxVersion: VersionTLS12,
4325 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4326 },
4327 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]4328 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4329 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4330 },
4331 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]4332 tests = append(tests, testCase{
4333 testType: serverTest,
4334 name: "Basic-Server-Ed25519",
4335 config: Config{
4336 MaxVersion: VersionTLS12,
4337 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4338 },
4339 flags: []string{
4340 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
4341 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
4342 "-enable-ed25519",
4343 },
4344 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4345
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4346 // No session ticket support; server doesn't send NewSessionTicket.
4347 tests = append(tests, testCase{
4348 name: "SessionTicketsDisabled-Client",
4349 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4350 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4351 SessionTicketsDisabled: true,
4352 },
4353 })
4354 tests = append(tests, testCase{
4355 testType: serverTest,
4356 name: "SessionTicketsDisabled-Server",
4357 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4358 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4359 SessionTicketsDisabled: true,
4360 },
4361 })
4362
4363 // Skip ServerKeyExchange in PSK key exchange if there's no
4364 // identity hint.
4365 tests = append(tests, testCase{
4366 name: "EmptyPSKHint-Client",
4367 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4368 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4369 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4370 PreSharedKey: []byte("secret"),
4371 },
4372 flags: []string{"-psk", "secret"},
4373 })
4374 tests = append(tests, testCase{
4375 testType: serverTest,
4376 name: "EmptyPSKHint-Server",
4377 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4378 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4379 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4380 PreSharedKey: []byte("secret"),
4381 },
4382 flags: []string{"-psk", "secret"},
4383 })
4384
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4385 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4386 tests = append(tests, testCase{
4387 testType: clientTest,
4388 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4389 config: Config{
4390 MaxVersion: VersionTLS12,
4391 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4392 flags: []string{
4393 "-enable-ocsp-stapling",
4394 "-expect-ocsp-response",
4395 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4396 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4397 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]4398 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4399 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4400 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4401 testType: serverTest,
4402 name: "OCSPStapling-Server",
4403 config: Config{
4404 MaxVersion: VersionTLS12,
4405 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4406 expectedOCSPResponse: testOCSPResponse,
4407 flags: []string{
4408 "-ocsp-response",
4409 base64.StdEncoding.EncodeToString(testOCSPResponse),
4410 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]4411 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4412 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4413 tests = append(tests, testCase{
4414 testType: clientTest,
4415 name: "OCSPStapling-Client-TLS13",
4416 config: Config{
4417 MaxVersion: VersionTLS13,
4418 },
4419 flags: []string{
4420 "-enable-ocsp-stapling",
4421 "-expect-ocsp-response",
4422 base64.StdEncoding.EncodeToString(testOCSPResponse),
4423 "-verify-peer",
4424 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4425 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4426 })
4427 tests = append(tests, testCase{
4428 testType: serverTest,
4429 name: "OCSPStapling-Server-TLS13",
4430 config: Config{
4431 MaxVersion: VersionTLS13,
4432 },
4433 expectedOCSPResponse: testOCSPResponse,
4434 flags: []string{
4435 "-ocsp-response",
4436 base64.StdEncoding.EncodeToString(testOCSPResponse),
4437 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4438 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]4439 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]4440
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4441 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4442 for _, vers := range tlsVersions {
4443 if config.protocol == dtls && !vers.hasDTLS {
4444 continue
4445 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4446 for _, testType := range []testType{clientTest, serverTest} {
4447 suffix := "-Client"
4448 if testType == serverTest {
4449 suffix = "-Server"
4450 }
4451 suffix += "-" + vers.name
4452
4453 flag := "-verify-peer"
4454 if testType == serverTest {
4455 flag = "-require-any-client-certificate"
4456 }
4457
4458 tests = append(tests, testCase{
4459 testType: testType,
4460 name: "CertificateVerificationSucceed" + suffix,
4461 config: Config{
4462 MaxVersion: vers.version,
4463 Certificates: []Certificate{rsaCertificate},
4464 },
4465 flags: []string{
4466 flag,
4467 "-expect-verify-result",
4468 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4469 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4470 })
4471 tests = append(tests, testCase{
4472 testType: testType,
4473 name: "CertificateVerificationFail" + suffix,
4474 config: Config{
4475 MaxVersion: vers.version,
4476 Certificates: []Certificate{rsaCertificate},
4477 },
4478 flags: []string{
4479 flag,
4480 "-verify-fail",
4481 },
4482 shouldFail: true,
4483 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4484 })
4485 }
4486
4487 // By default, the client is in a soft fail mode where the peer
4488 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4489 tests = append(tests, testCase{
4490 testType: clientTest,
4491 name: "CertificateVerificationSoftFail-" + vers.name,
4492 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4493 MaxVersion: vers.version,
4494 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4495 },
4496 flags: []string{
4497 "-verify-fail",
4498 "-expect-verify-result",
4499 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4500 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4501 })
4502 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4503
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4504 tests = append(tests, testCase{
4505 name: "ShimSendAlert",
4506 flags: []string{"-send-alert"},
4507 shimWritesFirst: true,
4508 shouldFail: true,
4509 expectedLocalError: "remote error: decompression failure",
4510 })
4511
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4512 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4513 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4514 name: "Renegotiate-Client",
4515 config: Config{
4516 MaxVersion: VersionTLS12,
4517 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4518 renegotiate: 1,
4519 flags: []string{
4520 "-renegotiate-freely",
4521 "-expect-total-renegotiations", "1",
4522 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4523 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4524
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4525 tests = append(tests, testCase{
4526 name: "SendHalfHelloRequest",
4527 config: Config{
4528 MaxVersion: VersionTLS12,
4529 Bugs: ProtocolBugs{
4530 PackHelloRequestWithFinished: config.packHandshakeFlight,
4531 },
4532 },
4533 sendHalfHelloRequest: true,
4534 flags: []string{"-renegotiate-ignore"},
4535 shouldFail: true,
4536 expectedError: ":UNEXPECTED_RECORD:",
4537 })
4538
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4539 // NPN on client and server; results in post-handshake message.
4540 tests = append(tests, testCase{
4541 name: "NPN-Client",
4542 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4543 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4544 NextProtos: []string{"foo"},
4545 },
4546 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4547 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4548 expectedNextProto: "foo",
4549 expectedNextProtoType: npn,
4550 })
4551 tests = append(tests, testCase{
4552 testType: serverTest,
4553 name: "NPN-Server",
4554 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4555 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4556 NextProtos: []string{"bar"},
4557 },
4558 flags: []string{
4559 "-advertise-npn", "\x03foo\x03bar\x03baz",
4560 "-expect-next-proto", "bar",
4561 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4562 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4563 expectedNextProto: "bar",
4564 expectedNextProtoType: npn,
4565 })
4566
4567 // TODO(davidben): Add tests for when False Start doesn't trigger.
4568
4569 // Client does False Start and negotiates NPN.
4570 tests = append(tests, testCase{
4571 name: "FalseStart",
4572 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4573 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4574 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4575 NextProtos: []string{"foo"},
4576 Bugs: ProtocolBugs{
4577 ExpectFalseStart: true,
4578 },
4579 },
4580 flags: []string{
4581 "-false-start",
4582 "-select-next-proto", "foo",
4583 },
4584 shimWritesFirst: true,
4585 resumeSession: true,
4586 })
4587
4588 // Client does False Start and negotiates ALPN.
4589 tests = append(tests, testCase{
4590 name: "FalseStart-ALPN",
4591 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4592 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4593 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4594 NextProtos: []string{"foo"},
4595 Bugs: ProtocolBugs{
4596 ExpectFalseStart: true,
4597 },
4598 },
4599 flags: []string{
4600 "-false-start",
4601 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]4602 "-expect-alpn", "foo",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4603 },
4604 shimWritesFirst: true,
4605 resumeSession: true,
4606 })
4607
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4608 // False Start without session tickets.
4609 tests = append(tests, testCase{
4610 name: "FalseStart-SessionTicketsDisabled",
4611 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4612 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4613 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4614 NextProtos: []string{"foo"},
4615 SessionTicketsDisabled: true,
4616 Bugs: ProtocolBugs{
4617 ExpectFalseStart: true,
4618 },
4619 },
4620 flags: []string{
4621 "-false-start",
4622 "-select-next-proto", "foo",
4623 },
4624 shimWritesFirst: true,
4625 })
4626
4627 // Server parses a V2ClientHello.
4628 tests = append(tests, testCase{
4629 testType: serverTest,
4630 name: "SendV2ClientHello",
4631 config: Config{
4632 // Choose a cipher suite that does not involve
4633 // elliptic curves, so no extensions are
4634 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4635 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4636 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4637 Bugs: ProtocolBugs{
4638 SendV2ClientHello: true,
4639 },
4640 },
4641 })
4642
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4643 // Test Channel ID
4644 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4645 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4646 continue
4647 }
4648 // Client sends a Channel ID.
4649 tests = append(tests, testCase{
4650 name: "ChannelID-Client-" + ver.name,
4651 config: Config{
4652 MaxVersion: ver.version,
4653 RequestChannelID: true,
4654 },
4655 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4656 resumeSession: true,
4657 expectChannelID: true,
4658 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4659
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4660 // Server accepts a Channel ID.
4661 tests = append(tests, testCase{
4662 testType: serverTest,
4663 name: "ChannelID-Server-" + ver.name,
4664 config: Config{
4665 MaxVersion: ver.version,
4666 ChannelID: channelIDKey,
4667 },
4668 flags: []string{
4669 "-expect-channel-id",
4670 base64.StdEncoding.EncodeToString(channelIDBytes),
4671 },
4672 resumeSession: true,
4673 expectChannelID: true,
4674 })
4675
4676 tests = append(tests, testCase{
4677 testType: serverTest,
4678 name: "InvalidChannelIDSignature-" + ver.name,
4679 config: Config{
4680 MaxVersion: ver.version,
4681 ChannelID: channelIDKey,
4682 Bugs: ProtocolBugs{
4683 InvalidChannelIDSignature: true,
4684 },
4685 },
4686 flags: []string{"-enable-channel-id"},
4687 shouldFail: true,
4688 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4689 })
David Benjamin634f4752017-07-01 11:08:41 -0400[diff] [blame]4690
4691 if ver.version < VersionTLS13 {
4692 // Channel ID requires ECDHE ciphers.
4693 tests = append(tests, testCase{
4694 testType: serverTest,
4695 name: "ChannelID-NoECDHE-" + ver.name,
4696 config: Config{
4697 MaxVersion: ver.version,
4698 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
4699 ChannelID: channelIDKey,
4700 },
4701 expectChannelID: false,
4702 flags: []string{"-enable-channel-id"},
4703 })
4704
4705 // Sanity-check setting expectChannelID false works.
4706 tests = append(tests, testCase{
4707 testType: serverTest,
4708 name: "ChannelID-ECDHE-" + ver.name,
4709 config: Config{
4710 MaxVersion: ver.version,
4711 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
4712 ChannelID: channelIDKey,
4713 },
4714 expectChannelID: false,
4715 flags: []string{"-enable-channel-id"},
4716 shouldFail: true,
4717 expectedLocalError: "channel ID unexpectedly negotiated",
4718 })
4719 }
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4720 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4721
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4722 // Channel ID and NPN at the same time, to ensure their relative
4723 // ordering is correct.
4724 tests = append(tests, testCase{
4725 name: "ChannelID-NPN-Client",
4726 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4727 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4728 RequestChannelID: true,
4729 NextProtos: []string{"foo"},
4730 },
4731 flags: []string{
4732 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4733 "-select-next-proto", "foo",
4734 },
4735 resumeSession: true,
4736 expectChannelID: true,
4737 expectedNextProto: "foo",
4738 expectedNextProtoType: npn,
4739 })
4740 tests = append(tests, testCase{
4741 testType: serverTest,
4742 name: "ChannelID-NPN-Server",
4743 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4744 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4745 ChannelID: channelIDKey,
4746 NextProtos: []string{"bar"},
4747 },
4748 flags: []string{
4749 "-expect-channel-id",
4750 base64.StdEncoding.EncodeToString(channelIDBytes),
4751 "-advertise-npn", "\x03foo\x03bar\x03baz",
4752 "-expect-next-proto", "bar",
4753 },
4754 resumeSession: true,
4755 expectChannelID: true,
4756 expectedNextProto: "bar",
4757 expectedNextProtoType: npn,
4758 })
4759
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4760 // Bidirectional shutdown with the runner initiating.
4761 tests = append(tests, testCase{
4762 name: "Shutdown-Runner",
4763 config: Config{
4764 Bugs: ProtocolBugs{
4765 ExpectCloseNotify: true,
4766 },
4767 },
4768 flags: []string{"-check-close-notify"},
4769 })
4770
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4771 if !config.implicitHandshake {
4772 // Bidirectional shutdown with the shim initiating. The runner,
4773 // in the meantime, sends garbage before the close_notify which
4774 // the shim must ignore. This test is disabled under implicit
4775 // handshake tests because the shim never reads or writes.
4776 tests = append(tests, testCase{
4777 name: "Shutdown-Shim",
4778 config: Config{
4779 MaxVersion: VersionTLS12,
4780 Bugs: ProtocolBugs{
4781 ExpectCloseNotify: true,
4782 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4783 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4784 shimShutsDown: true,
4785 sendEmptyRecords: 1,
4786 sendWarningAlerts: 1,
4787 flags: []string{"-check-close-notify"},
4788 })
4789 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4790 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4791 // TODO(davidben): DTLS 1.3 will want a similar thing for
4792 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4793 tests = append(tests, testCase{
4794 name: "SkipHelloVerifyRequest",
4795 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4796 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4797 Bugs: ProtocolBugs{
4798 SkipHelloVerifyRequest: true,
4799 },
4800 },
4801 })
4802 }
4803
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4804 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4805 test.protocol = config.protocol
4806 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4807 test.name += "-DTLS"
4808 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4809 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4810 test.name += "-Async"
4811 test.flags = append(test.flags, "-async")
4812 } else {
4813 test.name += "-Sync"
4814 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4815 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4816 test.name += "-SplitHandshakeRecords"
4817 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4818 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4819 test.config.Bugs.MaxPacketLength = 256
4820 test.flags = append(test.flags, "-mtu", "256")
4821 }
4822 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4823 if config.packHandshakeFlight {
4824 test.name += "-PackHandshakeFlight"
4825 test.config.Bugs.PackHandshakeFlight = true
4826 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4827 if config.implicitHandshake {
4828 test.name += "-ImplicitHandshake"
4829 test.flags = append(test.flags, "-implicit-handshake")
4830 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4831 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4832 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4833}
4834
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4835func addDDoSCallbackTests() {
4836 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4837 for _, resume := range []bool{false, true} {
4838 suffix := "Resume"
4839 if resume {
4840 suffix = "No" + suffix
4841 }
4842
4843 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4844 testType: serverTest,
4845 name: "Server-DDoS-OK-" + suffix,
4846 config: Config{
4847 MaxVersion: VersionTLS12,
4848 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4849 flags: []string{"-install-ddos-callback"},
4850 resumeSession: resume,
4851 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4852 testCases = append(testCases, testCase{
4853 testType: serverTest,
4854 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4855 config: Config{
4856 MaxVersion: VersionTLS13,
4857 },
4858 flags: []string{"-install-ddos-callback"},
4859 resumeSession: resume,
4860 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4861
4862 failFlag := "-fail-ddos-callback"
4863 if resume {
4864 failFlag = "-fail-second-ddos-callback"
4865 }
4866 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4867 testType: serverTest,
4868 name: "Server-DDoS-Reject-" + suffix,
4869 config: Config{
4870 MaxVersion: VersionTLS12,
4871 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4872 flags: []string{"-install-ddos-callback", failFlag},
4873 resumeSession: resume,
4874 shouldFail: true,
4875 expectedError: ":CONNECTION_REJECTED:",
4876 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4877 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4878 testCases = append(testCases, testCase{
4879 testType: serverTest,
4880 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4881 config: Config{
4882 MaxVersion: VersionTLS13,
4883 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4884 flags: []string{"-install-ddos-callback", failFlag},
4885 resumeSession: resume,
4886 shouldFail: true,
4887 expectedError: ":CONNECTION_REJECTED:",
4888 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4889 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4890 }
4891}
4892
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4893func addVersionNegotiationTests() {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4894 for _, protocol := range []protocol{tls, dtls} {
4895 for _, shimVers := range allVersions(protocol) {
4896 // Assemble flags to disable all newer versions on the shim.
4897 var flags []string
4898 for _, vers := range allVersions(protocol) {
4899 if vers.version > shimVers.version {
4900 flags = append(flags, vers.excludeFlag)
4901 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4902 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4903
4904 flags2 := []string{"-max-version", shimVers.shimFlag(protocol)}
4905
4906 if shimVers.tls13Variant != 0 {
4907 flags = append(flags, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
4908 flags2 = append(flags2, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
4909 }
4910
4911 // Test configuring the runner's maximum version.
4912 for _, runnerVers := range allVersions(protocol) {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4913 expectedVersion := shimVers.version
4914 if runnerVers.version < shimVers.version {
4915 expectedVersion = runnerVers.version
4916 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4917 // When running and shim have different TLS 1.3 variants enabled,
4918 // shim clients are expected to fall back to TLS 1.2, while shim
4919 // servers support both variants when enabled when the experiment is
4920 // enabled.
4921 expectedServerVersion := expectedVersion
4922 expectedClientVersion := expectedVersion
4923 if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant {
4924 expectedClientVersion = VersionTLS12
4925 expectedServerVersion = VersionTLS12
4926 if shimVers.tls13Variant != TLS13Default {
4927 expectedServerVersion = VersionTLS13
4928 }
4929 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4930
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4931 suffix := shimVers.name + "-" + runnerVers.name
4932 if protocol == dtls {
4933 suffix += "-DTLS"
4934 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4935
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4936 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4937 clientVers := shimVers.version
4938 if clientVers > VersionTLS10 {
4939 clientVers = VersionTLS10
4940 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4941 clientVers = recordVersionToWire(clientVers, protocol)
4942 serverVers := expectedServerVersion
4943 if expectedServerVersion >= VersionTLS13 {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4944 serverVers = VersionTLS10
4945 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4946 serverVers = recordVersionToWire(serverVers, protocol)
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4947
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4948 testCases = append(testCases, testCase{
4949 protocol: protocol,
4950 testType: clientTest,
4951 name: "VersionNegotiation-Client-" + suffix,
4952 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4953 MaxVersion: runnerVers.version,
4954 TLS13Variant: runnerVers.tls13Variant,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4955 Bugs: ProtocolBugs{
4956 ExpectInitialRecordVersion: clientVers,
4957 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4958 },
4959 flags: flags,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4960 expectedVersion: expectedClientVersion,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4961 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4962 testCases = append(testCases, testCase{
4963 protocol: protocol,
4964 testType: clientTest,
4965 name: "VersionNegotiation-Client2-" + suffix,
4966 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4967 MaxVersion: runnerVers.version,
4968 TLS13Variant: runnerVers.tls13Variant,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4969 Bugs: ProtocolBugs{
4970 ExpectInitialRecordVersion: clientVers,
4971 },
4972 },
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4973 flags: flags2,
4974 expectedVersion: expectedClientVersion,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4975 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4976
4977 testCases = append(testCases, testCase{
4978 protocol: protocol,
4979 testType: serverTest,
4980 name: "VersionNegotiation-Server-" + suffix,
4981 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4982 MaxVersion: runnerVers.version,
4983 TLS13Variant: runnerVers.tls13Variant,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4984 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4985 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4986 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4987 },
4988 flags: flags,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4989 expectedVersion: expectedServerVersion,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4990 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4991 testCases = append(testCases, testCase{
4992 protocol: protocol,
4993 testType: serverTest,
4994 name: "VersionNegotiation-Server2-" + suffix,
4995 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]4996 MaxVersion: runnerVers.version,
4997 TLS13Variant: runnerVers.tls13Variant,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4998 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4999 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]5000 },
5001 },
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5002 flags: flags2,
5003 expectedVersion: expectedServerVersion,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]5004 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5005 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]5006 }
5007 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5008
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5009 // Test the version extension at all versions.
5010 for _, vers := range tlsVersions {
5011 protocols := []protocol{tls}
5012 if vers.hasDTLS {
5013 protocols = append(protocols, dtls)
5014 }
5015 for _, protocol := range protocols {
5016 suffix := vers.name
5017 if protocol == dtls {
5018 suffix += "-DTLS"
5019 }
5020
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5021 testCases = append(testCases, testCase{
5022 protocol: protocol,
5023 testType: serverTest,
5024 name: "VersionNegotiationExtension-" + suffix,
5025 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5026 TLS13Variant: vers.tls13Variant,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5027 Bugs: ProtocolBugs{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5028 SendSupportedVersions: []uint16{0x1111, vers.wire(protocol), 0x2222},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5029 },
5030 },
5031 expectedVersion: vers.version,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5032 flags: []string{"-tls13-variant", strconv.Itoa(vers.tls13Variant)},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5033 })
5034 }
5035
5036 }
5037
5038 // If all versions are unknown, negotiation fails.
5039 testCases = append(testCases, testCase{
5040 testType: serverTest,
5041 name: "NoSupportedVersions",
5042 config: Config{
5043 Bugs: ProtocolBugs{
5044 SendSupportedVersions: []uint16{0x1111},
5045 },
5046 },
5047 shouldFail: true,
5048 expectedError: ":UNSUPPORTED_PROTOCOL:",
5049 })
5050 testCases = append(testCases, testCase{
5051 protocol: dtls,
5052 testType: serverTest,
5053 name: "NoSupportedVersions-DTLS",
5054 config: Config{
5055 Bugs: ProtocolBugs{
5056 SendSupportedVersions: []uint16{0x1111},
5057 },
5058 },
5059 shouldFail: true,
5060 expectedError: ":UNSUPPORTED_PROTOCOL:",
5061 })
5062
5063 testCases = append(testCases, testCase{
5064 testType: serverTest,
5065 name: "ClientHelloVersionTooHigh",
5066 config: Config{
5067 MaxVersion: VersionTLS13,
5068 Bugs: ProtocolBugs{
5069 SendClientVersion: 0x0304,
5070 OmitSupportedVersions: true,
5071 },
5072 },
5073 expectedVersion: VersionTLS12,
5074 })
5075
5076 testCases = append(testCases, testCase{
5077 testType: serverTest,
5078 name: "ConflictingVersionNegotiation",
5079 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5080 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]5081 SendClientVersion: VersionTLS12,
5082 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5083 },
5084 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]5085 // The extension takes precedence over the ClientHello version.
5086 expectedVersion: VersionTLS11,
5087 })
5088
5089 testCases = append(testCases, testCase{
5090 testType: serverTest,
5091 name: "ConflictingVersionNegotiation-2",
5092 config: Config{
5093 Bugs: ProtocolBugs{
5094 SendClientVersion: VersionTLS11,
5095 SendSupportedVersions: []uint16{VersionTLS12},
5096 },
5097 },
5098 // The extension takes precedence over the ClientHello version.
5099 expectedVersion: VersionTLS12,
5100 })
5101
5102 testCases = append(testCases, testCase{
5103 testType: serverTest,
5104 name: "RejectFinalTLS13",
5105 config: Config{
5106 Bugs: ProtocolBugs{
5107 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
5108 },
5109 },
5110 // We currently implement a draft TLS 1.3 version. Ensure that
5111 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5112 expectedVersion: VersionTLS12,
5113 })
5114
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]5115 // Test that the maximum version is selected regardless of the
5116 // client-sent order.
5117 testCases = append(testCases, testCase{
5118 testType: serverTest,
5119 name: "IgnoreClientVersionOrder",
5120 config: Config{
5121 Bugs: ProtocolBugs{
5122 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
5123 },
5124 },
5125 expectedVersion: VersionTLS13,
5126 })
5127
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5128 // Test for version tolerance.
5129 testCases = append(testCases, testCase{
5130 testType: serverTest,
5131 name: "MinorVersionTolerance",
5132 config: Config{
5133 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5134 SendClientVersion: 0x03ff,
5135 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5136 },
5137 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5138 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5139 })
5140 testCases = append(testCases, testCase{
5141 testType: serverTest,
5142 name: "MajorVersionTolerance",
5143 config: Config{
5144 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5145 SendClientVersion: 0x0400,
5146 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5147 },
5148 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]5149 // TLS 1.3 must be negotiated with the supported_versions
5150 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5151 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5152 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]5153 testCases = append(testCases, testCase{
5154 testType: serverTest,
5155 name: "VersionTolerance-TLS13",
5156 config: Config{
5157 Bugs: ProtocolBugs{
5158 // Although TLS 1.3 does not use
5159 // ClientHello.version, it still tolerates high
5160 // values there.
5161 SendClientVersion: 0x0400,
5162 },
5163 },
5164 expectedVersion: VersionTLS13,
5165 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5166
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5167 testCases = append(testCases, testCase{
5168 protocol: dtls,
5169 testType: serverTest,
5170 name: "MinorVersionTolerance-DTLS",
5171 config: Config{
5172 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5173 SendClientVersion: 0xfe00,
5174 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5175 },
5176 },
5177 expectedVersion: VersionTLS12,
5178 })
5179 testCases = append(testCases, testCase{
5180 protocol: dtls,
5181 testType: serverTest,
5182 name: "MajorVersionTolerance-DTLS",
5183 config: Config{
5184 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5185 SendClientVersion: 0xfdff,
5186 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5187 },
5188 },
5189 expectedVersion: VersionTLS12,
5190 })
5191
5192 // Test that versions below 3.0 are rejected.
5193 testCases = append(testCases, testCase{
5194 testType: serverTest,
5195 name: "VersionTooLow",
5196 config: Config{
5197 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5198 SendClientVersion: 0x0200,
5199 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5200 },
5201 },
5202 shouldFail: true,
5203 expectedError: ":UNSUPPORTED_PROTOCOL:",
5204 })
5205 testCases = append(testCases, testCase{
5206 protocol: dtls,
5207 testType: serverTest,
5208 name: "VersionTooLow-DTLS",
5209 config: Config{
5210 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]5211 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]5212 },
5213 },
5214 shouldFail: true,
5215 expectedError: ":UNSUPPORTED_PROTOCOL:",
5216 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]5217
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]5218 testCases = append(testCases, testCase{
5219 name: "ServerBogusVersion",
5220 config: Config{
5221 Bugs: ProtocolBugs{
5222 SendServerHelloVersion: 0x1234,
5223 },
5224 },
5225 shouldFail: true,
5226 expectedError: ":UNSUPPORTED_PROTOCOL:",
5227 })
5228
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]5229 // Test TLS 1.3's downgrade signal.
5230 testCases = append(testCases, testCase{
5231 name: "Downgrade-TLS12-Client",
5232 config: Config{
5233 Bugs: ProtocolBugs{
5234 NegotiateVersion: VersionTLS12,
5235 },
5236 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]5237 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]5238 // TODO(davidben): This test should fail once TLS 1.3 is final
5239 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]5240 })
5241 testCases = append(testCases, testCase{
5242 testType: serverTest,
5243 name: "Downgrade-TLS12-Server",
5244 config: Config{
5245 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]5246 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]5247 },
5248 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]5249 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]5250 // TODO(davidben): This test should fail once TLS 1.3 is final
5251 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]5252 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]5253}
5254
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5255func addMinimumVersionTests() {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5256 for _, protocol := range []protocol{tls, dtls} {
5257 for _, shimVers := range allVersions(protocol) {
5258 // Assemble flags to disable all older versions on the shim.
5259 var flags []string
5260 for _, vers := range allVersions(protocol) {
5261 if vers.version < shimVers.version {
5262 flags = append(flags, vers.excludeFlag)
5263 }
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5264 }
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5265
5266 flags2 := []string{"-min-version", shimVers.shimFlag(protocol)}
5267
5268 if shimVers.tls13Variant != 0 {
5269 flags = append(flags, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
5270 flags2 = append(flags2, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
5271 }
5272
5273 for _, runnerVers := range allVersions(protocol) {
5274 // Different TLS 1.3 variants are incompatible with each other and don't
5275 // produce consistent minimum versions.
5276 //
5277 // TODO(davidben): Fold these tests (the main value is in the
5278 // NegotiateVersion bug) into addVersionNegotiationTests and test based
5279 // on intended shim behavior, not the shim + runner combination.
5280 if shimVers.tls13Variant != runnerVers.tls13Variant {
5281 continue
5282 }
5283
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5284 suffix := shimVers.name + "-" + runnerVers.name
5285 if protocol == dtls {
5286 suffix += "-DTLS"
5287 }
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5288
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5289 var expectedVersion uint16
5290 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5291 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5292 if runnerVers.version >= shimVers.version {
5293 expectedVersion = runnerVers.version
5294 } else {
5295 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5296 expectedError = ":UNSUPPORTED_PROTOCOL:"
5297 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5298 }
5299
5300 testCases = append(testCases, testCase{
5301 protocol: protocol,
5302 testType: clientTest,
5303 name: "MinimumVersion-Client-" + suffix,
5304 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5305 MaxVersion: runnerVers.version,
5306 TLS13Variant: runnerVers.tls13Variant,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5307 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5308 // Ensure the server does not decline to
5309 // select a version (versions extension) or
5310 // cipher (some ciphers depend on versions).
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5311 NegotiateVersion: runnerVers.wire(protocol),
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5312 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5313 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5314 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]5315 flags: flags,
5316 expectedVersion: expectedVersion,
5317 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5318 expectedError: expectedError,
5319 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5320 })
5321 testCases = append(testCases, testCase{
5322 protocol: protocol,
5323 testType: clientTest,
5324 name: "MinimumVersion-Client2-" + suffix,
5325 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5326 MaxVersion: runnerVers.version,
5327 TLS13Variant: runnerVers.tls13Variant,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5328 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5329 // Ensure the server does not decline to
5330 // select a version (versions extension) or
5331 // cipher (some ciphers depend on versions).
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5332 NegotiateVersion: runnerVers.wire(protocol),
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5333 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]5334 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5335 },
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5336 flags: flags2,
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]5337 expectedVersion: expectedVersion,
5338 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5339 expectedError: expectedError,
5340 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5341 })
5342
5343 testCases = append(testCases, testCase{
5344 protocol: protocol,
5345 testType: serverTest,
5346 name: "MinimumVersion-Server-" + suffix,
5347 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5348 MaxVersion: runnerVers.version,
5349 TLS13Variant: runnerVers.tls13Variant,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5350 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]5351 flags: flags,
5352 expectedVersion: expectedVersion,
5353 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5354 expectedError: expectedError,
5355 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5356 })
5357 testCases = append(testCases, testCase{
5358 protocol: protocol,
5359 testType: serverTest,
5360 name: "MinimumVersion-Server2-" + suffix,
5361 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5362 MaxVersion: runnerVers.version,
5363 TLS13Variant: runnerVers.tls13Variant,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5364 },
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]5365 flags: flags2,
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]5366 expectedVersion: expectedVersion,
5367 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]5368 expectedError: expectedError,
5369 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]5370 })
5371 }
5372 }
5373 }
5374}
5375
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5376func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5377 // TODO(davidben): Extensions, where applicable, all move their server
5378 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
5379 // tests for both. Also test interaction with 0-RTT when implemented.
5380
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5381 // Repeat extensions tests all versions except SSL 3.0.
5382 for _, ver := range tlsVersions {
5383 if ver.version == VersionSSL30 {
5384 continue
5385 }
5386
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5387 // Test that duplicate extensions are rejected.
5388 testCases = append(testCases, testCase{
5389 testType: clientTest,
5390 name: "DuplicateExtensionClient-" + ver.name,
5391 config: Config{
5392 MaxVersion: ver.version,
5393 Bugs: ProtocolBugs{
5394 DuplicateExtension: true,
5395 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5396 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5397 shouldFail: true,
5398 expectedLocalError: "remote error: error decoding message",
5399 })
5400 testCases = append(testCases, testCase{
5401 testType: serverTest,
5402 name: "DuplicateExtensionServer-" + ver.name,
5403 config: Config{
5404 MaxVersion: ver.version,
5405 Bugs: ProtocolBugs{
5406 DuplicateExtension: true,
5407 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5408 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5409 shouldFail: true,
5410 expectedLocalError: "remote error: error decoding message",
5411 })
5412
5413 // Test SNI.
5414 testCases = append(testCases, testCase{
5415 testType: clientTest,
5416 name: "ServerNameExtensionClient-" + ver.name,
5417 config: Config{
5418 MaxVersion: ver.version,
5419 Bugs: ProtocolBugs{
5420 ExpectServerName: "example.com",
5421 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5422 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5423 flags: []string{"-host-name", "example.com"},
5424 })
5425 testCases = append(testCases, testCase{
5426 testType: clientTest,
5427 name: "ServerNameExtensionClientMismatch-" + ver.name,
5428 config: Config{
5429 MaxVersion: ver.version,
5430 Bugs: ProtocolBugs{
5431 ExpectServerName: "mismatch.com",
5432 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5433 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5434 flags: []string{"-host-name", "example.com"},
5435 shouldFail: true,
5436 expectedLocalError: "tls: unexpected server name",
5437 })
5438 testCases = append(testCases, testCase{
5439 testType: clientTest,
5440 name: "ServerNameExtensionClientMissing-" + ver.name,
5441 config: Config{
5442 MaxVersion: ver.version,
5443 Bugs: ProtocolBugs{
5444 ExpectServerName: "missing.com",
5445 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5446 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5447 shouldFail: true,
5448 expectedLocalError: "tls: unexpected server name",
5449 })
5450 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]5451 testType: clientTest,
5452 name: "TolerateServerNameAck-" + ver.name,
5453 config: Config{
5454 MaxVersion: ver.version,
5455 Bugs: ProtocolBugs{
5456 SendServerNameAck: true,
5457 },
5458 },
5459 flags: []string{"-host-name", "example.com"},
5460 resumeSession: true,
5461 })
5462 testCases = append(testCases, testCase{
5463 testType: clientTest,
5464 name: "UnsolicitedServerNameAck-" + ver.name,
5465 config: Config{
5466 MaxVersion: ver.version,
5467 Bugs: ProtocolBugs{
5468 SendServerNameAck: true,
5469 },
5470 },
5471 shouldFail: true,
5472 expectedError: ":UNEXPECTED_EXTENSION:",
5473 expectedLocalError: "remote error: unsupported extension",
5474 })
5475 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5476 testType: serverTest,
5477 name: "ServerNameExtensionServer-" + ver.name,
5478 config: Config{
5479 MaxVersion: ver.version,
5480 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]5481 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5482 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5483 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5484 })
5485
5486 // Test ALPN.
5487 testCases = append(testCases, testCase{
5488 testType: clientTest,
5489 name: "ALPNClient-" + ver.name,
5490 config: Config{
5491 MaxVersion: ver.version,
5492 NextProtos: []string{"foo"},
5493 },
5494 flags: []string{
5495 "-advertise-alpn", "\x03foo\x03bar\x03baz",
5496 "-expect-alpn", "foo",
5497 },
5498 expectedNextProto: "foo",
5499 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5500 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5501 })
5502 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5503 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5504 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]5505 config: Config{
5506 MaxVersion: ver.version,
5507 Bugs: ProtocolBugs{
5508 SendALPN: "baz",
5509 },
5510 },
5511 flags: []string{
5512 "-advertise-alpn", "\x03foo\x03bar",
5513 },
5514 shouldFail: true,
5515 expectedError: ":INVALID_ALPN_PROTOCOL:",
5516 expectedLocalError: "remote error: illegal parameter",
5517 })
5518 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5519 testType: clientTest,
5520 name: "ALPNClient-AllowUnknown-" + ver.name,
5521 config: Config{
5522 MaxVersion: ver.version,
5523 Bugs: ProtocolBugs{
5524 SendALPN: "baz",
5525 },
5526 },
5527 flags: []string{
5528 "-advertise-alpn", "\x03foo\x03bar",
5529 "-allow-unknown-alpn-protos",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]5530 "-expect-alpn", "baz",
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]5531 },
5532 })
5533 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5534 testType: serverTest,
5535 name: "ALPNServer-" + ver.name,
5536 config: Config{
5537 MaxVersion: ver.version,
5538 NextProtos: []string{"foo", "bar", "baz"},
5539 },
5540 flags: []string{
5541 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5542 "-select-alpn", "foo",
5543 },
5544 expectedNextProto: "foo",
5545 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5546 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5547 })
5548 testCases = append(testCases, testCase{
5549 testType: serverTest,
5550 name: "ALPNServer-Decline-" + ver.name,
5551 config: Config{
5552 MaxVersion: ver.version,
5553 NextProtos: []string{"foo", "bar", "baz"},
5554 },
5555 flags: []string{"-decline-alpn"},
5556 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5557 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5558 })
5559
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5560 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5561 // called once.
5562 testCases = append(testCases, testCase{
5563 testType: serverTest,
5564 name: "ALPNServer-Async-" + ver.name,
5565 config: Config{
5566 MaxVersion: ver.version,
5567 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5568 // Prior to TLS 1.3, exercise the asynchronous session callback.
5569 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5570 },
5571 flags: []string{
5572 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5573 "-select-alpn", "foo",
5574 "-async",
5575 },
5576 expectedNextProto: "foo",
5577 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5578 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5579 })
5580
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5581 var emptyString string
5582 testCases = append(testCases, testCase{
5583 testType: clientTest,
5584 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5585 config: Config{
5586 MaxVersion: ver.version,
5587 NextProtos: []string{""},
5588 Bugs: ProtocolBugs{
5589 // A server returning an empty ALPN protocol
5590 // should be rejected.
5591 ALPNProtocol: &emptyString,
5592 },
5593 },
5594 flags: []string{
5595 "-advertise-alpn", "\x03foo",
5596 },
5597 shouldFail: true,
5598 expectedError: ":PARSE_TLSEXT:",
5599 })
5600 testCases = append(testCases, testCase{
5601 testType: serverTest,
5602 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5603 config: Config{
5604 MaxVersion: ver.version,
5605 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5606 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5607 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5608 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5609 flags: []string{
5610 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5611 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5612 shouldFail: true,
5613 expectedError: ":PARSE_TLSEXT:",
5614 })
5615
5616 // Test NPN and the interaction with ALPN.
5617 if ver.version < VersionTLS13 {
5618 // Test that the server prefers ALPN over NPN.
5619 testCases = append(testCases, testCase{
5620 testType: serverTest,
5621 name: "ALPNServer-Preferred-" + ver.name,
5622 config: Config{
5623 MaxVersion: ver.version,
5624 NextProtos: []string{"foo", "bar", "baz"},
5625 },
5626 flags: []string{
5627 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5628 "-select-alpn", "foo",
5629 "-advertise-npn", "\x03foo\x03bar\x03baz",
5630 },
5631 expectedNextProto: "foo",
5632 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5633 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5634 })
5635 testCases = append(testCases, testCase{
5636 testType: serverTest,
5637 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5638 config: Config{
5639 MaxVersion: ver.version,
5640 NextProtos: []string{"foo", "bar", "baz"},
5641 Bugs: ProtocolBugs{
5642 SwapNPNAndALPN: true,
5643 },
5644 },
5645 flags: []string{
5646 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5647 "-select-alpn", "foo",
5648 "-advertise-npn", "\x03foo\x03bar\x03baz",
5649 },
5650 expectedNextProto: "foo",
5651 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5652 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5653 })
5654
5655 // Test that negotiating both NPN and ALPN is forbidden.
5656 testCases = append(testCases, testCase{
5657 name: "NegotiateALPNAndNPN-" + ver.name,
5658 config: Config{
5659 MaxVersion: ver.version,
5660 NextProtos: []string{"foo", "bar", "baz"},
5661 Bugs: ProtocolBugs{
5662 NegotiateALPNAndNPN: true,
5663 },
5664 },
5665 flags: []string{
5666 "-advertise-alpn", "\x03foo",
5667 "-select-next-proto", "foo",
5668 },
5669 shouldFail: true,
5670 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5671 })
5672 testCases = append(testCases, testCase{
5673 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5674 config: Config{
5675 MaxVersion: ver.version,
5676 NextProtos: []string{"foo", "bar", "baz"},
5677 Bugs: ProtocolBugs{
5678 NegotiateALPNAndNPN: true,
5679 SwapNPNAndALPN: true,
5680 },
5681 },
5682 flags: []string{
5683 "-advertise-alpn", "\x03foo",
5684 "-select-next-proto", "foo",
5685 },
5686 shouldFail: true,
5687 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5688 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5689 }
5690
5691 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5692
5693 // Resume with a corrupt ticket.
5694 testCases = append(testCases, testCase{
5695 testType: serverTest,
5696 name: "CorruptTicket-" + ver.name,
5697 config: Config{
5698 MaxVersion: ver.version,
5699 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5700 FilterTicket: func(in []byte) ([]byte, error) {
5701 in[len(in)-1] ^= 1
5702 return in, nil
5703 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5704 },
5705 },
5706 resumeSession: true,
5707 expectResumeRejected: true,
5708 })
5709 // Test the ticket callback, with and without renewal.
5710 testCases = append(testCases, testCase{
5711 testType: serverTest,
5712 name: "TicketCallback-" + ver.name,
5713 config: Config{
5714 MaxVersion: ver.version,
5715 },
5716 resumeSession: true,
5717 flags: []string{"-use-ticket-callback"},
5718 })
5719 testCases = append(testCases, testCase{
5720 testType: serverTest,
5721 name: "TicketCallback-Renew-" + ver.name,
5722 config: Config{
5723 MaxVersion: ver.version,
5724 Bugs: ProtocolBugs{
5725 ExpectNewTicket: true,
5726 },
5727 },
5728 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5729 resumeSession: true,
5730 })
5731
5732 // Test that the ticket callback is only called once when everything before
5733 // it in the ClientHello is asynchronous. This corrupts the ticket so
5734 // certificate selection callbacks run.
5735 testCases = append(testCases, testCase{
5736 testType: serverTest,
5737 name: "TicketCallback-SingleCall-" + ver.name,
5738 config: Config{
5739 MaxVersion: ver.version,
5740 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5741 FilterTicket: func(in []byte) ([]byte, error) {
5742 in[len(in)-1] ^= 1
5743 return in, nil
5744 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5745 },
5746 },
5747 resumeSession: true,
5748 expectResumeRejected: true,
5749 flags: []string{
5750 "-use-ticket-callback",
5751 "-async",
5752 },
5753 })
5754
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5755 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5756 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5757 testCases = append(testCases, testCase{
5758 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5759 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5760 config: Config{
5761 MaxVersion: ver.version,
5762 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5763 EmptyTicketSessionID: true,
5764 },
5765 },
5766 resumeSession: true,
5767 })
5768 testCases = append(testCases, testCase{
5769 testType: serverTest,
5770 name: "TicketSessionIDLength-16-" + ver.name,
5771 config: Config{
5772 MaxVersion: ver.version,
5773 Bugs: ProtocolBugs{
5774 TicketSessionIDLength: 16,
5775 },
5776 },
5777 resumeSession: true,
5778 })
5779 testCases = append(testCases, testCase{
5780 testType: serverTest,
5781 name: "TicketSessionIDLength-32-" + ver.name,
5782 config: Config{
5783 MaxVersion: ver.version,
5784 Bugs: ProtocolBugs{
5785 TicketSessionIDLength: 32,
5786 },
5787 },
5788 resumeSession: true,
5789 })
5790 testCases = append(testCases, testCase{
5791 testType: serverTest,
5792 name: "TicketSessionIDLength-33-" + ver.name,
5793 config: Config{
5794 MaxVersion: ver.version,
5795 Bugs: ProtocolBugs{
5796 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5797 },
5798 },
5799 resumeSession: true,
5800 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5801 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5802 expectedError: ":DECODE_ERROR:",
5803 })
5804 }
5805
5806 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5807 // are ignored.
5808 if ver.hasDTLS {
5809 testCases = append(testCases, testCase{
5810 protocol: dtls,
5811 name: "SRTP-Client-" + ver.name,
5812 config: Config{
5813 MaxVersion: ver.version,
5814 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5815 },
5816 flags: []string{
5817 "-srtp-profiles",
5818 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5819 },
5820 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5821 })
5822 testCases = append(testCases, testCase{
5823 protocol: dtls,
5824 testType: serverTest,
5825 name: "SRTP-Server-" + ver.name,
5826 config: Config{
5827 MaxVersion: ver.version,
5828 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5829 },
5830 flags: []string{
5831 "-srtp-profiles",
5832 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5833 },
5834 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5835 })
5836 // Test that the MKI is ignored.
5837 testCases = append(testCases, testCase{
5838 protocol: dtls,
5839 testType: serverTest,
5840 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5841 config: Config{
5842 MaxVersion: ver.version,
5843 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5844 Bugs: ProtocolBugs{
5845 SRTPMasterKeyIdentifer: "bogus",
5846 },
5847 },
5848 flags: []string{
5849 "-srtp-profiles",
5850 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5851 },
5852 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5853 })
5854 // Test that SRTP isn't negotiated on the server if there were
5855 // no matching profiles.
5856 testCases = append(testCases, testCase{
5857 protocol: dtls,
5858 testType: serverTest,
5859 name: "SRTP-Server-NoMatch-" + ver.name,
5860 config: Config{
5861 MaxVersion: ver.version,
5862 SRTPProtectionProfiles: []uint16{100, 101, 102},
5863 },
5864 flags: []string{
5865 "-srtp-profiles",
5866 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5867 },
5868 expectedSRTPProtectionProfile: 0,
5869 })
5870 // Test that the server returning an invalid SRTP profile is
5871 // flagged as an error by the client.
5872 testCases = append(testCases, testCase{
5873 protocol: dtls,
5874 name: "SRTP-Client-NoMatch-" + ver.name,
5875 config: Config{
5876 MaxVersion: ver.version,
5877 Bugs: ProtocolBugs{
5878 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5879 },
5880 },
5881 flags: []string{
5882 "-srtp-profiles",
5883 "SRTP_AES128_CM_SHA1_80",
5884 },
5885 shouldFail: true,
5886 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5887 })
5888 }
5889
5890 // Test SCT list.
5891 testCases = append(testCases, testCase{
5892 name: "SignedCertificateTimestampList-Client-" + ver.name,
5893 testType: clientTest,
5894 config: Config{
5895 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5896 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5897 flags: []string{
5898 "-enable-signed-cert-timestamps",
5899 "-expect-signed-cert-timestamps",
5900 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5901 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5902 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5903 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5904
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5905 var differentSCTList []byte
5906 differentSCTList = append(differentSCTList, testSCTList...)
5907 differentSCTList[len(differentSCTList)-1] ^= 1
5908
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5909 // The SCT extension did not specify that it must only be sent on resumption as it
5910 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5911 testCases = append(testCases, testCase{
5912 name: "SendSCTListOnResume-" + ver.name,
5913 config: Config{
5914 MaxVersion: ver.version,
5915 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5916 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5917 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5918 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5919 flags: []string{
5920 "-enable-signed-cert-timestamps",
5921 "-expect-signed-cert-timestamps",
5922 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5923 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5924 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5925 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5926
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5927 testCases = append(testCases, testCase{
5928 name: "SignedCertificateTimestampList-Server-" + ver.name,
5929 testType: serverTest,
5930 config: Config{
5931 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5932 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5933 flags: []string{
5934 "-signed-cert-timestamps",
5935 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5936 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5937 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5938 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5939 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5940
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5941 emptySCTListCert := *testCerts[0].cert
5942 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5943
5944 // Test empty SCT list.
5945 testCases = append(testCases, testCase{
5946 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5947 testType: clientTest,
5948 config: Config{
5949 MaxVersion: ver.version,
5950 Certificates: []Certificate{emptySCTListCert},
5951 },
5952 flags: []string{
5953 "-enable-signed-cert-timestamps",
5954 },
5955 shouldFail: true,
5956 expectedError: ":ERROR_PARSING_EXTENSION:",
5957 })
5958
5959 emptySCTCert := *testCerts[0].cert
5960 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5961
5962 // Test empty SCT in non-empty list.
5963 testCases = append(testCases, testCase{
5964 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5965 testType: clientTest,
5966 config: Config{
5967 MaxVersion: ver.version,
5968 Certificates: []Certificate{emptySCTCert},
5969 },
5970 flags: []string{
5971 "-enable-signed-cert-timestamps",
5972 },
5973 shouldFail: true,
5974 expectedError: ":ERROR_PARSING_EXTENSION:",
5975 })
5976
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5977 // Test that certificate-related extensions are not sent unsolicited.
5978 testCases = append(testCases, testCase{
5979 testType: serverTest,
5980 name: "UnsolicitedCertificateExtensions-" + ver.name,
5981 config: Config{
5982 MaxVersion: ver.version,
5983 Bugs: ProtocolBugs{
5984 NoOCSPStapling: true,
5985 NoSignedCertificateTimestamps: true,
5986 },
5987 },
5988 flags: []string{
5989 "-ocsp-response",
5990 base64.StdEncoding.EncodeToString(testOCSPResponse),
5991 "-signed-cert-timestamps",
5992 base64.StdEncoding.EncodeToString(testSCTList),
5993 },
5994 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5995 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5996
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5997 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5998 testType: clientTest,
5999 name: "ClientHelloPadding",
6000 config: Config{
6001 Bugs: ProtocolBugs{
6002 RequireClientHelloSize: 512,
6003 },
6004 },
6005 // This hostname just needs to be long enough to push the
6006 // ClientHello into F5's danger zone between 256 and 511 bytes
6007 // long.
6008 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
6009 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]6010
6011 // Extensions should not function in SSL 3.0.
6012 testCases = append(testCases, testCase{
6013 testType: serverTest,
6014 name: "SSLv3Extensions-NoALPN",
6015 config: Config{
6016 MaxVersion: VersionSSL30,
6017 NextProtos: []string{"foo", "bar", "baz"},
6018 },
6019 flags: []string{
6020 "-select-alpn", "foo",
6021 },
6022 expectNoNextProto: true,
6023 })
6024
6025 // Test session tickets separately as they follow a different codepath.
6026 testCases = append(testCases, testCase{
6027 testType: serverTest,
6028 name: "SSLv3Extensions-NoTickets",
6029 config: Config{
6030 MaxVersion: VersionSSL30,
6031 Bugs: ProtocolBugs{
6032 // Historically, session tickets in SSL 3.0
6033 // failed in different ways depending on whether
6034 // the client supported renegotiation_info.
6035 NoRenegotiationInfo: true,
6036 },
6037 },
6038 resumeSession: true,
6039 })
6040 testCases = append(testCases, testCase{
6041 testType: serverTest,
6042 name: "SSLv3Extensions-NoTickets2",
6043 config: Config{
6044 MaxVersion: VersionSSL30,
6045 },
6046 resumeSession: true,
6047 })
6048
6049 // But SSL 3.0 does send and process renegotiation_info.
6050 testCases = append(testCases, testCase{
6051 testType: serverTest,
6052 name: "SSLv3Extensions-RenegotiationInfo",
6053 config: Config{
6054 MaxVersion: VersionSSL30,
6055 Bugs: ProtocolBugs{
6056 RequireRenegotiationInfo: true,
6057 },
6058 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6059 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]6060 })
6061 testCases = append(testCases, testCase{
6062 testType: serverTest,
6063 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
6064 config: Config{
6065 MaxVersion: VersionSSL30,
6066 Bugs: ProtocolBugs{
6067 NoRenegotiationInfo: true,
6068 SendRenegotiationSCSV: true,
6069 RequireRenegotiationInfo: true,
6070 },
6071 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6072 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]6073 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6074
6075 // Test that illegal extensions in TLS 1.3 are rejected by the client if
6076 // in ServerHello.
6077 testCases = append(testCases, testCase{
6078 name: "NPN-Forbidden-TLS13",
6079 config: Config{
6080 MaxVersion: VersionTLS13,
6081 NextProtos: []string{"foo"},
6082 Bugs: ProtocolBugs{
6083 NegotiateNPNAtAllVersions: true,
6084 },
6085 },
6086 flags: []string{"-select-next-proto", "foo"},
6087 shouldFail: true,
6088 expectedError: ":ERROR_PARSING_EXTENSION:",
6089 })
6090 testCases = append(testCases, testCase{
6091 name: "EMS-Forbidden-TLS13",
6092 config: Config{
6093 MaxVersion: VersionTLS13,
6094 Bugs: ProtocolBugs{
6095 NegotiateEMSAtAllVersions: true,
6096 },
6097 },
6098 shouldFail: true,
6099 expectedError: ":ERROR_PARSING_EXTENSION:",
6100 })
6101 testCases = append(testCases, testCase{
6102 name: "RenegotiationInfo-Forbidden-TLS13",
6103 config: Config{
6104 MaxVersion: VersionTLS13,
6105 Bugs: ProtocolBugs{
6106 NegotiateRenegotiationInfoAtAllVersions: true,
6107 },
6108 },
6109 shouldFail: true,
6110 expectedError: ":ERROR_PARSING_EXTENSION:",
6111 })
6112 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6113 name: "Ticket-Forbidden-TLS13",
6114 config: Config{
6115 MaxVersion: VersionTLS12,
6116 },
6117 resumeConfig: &Config{
6118 MaxVersion: VersionTLS13,
6119 Bugs: ProtocolBugs{
6120 AdvertiseTicketExtension: true,
6121 },
6122 },
6123 resumeSession: true,
6124 shouldFail: true,
6125 expectedError: ":ERROR_PARSING_EXTENSION:",
6126 })
6127
6128 // Test that illegal extensions in TLS 1.3 are declined by the server if
6129 // offered in ClientHello. The runner's server will fail if this occurs,
6130 // so we exercise the offering path. (EMS and Renegotiation Info are
6131 // implicit in every test.)
6132 testCases = append(testCases, testCase{
6133 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]6134 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6135 config: Config{
6136 MaxVersion: VersionTLS13,
6137 NextProtos: []string{"bar"},
6138 },
6139 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
6140 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]6141
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6142 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
6143 // tolerated.
6144 testCases = append(testCases, testCase{
6145 name: "SendOCSPResponseOnResume-TLS12",
6146 config: Config{
6147 MaxVersion: VersionTLS12,
6148 Bugs: ProtocolBugs{
6149 SendOCSPResponseOnResume: []byte("bogus"),
6150 },
6151 },
6152 flags: []string{
6153 "-enable-ocsp-stapling",
6154 "-expect-ocsp-response",
6155 base64.StdEncoding.EncodeToString(testOCSPResponse),
6156 },
6157 resumeSession: true,
6158 })
6159
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6160 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6161 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6162 config: Config{
6163 MaxVersion: VersionTLS13,
6164 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6165 SendExtensionOnCertificate: testOCSPExtension,
6166 },
6167 },
6168 shouldFail: true,
6169 expectedError: ":UNEXPECTED_EXTENSION:",
6170 })
6171
6172 testCases = append(testCases, testCase{
6173 name: "SendUnsolicitedSCTOnCertificate-TLS13",
6174 config: Config{
6175 MaxVersion: VersionTLS13,
6176 Bugs: ProtocolBugs{
6177 SendExtensionOnCertificate: testSCTExtension,
6178 },
6179 },
6180 shouldFail: true,
6181 expectedError: ":UNEXPECTED_EXTENSION:",
6182 })
6183
6184 // Test that extensions on client certificates are never accepted.
6185 testCases = append(testCases, testCase{
6186 name: "SendExtensionOnClientCertificate-TLS13",
6187 testType: serverTest,
6188 config: Config{
6189 MaxVersion: VersionTLS13,
6190 Certificates: []Certificate{rsaCertificate},
6191 Bugs: ProtocolBugs{
6192 SendExtensionOnCertificate: testOCSPExtension,
6193 },
6194 },
6195 flags: []string{
6196 "-enable-ocsp-stapling",
6197 "-require-any-client-certificate",
6198 },
6199 shouldFail: true,
6200 expectedError: ":UNEXPECTED_EXTENSION:",
6201 })
6202
6203 testCases = append(testCases, testCase{
6204 name: "SendUnknownExtensionOnCertificate-TLS13",
6205 config: Config{
6206 MaxVersion: VersionTLS13,
6207 Bugs: ProtocolBugs{
6208 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
6209 },
6210 },
6211 shouldFail: true,
6212 expectedError: ":UNEXPECTED_EXTENSION:",
6213 })
6214
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]6215 var differentSCTList []byte
6216 differentSCTList = append(differentSCTList, testSCTList...)
6217 differentSCTList[len(differentSCTList)-1] ^= 1
6218
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6219 // Test that extensions on intermediates are allowed but ignored.
6220 testCases = append(testCases, testCase{
6221 name: "IgnoreExtensionsOnIntermediates-TLS13",
6222 config: Config{
6223 MaxVersion: VersionTLS13,
6224 Certificates: []Certificate{rsaChainCertificate},
6225 Bugs: ProtocolBugs{
6226 // Send different values on the intermediate. This tests
6227 // the intermediate's extensions do not override the
6228 // leaf's.
6229 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]6230 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6231 },
6232 },
6233 flags: []string{
6234 "-enable-ocsp-stapling",
6235 "-expect-ocsp-response",
6236 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6237 "-enable-signed-cert-timestamps",
6238 "-expect-signed-cert-timestamps",
6239 base64.StdEncoding.EncodeToString(testSCTList),
6240 },
6241 resumeSession: true,
6242 })
6243
6244 // Test that extensions are not sent on intermediates when configured
6245 // only for a leaf.
6246 testCases = append(testCases, testCase{
6247 testType: serverTest,
6248 name: "SendNoExtensionsOnIntermediate-TLS13",
6249 config: Config{
6250 MaxVersion: VersionTLS13,
6251 Bugs: ProtocolBugs{
6252 ExpectNoExtensionsOnIntermediate: true,
6253 },
6254 },
6255 flags: []string{
6256 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
6257 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
6258 "-ocsp-response",
6259 base64.StdEncoding.EncodeToString(testOCSPResponse),
6260 "-signed-cert-timestamps",
6261 base64.StdEncoding.EncodeToString(testSCTList),
6262 },
6263 })
6264
6265 // Test that extensions are not sent on client certificates.
6266 testCases = append(testCases, testCase{
6267 name: "SendNoClientCertificateExtensions-TLS13",
6268 config: Config{
6269 MaxVersion: VersionTLS13,
6270 ClientAuth: RequireAnyClientCert,
6271 },
6272 flags: []string{
6273 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6274 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6275 "-ocsp-response",
6276 base64.StdEncoding.EncodeToString(testOCSPResponse),
6277 "-signed-cert-timestamps",
6278 base64.StdEncoding.EncodeToString(testSCTList),
6279 },
6280 })
6281
6282 testCases = append(testCases, testCase{
6283 name: "SendDuplicateExtensionsOnCerts-TLS13",
6284 config: Config{
6285 MaxVersion: VersionTLS13,
6286 Bugs: ProtocolBugs{
6287 SendDuplicateCertExtensions: true,
6288 },
6289 },
6290 flags: []string{
6291 "-enable-ocsp-stapling",
6292 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6293 },
6294 resumeSession: true,
6295 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6296 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]6297 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]6298
6299 testCases = append(testCases, testCase{
6300 name: "SignedCertificateTimestampListInvalid-Server",
6301 testType: serverTest,
6302 flags: []string{
6303 "-signed-cert-timestamps",
6304 base64.StdEncoding.EncodeToString([]byte{0, 0}),
6305 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]6306 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]6307 expectedError: ":INVALID_SCT_LIST:",
6308 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]6309}
6310
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6311func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6312 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6313 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6314 // SSL 3.0 does not have tickets and TLS 1.3 does not
6315 // have session IDs, so skip their cross-resumption
6316 // tests.
6317 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
6318 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
6319 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6320 }
6321
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6322 protocols := []protocol{tls}
6323 if sessionVers.hasDTLS && resumeVers.hasDTLS {
6324 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]6325 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6326 for _, protocol := range protocols {
6327 suffix := "-" + sessionVers.name + "-" + resumeVers.name
6328 if protocol == dtls {
6329 suffix += "-DTLS"
6330 }
6331
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6332 // We can't resume across TLS 1.3 variants and error out earlier in the
6333 // session resumption.
6334 if sessionVers.tls13Variant != resumeVers.tls13Variant {
6335 continue
6336 }
6337
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6338 if sessionVers.version == resumeVers.version {
6339 testCases = append(testCases, testCase{
6340 protocol: protocol,
6341 name: "Resume-Client" + suffix,
6342 resumeSession: true,
6343 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6344 MaxVersion: sessionVers.version,
6345 TLS13Variant: sessionVers.tls13Variant,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]6346 Bugs: ProtocolBugs{
6347 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
6348 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
6349 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6350 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6351 expectedVersion: sessionVers.version,
6352 expectedResumeVersion: resumeVers.version,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6353 flags: []string{
6354 "-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
6355 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6356 })
6357 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]6358 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
6359
6360 // Offering a TLS 1.3 session sends an empty session ID, so
6361 // there is no way to convince a non-lookahead client the
6362 // session was resumed. It will appear to the client that a
6363 // stray ChangeCipherSpec was sent.
6364 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
6365 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6366 }
6367
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6368 testCases = append(testCases, testCase{
6369 protocol: protocol,
6370 name: "Resume-Client-Mismatch" + suffix,
6371 resumeSession: true,
6372 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6373 MaxVersion: sessionVers.version,
6374 TLS13Variant: sessionVers.tls13Variant,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6375 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6376 expectedVersion: sessionVers.version,
6377 resumeConfig: &Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6378 MaxVersion: resumeVers.version,
6379 TLS13Variant: resumeVers.tls13Variant,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6380 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]6381 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6382 },
6383 },
6384 expectedResumeVersion: resumeVers.version,
6385 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6386 expectedError: error,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6387 flags: []string{
6388 "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
6389 "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
6390 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6391 })
6392 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6393
6394 testCases = append(testCases, testCase{
6395 protocol: protocol,
6396 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6397 resumeSession: true,
6398 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6399 MaxVersion: sessionVers.version,
6400 TLS13Variant: sessionVers.tls13Variant,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6401 },
6402 expectedVersion: sessionVers.version,
6403 resumeConfig: &Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6404 MaxVersion: resumeVers.version,
6405 TLS13Variant: resumeVers.tls13Variant,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6406 },
6407 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]6408 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6409 expectedResumeVersion: resumeVers.version,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6410 flags: []string{
6411 "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
6412 "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
6413 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6414 })
6415
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6416 testCases = append(testCases, testCase{
6417 protocol: protocol,
6418 testType: serverTest,
6419 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6420 resumeSession: true,
6421 config: Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6422 MaxVersion: sessionVers.version,
6423 TLS13Variant: sessionVers.tls13Variant,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6424 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]6425 expectedVersion: sessionVers.version,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6426 expectResumeRejected: sessionVers != resumeVers,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6427 resumeConfig: &Config{
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6428 MaxVersion: resumeVers.version,
6429 TLS13Variant: resumeVers.tls13Variant,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]6430 Bugs: ProtocolBugs{
6431 SendBothTickets: true,
6432 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6433 },
6434 expectedResumeVersion: resumeVers.version,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]6435 flags: []string{
6436 "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
6437 "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
6438 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]6439 })
6440 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6441 }
6442 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6443
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6444 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6445 testCases = append(testCases, testCase{
6446 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6447 name: "ShimTicketRewritable",
6448 resumeSession: true,
6449 config: Config{
6450 MaxVersion: VersionTLS12,
6451 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6452 Bugs: ProtocolBugs{
6453 FilterTicket: func(in []byte) ([]byte, error) {
6454 in, err := SetShimTicketVersion(in, VersionTLS12)
6455 if err != nil {
6456 return nil, err
6457 }
6458 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6459 },
6460 },
6461 },
6462 flags: []string{
6463 "-ticket-key",
6464 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6465 },
6466 })
6467
6468 // Resumptions are declined if the version does not match.
6469 testCases = append(testCases, testCase{
6470 testType: serverTest,
6471 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6472 resumeSession: true,
6473 config: Config{
6474 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6475 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6476 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6477 FilterTicket: func(in []byte) ([]byte, error) {
6478 return SetShimTicketVersion(in, VersionTLS13)
6479 },
6480 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6481 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6482 flags: []string{
6483 "-ticket-key",
6484 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6485 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6486 expectResumeRejected: true,
6487 })
6488
6489 testCases = append(testCases, testCase{
6490 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6491 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6492 resumeSession: true,
6493 config: Config{
6494 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6495 Bugs: ProtocolBugs{
6496 FilterTicket: func(in []byte) ([]byte, error) {
6497 return SetShimTicketVersion(in, VersionTLS12)
6498 },
6499 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6500 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6501 flags: []string{
6502 "-ticket-key",
6503 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6504 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]6505 expectResumeRejected: true,
6506 })
6507
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6508 // Resumptions are declined if the cipher is invalid or disabled.
6509 testCases = append(testCases, testCase{
6510 testType: serverTest,
6511 name: "Resume-Server-DeclineBadCipher",
6512 resumeSession: true,
6513 config: Config{
6514 MaxVersion: VersionTLS12,
6515 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6516 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6517 FilterTicket: func(in []byte) ([]byte, error) {
6518 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6519 },
6520 },
6521 },
6522 flags: []string{
6523 "-ticket-key",
6524 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6525 },
6526 expectResumeRejected: true,
6527 })
6528
6529 testCases = append(testCases, testCase{
6530 testType: serverTest,
6531 name: "Resume-Server-DeclineBadCipher-2",
6532 resumeSession: true,
6533 config: Config{
6534 MaxVersion: VersionTLS12,
6535 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6536 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6537 FilterTicket: func(in []byte) ([]byte, error) {
6538 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
6539 },
6540 },
6541 },
6542 flags: []string{
6543 "-cipher", "AES128",
6544 "-ticket-key",
6545 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6546 },
6547 expectResumeRejected: true,
6548 })
6549
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6550 // Sessions are not resumed if they do not use the preferred cipher.
6551 testCases = append(testCases, testCase{
6552 testType: serverTest,
6553 name: "Resume-Server-CipherNotPreferred",
6554 resumeSession: true,
6555 config: Config{
6556 MaxVersion: VersionTLS12,
6557 Bugs: ProtocolBugs{
6558 ExpectNewTicket: true,
6559 FilterTicket: func(in []byte) ([]byte, error) {
6560 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6561 },
6562 },
6563 },
6564 flags: []string{
6565 "-ticket-key",
6566 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6567 },
6568 shouldFail: false,
6569 expectResumeRejected: true,
6570 })
6571
6572 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6573 // PRF hashes match, but BoringSSL will always decline such resumptions.
6574 testCases = append(testCases, testCase{
6575 testType: serverTest,
6576 name: "Resume-Server-CipherNotPreferred-TLS13",
6577 resumeSession: true,
6578 config: Config{
6579 MaxVersion: VersionTLS13,
6580 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6581 Bugs: ProtocolBugs{
6582 FilterTicket: func(in []byte) ([]byte, error) {
6583 // If the client (runner) offers ChaCha20-Poly1305 first, the
6584 // server (shim) always prefers it. Switch it to AES-GCM.
6585 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6586 },
6587 },
6588 },
6589 flags: []string{
6590 "-ticket-key",
6591 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6592 },
6593 shouldFail: false,
6594 expectResumeRejected: true,
6595 })
6596
6597 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6598 testCases = append(testCases, testCase{
6599 testType: serverTest,
6600 name: "Resume-Server-DeclineBadCipher-TLS13",
6601 resumeSession: true,
6602 config: Config{
6603 MaxVersion: VersionTLS13,
6604 Bugs: ProtocolBugs{
6605 FilterTicket: func(in []byte) ([]byte, error) {
6606 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6607 },
6608 },
6609 },
6610 flags: []string{
6611 "-ticket-key",
6612 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6613 },
6614 expectResumeRejected: true,
6615 })
6616
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6617 // If the client does not offer the cipher from the session, decline to
6618 // resume. Clients are forbidden from doing this, but BoringSSL selects
6619 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6620 testCases = append(testCases, testCase{
6621 testType: serverTest,
6622 name: "Resume-Server-UnofferedCipher",
6623 resumeSession: true,
6624 config: Config{
6625 MaxVersion: VersionTLS12,
6626 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6627 },
6628 resumeConfig: &Config{
6629 MaxVersion: VersionTLS12,
6630 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6631 Bugs: ProtocolBugs{
6632 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6633 },
6634 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6635 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6636 })
6637
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6638 // In TLS 1.3, clients may advertise a cipher list which does not
6639 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6640 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6641 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6642 testCases = append(testCases, testCase{
6643 testType: serverTest,
6644 name: "Resume-Server-UnofferedCipher-TLS13",
6645 resumeSession: true,
6646 config: Config{
6647 MaxVersion: VersionTLS13,
6648 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6649 },
6650 resumeConfig: &Config{
6651 MaxVersion: VersionTLS13,
6652 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6653 Bugs: ProtocolBugs{
6654 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6655 },
6656 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6657 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6658 })
6659
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6660 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6661 testCases = append(testCases, testCase{
6662 name: "Resume-Client-CipherMismatch",
6663 resumeSession: true,
6664 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6665 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6666 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6667 },
6668 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6669 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6670 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6671 Bugs: ProtocolBugs{
6672 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6673 },
6674 },
6675 shouldFail: true,
6676 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6677 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6678
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6679 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6680 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6681 testCases = append(testCases, testCase{
6682 name: "Resume-Client-CipherMismatch-TLS13",
6683 resumeSession: true,
6684 config: Config{
6685 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6686 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6687 },
6688 resumeConfig: &Config{
6689 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6690 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6691 },
6692 })
6693
6694 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6695 testCases = append(testCases, testCase{
6696 name: "Resume-Client-PRFMismatch-TLS13",
6697 resumeSession: true,
6698 config: Config{
6699 MaxVersion: VersionTLS13,
6700 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6701 },
6702 resumeConfig: &Config{
6703 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6704 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6705 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6706 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6707 },
6708 },
6709 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6710 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6711 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6712
6713 testCases = append(testCases, testCase{
6714 testType: serverTest,
6715 name: "Resume-Server-BinderWrongLength",
6716 resumeSession: true,
6717 config: Config{
6718 MaxVersion: VersionTLS13,
6719 Bugs: ProtocolBugs{
6720 SendShortPSKBinder: true,
6721 },
6722 },
6723 shouldFail: true,
6724 expectedLocalError: "remote error: error decrypting message",
6725 expectedError: ":DIGEST_CHECK_FAILED:",
6726 })
6727
6728 testCases = append(testCases, testCase{
6729 testType: serverTest,
6730 name: "Resume-Server-NoPSKBinder",
6731 resumeSession: true,
6732 config: Config{
6733 MaxVersion: VersionTLS13,
6734 Bugs: ProtocolBugs{
6735 SendNoPSKBinder: true,
6736 },
6737 },
6738 shouldFail: true,
6739 expectedLocalError: "remote error: error decoding message",
6740 expectedError: ":DECODE_ERROR:",
6741 })
6742
6743 testCases = append(testCases, testCase{
6744 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6745 name: "Resume-Server-ExtraPSKBinder",
6746 resumeSession: true,
6747 config: Config{
6748 MaxVersion: VersionTLS13,
6749 Bugs: ProtocolBugs{
6750 SendExtraPSKBinder: true,
6751 },
6752 },
6753 shouldFail: true,
6754 expectedLocalError: "remote error: illegal parameter",
6755 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6756 })
6757
6758 testCases = append(testCases, testCase{
6759 testType: serverTest,
6760 name: "Resume-Server-ExtraIdentityNoBinder",
6761 resumeSession: true,
6762 config: Config{
6763 MaxVersion: VersionTLS13,
6764 Bugs: ProtocolBugs{
6765 ExtraPSKIdentity: true,
6766 },
6767 },
6768 shouldFail: true,
6769 expectedLocalError: "remote error: illegal parameter",
6770 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6771 })
6772
6773 testCases = append(testCases, testCase{
6774 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6775 name: "Resume-Server-InvalidPSKBinder",
6776 resumeSession: true,
6777 config: Config{
6778 MaxVersion: VersionTLS13,
6779 Bugs: ProtocolBugs{
6780 SendInvalidPSKBinder: true,
6781 },
6782 },
6783 shouldFail: true,
6784 expectedLocalError: "remote error: error decrypting message",
6785 expectedError: ":DIGEST_CHECK_FAILED:",
6786 })
6787
6788 testCases = append(testCases, testCase{
6789 testType: serverTest,
6790 name: "Resume-Server-PSKBinderFirstExtension",
6791 resumeSession: true,
6792 config: Config{
6793 MaxVersion: VersionTLS13,
6794 Bugs: ProtocolBugs{
6795 PSKBinderFirst: true,
6796 },
6797 },
6798 shouldFail: true,
6799 expectedLocalError: "remote error: illegal parameter",
6800 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6801 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6802}
6803
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6804func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6805 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6806 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6807 testType: serverTest,
6808 name: "Renegotiate-Server-Forbidden",
6809 config: Config{
6810 MaxVersion: VersionTLS12,
6811 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6812 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6813 shouldFail: true,
6814 expectedError: ":NO_RENEGOTIATION:",
6815 expectedLocalError: "remote error: no renegotiation",
6816 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6817 // The server shouldn't echo the renegotiation extension unless
6818 // requested by the client.
6819 testCases = append(testCases, testCase{
6820 testType: serverTest,
6821 name: "Renegotiate-Server-NoExt",
6822 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6823 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6824 Bugs: ProtocolBugs{
6825 NoRenegotiationInfo: true,
6826 RequireRenegotiationInfo: true,
6827 },
6828 },
6829 shouldFail: true,
6830 expectedLocalError: "renegotiation extension missing",
6831 })
6832 // The renegotiation SCSV should be sufficient for the server to echo
6833 // the extension.
6834 testCases = append(testCases, testCase{
6835 testType: serverTest,
6836 name: "Renegotiate-Server-NoExt-SCSV",
6837 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6838 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6839 Bugs: ProtocolBugs{
6840 NoRenegotiationInfo: true,
6841 SendRenegotiationSCSV: true,
6842 RequireRenegotiationInfo: true,
6843 },
6844 },
6845 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6846 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6847 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6848 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6849 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6850 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6851 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6852 },
6853 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6854 renegotiate: 1,
6855 flags: []string{
6856 "-renegotiate-freely",
6857 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6858 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6859 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6860 })
6861 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6862 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6863 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6864 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6865 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6866 Bugs: ProtocolBugs{
6867 EmptyRenegotiationInfo: true,
6868 },
6869 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6870 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6871 shouldFail: true,
6872 expectedError: ":RENEGOTIATION_MISMATCH:",
6873 })
6874 testCases = append(testCases, testCase{
6875 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6876 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6877 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6878 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6879 Bugs: ProtocolBugs{
6880 BadRenegotiationInfo: true,
6881 },
6882 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6883 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6884 shouldFail: true,
6885 expectedError: ":RENEGOTIATION_MISMATCH:",
6886 })
6887 testCases = append(testCases, testCase{
David Benjamin9343b0b2017-07-01 00:31:27 -0400[diff] [blame]6888 name: "Renegotiate-Client-BadExt2",
6889 renegotiate: 1,
6890 config: Config{
6891 MaxVersion: VersionTLS12,
6892 Bugs: ProtocolBugs{
6893 BadRenegotiationInfoEnd: true,
6894 },
6895 },
6896 flags: []string{"-renegotiate-freely"},
6897 shouldFail: true,
6898 expectedError: ":RENEGOTIATION_MISMATCH:",
6899 })
6900 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6901 name: "Renegotiate-Client-Downgrade",
6902 renegotiate: 1,
6903 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6904 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6905 Bugs: ProtocolBugs{
6906 NoRenegotiationInfoAfterInitial: true,
6907 },
6908 },
6909 flags: []string{"-renegotiate-freely"},
6910 shouldFail: true,
6911 expectedError: ":RENEGOTIATION_MISMATCH:",
6912 })
6913 testCases = append(testCases, testCase{
6914 name: "Renegotiate-Client-Upgrade",
6915 renegotiate: 1,
6916 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6917 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6918 Bugs: ProtocolBugs{
6919 NoRenegotiationInfoInInitial: true,
6920 },
6921 },
6922 flags: []string{"-renegotiate-freely"},
6923 shouldFail: true,
6924 expectedError: ":RENEGOTIATION_MISMATCH:",
6925 })
6926 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6927 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6928 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6929 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6930 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6931 Bugs: ProtocolBugs{
6932 NoRenegotiationInfo: true,
6933 },
6934 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6935 flags: []string{
6936 "-renegotiate-freely",
6937 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6938 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6939 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6940 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6941
6942 // Test that the server may switch ciphers on renegotiation without
6943 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6944 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6945 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6946 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6947 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6948 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6949 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6950 },
6951 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6952 flags: []string{
6953 "-renegotiate-freely",
6954 "-expect-total-renegotiations", "1",
6955 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6956 })
6957 testCases = append(testCases, testCase{
6958 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6959 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6960 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6961 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6962 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6963 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6964 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6965 flags: []string{
6966 "-renegotiate-freely",
6967 "-expect-total-renegotiations", "1",
6968 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6969 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6970
6971 // Test that the server may not switch versions on renegotiation.
6972 testCases = append(testCases, testCase{
6973 name: "Renegotiate-Client-SwitchVersion",
6974 config: Config{
6975 MaxVersion: VersionTLS12,
6976 // Pick a cipher which exists at both versions.
6977 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6978 Bugs: ProtocolBugs{
6979 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6980 // Avoid failing early at the record layer.
6981 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6982 },
6983 },
6984 renegotiate: 1,
6985 flags: []string{
6986 "-renegotiate-freely",
6987 "-expect-total-renegotiations", "1",
6988 },
6989 shouldFail: true,
6990 expectedError: ":WRONG_SSL_VERSION:",
6991 })
6992
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6993 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6994 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6995 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6996 config: Config{
6997 MaxVersion: VersionTLS10,
6998 Bugs: ProtocolBugs{
6999 RequireSameRenegoClientVersion: true,
7000 },
7001 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7002 flags: []string{
7003 "-renegotiate-freely",
7004 "-expect-total-renegotiations", "1",
7005 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]7006 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]7007 testCases = append(testCases, testCase{
7008 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7009 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]7010 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]7011 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]7012 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7013 NextProtos: []string{"foo"},
7014 },
7015 flags: []string{
7016 "-false-start",
7017 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7018 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]7019 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]7020 },
7021 shimWritesFirst: true,
7022 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7023
7024 // Client-side renegotiation controls.
7025 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7026 name: "Renegotiate-Client-Forbidden-1",
7027 config: Config{
7028 MaxVersion: VersionTLS12,
7029 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7030 renegotiate: 1,
7031 shouldFail: true,
7032 expectedError: ":NO_RENEGOTIATION:",
7033 expectedLocalError: "remote error: no renegotiation",
7034 })
7035 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7036 name: "Renegotiate-Client-Once-1",
7037 config: Config{
7038 MaxVersion: VersionTLS12,
7039 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7040 renegotiate: 1,
7041 flags: []string{
7042 "-renegotiate-once",
7043 "-expect-total-renegotiations", "1",
7044 },
7045 })
7046 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7047 name: "Renegotiate-Client-Freely-1",
7048 config: Config{
7049 MaxVersion: VersionTLS12,
7050 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7051 renegotiate: 1,
7052 flags: []string{
7053 "-renegotiate-freely",
7054 "-expect-total-renegotiations", "1",
7055 },
7056 })
7057 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7058 name: "Renegotiate-Client-Once-2",
7059 config: Config{
7060 MaxVersion: VersionTLS12,
7061 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7062 renegotiate: 2,
7063 flags: []string{"-renegotiate-once"},
7064 shouldFail: true,
7065 expectedError: ":NO_RENEGOTIATION:",
7066 expectedLocalError: "remote error: no renegotiation",
7067 })
7068 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7069 name: "Renegotiate-Client-Freely-2",
7070 config: Config{
7071 MaxVersion: VersionTLS12,
7072 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]7073 renegotiate: 2,
7074 flags: []string{
7075 "-renegotiate-freely",
7076 "-expect-total-renegotiations", "2",
7077 },
7078 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]7079 testCases = append(testCases, testCase{
7080 name: "Renegotiate-Client-NoIgnore",
7081 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7082 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]7083 Bugs: ProtocolBugs{
7084 SendHelloRequestBeforeEveryAppDataRecord: true,
7085 },
7086 },
7087 shouldFail: true,
7088 expectedError: ":NO_RENEGOTIATION:",
7089 })
7090 testCases = append(testCases, testCase{
7091 name: "Renegotiate-Client-Ignore",
7092 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7093 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]7094 Bugs: ProtocolBugs{
7095 SendHelloRequestBeforeEveryAppDataRecord: true,
7096 },
7097 },
7098 flags: []string{
7099 "-renegotiate-ignore",
7100 "-expect-total-renegotiations", "0",
7101 },
7102 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7103
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]7104 // Renegotiation is not allowed at SSL 3.0.
7105 testCases = append(testCases, testCase{
7106 name: "Renegotiate-Client-SSL3",
7107 config: Config{
7108 MaxVersion: VersionSSL30,
7109 },
7110 renegotiate: 1,
7111 flags: []string{
7112 "-renegotiate-freely",
7113 "-expect-total-renegotiations", "1",
7114 },
7115 shouldFail: true,
7116 expectedError: ":NO_RENEGOTIATION:",
7117 expectedLocalError: "remote error: no renegotiation",
7118 })
7119
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]7120 // Renegotiation is not allowed when there is an unfinished write.
7121 testCases = append(testCases, testCase{
7122 name: "Renegotiate-Client-UnfinishedWrite",
7123 config: Config{
7124 MaxVersion: VersionTLS12,
7125 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]7126 renegotiate: 1,
7127 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]7128 flags: []string{
7129 "-async",
7130 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]7131 },
7132 shouldFail: true,
7133 expectedError: ":NO_RENEGOTIATION:",
7134 // We do not successfully send the no_renegotiation alert in
7135 // this case. https://crbug.com/boringssl/130
7136 })
7137
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]7138 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]7139 testCases = append(testCases, testCase{
7140 name: "StrayHelloRequest",
7141 config: Config{
7142 MaxVersion: VersionTLS12,
7143 Bugs: ProtocolBugs{
7144 SendHelloRequestBeforeEveryHandshakeMessage: true,
7145 },
7146 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]7147 shouldFail: true,
7148 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]7149 })
7150 testCases = append(testCases, testCase{
7151 name: "StrayHelloRequest-Packed",
7152 config: Config{
7153 MaxVersion: VersionTLS12,
7154 Bugs: ProtocolBugs{
7155 PackHandshakeFlight: true,
7156 SendHelloRequestBeforeEveryHandshakeMessage: true,
7157 },
7158 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]7159 shouldFail: true,
7160 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]7161 })
7162
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]7163 // Test renegotiation works if HelloRequest and server Finished come in
7164 // the same record.
7165 testCases = append(testCases, testCase{
7166 name: "Renegotiate-Client-Packed",
7167 config: Config{
7168 MaxVersion: VersionTLS12,
7169 Bugs: ProtocolBugs{
7170 PackHandshakeFlight: true,
7171 PackHelloRequestWithFinished: true,
7172 },
7173 },
7174 renegotiate: 1,
7175 flags: []string{
7176 "-renegotiate-freely",
7177 "-expect-total-renegotiations", "1",
7178 },
7179 })
7180
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]7181 // Renegotiation is forbidden in TLS 1.3.
7182 testCases = append(testCases, testCase{
7183 name: "Renegotiate-Client-TLS13",
7184 config: Config{
7185 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7186 Bugs: ProtocolBugs{
7187 SendHelloRequestBeforeEveryAppDataRecord: true,
7188 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]7189 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]7190 flags: []string{
7191 "-renegotiate-freely",
7192 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]7193 shouldFail: true,
7194 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]7195 })
7196
7197 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
7198 testCases = append(testCases, testCase{
7199 name: "StrayHelloRequest-TLS13",
7200 config: Config{
7201 MaxVersion: VersionTLS13,
7202 Bugs: ProtocolBugs{
7203 SendHelloRequestBeforeEveryHandshakeMessage: true,
7204 },
7205 },
7206 shouldFail: true,
7207 expectedError: ":UNEXPECTED_MESSAGE:",
7208 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]7209
7210 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
7211 // always reads as supporting it, regardless of whether it was
7212 // negotiated.
7213 testCases = append(testCases, testCase{
7214 name: "AlwaysReportRenegotiationInfo-TLS13",
7215 config: Config{
7216 MaxVersion: VersionTLS13,
7217 Bugs: ProtocolBugs{
7218 NoRenegotiationInfo: true,
7219 },
7220 },
7221 flags: []string{
7222 "-expect-secure-renegotiation",
7223 },
7224 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]7225
7226 // Certificates may not change on renegotiation.
7227 testCases = append(testCases, testCase{
7228 name: "Renegotiation-CertificateChange",
7229 config: Config{
7230 MaxVersion: VersionTLS12,
7231 Certificates: []Certificate{rsaCertificate},
7232 Bugs: ProtocolBugs{
7233 RenegotiationCertificate: &rsaChainCertificate,
7234 },
7235 },
7236 renegotiate: 1,
7237 flags: []string{"-renegotiate-freely"},
7238 shouldFail: true,
7239 expectedError: ":SERVER_CERT_CHANGED:",
7240 })
7241 testCases = append(testCases, testCase{
7242 name: "Renegotiation-CertificateChange-2",
7243 config: Config{
7244 MaxVersion: VersionTLS12,
7245 Certificates: []Certificate{rsaCertificate},
7246 Bugs: ProtocolBugs{
7247 RenegotiationCertificate: &rsa1024Certificate,
7248 },
7249 },
7250 renegotiate: 1,
7251 flags: []string{"-renegotiate-freely"},
7252 shouldFail: true,
7253 expectedError: ":SERVER_CERT_CHANGED:",
7254 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]7255
7256 // We do not negotiate ALPN after the initial handshake. This is
7257 // error-prone and only risks bugs in consumers.
7258 testCases = append(testCases, testCase{
7259 testType: clientTest,
7260 name: "Renegotiation-ForbidALPN",
7261 config: Config{
7262 MaxVersion: VersionTLS12,
7263 Bugs: ProtocolBugs{
7264 // Forcibly negotiate ALPN on both initial and
7265 // renegotiation handshakes. The test stack will
7266 // internally check the client does not offer
7267 // it.
7268 SendALPN: "foo",
7269 },
7270 },
7271 flags: []string{
7272 "-advertise-alpn", "\x03foo\x03bar\x03baz",
7273 "-expect-alpn", "foo",
7274 "-renegotiate-freely",
7275 },
7276 renegotiate: 1,
7277 shouldFail: true,
7278 expectedError: ":UNEXPECTED_EXTENSION:",
7279 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]7280}
7281
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]7282func addDTLSReplayTests() {
7283 // Test that sequence number replays are detected.
7284 testCases = append(testCases, testCase{
7285 protocol: dtls,
7286 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]7287 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]7288 replayWrites: true,
7289 })
7290
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]7291 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]7292 // than the retransmit window.
7293 testCases = append(testCases, testCase{
7294 protocol: dtls,
7295 name: "DTLS-Replay-LargeGaps",
7296 config: Config{
7297 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]7298 SequenceNumberMapping: func(in uint64) uint64 {
7299 return in * 127
7300 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]7301 },
7302 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]7303 messageCount: 200,
7304 replayWrites: true,
7305 })
7306
7307 // Test the incoming sequence number changing non-monotonically.
7308 testCases = append(testCases, testCase{
7309 protocol: dtls,
7310 name: "DTLS-Replay-NonMonotonic",
7311 config: Config{
7312 Bugs: ProtocolBugs{
7313 SequenceNumberMapping: func(in uint64) uint64 {
7314 return in ^ 31
7315 },
7316 },
7317 },
7318 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]7319 replayWrites: true,
7320 })
7321}
7322
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7323var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7324 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7325 id signatureAlgorithm
7326 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7327}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7328 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
7329 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
7330 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
7331 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7332 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]7333 // The “P256” in the following line is not a mistake. In TLS 1.2 the
7334 // hash function doesn't have to match the curve and so the same
7335 // signature algorithm works with P-224.
7336 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7337 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
7338 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
7339 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7340 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
7341 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
7342 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7343 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7344 // Tests for key types prior to TLS 1.2.
7345 {"RSA", 0, testCertRSA},
7346 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7347}
7348
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7349const fakeSigAlg1 signatureAlgorithm = 0x2a01
7350const fakeSigAlg2 signatureAlgorithm = 0xff01
7351
7352func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7353 // Not all ciphers involve a signature. Advertise a list which gives all
7354 // versions a signing cipher.
7355 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7356 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7357 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
7358 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
7359 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
7360 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]7361 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7362
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7363 var allAlgorithms []signatureAlgorithm
7364 for _, alg := range testSignatureAlgorithms {
7365 if alg.id != 0 {
7366 allAlgorithms = append(allAlgorithms, alg.id)
7367 }
7368 }
7369
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7370 // Make sure each signature algorithm works. Include some fake values in
7371 // the list and ensure they're ignored.
7372 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7373 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7374 if (ver.version < VersionTLS12) != (alg.id == 0) {
7375 continue
7376 }
7377
7378 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
7379 // or remove it in C.
7380 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7381 continue
7382 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7383
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7384 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7385 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7386 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7387 shouldSignFail = true
7388 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7389 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]7390 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]7391 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
7392 shouldSignFail = true
7393 shouldVerifyFail = true
7394 }
7395 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
7396 // the curve has to match the hash size.
7397 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7398 shouldSignFail = true
7399 shouldVerifyFail = true
7400 }
7401
7402 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
7403 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
7404 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]7405 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7406
7407 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7408 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7409 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7410 }
7411 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7412 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7413 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7414
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7415 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]7416
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7417 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7418 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7419 config: Config{
7420 MaxVersion: ver.version,
7421 ClientAuth: RequireAnyClientCert,
7422 VerifySignatureAlgorithms: []signatureAlgorithm{
7423 fakeSigAlg1,
7424 alg.id,
7425 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7426 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7427 },
7428 flags: []string{
7429 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7430 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7431 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7432 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7433 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7434 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7435 expectedError: signError,
7436 expectedPeerSignatureAlgorithm: alg.id,
7437 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7438
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7439 testCases = append(testCases, testCase{
7440 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7441 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7442 config: Config{
7443 MaxVersion: ver.version,
7444 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7445 SignSignatureAlgorithms: []signatureAlgorithm{
7446 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7447 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7448 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7449 SkipECDSACurveCheck: shouldVerifyFail,
7450 IgnoreSignatureVersionChecks: shouldVerifyFail,
7451 // Some signature algorithms may not be advertised.
7452 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7453 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7454 },
7455 flags: []string{
7456 "-require-any-client-certificate",
7457 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
7458 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7459 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7460 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]7461 // Resume the session to assert the peer signature
7462 // algorithm is reported on both handshakes.
7463 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7464 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7465 expectedError: verifyError,
7466 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7467
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]7468 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]7469 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]7470 testCases = append(testCases, testCase{
7471 testType: serverTest,
7472 name: "ServerAuth-Sign" + suffix,
7473 config: Config{
7474 MaxVersion: ver.version,
7475 CipherSuites: signingCiphers,
7476 VerifySignatureAlgorithms: []signatureAlgorithm{
7477 fakeSigAlg1,
7478 alg.id,
7479 fakeSigAlg2,
7480 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7481 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]7482 flags: []string{
7483 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7484 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7485 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7486 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]7487 },
7488 shouldFail: shouldSignFail,
7489 expectedError: signError,
7490 expectedPeerSignatureAlgorithm: alg.id,
7491 })
7492 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7493
7494 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7495 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7496 config: Config{
7497 MaxVersion: ver.version,
7498 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7499 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7500 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7501 alg.id,
7502 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7503 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7504 SkipECDSACurveCheck: shouldVerifyFail,
7505 IgnoreSignatureVersionChecks: shouldVerifyFail,
7506 // Some signature algorithms may not be advertised.
7507 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7508 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7509 },
7510 flags: []string{
7511 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
7512 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7513 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7514 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]7515 // Resume the session to assert the peer signature
7516 // algorithm is reported on both handshakes.
7517 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7518 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]7519 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7520 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7521
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7522 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7523 testCases = append(testCases, testCase{
7524 testType: serverTest,
7525 name: "ClientAuth-InvalidSignature" + suffix,
7526 config: Config{
7527 MaxVersion: ver.version,
7528 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7529 SignSignatureAlgorithms: []signatureAlgorithm{
7530 alg.id,
7531 },
7532 Bugs: ProtocolBugs{
7533 InvalidSignature: true,
7534 },
7535 },
7536 flags: []string{
7537 "-require-any-client-certificate",
7538 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7539 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7540 },
7541 shouldFail: true,
7542 expectedError: ":BAD_SIGNATURE:",
7543 })
7544
7545 testCases = append(testCases, testCase{
7546 name: "ServerAuth-InvalidSignature" + suffix,
7547 config: Config{
7548 MaxVersion: ver.version,
7549 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
7550 CipherSuites: signingCiphers,
7551 SignSignatureAlgorithms: []signatureAlgorithm{
7552 alg.id,
7553 },
7554 Bugs: ProtocolBugs{
7555 InvalidSignature: true,
7556 },
7557 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7558 flags: []string{
7559 "-enable-all-curves",
7560 "-enable-ed25519",
7561 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]7562 shouldFail: true,
7563 expectedError: ":BAD_SIGNATURE:",
7564 })
7565 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7566
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7567 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7568 testCases = append(testCases, testCase{
7569 name: "ClientAuth-Sign-Negotiate" + suffix,
7570 config: Config{
7571 MaxVersion: ver.version,
7572 ClientAuth: RequireAnyClientCert,
7573 VerifySignatureAlgorithms: allAlgorithms,
7574 },
7575 flags: []string{
7576 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7577 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7578 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7579 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7580 "-signing-prefs", strconv.Itoa(int(alg.id)),
7581 },
7582 expectedPeerSignatureAlgorithm: alg.id,
7583 })
7584
7585 testCases = append(testCases, testCase{
7586 testType: serverTest,
7587 name: "ServerAuth-Sign-Negotiate" + suffix,
7588 config: Config{
7589 MaxVersion: ver.version,
7590 CipherSuites: signingCiphers,
7591 VerifySignatureAlgorithms: allAlgorithms,
7592 },
7593 flags: []string{
7594 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7595 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7596 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7597 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7598 "-signing-prefs", strconv.Itoa(int(alg.id)),
7599 },
7600 expectedPeerSignatureAlgorithm: alg.id,
7601 })
7602 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7603 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7604 }
7605
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7606 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7607 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7608 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7609 config: Config{
7610 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7611 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7612 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7613 signatureECDSAWithP521AndSHA512,
7614 signatureRSAPKCS1WithSHA384,
7615 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7616 },
7617 },
7618 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7619 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7620 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7621 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7622 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7623 })
7624
7625 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7626 name: "ClientAuth-SignatureType-TLS13",
7627 config: Config{
7628 ClientAuth: RequireAnyClientCert,
7629 MaxVersion: VersionTLS13,
7630 VerifySignatureAlgorithms: []signatureAlgorithm{
7631 signatureECDSAWithP521AndSHA512,
7632 signatureRSAPKCS1WithSHA384,
7633 signatureRSAPSSWithSHA384,
7634 signatureECDSAWithSHA1,
7635 },
7636 },
7637 flags: []string{
7638 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7639 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7640 },
7641 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7642 })
7643
7644 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7645 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7646 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7647 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7648 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7649 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7650 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7651 signatureECDSAWithP521AndSHA512,
7652 signatureRSAPKCS1WithSHA384,
7653 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7654 },
7655 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7656 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7657 })
7658
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7659 testCases = append(testCases, testCase{
7660 testType: serverTest,
7661 name: "ServerAuth-SignatureType-TLS13",
7662 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7663 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7664 VerifySignatureAlgorithms: []signatureAlgorithm{
7665 signatureECDSAWithP521AndSHA512,
7666 signatureRSAPKCS1WithSHA384,
7667 signatureRSAPSSWithSHA384,
7668 signatureECDSAWithSHA1,
7669 },
7670 },
7671 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7672 })
7673
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7674 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7675 testCases = append(testCases, testCase{
7676 testType: serverTest,
7677 name: "Verify-ClientAuth-SignatureType",
7678 config: Config{
7679 MaxVersion: VersionTLS12,
7680 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7681 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7682 signatureRSAPKCS1WithSHA256,
7683 },
7684 Bugs: ProtocolBugs{
7685 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7686 },
7687 },
7688 flags: []string{
7689 "-require-any-client-certificate",
7690 },
7691 shouldFail: true,
7692 expectedError: ":WRONG_SIGNATURE_TYPE:",
7693 })
7694
7695 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7696 testType: serverTest,
7697 name: "Verify-ClientAuth-SignatureType-TLS13",
7698 config: Config{
7699 MaxVersion: VersionTLS13,
7700 Certificates: []Certificate{rsaCertificate},
7701 SignSignatureAlgorithms: []signatureAlgorithm{
7702 signatureRSAPSSWithSHA256,
7703 },
7704 Bugs: ProtocolBugs{
7705 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7706 },
7707 },
7708 flags: []string{
7709 "-require-any-client-certificate",
7710 },
7711 shouldFail: true,
7712 expectedError: ":WRONG_SIGNATURE_TYPE:",
7713 })
7714
7715 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7716 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7717 config: Config{
7718 MaxVersion: VersionTLS12,
7719 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7720 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7721 signatureRSAPKCS1WithSHA256,
7722 },
7723 Bugs: ProtocolBugs{
7724 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7725 },
7726 },
7727 shouldFail: true,
7728 expectedError: ":WRONG_SIGNATURE_TYPE:",
7729 })
7730
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7731 testCases = append(testCases, testCase{
7732 name: "Verify-ServerAuth-SignatureType-TLS13",
7733 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7734 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7735 SignSignatureAlgorithms: []signatureAlgorithm{
7736 signatureRSAPSSWithSHA256,
7737 },
7738 Bugs: ProtocolBugs{
7739 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7740 },
7741 },
7742 shouldFail: true,
7743 expectedError: ":WRONG_SIGNATURE_TYPE:",
7744 })
7745
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7746 // Test that, if the list is missing, the peer falls back to SHA-1 in
7747 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7748 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7749 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7750 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7751 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7752 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7753 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7754 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7755 },
7756 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7757 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7758 },
7759 },
7760 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7761 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7762 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7763 },
7764 })
7765
7766 testCases = append(testCases, testCase{
7767 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7768 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7769 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7770 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7771 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7772 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7773 },
7774 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7775 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7776 },
7777 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7778 flags: []string{
7779 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7780 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7781 },
7782 })
7783
7784 testCases = append(testCases, testCase{
7785 name: "ClientAuth-SHA1-Fallback-ECDSA",
7786 config: Config{
7787 MaxVersion: VersionTLS12,
7788 ClientAuth: RequireAnyClientCert,
7789 VerifySignatureAlgorithms: []signatureAlgorithm{
7790 signatureECDSAWithSHA1,
7791 },
7792 Bugs: ProtocolBugs{
7793 NoSignatureAlgorithms: true,
7794 },
7795 },
7796 flags: []string{
7797 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7798 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7799 },
7800 })
7801
7802 testCases = append(testCases, testCase{
7803 testType: serverTest,
7804 name: "ServerAuth-SHA1-Fallback-ECDSA",
7805 config: Config{
7806 MaxVersion: VersionTLS12,
7807 VerifySignatureAlgorithms: []signatureAlgorithm{
7808 signatureECDSAWithSHA1,
7809 },
7810 Bugs: ProtocolBugs{
7811 NoSignatureAlgorithms: true,
7812 },
7813 },
7814 flags: []string{
7815 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7816 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7817 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7818 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7819
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7820 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7821 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7822 config: Config{
7823 MaxVersion: VersionTLS13,
7824 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7825 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7826 signatureRSAPKCS1WithSHA1,
7827 },
7828 Bugs: ProtocolBugs{
7829 NoSignatureAlgorithms: true,
7830 },
7831 },
7832 flags: []string{
7833 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7834 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7835 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7836 shouldFail: true,
7837 // An empty CertificateRequest signature algorithm list is a
7838 // syntax error in TLS 1.3.
7839 expectedError: ":DECODE_ERROR:",
7840 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7841 })
7842
7843 testCases = append(testCases, testCase{
7844 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7845 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7846 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7847 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7848 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7849 signatureRSAPKCS1WithSHA1,
7850 },
7851 Bugs: ProtocolBugs{
7852 NoSignatureAlgorithms: true,
7853 },
7854 },
7855 shouldFail: true,
7856 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7857 })
7858
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7859 // Test that hash preferences are enforced. BoringSSL does not implement
7860 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7861 testCases = append(testCases, testCase{
7862 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7863 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7864 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7865 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7866 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7867 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7868 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7869 },
7870 Bugs: ProtocolBugs{
7871 IgnorePeerSignatureAlgorithmPreferences: true,
7872 },
7873 },
7874 flags: []string{"-require-any-client-certificate"},
7875 shouldFail: true,
7876 expectedError: ":WRONG_SIGNATURE_TYPE:",
7877 })
7878
7879 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7880 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7881 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7882 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7883 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7884 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7885 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7886 },
7887 Bugs: ProtocolBugs{
7888 IgnorePeerSignatureAlgorithmPreferences: true,
7889 },
7890 },
7891 shouldFail: true,
7892 expectedError: ":WRONG_SIGNATURE_TYPE:",
7893 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7894 testCases = append(testCases, testCase{
7895 testType: serverTest,
7896 name: "ClientAuth-Enforced-TLS13",
7897 config: Config{
7898 MaxVersion: VersionTLS13,
7899 Certificates: []Certificate{rsaCertificate},
7900 SignSignatureAlgorithms: []signatureAlgorithm{
7901 signatureRSAPKCS1WithMD5,
7902 },
7903 Bugs: ProtocolBugs{
7904 IgnorePeerSignatureAlgorithmPreferences: true,
7905 IgnoreSignatureVersionChecks: true,
7906 },
7907 },
7908 flags: []string{"-require-any-client-certificate"},
7909 shouldFail: true,
7910 expectedError: ":WRONG_SIGNATURE_TYPE:",
7911 })
7912
7913 testCases = append(testCases, testCase{
7914 name: "ServerAuth-Enforced-TLS13",
7915 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7916 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7917 SignSignatureAlgorithms: []signatureAlgorithm{
7918 signatureRSAPKCS1WithMD5,
7919 },
7920 Bugs: ProtocolBugs{
7921 IgnorePeerSignatureAlgorithmPreferences: true,
7922 IgnoreSignatureVersionChecks: true,
7923 },
7924 },
7925 shouldFail: true,
7926 expectedError: ":WRONG_SIGNATURE_TYPE:",
7927 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7928
7929 // Test that the agreed upon digest respects the client preferences and
7930 // the server digests.
7931 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7932 name: "NoCommonAlgorithms-Digests",
7933 config: Config{
7934 MaxVersion: VersionTLS12,
7935 ClientAuth: RequireAnyClientCert,
7936 VerifySignatureAlgorithms: []signatureAlgorithm{
7937 signatureRSAPKCS1WithSHA512,
7938 signatureRSAPKCS1WithSHA1,
7939 },
7940 },
7941 flags: []string{
7942 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7943 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7944 "-digest-prefs", "SHA256",
7945 },
7946 shouldFail: true,
7947 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7948 })
7949 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7950 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7951 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7952 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7953 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7954 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7955 signatureRSAPKCS1WithSHA512,
7956 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7957 },
7958 },
7959 flags: []string{
7960 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7961 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7962 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7963 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7964 shouldFail: true,
7965 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7966 })
7967 testCases = append(testCases, testCase{
7968 name: "NoCommonAlgorithms-TLS13",
7969 config: Config{
7970 MaxVersion: VersionTLS13,
7971 ClientAuth: RequireAnyClientCert,
7972 VerifySignatureAlgorithms: []signatureAlgorithm{
7973 signatureRSAPSSWithSHA512,
7974 signatureRSAPSSWithSHA384,
7975 },
7976 },
7977 flags: []string{
7978 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7979 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7980 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7981 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7982 shouldFail: true,
7983 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7984 })
7985 testCases = append(testCases, testCase{
7986 name: "Agree-Digest-SHA256",
7987 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7988 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7989 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7990 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7991 signatureRSAPKCS1WithSHA1,
7992 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7993 },
7994 },
7995 flags: []string{
7996 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7997 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7998 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7999 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]8000 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8001 })
8002 testCases = append(testCases, testCase{
8003 name: "Agree-Digest-SHA1",
8004 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8005 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8006 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]8007 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]8008 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8009 },
8010 },
8011 flags: []string{
8012 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
8013 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]8014 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8015 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]8016 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8017 })
8018 testCases = append(testCases, testCase{
8019 name: "Agree-Digest-Default",
8020 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8021 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8022 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]8023 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]8024 signatureRSAPKCS1WithSHA256,
8025 signatureECDSAWithP256AndSHA256,
8026 signatureRSAPKCS1WithSHA1,
8027 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8028 },
8029 },
8030 flags: []string{
8031 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
8032 "-key-file", path.Join(*resourceDir, rsaKeyFile),
8033 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]8034 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]8035 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8036
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]8037 // Test that the signing preference list may include extra algorithms
8038 // without negotiation problems.
8039 testCases = append(testCases, testCase{
8040 testType: serverTest,
8041 name: "FilterExtraAlgorithms",
8042 config: Config{
8043 MaxVersion: VersionTLS12,
8044 VerifySignatureAlgorithms: []signatureAlgorithm{
8045 signatureRSAPKCS1WithSHA256,
8046 },
8047 },
8048 flags: []string{
8049 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
8050 "-key-file", path.Join(*resourceDir, rsaKeyFile),
8051 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
8052 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
8053 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
8054 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
8055 },
8056 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
8057 })
8058
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8059 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
8060 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8061 testCases = append(testCases, testCase{
8062 name: "CheckLeafCurve",
8063 config: Config{
8064 MaxVersion: VersionTLS12,
8065 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]8066 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8067 },
8068 flags: []string{"-p384-only"},
8069 shouldFail: true,
8070 expectedError: ":BAD_ECC_CERT:",
8071 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]8072
8073 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
8074 testCases = append(testCases, testCase{
8075 name: "CheckLeafCurve-TLS13",
8076 config: Config{
8077 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]8078 Certificates: []Certificate{ecdsaP256Certificate},
8079 },
8080 flags: []string{"-p384-only"},
8081 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]8082
8083 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
8084 testCases = append(testCases, testCase{
8085 name: "ECDSACurveMismatch-Verify-TLS12",
8086 config: Config{
8087 MaxVersion: VersionTLS12,
8088 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
8089 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]8090 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]8091 signatureECDSAWithP384AndSHA384,
8092 },
8093 },
8094 })
8095
8096 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
8097 testCases = append(testCases, testCase{
8098 name: "ECDSACurveMismatch-Verify-TLS13",
8099 config: Config{
8100 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]8101 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]8102 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]8103 signatureECDSAWithP384AndSHA384,
8104 },
8105 Bugs: ProtocolBugs{
8106 SkipECDSACurveCheck: true,
8107 },
8108 },
8109 shouldFail: true,
8110 expectedError: ":WRONG_SIGNATURE_TYPE:",
8111 })
8112
8113 // Signature algorithm selection in TLS 1.3 should take the curve into
8114 // account.
8115 testCases = append(testCases, testCase{
8116 testType: serverTest,
8117 name: "ECDSACurveMismatch-Sign-TLS13",
8118 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8119 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]8120 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]8121 signatureECDSAWithP384AndSHA384,
8122 signatureECDSAWithP256AndSHA256,
8123 },
8124 },
8125 flags: []string{
8126 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
8127 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
8128 },
8129 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
8130 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]8131
8132 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
8133 // server does not attempt to sign in that case.
8134 testCases = append(testCases, testCase{
8135 testType: serverTest,
8136 name: "RSA-PSS-Large",
8137 config: Config{
8138 MaxVersion: VersionTLS13,
8139 VerifySignatureAlgorithms: []signatureAlgorithm{
8140 signatureRSAPSSWithSHA512,
8141 },
8142 },
8143 flags: []string{
8144 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
8145 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
8146 },
8147 shouldFail: true,
8148 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
8149 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]8150
8151 // Test that RSA-PSS is enabled by default for TLS 1.2.
8152 testCases = append(testCases, testCase{
8153 testType: clientTest,
8154 name: "RSA-PSS-Default-Verify",
8155 config: Config{
8156 MaxVersion: VersionTLS12,
8157 SignSignatureAlgorithms: []signatureAlgorithm{
8158 signatureRSAPSSWithSHA256,
8159 },
8160 },
8161 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8162 })
8163
8164 testCases = append(testCases, testCase{
8165 testType: serverTest,
8166 name: "RSA-PSS-Default-Sign",
8167 config: Config{
8168 MaxVersion: VersionTLS12,
8169 VerifySignatureAlgorithms: []signatureAlgorithm{
8170 signatureRSAPSSWithSHA256,
8171 },
8172 },
8173 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8174 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]8175
8176 // TLS 1.1 and below has no way to advertise support for or negotiate
8177 // Ed25519's signature algorithm.
8178 testCases = append(testCases, testCase{
8179 testType: clientTest,
8180 name: "NoEd25519-TLS11-ServerAuth-Verify",
8181 config: Config{
8182 MaxVersion: VersionTLS11,
8183 Certificates: []Certificate{ed25519Certificate},
8184 Bugs: ProtocolBugs{
8185 // Sign with Ed25519 even though it is TLS 1.1.
8186 UseLegacySigningAlgorithm: signatureEd25519,
8187 },
8188 },
8189 flags: []string{"-enable-ed25519"},
8190 shouldFail: true,
8191 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
8192 })
8193 testCases = append(testCases, testCase{
8194 testType: serverTest,
8195 name: "NoEd25519-TLS11-ServerAuth-Sign",
8196 config: Config{
8197 MaxVersion: VersionTLS11,
8198 },
8199 flags: []string{
8200 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
8201 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
8202 },
8203 shouldFail: true,
8204 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
8205 })
8206 testCases = append(testCases, testCase{
8207 testType: serverTest,
8208 name: "NoEd25519-TLS11-ClientAuth-Verify",
8209 config: Config{
8210 MaxVersion: VersionTLS11,
8211 Certificates: []Certificate{ed25519Certificate},
8212 Bugs: ProtocolBugs{
8213 // Sign with Ed25519 even though it is TLS 1.1.
8214 UseLegacySigningAlgorithm: signatureEd25519,
8215 },
8216 },
8217 flags: []string{
8218 "-enable-ed25519",
8219 "-require-any-client-certificate",
8220 },
8221 shouldFail: true,
8222 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
8223 })
8224 testCases = append(testCases, testCase{
8225 testType: clientTest,
8226 name: "NoEd25519-TLS11-ClientAuth-Sign",
8227 config: Config{
8228 MaxVersion: VersionTLS11,
8229 ClientAuth: RequireAnyClientCert,
8230 },
8231 flags: []string{
8232 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
8233 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
8234 },
8235 shouldFail: true,
8236 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
8237 })
8238
8239 // Test Ed25519 is not advertised by default.
8240 testCases = append(testCases, testCase{
8241 testType: clientTest,
8242 name: "Ed25519DefaultDisable-NoAdvertise",
8243 config: Config{
8244 Certificates: []Certificate{ed25519Certificate},
8245 },
8246 shouldFail: true,
8247 expectedLocalError: "tls: no common signature algorithms",
8248 })
8249
8250 // Test Ed25519, when disabled, is not accepted if the peer ignores our
8251 // preferences.
8252 testCases = append(testCases, testCase{
8253 testType: clientTest,
8254 name: "Ed25519DefaultDisable-NoAccept",
8255 config: Config{
8256 Certificates: []Certificate{ed25519Certificate},
8257 Bugs: ProtocolBugs{
8258 IgnorePeerSignatureAlgorithmPreferences: true,
8259 },
8260 },
8261 shouldFail: true,
8262 expectedLocalError: "remote error: illegal parameter",
8263 expectedError: ":WRONG_SIGNATURE_TYPE:",
8264 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame]8265
8266 // Test that configuring verify preferences changes what the client
8267 // advertises.
8268 testCases = append(testCases, testCase{
8269 name: "VerifyPreferences-Advertised",
8270 config: Config{
8271 Certificates: []Certificate{rsaCertificate},
8272 SignSignatureAlgorithms: []signatureAlgorithm{
8273 signatureRSAPSSWithSHA256,
8274 signatureRSAPSSWithSHA384,
8275 signatureRSAPSSWithSHA512,
8276 },
8277 },
8278 flags: []string{
8279 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
8280 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
8281 },
8282 })
8283
8284 // Test that the client advertises a set which the runner can find
8285 // nothing in common with.
8286 testCases = append(testCases, testCase{
8287 name: "VerifyPreferences-NoCommonAlgorithms",
8288 config: Config{
8289 Certificates: []Certificate{rsaCertificate},
8290 SignSignatureAlgorithms: []signatureAlgorithm{
8291 signatureRSAPSSWithSHA256,
8292 signatureRSAPSSWithSHA512,
8293 },
8294 },
8295 flags: []string{
8296 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
8297 },
8298 shouldFail: true,
8299 expectedLocalError: "tls: no common signature algorithms",
8300 })
8301
8302 // Test that the client enforces its preferences when configured.
8303 testCases = append(testCases, testCase{
8304 name: "VerifyPreferences-Enforced",
8305 config: Config{
8306 Certificates: []Certificate{rsaCertificate},
8307 SignSignatureAlgorithms: []signatureAlgorithm{
8308 signatureRSAPSSWithSHA256,
8309 signatureRSAPSSWithSHA512,
8310 },
8311 Bugs: ProtocolBugs{
8312 IgnorePeerSignatureAlgorithmPreferences: true,
8313 },
8314 },
8315 flags: []string{
8316 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
8317 },
8318 shouldFail: true,
8319 expectedLocalError: "remote error: illegal parameter",
8320 expectedError: ":WRONG_SIGNATURE_TYPE:",
8321 })
8322
8323 // Test that explicitly configuring Ed25519 is as good as changing the
8324 // boolean toggle.
8325 testCases = append(testCases, testCase{
8326 name: "VerifyPreferences-Ed25519",
8327 config: Config{
8328 Certificates: []Certificate{ed25519Certificate},
8329 },
8330 flags: []string{
8331 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
8332 },
8333 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]8334}
8335
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8336// timeouts is the retransmit schedule for BoringSSL. It doubles and
8337// caps at 60 seconds. On the 13th timeout, it gives up.
8338var timeouts = []time.Duration{
8339 1 * time.Second,
8340 2 * time.Second,
8341 4 * time.Second,
8342 8 * time.Second,
8343 16 * time.Second,
8344 32 * time.Second,
8345 60 * time.Second,
8346 60 * time.Second,
8347 60 * time.Second,
8348 60 * time.Second,
8349 60 * time.Second,
8350 60 * time.Second,
8351 60 * time.Second,
8352}
8353
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]8354// shortTimeouts is an alternate set of timeouts which would occur if the
8355// initial timeout duration was set to 250ms.
8356var shortTimeouts = []time.Duration{
8357 250 * time.Millisecond,
8358 500 * time.Millisecond,
8359 1 * time.Second,
8360 2 * time.Second,
8361 4 * time.Second,
8362 8 * time.Second,
8363 16 * time.Second,
8364 32 * time.Second,
8365 60 * time.Second,
8366 60 * time.Second,
8367 60 * time.Second,
8368 60 * time.Second,
8369 60 * time.Second,
8370}
8371
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8372func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]8373 // These tests work by coordinating some behavior on both the shim and
8374 // the runner.
8375 //
8376 // TimeoutSchedule configures the runner to send a series of timeout
8377 // opcodes to the shim (see packetAdaptor) immediately before reading
8378 // each peer handshake flight N. The timeout opcode both simulates a
8379 // timeout in the shim and acts as a synchronization point to help the
8380 // runner bracket each handshake flight.
8381 //
8382 // We assume the shim does not read from the channel eagerly. It must
8383 // first wait until it has sent flight N and is ready to receive
8384 // handshake flight N+1. At this point, it will process the timeout
8385 // opcode. It must then immediately respond with a timeout ACK and act
8386 // as if the shim was idle for the specified amount of time.
8387 //
8388 // The runner then drops all packets received before the ACK and
8389 // continues waiting for flight N. This ordering results in one attempt
8390 // at sending flight N to be dropped. For the test to complete, the
8391 // shim must send flight N again, testing that the shim implements DTLS
8392 // retransmit on a timeout.
8393
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8394 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8395 // likely be more epochs to cross and the final message's retransmit may
8396 // be more complex.
8397
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8398 // Test that this is indeed the timeout schedule. Stress all
8399 // four patterns of handshake.
8400 for i := 1; i < len(timeouts); i++ {
8401 number := strconv.Itoa(i)
8402 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8403 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8404 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8405 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8406 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8407 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8408 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8409 },
8410 },
8411 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8412 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8413 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8414 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8415 protocol: dtls,
8416 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8417 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8418 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8419 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8420 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8421 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8422 },
8423 },
8424 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8425 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8426 })
8427 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]8428
8429 // Test that exceeding the timeout schedule hits a read
8430 // timeout.
8431 testCases = append(testCases, testCase{
8432 protocol: dtls,
8433 name: "DTLS-Retransmit-Timeout",
8434 config: Config{
8435 MaxVersion: VersionTLS12,
8436 Bugs: ProtocolBugs{
8437 TimeoutSchedule: timeouts,
8438 },
8439 },
8440 resumeSession: true,
8441 flags: []string{"-async"},
8442 shouldFail: true,
8443 expectedError: ":READ_TIMEOUT_EXPIRED:",
8444 })
8445
8446 // Test that timeout handling has a fudge factor, due to API
8447 // problems.
8448 testCases = append(testCases, testCase{
8449 protocol: dtls,
8450 name: "DTLS-Retransmit-Fudge",
8451 config: Config{
8452 MaxVersion: VersionTLS12,
8453 Bugs: ProtocolBugs{
8454 TimeoutSchedule: []time.Duration{
8455 timeouts[0] - 10*time.Millisecond,
8456 },
8457 },
8458 },
8459 resumeSession: true,
8460 flags: []string{"-async"},
8461 })
8462
8463 // Test that the final Finished retransmitting isn't
8464 // duplicated if the peer badly fragments everything.
8465 testCases = append(testCases, testCase{
8466 testType: serverTest,
8467 protocol: dtls,
8468 name: "DTLS-Retransmit-Fragmented",
8469 config: Config{
8470 MaxVersion: VersionTLS12,
8471 Bugs: ProtocolBugs{
8472 TimeoutSchedule: []time.Duration{timeouts[0]},
8473 MaxHandshakeRecordLength: 2,
8474 },
8475 },
8476 flags: []string{"-async"},
8477 })
8478
8479 // Test the timeout schedule when a shorter initial timeout duration is set.
8480 testCases = append(testCases, testCase{
8481 protocol: dtls,
8482 name: "DTLS-Retransmit-Short-Client",
8483 config: Config{
8484 MaxVersion: VersionTLS12,
8485 Bugs: ProtocolBugs{
8486 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
8487 },
8488 },
8489 resumeSession: true,
8490 flags: []string{
8491 "-async",
8492 "-initial-timeout-duration-ms", "250",
8493 },
8494 })
8495 testCases = append(testCases, testCase{
8496 protocol: dtls,
8497 testType: serverTest,
8498 name: "DTLS-Retransmit-Short-Server",
8499 config: Config{
8500 MaxVersion: VersionTLS12,
8501 Bugs: ProtocolBugs{
8502 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
8503 },
8504 },
8505 resumeSession: true,
8506 flags: []string{
8507 "-async",
8508 "-initial-timeout-duration-ms", "250",
8509 },
8510 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]8511}
8512
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8513func addExportKeyingMaterialTests() {
8514 for _, vers := range tlsVersions {
8515 if vers.version == VersionSSL30 {
8516 continue
8517 }
8518 testCases = append(testCases, testCase{
8519 name: "ExportKeyingMaterial-" + vers.name,
8520 config: Config{
8521 MaxVersion: vers.version,
8522 },
8523 exportKeyingMaterial: 1024,
8524 exportLabel: "label",
8525 exportContext: "context",
8526 useExportContext: true,
8527 })
8528 testCases = append(testCases, testCase{
8529 name: "ExportKeyingMaterial-NoContext-" + vers.name,
8530 config: Config{
8531 MaxVersion: vers.version,
8532 },
8533 exportKeyingMaterial: 1024,
8534 })
8535 testCases = append(testCases, testCase{
8536 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
8537 config: Config{
8538 MaxVersion: vers.version,
8539 },
8540 exportKeyingMaterial: 1024,
8541 useExportContext: true,
8542 })
8543 testCases = append(testCases, testCase{
8544 name: "ExportKeyingMaterial-Small-" + vers.name,
8545 config: Config{
8546 MaxVersion: vers.version,
8547 },
8548 exportKeyingMaterial: 1,
8549 exportLabel: "label",
8550 exportContext: "context",
8551 useExportContext: true,
8552 })
8553 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8554
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8555 testCases = append(testCases, testCase{
8556 name: "ExportKeyingMaterial-SSL3",
8557 config: Config{
8558 MaxVersion: VersionSSL30,
8559 },
8560 exportKeyingMaterial: 1024,
8561 exportLabel: "label",
8562 exportContext: "context",
8563 useExportContext: true,
8564 shouldFail: true,
8565 expectedError: "failed to export keying material",
8566 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8567
8568 // Exporters work during a False Start.
8569 testCases = append(testCases, testCase{
8570 name: "ExportKeyingMaterial-FalseStart",
8571 config: Config{
8572 MaxVersion: VersionTLS12,
8573 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8574 NextProtos: []string{"foo"},
8575 Bugs: ProtocolBugs{
8576 ExpectFalseStart: true,
8577 },
8578 },
8579 flags: []string{
8580 "-false-start",
8581 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]8582 "-expect-alpn", "foo",
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]8583 },
8584 shimWritesFirst: true,
8585 exportKeyingMaterial: 1024,
8586 exportLabel: "label",
8587 exportContext: "context",
8588 useExportContext: true,
8589 })
8590
8591 // Exporters do not work in the middle of a renegotiation. Test this by
8592 // triggering the exporter after every SSL_read call and configuring the
8593 // shim to run asynchronously.
8594 testCases = append(testCases, testCase{
8595 name: "ExportKeyingMaterial-Renegotiate",
8596 config: Config{
8597 MaxVersion: VersionTLS12,
8598 },
8599 renegotiate: 1,
8600 flags: []string{
8601 "-async",
8602 "-use-exporter-between-reads",
8603 "-renegotiate-freely",
8604 "-expect-total-renegotiations", "1",
8605 },
8606 shouldFail: true,
8607 expectedError: "failed to export keying material",
8608 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8609}
8610
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8611func addTLSUniqueTests() {
8612 for _, isClient := range []bool{false, true} {
8613 for _, isResumption := range []bool{false, true} {
8614 for _, hasEMS := range []bool{false, true} {
8615 var suffix string
8616 if isResumption {
8617 suffix = "Resume-"
8618 } else {
8619 suffix = "Full-"
8620 }
8621
8622 if hasEMS {
8623 suffix += "EMS-"
8624 } else {
8625 suffix += "NoEMS-"
8626 }
8627
8628 if isClient {
8629 suffix += "Client"
8630 } else {
8631 suffix += "Server"
8632 }
8633
8634 test := testCase{
8635 name: "TLSUnique-" + suffix,
8636 testTLSUnique: true,
8637 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8638 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8639 Bugs: ProtocolBugs{
8640 NoExtendedMasterSecret: !hasEMS,
8641 },
8642 },
8643 }
8644
8645 if isResumption {
8646 test.resumeSession = true
8647 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8648 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8649 Bugs: ProtocolBugs{
8650 NoExtendedMasterSecret: !hasEMS,
8651 },
8652 }
8653 }
8654
8655 if isResumption && !hasEMS {
8656 test.shouldFail = true
8657 test.expectedError = "failed to get tls-unique"
8658 }
8659
8660 testCases = append(testCases, test)
8661 }
8662 }
8663 }
8664}
8665
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8666func addCustomExtensionTests() {
8667 expectedContents := "custom extension"
8668 emptyString := ""
8669
8670 for _, isClient := range []bool{false, true} {
8671 suffix := "Server"
8672 flag := "-enable-server-custom-extension"
8673 testType := serverTest
8674 if isClient {
8675 suffix = "Client"
8676 flag = "-enable-client-custom-extension"
8677 testType = clientTest
8678 }
8679
8680 testCases = append(testCases, testCase{
8681 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8682 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8683 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8684 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8685 Bugs: ProtocolBugs{
8686 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8687 ExpectedCustomExtension: &expectedContents,
8688 },
8689 },
8690 flags: []string{flag},
8691 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8692 testCases = append(testCases, testCase{
8693 testType: testType,
8694 name: "CustomExtensions-" + suffix + "-TLS13",
8695 config: Config{
8696 MaxVersion: VersionTLS13,
8697 Bugs: ProtocolBugs{
8698 CustomExtension: expectedContents,
8699 ExpectedCustomExtension: &expectedContents,
8700 },
8701 },
8702 flags: []string{flag},
8703 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8704
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8705 // 0-RTT is not currently supported with Custom Extensions.
8706 testCases = append(testCases, testCase{
8707 testType: testType,
8708 name: "CustomExtensions-" + suffix + "-EarlyData",
8709 config: Config{
8710 MaxVersion: VersionTLS13,
8711 Bugs: ProtocolBugs{
8712 CustomExtension: expectedContents,
8713 ExpectedCustomExtension: &expectedContents,
8714 },
8715 },
8716 shouldFail: true,
8717 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8718 flags: []string{flag, "-enable-early-data"},
8719 })
8720
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8721 // If the parse callback fails, the handshake should also fail.
8722 testCases = append(testCases, testCase{
8723 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8724 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8725 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8726 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8727 Bugs: ProtocolBugs{
8728 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8729 ExpectedCustomExtension: &expectedContents,
8730 },
8731 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8732 flags: []string{flag},
8733 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8734 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8735 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8736 testCases = append(testCases, testCase{
8737 testType: testType,
8738 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8739 config: Config{
8740 MaxVersion: VersionTLS13,
8741 Bugs: ProtocolBugs{
8742 CustomExtension: expectedContents + "foo",
8743 ExpectedCustomExtension: &expectedContents,
8744 },
8745 },
8746 flags: []string{flag},
8747 shouldFail: true,
8748 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8749 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8750
8751 // If the add callback fails, the handshake should also fail.
8752 testCases = append(testCases, testCase{
8753 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8754 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8755 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8756 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8757 Bugs: ProtocolBugs{
8758 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8759 ExpectedCustomExtension: &expectedContents,
8760 },
8761 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8762 flags: []string{flag, "-custom-extension-fail-add"},
8763 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8764 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8765 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8766 testCases = append(testCases, testCase{
8767 testType: testType,
8768 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8769 config: Config{
8770 MaxVersion: VersionTLS13,
8771 Bugs: ProtocolBugs{
8772 CustomExtension: expectedContents,
8773 ExpectedCustomExtension: &expectedContents,
8774 },
8775 },
8776 flags: []string{flag, "-custom-extension-fail-add"},
8777 shouldFail: true,
8778 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8779 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8780
8781 // If the add callback returns zero, no extension should be
8782 // added.
8783 skipCustomExtension := expectedContents
8784 if isClient {
8785 // For the case where the client skips sending the
8786 // custom extension, the server must not “echo” it.
8787 skipCustomExtension = ""
8788 }
8789 testCases = append(testCases, testCase{
8790 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8791 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8792 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8793 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8794 Bugs: ProtocolBugs{
8795 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8796 ExpectedCustomExtension: &emptyString,
8797 },
8798 },
8799 flags: []string{flag, "-custom-extension-skip"},
8800 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8801 testCases = append(testCases, testCase{
8802 testType: testType,
8803 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8804 config: Config{
8805 MaxVersion: VersionTLS13,
8806 Bugs: ProtocolBugs{
8807 CustomExtension: skipCustomExtension,
8808 ExpectedCustomExtension: &emptyString,
8809 },
8810 },
8811 flags: []string{flag, "-custom-extension-skip"},
8812 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8813 }
8814
8815 // The custom extension add callback should not be called if the client
8816 // doesn't send the extension.
8817 testCases = append(testCases, testCase{
8818 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8819 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8820 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8821 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8822 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8823 ExpectedCustomExtension: &emptyString,
8824 },
8825 },
8826 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8827 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8828
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8829 testCases = append(testCases, testCase{
8830 testType: serverTest,
8831 name: "CustomExtensions-NotCalled-Server-TLS13",
8832 config: Config{
8833 MaxVersion: VersionTLS13,
8834 Bugs: ProtocolBugs{
8835 ExpectedCustomExtension: &emptyString,
8836 },
8837 },
8838 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8839 })
8840
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8841 // Test an unknown extension from the server.
8842 testCases = append(testCases, testCase{
8843 testType: clientTest,
8844 name: "UnknownExtension-Client",
8845 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8846 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8847 Bugs: ProtocolBugs{
8848 CustomExtension: expectedContents,
8849 },
8850 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8851 shouldFail: true,
8852 expectedError: ":UNEXPECTED_EXTENSION:",
8853 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8854 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8855 testCases = append(testCases, testCase{
8856 testType: clientTest,
8857 name: "UnknownExtension-Client-TLS13",
8858 config: Config{
8859 MaxVersion: VersionTLS13,
8860 Bugs: ProtocolBugs{
8861 CustomExtension: expectedContents,
8862 },
8863 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8864 shouldFail: true,
8865 expectedError: ":UNEXPECTED_EXTENSION:",
8866 expectedLocalError: "remote error: unsupported extension",
8867 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8868 testCases = append(testCases, testCase{
8869 testType: clientTest,
8870 name: "UnknownUnencryptedExtension-Client-TLS13",
8871 config: Config{
8872 MaxVersion: VersionTLS13,
8873 Bugs: ProtocolBugs{
8874 CustomUnencryptedExtension: expectedContents,
8875 },
8876 },
8877 shouldFail: true,
8878 expectedError: ":UNEXPECTED_EXTENSION:",
8879 // The shim must send an alert, but alerts at this point do not
8880 // get successfully decrypted by the runner.
8881 expectedLocalError: "local error: bad record MAC",
8882 })
8883 testCases = append(testCases, testCase{
8884 testType: clientTest,
8885 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8886 config: Config{
8887 MaxVersion: VersionTLS13,
8888 Bugs: ProtocolBugs{
8889 SendUnencryptedALPN: "foo",
8890 },
8891 },
8892 flags: []string{
8893 "-advertise-alpn", "\x03foo\x03bar",
8894 },
8895 shouldFail: true,
8896 expectedError: ":UNEXPECTED_EXTENSION:",
8897 // The shim must send an alert, but alerts at this point do not
8898 // get successfully decrypted by the runner.
8899 expectedLocalError: "local error: bad record MAC",
8900 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8901
8902 // Test a known but unoffered extension from the server.
8903 testCases = append(testCases, testCase{
8904 testType: clientTest,
8905 name: "UnofferedExtension-Client",
8906 config: Config{
8907 MaxVersion: VersionTLS12,
8908 Bugs: ProtocolBugs{
8909 SendALPN: "alpn",
8910 },
8911 },
8912 shouldFail: true,
8913 expectedError: ":UNEXPECTED_EXTENSION:",
8914 expectedLocalError: "remote error: unsupported extension",
8915 })
8916 testCases = append(testCases, testCase{
8917 testType: clientTest,
8918 name: "UnofferedExtension-Client-TLS13",
8919 config: Config{
8920 MaxVersion: VersionTLS13,
8921 Bugs: ProtocolBugs{
8922 SendALPN: "alpn",
8923 },
8924 },
8925 shouldFail: true,
8926 expectedError: ":UNEXPECTED_EXTENSION:",
8927 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8928 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8929}
8930
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8931func addRSAClientKeyExchangeTests() {
8932 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8933 testCases = append(testCases, testCase{
8934 testType: serverTest,
8935 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8936 config: Config{
8937 // Ensure the ClientHello version and final
8938 // version are different, to detect if the
8939 // server uses the wrong one.
8940 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8941 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8942 Bugs: ProtocolBugs{
8943 BadRSAClientKeyExchange: bad,
8944 },
8945 },
8946 shouldFail: true,
8947 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8948 })
8949 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8950
8951 // The server must compare whatever was in ClientHello.version for the
8952 // RSA premaster.
8953 testCases = append(testCases, testCase{
8954 testType: serverTest,
8955 name: "SendClientVersion-RSA",
8956 config: Config{
8957 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8958 Bugs: ProtocolBugs{
8959 SendClientVersion: 0x1234,
8960 },
8961 },
8962 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8963 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8964}
8965
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8966var testCurves = []struct {
8967 name string
8968 id CurveID
8969}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8970 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8971 {"P-256", CurveP256},
8972 {"P-384", CurveP384},
8973 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8974 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8975}
8976
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8977const bogusCurve = 0x1234
8978
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8979func addCurveTests() {
8980 for _, curve := range testCurves {
8981 testCases = append(testCases, testCase{
8982 name: "CurveTest-Client-" + curve.name,
8983 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8984 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8985 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8986 CurvePreferences: []CurveID{curve.id},
8987 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8988 flags: []string{
8989 "-enable-all-curves",
8990 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8991 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8992 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8993 })
8994 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8995 name: "CurveTest-Client-" + curve.name + "-TLS13",
8996 config: Config{
8997 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8998 CurvePreferences: []CurveID{curve.id},
8999 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]9000 flags: []string{
9001 "-enable-all-curves",
9002 "-expect-curve-id", strconv.Itoa(int(curve.id)),
9003 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9004 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9005 })
9006 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]9007 testType: serverTest,
9008 name: "CurveTest-Server-" + curve.name,
9009 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9010 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]9011 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9012 CurvePreferences: []CurveID{curve.id},
9013 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]9014 flags: []string{
9015 "-enable-all-curves",
9016 "-expect-curve-id", strconv.Itoa(int(curve.id)),
9017 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9018 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]9019 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9020 testCases = append(testCases, testCase{
9021 testType: serverTest,
9022 name: "CurveTest-Server-" + curve.name + "-TLS13",
9023 config: Config{
9024 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9025 CurvePreferences: []CurveID{curve.id},
9026 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]9027 flags: []string{
9028 "-enable-all-curves",
9029 "-expect-curve-id", strconv.Itoa(int(curve.id)),
9030 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9031 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9032 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]9033 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]9034
9035 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]9036 testCases = append(testCases, testCase{
9037 testType: serverTest,
9038 name: "UnknownCurve",
9039 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9040 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]9041 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9042 CurvePreferences: []CurveID{bogusCurve, CurveP256},
9043 },
9044 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9045
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9046 // The server must be tolerant to bogus curves.
9047 testCases = append(testCases, testCase{
9048 testType: serverTest,
9049 name: "UnknownCurve-TLS13",
9050 config: Config{
9051 MaxVersion: VersionTLS13,
9052 CurvePreferences: []CurveID{bogusCurve, CurveP256},
9053 },
9054 })
9055
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9056 // The server must not consider ECDHE ciphers when there are no
9057 // supported curves.
9058 testCases = append(testCases, testCase{
9059 testType: serverTest,
9060 name: "NoSupportedCurves",
9061 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9062 MaxVersion: VersionTLS12,
9063 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9064 Bugs: ProtocolBugs{
9065 NoSupportedCurves: true,
9066 },
9067 },
9068 shouldFail: true,
9069 expectedError: ":NO_SHARED_CIPHER:",
9070 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9071 testCases = append(testCases, testCase{
9072 testType: serverTest,
9073 name: "NoSupportedCurves-TLS13",
9074 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9075 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9076 Bugs: ProtocolBugs{
9077 NoSupportedCurves: true,
9078 },
9079 },
9080 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9081 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9082 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9083
9084 // The server must fall back to another cipher when there are no
9085 // supported curves.
9086 testCases = append(testCases, testCase{
9087 testType: serverTest,
9088 name: "NoCommonCurves",
9089 config: Config{
9090 MaxVersion: VersionTLS12,
9091 CipherSuites: []uint16{
9092 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]9093 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9094 },
9095 CurvePreferences: []CurveID{CurveP224},
9096 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]9097 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9098 })
9099
9100 // The client must reject bogus curves and disabled curves.
9101 testCases = append(testCases, testCase{
9102 name: "BadECDHECurve",
9103 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9104 MaxVersion: VersionTLS12,
9105 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9106 Bugs: ProtocolBugs{
9107 SendCurve: bogusCurve,
9108 },
9109 },
9110 shouldFail: true,
9111 expectedError: ":WRONG_CURVE:",
9112 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9113 testCases = append(testCases, testCase{
9114 name: "BadECDHECurve-TLS13",
9115 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9116 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9117 Bugs: ProtocolBugs{
9118 SendCurve: bogusCurve,
9119 },
9120 },
9121 shouldFail: true,
9122 expectedError: ":WRONG_CURVE:",
9123 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9124
9125 testCases = append(testCases, testCase{
9126 name: "UnsupportedCurve",
9127 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9128 MaxVersion: VersionTLS12,
9129 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9130 CurvePreferences: []CurveID{CurveP256},
9131 Bugs: ProtocolBugs{
9132 IgnorePeerCurvePreferences: true,
9133 },
9134 },
9135 flags: []string{"-p384-only"},
9136 shouldFail: true,
9137 expectedError: ":WRONG_CURVE:",
9138 })
9139
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]9140 testCases = append(testCases, testCase{
9141 // TODO(davidben): Add a TLS 1.3 version where
9142 // HelloRetryRequest requests an unsupported curve.
9143 name: "UnsupportedCurve-ServerHello-TLS13",
9144 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9145 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]9146 CurvePreferences: []CurveID{CurveP384},
9147 Bugs: ProtocolBugs{
9148 SendCurve: CurveP256,
9149 },
9150 },
9151 flags: []string{"-p384-only"},
9152 shouldFail: true,
9153 expectedError: ":WRONG_CURVE:",
9154 })
9155
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9156 // Test invalid curve points.
9157 testCases = append(testCases, testCase{
9158 name: "InvalidECDHPoint-Client",
9159 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9160 MaxVersion: VersionTLS12,
9161 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9162 CurvePreferences: []CurveID{CurveP256},
9163 Bugs: ProtocolBugs{
9164 InvalidECDHPoint: true,
9165 },
9166 },
9167 shouldFail: true,
9168 expectedError: ":INVALID_ENCODING:",
9169 })
9170 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9171 name: "InvalidECDHPoint-Client-TLS13",
9172 config: Config{
9173 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9174 CurvePreferences: []CurveID{CurveP256},
9175 Bugs: ProtocolBugs{
9176 InvalidECDHPoint: true,
9177 },
9178 },
9179 shouldFail: true,
9180 expectedError: ":INVALID_ENCODING:",
9181 })
9182 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9183 testType: serverTest,
9184 name: "InvalidECDHPoint-Server",
9185 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]9186 MaxVersion: VersionTLS12,
9187 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9188 CurvePreferences: []CurveID{CurveP256},
9189 Bugs: ProtocolBugs{
9190 InvalidECDHPoint: true,
9191 },
9192 },
9193 shouldFail: true,
9194 expectedError: ":INVALID_ENCODING:",
9195 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9196 testCases = append(testCases, testCase{
9197 testType: serverTest,
9198 name: "InvalidECDHPoint-Server-TLS13",
9199 config: Config{
9200 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9201 CurvePreferences: []CurveID{CurveP256},
9202 Bugs: ProtocolBugs{
9203 InvalidECDHPoint: true,
9204 },
9205 },
9206 shouldFail: true,
9207 expectedError: ":INVALID_ENCODING:",
9208 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]9209
9210 // The previous curve ID should be reported on TLS 1.2 resumption.
9211 testCases = append(testCases, testCase{
9212 name: "CurveID-Resume-Client",
9213 config: Config{
9214 MaxVersion: VersionTLS12,
9215 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9216 CurvePreferences: []CurveID{CurveX25519},
9217 },
9218 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
9219 resumeSession: true,
9220 })
9221 testCases = append(testCases, testCase{
9222 testType: serverTest,
9223 name: "CurveID-Resume-Server",
9224 config: Config{
9225 MaxVersion: VersionTLS12,
9226 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9227 CurvePreferences: []CurveID{CurveX25519},
9228 },
9229 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
9230 resumeSession: true,
9231 })
9232
9233 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
9234 // one should be reported.
9235 testCases = append(testCases, testCase{
9236 name: "CurveID-Resume-Client-TLS13",
9237 config: Config{
9238 MaxVersion: VersionTLS13,
9239 CurvePreferences: []CurveID{CurveX25519},
9240 },
9241 resumeConfig: &Config{
9242 MaxVersion: VersionTLS13,
9243 CurvePreferences: []CurveID{CurveP256},
9244 },
9245 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]9246 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
9247 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]9248 },
9249 resumeSession: true,
9250 })
9251 testCases = append(testCases, testCase{
9252 testType: serverTest,
9253 name: "CurveID-Resume-Server-TLS13",
9254 config: Config{
9255 MaxVersion: VersionTLS13,
9256 CurvePreferences: []CurveID{CurveX25519},
9257 },
9258 resumeConfig: &Config{
9259 MaxVersion: VersionTLS13,
9260 CurvePreferences: []CurveID{CurveP256},
9261 },
9262 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]9263 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
9264 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]9265 },
9266 resumeSession: true,
9267 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]9268
9269 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
9270 testCases = append(testCases, testCase{
9271 name: "PointFormat-ServerHello-TLS12",
9272 config: Config{
9273 MaxVersion: VersionTLS12,
9274 Bugs: ProtocolBugs{
9275 SendSupportedPointFormats: []byte{pointFormatUncompressed},
9276 },
9277 },
9278 })
9279 testCases = append(testCases, testCase{
9280 name: "PointFormat-EncryptedExtensions-TLS13",
9281 config: Config{
9282 MaxVersion: VersionTLS13,
9283 Bugs: ProtocolBugs{
9284 SendSupportedPointFormats: []byte{pointFormatUncompressed},
9285 },
9286 },
9287 shouldFail: true,
9288 expectedError: ":ERROR_PARSING_EXTENSION:",
9289 })
9290
9291 // Test that we tolerate unknown point formats, as long as
9292 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
9293 // check they are still functional.
9294 testCases = append(testCases, testCase{
9295 name: "PointFormat-Client-Tolerance",
9296 config: Config{
9297 MaxVersion: VersionTLS12,
9298 Bugs: ProtocolBugs{
9299 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
9300 },
9301 },
9302 })
9303 testCases = append(testCases, testCase{
9304 testType: serverTest,
9305 name: "PointFormat-Server-Tolerance",
9306 config: Config{
9307 MaxVersion: VersionTLS12,
9308 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
9309 Bugs: ProtocolBugs{
9310 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
9311 },
9312 },
9313 })
9314
9315 // Test TLS 1.2 does not require the point format extension to be
9316 // present.
9317 testCases = append(testCases, testCase{
9318 name: "PointFormat-Client-Missing",
9319 config: Config{
9320 MaxVersion: VersionTLS12,
9321 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
9322 Bugs: ProtocolBugs{
9323 SendSupportedPointFormats: []byte{},
9324 },
9325 },
9326 })
9327 testCases = append(testCases, testCase{
9328 testType: serverTest,
9329 name: "PointFormat-Server-Missing",
9330 config: Config{
9331 MaxVersion: VersionTLS12,
9332 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
9333 Bugs: ProtocolBugs{
9334 SendSupportedPointFormats: []byte{},
9335 },
9336 },
9337 })
9338
9339 // If the point format extension is present, uncompressed points must be
9340 // offered. BoringSSL requires this whether or not ECDHE is used.
9341 testCases = append(testCases, testCase{
9342 name: "PointFormat-Client-MissingUncompressed",
9343 config: Config{
9344 MaxVersion: VersionTLS12,
9345 Bugs: ProtocolBugs{
9346 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
9347 },
9348 },
9349 shouldFail: true,
9350 expectedError: ":ERROR_PARSING_EXTENSION:",
9351 })
9352 testCases = append(testCases, testCase{
9353 testType: serverTest,
9354 name: "PointFormat-Server-MissingUncompressed",
9355 config: Config{
9356 MaxVersion: VersionTLS12,
9357 Bugs: ProtocolBugs{
9358 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
9359 },
9360 },
9361 shouldFail: true,
9362 expectedError: ":ERROR_PARSING_EXTENSION:",
9363 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]9364}
9365
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]9366func addTLS13RecordTests() {
9367 testCases = append(testCases, testCase{
9368 name: "TLS13-RecordPadding",
9369 config: Config{
9370 MaxVersion: VersionTLS13,
9371 MinVersion: VersionTLS13,
9372 Bugs: ProtocolBugs{
9373 RecordPadding: 10,
9374 },
9375 },
9376 })
9377
9378 testCases = append(testCases, testCase{
9379 name: "TLS13-EmptyRecords",
9380 config: Config{
9381 MaxVersion: VersionTLS13,
9382 MinVersion: VersionTLS13,
9383 Bugs: ProtocolBugs{
9384 OmitRecordContents: true,
9385 },
9386 },
9387 shouldFail: true,
9388 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9389 })
9390
9391 testCases = append(testCases, testCase{
9392 name: "TLS13-OnlyPadding",
9393 config: Config{
9394 MaxVersion: VersionTLS13,
9395 MinVersion: VersionTLS13,
9396 Bugs: ProtocolBugs{
9397 OmitRecordContents: true,
9398 RecordPadding: 10,
9399 },
9400 },
9401 shouldFail: true,
9402 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9403 })
9404
9405 testCases = append(testCases, testCase{
9406 name: "TLS13-WrongOuterRecord",
9407 config: Config{
9408 MaxVersion: VersionTLS13,
9409 MinVersion: VersionTLS13,
9410 Bugs: ProtocolBugs{
9411 OuterRecordType: recordTypeHandshake,
9412 },
9413 },
9414 shouldFail: true,
9415 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
9416 })
9417}
9418
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9419func addSessionTicketTests() {
9420 testCases = append(testCases, testCase{
9421 // In TLS 1.2 and below, empty NewSessionTicket messages
9422 // mean the server changed its mind on sending a ticket.
9423 name: "SendEmptySessionTicket",
9424 config: Config{
9425 MaxVersion: VersionTLS12,
9426 Bugs: ProtocolBugs{
9427 SendEmptySessionTicket: true,
9428 },
9429 },
9430 flags: []string{"-expect-no-session"},
9431 })
9432
9433 // Test that the server ignores unknown PSK modes.
9434 testCases = append(testCases, testCase{
9435 testType: serverTest,
9436 name: "TLS13-SendUnknownModeSessionTicket-Server",
9437 config: Config{
9438 MaxVersion: VersionTLS13,
9439 Bugs: ProtocolBugs{
9440 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9441 },
9442 },
9443 resumeSession: true,
9444 expectedResumeVersion: VersionTLS13,
9445 })
9446
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9447 // Test that the server does not send session tickets with no matching key exchange mode.
9448 testCases = append(testCases, testCase{
9449 testType: serverTest,
9450 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
9451 config: Config{
9452 MaxVersion: VersionTLS13,
9453 Bugs: ProtocolBugs{
9454 SendPSKKeyExchangeModes: []byte{0x1a},
9455 ExpectNoNewSessionTicket: true,
9456 },
9457 },
9458 })
9459
9460 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9461 testCases = append(testCases, testCase{
9462 testType: serverTest,
9463 name: "TLS13-SendBadKEModeSessionTicket-Server",
9464 config: Config{
9465 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9466 },
9467 resumeConfig: &Config{
9468 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9469 Bugs: ProtocolBugs{
9470 SendPSKKeyExchangeModes: []byte{0x1a},
9471 },
9472 },
9473 resumeSession: true,
9474 expectResumeRejected: true,
9475 })
9476
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9477 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9478 testCases = append(testCases, testCase{
9479 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9480 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9481 config: Config{
9482 MaxVersion: VersionTLS13,
9483 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9484 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9485 },
9486 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9487 resumeSession: true,
9488 flags: []string{
9489 "-resumption-delay", "10",
9490 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9491 })
9492
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9493 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9494 testCases = append(testCases, testCase{
9495 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9496 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9497 config: Config{
9498 MaxVersion: VersionTLS13,
9499 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9500 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9501 },
9502 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]9503 resumeSession: true,
9504 shouldFail: true,
9505 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9506 })
9507
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]9508 // Test that the server's ticket age skew reporting works.
9509 testCases = append(testCases, testCase{
9510 testType: serverTest,
9511 name: "TLS13-TicketAgeSkew-Forward",
9512 config: Config{
9513 MaxVersion: VersionTLS13,
9514 Bugs: ProtocolBugs{
9515 SendTicketAge: 15 * time.Second,
9516 },
9517 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]9518 resumeSession: true,
9519 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]9520 flags: []string{
9521 "-resumption-delay", "10",
9522 "-expect-ticket-age-skew", "5",
9523 },
9524 })
9525 testCases = append(testCases, testCase{
9526 testType: serverTest,
9527 name: "TLS13-TicketAgeSkew-Backward",
9528 config: Config{
9529 MaxVersion: VersionTLS13,
9530 Bugs: ProtocolBugs{
9531 SendTicketAge: 5 * time.Second,
9532 },
9533 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]9534 resumeSession: true,
9535 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]9536 flags: []string{
9537 "-resumption-delay", "10",
9538 "-expect-ticket-age-skew", "-5",
9539 },
9540 })
9541
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9542 testCases = append(testCases, testCase{
9543 testType: clientTest,
9544 name: "TLS13-SendTicketEarlyDataInfo",
9545 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9546 MaxVersion: VersionTLS13,
9547 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9548 },
9549 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9550 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9551 "-expect-early-data-info",
9552 },
9553 })
9554
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9555 // Test that 0-RTT tickets are ignored in clients unless opted in.
9556 testCases = append(testCases, testCase{
9557 testType: clientTest,
9558 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
9559 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9560 MaxVersion: VersionTLS13,
9561 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]9562 },
9563 })
9564
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9565 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9566 testType: clientTest,
9567 name: "TLS13-DuplicateTicketEarlyDataInfo",
9568 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]9569 MaxVersion: VersionTLS13,
9570 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9571 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]9572 DuplicateTicketEarlyDataInfo: true,
9573 },
9574 },
9575 shouldFail: true,
9576 expectedError: ":DUPLICATE_EXTENSION:",
9577 expectedLocalError: "remote error: illegal parameter",
9578 })
9579
9580 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]9581 testType: serverTest,
9582 name: "TLS13-ExpectTicketEarlyDataInfo",
9583 config: Config{
9584 MaxVersion: VersionTLS13,
9585 Bugs: ProtocolBugs{
9586 ExpectTicketEarlyDataInfo: true,
9587 },
9588 },
9589 flags: []string{
9590 "-enable-early-data",
9591 },
9592 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9593
9594 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9595 // is honored.
9596 testCases = append(testCases, testCase{
9597 testType: clientTest,
9598 name: "TLS13-HonorServerSessionTicketLifetime",
9599 config: Config{
9600 MaxVersion: VersionTLS13,
9601 Bugs: ProtocolBugs{
9602 SendTicketLifetime: 20 * time.Second,
9603 },
9604 },
9605 flags: []string{
9606 "-resumption-delay", "19",
9607 },
9608 resumeSession: true,
9609 })
9610 testCases = append(testCases, testCase{
9611 testType: clientTest,
9612 name: "TLS13-HonorServerSessionTicketLifetime-2",
9613 config: Config{
9614 MaxVersion: VersionTLS13,
9615 Bugs: ProtocolBugs{
9616 SendTicketLifetime: 20 * time.Second,
9617 // The client should not offer the expired session.
9618 ExpectNoTLS13PSK: true,
9619 },
9620 },
9621 flags: []string{
9622 "-resumption-delay", "21",
9623 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9624 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9625 expectResumeRejected: true,
9626 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9627}
9628
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9629func addChangeCipherSpecTests() {
9630 // Test missing ChangeCipherSpecs.
9631 testCases = append(testCases, testCase{
9632 name: "SkipChangeCipherSpec-Client",
9633 config: Config{
9634 MaxVersion: VersionTLS12,
9635 Bugs: ProtocolBugs{
9636 SkipChangeCipherSpec: true,
9637 },
9638 },
9639 shouldFail: true,
9640 expectedError: ":UNEXPECTED_RECORD:",
9641 })
9642 testCases = append(testCases, testCase{
9643 testType: serverTest,
9644 name: "SkipChangeCipherSpec-Server",
9645 config: Config{
9646 MaxVersion: VersionTLS12,
9647 Bugs: ProtocolBugs{
9648 SkipChangeCipherSpec: true,
9649 },
9650 },
9651 shouldFail: true,
9652 expectedError: ":UNEXPECTED_RECORD:",
9653 })
9654 testCases = append(testCases, testCase{
9655 testType: serverTest,
9656 name: "SkipChangeCipherSpec-Server-NPN",
9657 config: Config{
9658 MaxVersion: VersionTLS12,
9659 NextProtos: []string{"bar"},
9660 Bugs: ProtocolBugs{
9661 SkipChangeCipherSpec: true,
9662 },
9663 },
9664 flags: []string{
9665 "-advertise-npn", "\x03foo\x03bar\x03baz",
9666 },
9667 shouldFail: true,
9668 expectedError: ":UNEXPECTED_RECORD:",
9669 })
9670
9671 // Test synchronization between the handshake and ChangeCipherSpec.
9672 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9673 // rejected. Test both with and without handshake packing to handle both
9674 // when the partial post-CCS message is in its own record and when it is
9675 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9676 for _, packed := range []bool{false, true} {
9677 var suffix string
9678 if packed {
9679 suffix = "-Packed"
9680 }
9681
9682 testCases = append(testCases, testCase{
9683 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9684 config: Config{
9685 MaxVersion: VersionTLS12,
9686 Bugs: ProtocolBugs{
9687 FragmentAcrossChangeCipherSpec: true,
9688 PackHandshakeFlight: packed,
9689 },
9690 },
9691 shouldFail: true,
9692 expectedError: ":UNEXPECTED_RECORD:",
9693 })
9694 testCases = append(testCases, testCase{
9695 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9696 config: Config{
9697 MaxVersion: VersionTLS12,
9698 },
9699 resumeSession: true,
9700 resumeConfig: &Config{
9701 MaxVersion: VersionTLS12,
9702 Bugs: ProtocolBugs{
9703 FragmentAcrossChangeCipherSpec: true,
9704 PackHandshakeFlight: packed,
9705 },
9706 },
9707 shouldFail: true,
9708 expectedError: ":UNEXPECTED_RECORD:",
9709 })
9710 testCases = append(testCases, testCase{
9711 testType: serverTest,
9712 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9713 config: Config{
9714 MaxVersion: VersionTLS12,
9715 Bugs: ProtocolBugs{
9716 FragmentAcrossChangeCipherSpec: true,
9717 PackHandshakeFlight: packed,
9718 },
9719 },
9720 shouldFail: true,
9721 expectedError: ":UNEXPECTED_RECORD:",
9722 })
9723 testCases = append(testCases, testCase{
9724 testType: serverTest,
9725 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9726 config: Config{
9727 MaxVersion: VersionTLS12,
9728 },
9729 resumeSession: true,
9730 resumeConfig: &Config{
9731 MaxVersion: VersionTLS12,
9732 Bugs: ProtocolBugs{
9733 FragmentAcrossChangeCipherSpec: true,
9734 PackHandshakeFlight: packed,
9735 },
9736 },
9737 shouldFail: true,
9738 expectedError: ":UNEXPECTED_RECORD:",
9739 })
9740 testCases = append(testCases, testCase{
9741 testType: serverTest,
9742 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9743 config: Config{
9744 MaxVersion: VersionTLS12,
9745 NextProtos: []string{"bar"},
9746 Bugs: ProtocolBugs{
9747 FragmentAcrossChangeCipherSpec: true,
9748 PackHandshakeFlight: packed,
9749 },
9750 },
9751 flags: []string{
9752 "-advertise-npn", "\x03foo\x03bar\x03baz",
9753 },
9754 shouldFail: true,
9755 expectedError: ":UNEXPECTED_RECORD:",
9756 })
9757 }
9758
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9759 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9760 // messages in the handshake queue. Do this by testing the server
9761 // reading the client Finished, reversing the flight so Finished comes
9762 // first.
9763 testCases = append(testCases, testCase{
9764 protocol: dtls,
9765 testType: serverTest,
9766 name: "SendUnencryptedFinished-DTLS",
9767 config: Config{
9768 MaxVersion: VersionTLS12,
9769 Bugs: ProtocolBugs{
9770 SendUnencryptedFinished: true,
9771 ReverseHandshakeFragments: true,
9772 },
9773 },
9774 shouldFail: true,
9775 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9776 })
9777
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9778 // Test synchronization between encryption changes and the handshake in
9779 // TLS 1.3, where ChangeCipherSpec is implicit.
9780 testCases = append(testCases, testCase{
9781 name: "PartialEncryptedExtensionsWithServerHello",
9782 config: Config{
9783 MaxVersion: VersionTLS13,
9784 Bugs: ProtocolBugs{
9785 PartialEncryptedExtensionsWithServerHello: true,
9786 },
9787 },
9788 shouldFail: true,
9789 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9790 })
9791 testCases = append(testCases, testCase{
9792 testType: serverTest,
9793 name: "PartialClientFinishedWithClientHello",
9794 config: Config{
9795 MaxVersion: VersionTLS13,
9796 Bugs: ProtocolBugs{
9797 PartialClientFinishedWithClientHello: true,
9798 },
9799 },
9800 shouldFail: true,
9801 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9802 })
9803
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9804 // Test that early ChangeCipherSpecs are handled correctly.
9805 testCases = append(testCases, testCase{
9806 testType: serverTest,
9807 name: "EarlyChangeCipherSpec-server-1",
9808 config: Config{
9809 MaxVersion: VersionTLS12,
9810 Bugs: ProtocolBugs{
9811 EarlyChangeCipherSpec: 1,
9812 },
9813 },
9814 shouldFail: true,
9815 expectedError: ":UNEXPECTED_RECORD:",
9816 })
9817 testCases = append(testCases, testCase{
9818 testType: serverTest,
9819 name: "EarlyChangeCipherSpec-server-2",
9820 config: Config{
9821 MaxVersion: VersionTLS12,
9822 Bugs: ProtocolBugs{
9823 EarlyChangeCipherSpec: 2,
9824 },
9825 },
9826 shouldFail: true,
9827 expectedError: ":UNEXPECTED_RECORD:",
9828 })
9829 testCases = append(testCases, testCase{
9830 protocol: dtls,
9831 name: "StrayChangeCipherSpec",
9832 config: Config{
9833 // TODO(davidben): Once DTLS 1.3 exists, test
9834 // that stray ChangeCipherSpec messages are
9835 // rejected.
9836 MaxVersion: VersionTLS12,
9837 Bugs: ProtocolBugs{
9838 StrayChangeCipherSpec: true,
9839 },
9840 },
9841 })
9842
9843 // Test that the contents of ChangeCipherSpec are checked.
9844 testCases = append(testCases, testCase{
9845 name: "BadChangeCipherSpec-1",
9846 config: Config{
9847 MaxVersion: VersionTLS12,
9848 Bugs: ProtocolBugs{
9849 BadChangeCipherSpec: []byte{2},
9850 },
9851 },
9852 shouldFail: true,
9853 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9854 })
9855 testCases = append(testCases, testCase{
9856 name: "BadChangeCipherSpec-2",
9857 config: Config{
9858 MaxVersion: VersionTLS12,
9859 Bugs: ProtocolBugs{
9860 BadChangeCipherSpec: []byte{1, 1},
9861 },
9862 },
9863 shouldFail: true,
9864 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9865 })
9866 testCases = append(testCases, testCase{
9867 protocol: dtls,
9868 name: "BadChangeCipherSpec-DTLS-1",
9869 config: Config{
9870 MaxVersion: VersionTLS12,
9871 Bugs: ProtocolBugs{
9872 BadChangeCipherSpec: []byte{2},
9873 },
9874 },
9875 shouldFail: true,
9876 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9877 })
9878 testCases = append(testCases, testCase{
9879 protocol: dtls,
9880 name: "BadChangeCipherSpec-DTLS-2",
9881 config: Config{
9882 MaxVersion: VersionTLS12,
9883 Bugs: ProtocolBugs{
9884 BadChangeCipherSpec: []byte{1, 1},
9885 },
9886 },
9887 shouldFail: true,
9888 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9889 })
9890}
9891
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9892type perMessageTest struct {
9893 messageType uint8
9894 test testCase
9895}
9896
9897// makePerMessageTests returns a series of test templates which cover each
9898// message in the TLS handshake. These may be used with bugs like
9899// WrongMessageType to fully test a per-message bug.
9900func makePerMessageTests() []perMessageTest {
9901 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9902 for _, protocol := range []protocol{tls, dtls} {
9903 var suffix string
9904 if protocol == dtls {
9905 suffix = "-DTLS"
9906 }
9907
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9908 ret = append(ret, perMessageTest{
9909 messageType: typeClientHello,
9910 test: testCase{
9911 protocol: protocol,
9912 testType: serverTest,
9913 name: "ClientHello" + suffix,
9914 config: Config{
9915 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9916 },
9917 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9918 })
9919
9920 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9921 ret = append(ret, perMessageTest{
9922 messageType: typeHelloVerifyRequest,
9923 test: testCase{
9924 protocol: protocol,
9925 name: "HelloVerifyRequest" + suffix,
9926 config: Config{
9927 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9928 },
9929 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9930 })
9931 }
9932
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9933 ret = append(ret, perMessageTest{
9934 messageType: typeServerHello,
9935 test: testCase{
9936 protocol: protocol,
9937 name: "ServerHello" + suffix,
9938 config: Config{
9939 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9940 },
9941 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9942 })
9943
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9944 ret = append(ret, perMessageTest{
9945 messageType: typeCertificate,
9946 test: testCase{
9947 protocol: protocol,
9948 name: "ServerCertificate" + suffix,
9949 config: Config{
9950 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9951 },
9952 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9953 })
9954
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9955 ret = append(ret, perMessageTest{
9956 messageType: typeCertificateStatus,
9957 test: testCase{
9958 protocol: protocol,
9959 name: "CertificateStatus" + suffix,
9960 config: Config{
9961 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9962 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9963 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9964 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9965 })
9966
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9967 ret = append(ret, perMessageTest{
9968 messageType: typeServerKeyExchange,
9969 test: testCase{
9970 protocol: protocol,
9971 name: "ServerKeyExchange" + suffix,
9972 config: Config{
9973 MaxVersion: VersionTLS12,
9974 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9975 },
9976 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9977 })
9978
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9979 ret = append(ret, perMessageTest{
9980 messageType: typeCertificateRequest,
9981 test: testCase{
9982 protocol: protocol,
9983 name: "CertificateRequest" + suffix,
9984 config: Config{
9985 MaxVersion: VersionTLS12,
9986 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9987 },
9988 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9989 })
9990
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9991 ret = append(ret, perMessageTest{
9992 messageType: typeServerHelloDone,
9993 test: testCase{
9994 protocol: protocol,
9995 name: "ServerHelloDone" + suffix,
9996 config: Config{
9997 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9998 },
9999 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10000 })
10001
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10002 ret = append(ret, perMessageTest{
10003 messageType: typeCertificate,
10004 test: testCase{
10005 testType: serverTest,
10006 protocol: protocol,
10007 name: "ClientCertificate" + suffix,
10008 config: Config{
10009 Certificates: []Certificate{rsaCertificate},
10010 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10011 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10012 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10013 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10014 })
10015
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10016 ret = append(ret, perMessageTest{
10017 messageType: typeCertificateVerify,
10018 test: testCase{
10019 testType: serverTest,
10020 protocol: protocol,
10021 name: "CertificateVerify" + suffix,
10022 config: Config{
10023 Certificates: []Certificate{rsaCertificate},
10024 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10025 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10026 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10027 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10028 })
10029
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10030 ret = append(ret, perMessageTest{
10031 messageType: typeClientKeyExchange,
10032 test: testCase{
10033 testType: serverTest,
10034 protocol: protocol,
10035 name: "ClientKeyExchange" + suffix,
10036 config: Config{
10037 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10038 },
10039 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10040 })
10041
10042 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10043 ret = append(ret, perMessageTest{
10044 messageType: typeNextProtocol,
10045 test: testCase{
10046 testType: serverTest,
10047 protocol: protocol,
10048 name: "NextProtocol" + suffix,
10049 config: Config{
10050 MaxVersion: VersionTLS12,
10051 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10052 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10053 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10054 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10055 })
10056
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10057 ret = append(ret, perMessageTest{
10058 messageType: typeChannelID,
10059 test: testCase{
10060 testType: serverTest,
10061 protocol: protocol,
10062 name: "ChannelID" + suffix,
10063 config: Config{
10064 MaxVersion: VersionTLS12,
10065 ChannelID: channelIDKey,
10066 },
10067 flags: []string{
10068 "-expect-channel-id",
10069 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10070 },
10071 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10072 })
10073 }
10074
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10075 ret = append(ret, perMessageTest{
10076 messageType: typeFinished,
10077 test: testCase{
10078 testType: serverTest,
10079 protocol: protocol,
10080 name: "ClientFinished" + suffix,
10081 config: Config{
10082 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10083 },
10084 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10085 })
10086
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10087 ret = append(ret, perMessageTest{
10088 messageType: typeNewSessionTicket,
10089 test: testCase{
10090 protocol: protocol,
10091 name: "NewSessionTicket" + suffix,
10092 config: Config{
10093 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10094 },
10095 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10096 })
10097
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10098 ret = append(ret, perMessageTest{
10099 messageType: typeFinished,
10100 test: testCase{
10101 protocol: protocol,
10102 name: "ServerFinished" + suffix,
10103 config: Config{
10104 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10105 },
10106 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10107 })
10108
10109 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10110
10111 ret = append(ret, perMessageTest{
10112 messageType: typeClientHello,
10113 test: testCase{
10114 testType: serverTest,
10115 name: "TLS13-ClientHello",
10116 config: Config{
10117 MaxVersion: VersionTLS13,
10118 },
10119 },
10120 })
10121
10122 ret = append(ret, perMessageTest{
10123 messageType: typeServerHello,
10124 test: testCase{
10125 name: "TLS13-ServerHello",
10126 config: Config{
10127 MaxVersion: VersionTLS13,
10128 },
10129 },
10130 })
10131
10132 ret = append(ret, perMessageTest{
10133 messageType: typeEncryptedExtensions,
10134 test: testCase{
10135 name: "TLS13-EncryptedExtensions",
10136 config: Config{
10137 MaxVersion: VersionTLS13,
10138 },
10139 },
10140 })
10141
10142 ret = append(ret, perMessageTest{
10143 messageType: typeCertificateRequest,
10144 test: testCase{
10145 name: "TLS13-CertificateRequest",
10146 config: Config{
10147 MaxVersion: VersionTLS13,
10148 ClientAuth: RequireAnyClientCert,
10149 },
10150 },
10151 })
10152
10153 ret = append(ret, perMessageTest{
10154 messageType: typeCertificate,
10155 test: testCase{
10156 name: "TLS13-ServerCertificate",
10157 config: Config{
10158 MaxVersion: VersionTLS13,
10159 },
10160 },
10161 })
10162
10163 ret = append(ret, perMessageTest{
10164 messageType: typeCertificateVerify,
10165 test: testCase{
10166 name: "TLS13-ServerCertificateVerify",
10167 config: Config{
10168 MaxVersion: VersionTLS13,
10169 },
10170 },
10171 })
10172
10173 ret = append(ret, perMessageTest{
10174 messageType: typeFinished,
10175 test: testCase{
10176 name: "TLS13-ServerFinished",
10177 config: Config{
10178 MaxVersion: VersionTLS13,
10179 },
10180 },
10181 })
10182
10183 ret = append(ret, perMessageTest{
10184 messageType: typeCertificate,
10185 test: testCase{
10186 testType: serverTest,
10187 name: "TLS13-ClientCertificate",
10188 config: Config{
10189 Certificates: []Certificate{rsaCertificate},
10190 MaxVersion: VersionTLS13,
10191 },
10192 flags: []string{"-require-any-client-certificate"},
10193 },
10194 })
10195
10196 ret = append(ret, perMessageTest{
10197 messageType: typeCertificateVerify,
10198 test: testCase{
10199 testType: serverTest,
10200 name: "TLS13-ClientCertificateVerify",
10201 config: Config{
10202 Certificates: []Certificate{rsaCertificate},
10203 MaxVersion: VersionTLS13,
10204 },
10205 flags: []string{"-require-any-client-certificate"},
10206 },
10207 })
10208
10209 ret = append(ret, perMessageTest{
10210 messageType: typeFinished,
10211 test: testCase{
10212 testType: serverTest,
10213 name: "TLS13-ClientFinished",
10214 config: Config{
10215 MaxVersion: VersionTLS13,
10216 },
10217 },
10218 })
10219
10220 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10221}
10222
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10223func addWrongMessageTypeTests() {
10224 for _, t := range makePerMessageTests() {
10225 t.test.name = "WrongMessageType-" + t.test.name
10226 t.test.config.Bugs.SendWrongMessageType = t.messageType
10227 t.test.shouldFail = true
10228 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
10229 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10230
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10231 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
10232 // In TLS 1.3, a bad ServerHello means the client sends
10233 // an unencrypted alert while the server expects
10234 // encryption, so the alert is not readable by runner.
10235 t.test.expectedLocalError = "local error: bad record MAC"
10236 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10237
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]10238 testCases = append(testCases, t.test)
10239 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]10240
10241 // The processing order for TLS 1.3 version negotiation is such that one
10242 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
10243 // TLS 1.2. Test that we do not do this.
10244 testCases = append(testCases, testCase{
10245 name: "SendServerHelloAsHelloRetryRequest",
10246 config: Config{
10247 MaxVersion: VersionTLS12,
10248 Bugs: ProtocolBugs{
10249 SendServerHelloAsHelloRetryRequest: true,
10250 },
10251 },
10252 shouldFail: true,
10253 expectedError: ":UNEXPECTED_MESSAGE:",
10254 expectedLocalError: "remote error: unexpected message",
10255 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10256}
10257
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10258func addTrailingMessageDataTests() {
10259 for _, t := range makePerMessageTests() {
10260 t.test.name = "TrailingMessageData-" + t.test.name
10261 t.test.config.Bugs.SendTrailingMessageData = t.messageType
10262 t.test.shouldFail = true
10263 t.test.expectedError = ":DECODE_ERROR:"
10264 t.test.expectedLocalError = "remote error: error decoding message"
10265
10266 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
10267 // In TLS 1.3, a bad ServerHello means the client sends
10268 // an unencrypted alert while the server expects
10269 // encryption, so the alert is not readable by runner.
10270 t.test.expectedLocalError = "local error: bad record MAC"
10271 }
10272
10273 if t.messageType == typeFinished {
10274 // Bad Finished messages read as the verify data having
10275 // the wrong length.
10276 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
10277 t.test.expectedLocalError = "remote error: error decrypting message"
10278 }
10279
10280 testCases = append(testCases, t.test)
10281 }
10282}
10283
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10284func addTLS13HandshakeTests() {
10285 testCases = append(testCases, testCase{
10286 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]10287 name: "NegotiatePSKResumption-TLS13",
10288 config: Config{
10289 MaxVersion: VersionTLS13,
10290 Bugs: ProtocolBugs{
10291 NegotiatePSKResumption: true,
10292 },
10293 },
10294 resumeSession: true,
10295 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]10296 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]10297 })
10298
10299 testCases = append(testCases, testCase{
10300 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10301 name: "MissingKeyShare-Client",
10302 config: Config{
10303 MaxVersion: VersionTLS13,
10304 Bugs: ProtocolBugs{
10305 MissingKeyShare: true,
10306 },
10307 },
10308 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]10309 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10310 })
10311
10312 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10313 testType: serverTest,
10314 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10315 config: Config{
10316 MaxVersion: VersionTLS13,
10317 Bugs: ProtocolBugs{
10318 MissingKeyShare: true,
10319 },
10320 },
10321 shouldFail: true,
10322 expectedError: ":MISSING_KEY_SHARE:",
10323 })
10324
10325 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10326 testType: serverTest,
10327 name: "DuplicateKeyShares",
10328 config: Config{
10329 MaxVersion: VersionTLS13,
10330 Bugs: ProtocolBugs{
10331 DuplicateKeyShares: true,
10332 },
10333 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10334 shouldFail: true,
10335 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10336 })
10337
10338 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10339 testType: serverTest,
10340 name: "SkipEarlyData",
10341 config: Config{
10342 MaxVersion: VersionTLS13,
10343 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10344 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10345 },
10346 },
10347 })
10348
10349 testCases = append(testCases, testCase{
10350 testType: serverTest,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]10351 name: "SkipEarlyData-Experiment",
10352 config: Config{
10353 MaxVersion: VersionTLS13,
10354 TLS13Variant: TLS13Experiment,
10355 Bugs: ProtocolBugs{
10356 SendFakeEarlyDataLength: 4,
10357 },
10358 },
10359 flags: []string{"-tls13-variant", "1"},
10360 })
10361
10362 testCases = append(testCases, testCase{
10363 testType: serverTest,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10364 name: "SkipEarlyData-OmitEarlyDataExtension",
10365 config: Config{
10366 MaxVersion: VersionTLS13,
10367 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10368 SendFakeEarlyDataLength: 4,
10369 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10370 },
10371 },
10372 shouldFail: true,
10373 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
10374 })
10375
10376 testCases = append(testCases, testCase{
10377 testType: serverTest,
10378 name: "SkipEarlyData-TooMuchData",
10379 config: Config{
10380 MaxVersion: VersionTLS13,
10381 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10382 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10383 },
10384 },
10385 shouldFail: true,
10386 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
10387 })
10388
10389 testCases = append(testCases, testCase{
10390 testType: serverTest,
10391 name: "SkipEarlyData-Interleaved",
10392 config: Config{
10393 MaxVersion: VersionTLS13,
10394 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10395 SendFakeEarlyDataLength: 4,
10396 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10397 },
10398 },
10399 shouldFail: true,
10400 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
10401 })
10402
10403 testCases = append(testCases, testCase{
10404 testType: serverTest,
10405 name: "SkipEarlyData-EarlyDataInTLS12",
10406 config: Config{
10407 MaxVersion: VersionTLS13,
10408 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10409 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10410 },
10411 },
10412 shouldFail: true,
10413 expectedError: ":UNEXPECTED_RECORD:",
10414 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
10415 })
10416
10417 testCases = append(testCases, testCase{
10418 testType: serverTest,
10419 name: "SkipEarlyData-HRR",
10420 config: Config{
10421 MaxVersion: VersionTLS13,
10422 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10423 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10424 },
10425 DefaultCurves: []CurveID{},
10426 },
10427 })
10428
10429 testCases = append(testCases, testCase{
10430 testType: serverTest,
10431 name: "SkipEarlyData-HRR-Interleaved",
10432 config: Config{
10433 MaxVersion: VersionTLS13,
10434 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10435 SendFakeEarlyDataLength: 4,
10436 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10437 },
10438 DefaultCurves: []CurveID{},
10439 },
10440 shouldFail: true,
10441 expectedError: ":UNEXPECTED_RECORD:",
10442 })
10443
10444 testCases = append(testCases, testCase{
10445 testType: serverTest,
10446 name: "SkipEarlyData-HRR-TooMuchData",
10447 config: Config{
10448 MaxVersion: VersionTLS13,
10449 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10450 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10451 },
10452 DefaultCurves: []CurveID{},
10453 },
10454 shouldFail: true,
10455 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
10456 })
10457
10458 // Test that skipping early data looking for cleartext correctly
10459 // processes an alert record.
10460 testCases = append(testCases, testCase{
10461 testType: serverTest,
10462 name: "SkipEarlyData-HRR-FatalAlert",
10463 config: Config{
10464 MaxVersion: VersionTLS13,
10465 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]10466 SendEarlyAlert: true,
10467 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]10468 },
10469 DefaultCurves: []CurveID{},
10470 },
10471 shouldFail: true,
10472 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
10473 })
10474
10475 testCases = append(testCases, testCase{
10476 testType: serverTest,
10477 name: "SkipEarlyData-SecondClientHelloEarlyData",
10478 config: Config{
10479 MaxVersion: VersionTLS13,
10480 Bugs: ProtocolBugs{
10481 SendEarlyDataOnSecondClientHello: true,
10482 },
10483 DefaultCurves: []CurveID{},
10484 },
10485 shouldFail: true,
10486 expectedLocalError: "remote error: bad record MAC",
10487 })
10488
10489 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10490 testType: clientTest,
10491 name: "EmptyEncryptedExtensions",
10492 config: Config{
10493 MaxVersion: VersionTLS13,
10494 Bugs: ProtocolBugs{
10495 EmptyEncryptedExtensions: true,
10496 },
10497 },
10498 shouldFail: true,
10499 expectedLocalError: "remote error: error decoding message",
10500 })
10501
10502 testCases = append(testCases, testCase{
10503 testType: clientTest,
10504 name: "EncryptedExtensionsWithKeyShare",
10505 config: Config{
10506 MaxVersion: VersionTLS13,
10507 Bugs: ProtocolBugs{
10508 EncryptedExtensionsWithKeyShare: true,
10509 },
10510 },
10511 shouldFail: true,
10512 expectedLocalError: "remote error: unsupported extension",
10513 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10514
10515 testCases = append(testCases, testCase{
10516 testType: serverTest,
10517 name: "SendHelloRetryRequest",
10518 config: Config{
10519 MaxVersion: VersionTLS13,
10520 // Require a HelloRetryRequest for every curve.
10521 DefaultCurves: []CurveID{},
10522 },
10523 expectedCurveID: CurveX25519,
10524 })
10525
10526 testCases = append(testCases, testCase{
10527 testType: serverTest,
10528 name: "SendHelloRetryRequest-2",
10529 config: Config{
10530 MaxVersion: VersionTLS13,
10531 DefaultCurves: []CurveID{CurveP384},
10532 },
10533 // Although the ClientHello did not predict our preferred curve,
10534 // we always select it whether it is predicted or not.
10535 expectedCurveID: CurveX25519,
10536 })
10537
10538 testCases = append(testCases, testCase{
10539 name: "UnknownCurve-HelloRetryRequest",
10540 config: Config{
10541 MaxVersion: VersionTLS13,
10542 // P-384 requires HelloRetryRequest in BoringSSL.
10543 CurvePreferences: []CurveID{CurveP384},
10544 Bugs: ProtocolBugs{
10545 SendHelloRetryRequestCurve: bogusCurve,
10546 },
10547 },
10548 shouldFail: true,
10549 expectedError: ":WRONG_CURVE:",
10550 })
10551
10552 testCases = append(testCases, testCase{
10553 name: "DisabledCurve-HelloRetryRequest",
10554 config: Config{
10555 MaxVersion: VersionTLS13,
10556 CurvePreferences: []CurveID{CurveP256},
10557 Bugs: ProtocolBugs{
10558 IgnorePeerCurvePreferences: true,
10559 },
10560 },
10561 flags: []string{"-p384-only"},
10562 shouldFail: true,
10563 expectedError: ":WRONG_CURVE:",
10564 })
10565
10566 testCases = append(testCases, testCase{
10567 name: "UnnecessaryHelloRetryRequest",
10568 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10569 MaxVersion: VersionTLS13,
10570 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10571 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10572 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10573 },
10574 },
10575 shouldFail: true,
10576 expectedError: ":WRONG_CURVE:",
10577 })
10578
10579 testCases = append(testCases, testCase{
10580 name: "SecondHelloRetryRequest",
10581 config: Config{
10582 MaxVersion: VersionTLS13,
10583 // P-384 requires HelloRetryRequest in BoringSSL.
10584 CurvePreferences: []CurveID{CurveP384},
10585 Bugs: ProtocolBugs{
10586 SecondHelloRetryRequest: true,
10587 },
10588 },
10589 shouldFail: true,
10590 expectedError: ":UNEXPECTED_MESSAGE:",
10591 })
10592
10593 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]10594 name: "HelloRetryRequest-Empty",
10595 config: Config{
10596 MaxVersion: VersionTLS13,
10597 Bugs: ProtocolBugs{
10598 AlwaysSendHelloRetryRequest: true,
10599 },
10600 },
10601 shouldFail: true,
10602 expectedError: ":DECODE_ERROR:",
10603 })
10604
10605 testCases = append(testCases, testCase{
10606 name: "HelloRetryRequest-DuplicateCurve",
10607 config: Config{
10608 MaxVersion: VersionTLS13,
10609 // P-384 requires a HelloRetryRequest against BoringSSL's default
10610 // configuration. Assert this ExpectMissingKeyShare.
10611 CurvePreferences: []CurveID{CurveP384},
10612 Bugs: ProtocolBugs{
10613 ExpectMissingKeyShare: true,
10614 DuplicateHelloRetryRequestExtensions: true,
10615 },
10616 },
10617 shouldFail: true,
10618 expectedError: ":DUPLICATE_EXTENSION:",
10619 expectedLocalError: "remote error: illegal parameter",
10620 })
10621
10622 testCases = append(testCases, testCase{
10623 name: "HelloRetryRequest-Cookie",
10624 config: Config{
10625 MaxVersion: VersionTLS13,
10626 Bugs: ProtocolBugs{
10627 SendHelloRetryRequestCookie: []byte("cookie"),
10628 },
10629 },
10630 })
10631
10632 testCases = append(testCases, testCase{
10633 name: "HelloRetryRequest-DuplicateCookie",
10634 config: Config{
10635 MaxVersion: VersionTLS13,
10636 Bugs: ProtocolBugs{
10637 SendHelloRetryRequestCookie: []byte("cookie"),
10638 DuplicateHelloRetryRequestExtensions: true,
10639 },
10640 },
10641 shouldFail: true,
10642 expectedError: ":DUPLICATE_EXTENSION:",
10643 expectedLocalError: "remote error: illegal parameter",
10644 })
10645
10646 testCases = append(testCases, testCase{
10647 name: "HelloRetryRequest-EmptyCookie",
10648 config: Config{
10649 MaxVersion: VersionTLS13,
10650 Bugs: ProtocolBugs{
10651 SendHelloRetryRequestCookie: []byte{},
10652 },
10653 },
10654 shouldFail: true,
10655 expectedError: ":DECODE_ERROR:",
10656 })
10657
10658 testCases = append(testCases, testCase{
10659 name: "HelloRetryRequest-Cookie-Curve",
10660 config: Config{
10661 MaxVersion: VersionTLS13,
10662 // P-384 requires HelloRetryRequest in BoringSSL.
10663 CurvePreferences: []CurveID{CurveP384},
10664 Bugs: ProtocolBugs{
10665 SendHelloRetryRequestCookie: []byte("cookie"),
10666 ExpectMissingKeyShare: true,
10667 },
10668 },
10669 })
10670
10671 testCases = append(testCases, testCase{
10672 name: "HelloRetryRequest-Unknown",
10673 config: Config{
10674 MaxVersion: VersionTLS13,
10675 Bugs: ProtocolBugs{
10676 CustomHelloRetryRequestExtension: "extension",
10677 },
10678 },
10679 shouldFail: true,
10680 expectedError: ":UNEXPECTED_EXTENSION:",
10681 expectedLocalError: "remote error: unsupported extension",
10682 })
10683
10684 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10685 testType: serverTest,
10686 name: "SecondClientHelloMissingKeyShare",
10687 config: Config{
10688 MaxVersion: VersionTLS13,
10689 DefaultCurves: []CurveID{},
10690 Bugs: ProtocolBugs{
10691 SecondClientHelloMissingKeyShare: true,
10692 },
10693 },
10694 shouldFail: true,
10695 expectedError: ":MISSING_KEY_SHARE:",
10696 })
10697
10698 testCases = append(testCases, testCase{
10699 testType: serverTest,
10700 name: "SecondClientHelloWrongCurve",
10701 config: Config{
10702 MaxVersion: VersionTLS13,
10703 DefaultCurves: []CurveID{},
10704 Bugs: ProtocolBugs{
10705 MisinterpretHelloRetryRequestCurve: CurveP521,
10706 },
10707 },
10708 shouldFail: true,
10709 expectedError: ":WRONG_CURVE:",
10710 })
10711
10712 testCases = append(testCases, testCase{
10713 name: "HelloRetryRequestVersionMismatch",
10714 config: Config{
10715 MaxVersion: VersionTLS13,
10716 // P-384 requires HelloRetryRequest in BoringSSL.
10717 CurvePreferences: []CurveID{CurveP384},
10718 Bugs: ProtocolBugs{
10719 SendServerHelloVersion: 0x0305,
10720 },
10721 },
10722 shouldFail: true,
10723 expectedError: ":WRONG_VERSION_NUMBER:",
10724 })
10725
10726 testCases = append(testCases, testCase{
10727 name: "HelloRetryRequestCurveMismatch",
10728 config: Config{
10729 MaxVersion: VersionTLS13,
10730 // P-384 requires HelloRetryRequest in BoringSSL.
10731 CurvePreferences: []CurveID{CurveP384},
10732 Bugs: ProtocolBugs{
10733 // Send P-384 (correct) in the HelloRetryRequest.
10734 SendHelloRetryRequestCurve: CurveP384,
10735 // But send P-256 in the ServerHello.
10736 SendCurve: CurveP256,
10737 },
10738 },
10739 shouldFail: true,
10740 expectedError: ":WRONG_CURVE:",
10741 })
10742
10743 // Test the server selecting a curve that requires a HelloRetryRequest
10744 // without sending it.
10745 testCases = append(testCases, testCase{
10746 name: "SkipHelloRetryRequest",
10747 config: Config{
10748 MaxVersion: VersionTLS13,
10749 // P-384 requires HelloRetryRequest in BoringSSL.
10750 CurvePreferences: []CurveID{CurveP384},
10751 Bugs: ProtocolBugs{
10752 SkipHelloRetryRequest: true,
10753 },
10754 },
10755 shouldFail: true,
10756 expectedError: ":WRONG_CURVE:",
10757 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10758
10759 testCases = append(testCases, testCase{
10760 name: "TLS13-RequestContextInHandshake",
10761 config: Config{
10762 MaxVersion: VersionTLS13,
10763 MinVersion: VersionTLS13,
10764 ClientAuth: RequireAnyClientCert,
10765 Bugs: ProtocolBugs{
10766 SendRequestContext: []byte("request context"),
10767 },
10768 },
10769 flags: []string{
10770 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10771 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10772 },
10773 shouldFail: true,
10774 expectedError: ":DECODE_ERROR:",
10775 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10776
10777 testCases = append(testCases, testCase{
10778 testType: serverTest,
10779 name: "TLS13-TrailingKeyShareData",
10780 config: Config{
10781 MaxVersion: VersionTLS13,
10782 Bugs: ProtocolBugs{
10783 TrailingKeyShareData: true,
10784 },
10785 },
10786 shouldFail: true,
10787 expectedError: ":DECODE_ERROR:",
10788 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10789
10790 testCases = append(testCases, testCase{
10791 name: "TLS13-AlwaysSelectPSKIdentity",
10792 config: Config{
10793 MaxVersion: VersionTLS13,
10794 Bugs: ProtocolBugs{
10795 AlwaysSelectPSKIdentity: true,
10796 },
10797 },
10798 shouldFail: true,
10799 expectedError: ":UNEXPECTED_EXTENSION:",
10800 })
10801
10802 testCases = append(testCases, testCase{
10803 name: "TLS13-InvalidPSKIdentity",
10804 config: Config{
10805 MaxVersion: VersionTLS13,
10806 Bugs: ProtocolBugs{
10807 SelectPSKIdentityOnResume: 1,
10808 },
10809 },
10810 resumeSession: true,
10811 shouldFail: true,
10812 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10813 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10814
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10815 testCases = append(testCases, testCase{
10816 testType: serverTest,
10817 name: "TLS13-ExtraPSKIdentity",
10818 config: Config{
10819 MaxVersion: VersionTLS13,
10820 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10821 ExtraPSKIdentity: true,
10822 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10823 },
10824 },
10825 resumeSession: true,
10826 })
10827
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10828 // Test that unknown NewSessionTicket extensions are tolerated.
10829 testCases = append(testCases, testCase{
10830 name: "TLS13-CustomTicketExtension",
10831 config: Config{
10832 MaxVersion: VersionTLS13,
10833 Bugs: ProtocolBugs{
10834 CustomTicketExtension: "1234",
10835 },
10836 },
10837 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10838
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10839 testCases = append(testCases, testCase{
10840 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]10841 name: "TLS13-EarlyData-Reject-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10842 config: Config{
10843 MaxVersion: VersionTLS13,
10844 MaxEarlyDataSize: 16384,
10845 },
10846 resumeConfig: &Config{
10847 MaxVersion: VersionTLS13,
10848 MaxEarlyDataSize: 16384,
10849 Bugs: ProtocolBugs{
10850 AlwaysRejectEarlyData: true,
10851 },
10852 },
10853 resumeSession: true,
10854 flags: []string{
10855 "-enable-early-data",
10856 "-expect-early-data-info",
10857 "-expect-reject-early-data",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]10858 "-on-resume-shim-writes-first",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10859 },
10860 })
10861
10862 testCases = append(testCases, testCase{
10863 testType: clientTest,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame^]10864 name: "TLS13Experiment-EarlyData-Reject-Client",
10865 config: Config{
10866 MaxVersion: VersionTLS13,
10867 MaxEarlyDataSize: 16384,
10868 TLS13Variant: TLS13Experiment,
10869 },
10870 resumeConfig: &Config{
10871 MaxVersion: VersionTLS13,
10872 TLS13Variant: TLS13Experiment,
10873 MaxEarlyDataSize: 16384,
10874 Bugs: ProtocolBugs{
10875 AlwaysRejectEarlyData: true,
10876 },
10877 },
10878 resumeSession: true,
10879 flags: []string{
10880 "-enable-early-data",
10881 "-expect-early-data-info",
10882 "-expect-reject-early-data",
10883 "-on-resume-shim-writes-first",
10884 "-tls13-variant", "1",
10885 },
10886 })
10887
10888 testCases = append(testCases, testCase{
10889 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]10890 name: "TLS13-EarlyData-RejectTicket-Client",
10891 config: Config{
10892 MaxVersion: VersionTLS13,
10893 MaxEarlyDataSize: 16384,
10894 Certificates: []Certificate{rsaCertificate},
10895 },
10896 resumeConfig: &Config{
10897 MaxVersion: VersionTLS13,
10898 MaxEarlyDataSize: 16384,
10899 Certificates: []Certificate{ecdsaP256Certificate},
10900 SessionTicketsDisabled: true,
10901 },
10902 resumeSession: true,
10903 expectResumeRejected: true,
10904 flags: []string{
10905 "-enable-early-data",
10906 "-expect-early-data-info",
10907 "-expect-reject-early-data",
10908 "-on-resume-shim-writes-first",
10909 "-on-initial-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10910 "-on-resume-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10911 "-on-retry-expect-peer-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
10912 // Session tickets are disabled, so the runner will not send a ticket.
10913 "-on-retry-expect-no-session",
10914 },
10915 })
10916
10917 testCases = append(testCases, testCase{
10918 testType: clientTest,
10919 name: "TLS13-EarlyData-HRR-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10920 config: Config{
10921 MaxVersion: VersionTLS13,
10922 MaxEarlyDataSize: 16384,
10923 },
10924 resumeConfig: &Config{
10925 MaxVersion: VersionTLS13,
10926 MaxEarlyDataSize: 16384,
10927 Bugs: ProtocolBugs{
10928 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10929 },
10930 },
10931 resumeSession: true,
10932 flags: []string{
10933 "-enable-early-data",
10934 "-expect-early-data-info",
10935 "-expect-reject-early-data",
10936 },
10937 })
10938
10939 // The client must check the server does not send the early_data
10940 // extension while rejecting the session.
10941 testCases = append(testCases, testCase{
10942 testType: clientTest,
10943 name: "TLS13-EarlyDataWithoutResume-Client",
10944 config: Config{
10945 MaxVersion: VersionTLS13,
10946 MaxEarlyDataSize: 16384,
10947 },
10948 resumeConfig: &Config{
10949 MaxVersion: VersionTLS13,
10950 SessionTicketsDisabled: true,
10951 Bugs: ProtocolBugs{
10952 SendEarlyDataExtension: true,
10953 },
10954 },
10955 resumeSession: true,
10956 flags: []string{
10957 "-enable-early-data",
10958 "-expect-early-data-info",
10959 },
10960 shouldFail: true,
10961 expectedError: ":UNEXPECTED_EXTENSION:",
10962 })
10963
10964 // The client must fail with a dedicated error code if the server
10965 // responds with TLS 1.2 when offering 0-RTT.
10966 testCases = append(testCases, testCase{
10967 testType: clientTest,
10968 name: "TLS13-EarlyDataVersionDowngrade-Client",
10969 config: Config{
10970 MaxVersion: VersionTLS13,
10971 MaxEarlyDataSize: 16384,
10972 },
10973 resumeConfig: &Config{
10974 MaxVersion: VersionTLS12,
10975 },
10976 resumeSession: true,
10977 flags: []string{
10978 "-enable-early-data",
10979 "-expect-early-data-info",
10980 },
10981 shouldFail: true,
10982 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10983 })
10984
10985 // Test that the client rejects an (unsolicited) early_data extension if
10986 // the server sent an HRR.
10987 testCases = append(testCases, testCase{
10988 testType: clientTest,
10989 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10990 config: Config{
10991 MaxVersion: VersionTLS13,
10992 MaxEarlyDataSize: 16384,
10993 },
10994 resumeConfig: &Config{
10995 MaxVersion: VersionTLS13,
10996 MaxEarlyDataSize: 16384,
10997 Bugs: ProtocolBugs{
10998 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10999 SendEarlyDataExtension: true,
11000 },
11001 },
11002 resumeSession: true,
11003 flags: []string{
11004 "-enable-early-data",
11005 "-expect-early-data-info",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11006 "-expect-reject-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11007 },
11008 shouldFail: true,
11009 expectedError: ":UNEXPECTED_EXTENSION:",
11010 })
11011
11012 fooString := "foo"
11013 barString := "bar"
11014
11015 // Test that the client reports the correct ALPN after a 0-RTT reject
11016 // that changed it.
11017 testCases = append(testCases, testCase{
11018 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11019 name: "TLS13-EarlyData-ALPNMismatch-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11020 config: Config{
11021 MaxVersion: VersionTLS13,
11022 MaxEarlyDataSize: 16384,
11023 Bugs: ProtocolBugs{
11024 ALPNProtocol: &fooString,
11025 },
11026 },
11027 resumeConfig: &Config{
11028 MaxVersion: VersionTLS13,
11029 MaxEarlyDataSize: 16384,
11030 Bugs: ProtocolBugs{
11031 ALPNProtocol: &barString,
11032 },
11033 },
11034 resumeSession: true,
11035 flags: []string{
11036 "-advertise-alpn", "\x03foo\x03bar",
11037 "-enable-early-data",
11038 "-expect-early-data-info",
11039 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11040 "-on-initial-expect-alpn", "foo",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11041 "-on-resume-expect-alpn", "foo",
11042 "-on-retry-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11043 },
11044 })
11045
11046 // Test that the client reports the correct ALPN after a 0-RTT reject if
11047 // ALPN was omitted from the first connection.
11048 testCases = append(testCases, testCase{
11049 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11050 name: "TLS13-EarlyData-ALPNOmitted1-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11051 config: Config{
11052 MaxVersion: VersionTLS13,
11053 MaxEarlyDataSize: 16384,
11054 },
11055 resumeConfig: &Config{
11056 MaxVersion: VersionTLS13,
11057 MaxEarlyDataSize: 16384,
11058 NextProtos: []string{"foo"},
11059 },
11060 resumeSession: true,
11061 flags: []string{
11062 "-advertise-alpn", "\x03foo\x03bar",
11063 "-enable-early-data",
11064 "-expect-early-data-info",
11065 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11066 "-on-initial-expect-alpn", "",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11067 "-on-resume-expect-alpn", "",
11068 "-on-retry-expect-alpn", "foo",
11069 "-on-resume-shim-writes-first",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11070 },
11071 })
11072
11073 // Test that the client reports the correct ALPN after a 0-RTT reject if
11074 // ALPN was omitted from the second connection.
11075 testCases = append(testCases, testCase{
11076 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11077 name: "TLS13-EarlyData-ALPNOmitted2-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11078 config: Config{
11079 MaxVersion: VersionTLS13,
11080 MaxEarlyDataSize: 16384,
11081 NextProtos: []string{"foo"},
11082 },
11083 resumeConfig: &Config{
11084 MaxVersion: VersionTLS13,
11085 MaxEarlyDataSize: 16384,
11086 },
11087 resumeSession: true,
11088 flags: []string{
11089 "-advertise-alpn", "\x03foo\x03bar",
11090 "-enable-early-data",
11091 "-expect-early-data-info",
11092 "-expect-reject-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11093 "-on-initial-expect-alpn", "foo",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11094 "-on-resume-expect-alpn", "foo",
11095 "-on-retry-expect-alpn", "",
11096 "-on-resume-shim-writes-first",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11097 },
11098 })
11099
11100 // Test that the client enforces ALPN match on 0-RTT accept.
11101 testCases = append(testCases, testCase{
11102 testType: clientTest,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11103 name: "TLS13-EarlyData-BadALPNMismatch-Client",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11104 config: Config{
11105 MaxVersion: VersionTLS13,
11106 MaxEarlyDataSize: 16384,
11107 Bugs: ProtocolBugs{
11108 ALPNProtocol: &fooString,
11109 },
11110 },
11111 resumeConfig: &Config{
11112 MaxVersion: VersionTLS13,
11113 MaxEarlyDataSize: 16384,
11114 Bugs: ProtocolBugs{
11115 AlwaysAcceptEarlyData: true,
11116 ALPNProtocol: &barString,
11117 },
11118 },
11119 resumeSession: true,
11120 flags: []string{
11121 "-advertise-alpn", "\x03foo\x03bar",
11122 "-enable-early-data",
11123 "-expect-early-data-info",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11124 "-on-initial-expect-alpn", "foo",
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]11125 "-on-resume-expect-alpn", "foo",
11126 "-on-retry-expect-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11127 },
11128 shouldFail: true,
11129 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
11130 })
11131
11132 // Test that the server correctly rejects 0-RTT when the previous
11133 // session did not allow early data on resumption.
11134 testCases = append(testCases, testCase{
11135 testType: serverTest,
11136 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
11137 config: Config{
11138 MaxVersion: VersionTLS13,
11139 },
11140 resumeConfig: &Config{
11141 MaxVersion: VersionTLS13,
11142 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11143 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11144 ExpectEarlyDataAccepted: false,
11145 },
11146 },
11147 resumeSession: true,
11148 flags: []string{
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11149 "-on-resume-enable-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11150 "-expect-reject-early-data",
11151 },
11152 })
11153
11154 // Test that we reject early data where ALPN is omitted from the first
11155 // connection.
11156 testCases = append(testCases, testCase{
11157 testType: serverTest,
11158 name: "TLS13-EarlyData-ALPNOmitted1-Server",
11159 config: Config{
11160 MaxVersion: VersionTLS13,
11161 NextProtos: []string{},
11162 },
11163 resumeConfig: &Config{
11164 MaxVersion: VersionTLS13,
11165 NextProtos: []string{"foo"},
11166 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11167 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11168 ExpectEarlyDataAccepted: false,
11169 },
11170 },
11171 resumeSession: true,
11172 flags: []string{
11173 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11174 "-on-initial-select-alpn", "",
11175 "-on-resume-select-alpn", "foo",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11176 },
11177 })
11178
11179 // Test that we reject early data where ALPN is omitted from the second
11180 // connection.
11181 testCases = append(testCases, testCase{
11182 testType: serverTest,
11183 name: "TLS13-EarlyData-ALPNOmitted2-Server",
11184 config: Config{
11185 MaxVersion: VersionTLS13,
11186 NextProtos: []string{"foo"},
11187 },
11188 resumeConfig: &Config{
11189 MaxVersion: VersionTLS13,
11190 NextProtos: []string{},
11191 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11192 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11193 ExpectEarlyDataAccepted: false,
11194 },
11195 },
11196 resumeSession: true,
11197 flags: []string{
11198 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11199 "-on-initial-select-alpn", "foo",
11200 "-on-resume-select-alpn", "",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11201 },
11202 })
11203
11204 // Test that we reject early data with mismatched ALPN.
11205 testCases = append(testCases, testCase{
11206 testType: serverTest,
11207 name: "TLS13-EarlyData-ALPNMismatch-Server",
11208 config: Config{
11209 MaxVersion: VersionTLS13,
11210 NextProtos: []string{"foo"},
11211 },
11212 resumeConfig: &Config{
11213 MaxVersion: VersionTLS13,
11214 NextProtos: []string{"bar"},
11215 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11216 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11217 ExpectEarlyDataAccepted: false,
11218 },
11219 },
11220 resumeSession: true,
11221 flags: []string{
11222 "-enable-early-data",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11223 "-on-initial-select-alpn", "foo",
11224 "-on-resume-select-alpn", "bar",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]11225 },
11226 })
11227
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11228 // Test that the client offering 0-RTT and Channel ID forbids the server
11229 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]11230 testCases = append(testCases, testCase{
11231 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11232 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]11233 config: Config{
11234 MaxVersion: VersionTLS13,
11235 MaxEarlyDataSize: 16384,
11236 RequestChannelID: true,
11237 },
11238 resumeSession: true,
11239 expectChannelID: true,
11240 shouldFail: true,
11241 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
11242 flags: []string{
11243 "-enable-early-data",
11244 "-expect-early-data-info",
11245 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
11246 },
11247 })
11248
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11249 // Test that the client offering Channel ID and 0-RTT allows the server
11250 // to decline 0-RTT.
11251 testCases = append(testCases, testCase{
11252 testType: clientTest,
11253 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
11254 config: Config{
11255 MaxVersion: VersionTLS13,
11256 MaxEarlyDataSize: 16384,
11257 RequestChannelID: true,
11258 Bugs: ProtocolBugs{
11259 AlwaysRejectEarlyData: true,
11260 },
11261 },
11262 resumeSession: true,
11263 expectChannelID: true,
11264 flags: []string{
11265 "-enable-early-data",
11266 "-expect-early-data-info",
11267 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
11268 "-expect-reject-early-data",
11269 },
11270 })
11271
11272 // Test that the client offering Channel ID and 0-RTT allows the server
11273 // to decline Channel ID.
11274 testCases = append(testCases, testCase{
11275 testType: clientTest,
11276 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
11277 config: Config{
11278 MaxVersion: VersionTLS13,
11279 MaxEarlyDataSize: 16384,
11280 },
11281 resumeSession: true,
11282 flags: []string{
11283 "-enable-early-data",
11284 "-expect-early-data-info",
11285 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
11286 "-expect-accept-early-data",
11287 },
11288 })
11289
11290 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
11291 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]11292 testCases = append(testCases, testCase{
11293 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11294 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]11295 config: Config{
11296 MaxVersion: VersionTLS13,
11297 ChannelID: channelIDKey,
11298 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11299 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]11300 ExpectEarlyDataAccepted: false,
11301 },
11302 },
11303 resumeSession: true,
11304 expectChannelID: true,
11305 flags: []string{
11306 "-enable-early-data",
11307 "-expect-reject-early-data",
11308 "-expect-channel-id",
11309 base64.StdEncoding.EncodeToString(channelIDBytes),
11310 },
11311 })
11312
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]11313 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
11314 // if not offered Channel ID.
11315 testCases = append(testCases, testCase{
11316 testType: serverTest,
11317 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
11318 config: Config{
11319 MaxVersion: VersionTLS13,
11320 Bugs: ProtocolBugs{
11321 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11322 ExpectEarlyDataAccepted: true,
11323 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11324 },
11325 },
11326 resumeSession: true,
11327 expectChannelID: false,
11328 flags: []string{
11329 "-enable-early-data",
11330 "-expect-accept-early-data",
11331 "-enable-channel-id",
11332 },
11333 })
11334
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]11335 // Test that the server rejects 0-RTT streams without end_of_early_data.
11336 // The subsequent records should fail to decrypt.
11337 testCases = append(testCases, testCase{
11338 testType: serverTest,
11339 name: "TLS13-EarlyData-SkipEndOfEarlyData",
11340 config: Config{
11341 MaxVersion: VersionTLS13,
11342 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11343 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]11344 ExpectEarlyDataAccepted: true,
11345 SkipEndOfEarlyData: true,
11346 },
11347 },
11348 resumeSession: true,
11349 flags: []string{"-enable-early-data"},
11350 shouldFail: true,
11351 expectedLocalError: "remote error: bad record MAC",
11352 expectedError: ":BAD_DECRYPT:",
11353 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]11354
11355 testCases = append(testCases, testCase{
11356 testType: serverTest,
11357 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
11358 config: Config{
11359 MaxVersion: VersionTLS13,
11360 },
11361 resumeConfig: &Config{
11362 MaxVersion: VersionTLS13,
11363 Bugs: ProtocolBugs{
11364 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11365 SendStrayEarlyHandshake: true,
11366 ExpectEarlyDataAccepted: true},
11367 },
11368 resumeSession: true,
11369 shouldFail: true,
11370 expectedError: ":UNEXPECTED_RECORD:",
11371 expectedLocalError: "remote error: unexpected message",
11372 flags: []string{
11373 "-enable-early-data",
11374 },
11375 })
David Benjamind9cbb532017-07-07 13:17:19 -0400[diff] [blame]11376
11377 // Test that the client reports TLS 1.3 as the version while sending
11378 // early data.
11379 testCases = append(testCases, testCase{
11380 testType: clientTest,
11381 name: "TLS13-EarlyData-Client-VersionAPI",
11382 config: Config{
11383 MaxVersion: VersionTLS13,
11384 MaxEarlyDataSize: 16384,
11385 },
11386 resumeSession: true,
11387 flags: []string{
11388 "-enable-early-data",
11389 "-expect-early-data-info",
11390 "-expect-accept-early-data",
11391 "-expect-version", strconv.Itoa(VersionTLS13),
11392 },
11393 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11394}
11395
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11396func addTLS13CipherPreferenceTests() {
11397 // Test that client preference is honored if the shim has AES hardware
11398 // and ChaCha20-Poly1305 is preferred otherwise.
11399 testCases = append(testCases, testCase{
11400 testType: serverTest,
11401 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
11402 config: Config{
11403 MaxVersion: VersionTLS13,
11404 CipherSuites: []uint16{
11405 TLS_CHACHA20_POLY1305_SHA256,
11406 TLS_AES_128_GCM_SHA256,
11407 },
11408 },
11409 flags: []string{
11410 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
11411 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
11412 },
11413 })
11414
11415 testCases = append(testCases, testCase{
11416 testType: serverTest,
11417 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
11418 config: Config{
11419 MaxVersion: VersionTLS13,
11420 CipherSuites: []uint16{
11421 TLS_AES_128_GCM_SHA256,
11422 TLS_CHACHA20_POLY1305_SHA256,
11423 },
11424 },
11425 flags: []string{
11426 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
11427 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
11428 },
11429 })
11430
11431 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
11432 // whether it has AES hardware.
11433 testCases = append(testCases, testCase{
11434 name: "TLS13-CipherPreference-Client",
11435 config: Config{
11436 MaxVersion: VersionTLS13,
11437 // Use the client cipher order. (This is the default but
11438 // is listed to be explicit.)
11439 PreferServerCipherSuites: false,
11440 },
11441 flags: []string{
11442 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
11443 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
11444 },
11445 })
11446}
11447
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11448func addPeekTests() {
11449 // Test SSL_peek works, including on empty records.
11450 testCases = append(testCases, testCase{
11451 name: "Peek-Basic",
11452 sendEmptyRecords: 1,
11453 flags: []string{"-peek-then-read"},
11454 })
11455
11456 // Test SSL_peek can drive the initial handshake.
11457 testCases = append(testCases, testCase{
11458 name: "Peek-ImplicitHandshake",
11459 flags: []string{
11460 "-peek-then-read",
11461 "-implicit-handshake",
11462 },
11463 })
11464
11465 // Test SSL_peek can discover and drive a renegotiation.
11466 testCases = append(testCases, testCase{
11467 name: "Peek-Renegotiate",
11468 config: Config{
11469 MaxVersion: VersionTLS12,
11470 },
11471 renegotiate: 1,
11472 flags: []string{
11473 "-peek-then-read",
11474 "-renegotiate-freely",
11475 "-expect-total-renegotiations", "1",
11476 },
11477 })
11478
11479 // Test SSL_peek can discover a close_notify.
11480 testCases = append(testCases, testCase{
11481 name: "Peek-Shutdown",
11482 config: Config{
11483 Bugs: ProtocolBugs{
11484 ExpectCloseNotify: true,
11485 },
11486 },
11487 flags: []string{
11488 "-peek-then-read",
11489 "-check-close-notify",
11490 },
11491 })
11492
11493 // Test SSL_peek can discover an alert.
11494 testCases = append(testCases, testCase{
11495 name: "Peek-Alert",
11496 config: Config{
11497 Bugs: ProtocolBugs{
11498 SendSpuriousAlert: alertRecordOverflow,
11499 },
11500 },
11501 flags: []string{"-peek-then-read"},
11502 shouldFail: true,
11503 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
11504 })
11505
11506 // Test SSL_peek can handle KeyUpdate.
11507 testCases = append(testCases, testCase{
11508 name: "Peek-KeyUpdate",
11509 config: Config{
11510 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11511 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]11512 sendKeyUpdates: 1,
11513 keyUpdateRequest: keyUpdateNotRequested,
11514 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11515 })
11516}
11517
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11518func addRecordVersionTests() {
11519 for _, ver := range tlsVersions {
11520 // Test that the record version is enforced.
11521 testCases = append(testCases, testCase{
11522 name: "CheckRecordVersion-" + ver.name,
11523 config: Config{
11524 MinVersion: ver.version,
11525 MaxVersion: ver.version,
11526 Bugs: ProtocolBugs{
11527 SendRecordVersion: 0x03ff,
11528 },
11529 },
11530 shouldFail: true,
11531 expectedError: ":WRONG_VERSION_NUMBER:",
11532 })
11533
11534 // Test that the ClientHello may use any record version, for
11535 // compatibility reasons.
11536 testCases = append(testCases, testCase{
11537 testType: serverTest,
11538 name: "LooseInitialRecordVersion-" + ver.name,
11539 config: Config{
11540 MinVersion: ver.version,
11541 MaxVersion: ver.version,
11542 Bugs: ProtocolBugs{
11543 SendInitialRecordVersion: 0x03ff,
11544 },
11545 },
11546 })
11547
11548 // Test that garbage ClientHello record versions are rejected.
11549 testCases = append(testCases, testCase{
11550 testType: serverTest,
11551 name: "GarbageInitialRecordVersion-" + ver.name,
11552 config: Config{
11553 MinVersion: ver.version,
11554 MaxVersion: ver.version,
11555 Bugs: ProtocolBugs{
11556 SendInitialRecordVersion: 0xffff,
11557 },
11558 },
11559 shouldFail: true,
11560 expectedError: ":WRONG_VERSION_NUMBER:",
11561 })
11562 }
11563}
11564
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11565func addCertificateTests() {
11566 // Test that a certificate chain with intermediate may be sent and
11567 // received as both client and server.
11568 for _, ver := range tlsVersions {
11569 testCases = append(testCases, testCase{
11570 testType: clientTest,
11571 name: "SendReceiveIntermediate-Client-" + ver.name,
11572 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]11573 MinVersion: ver.version,
11574 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11575 Certificates: []Certificate{rsaChainCertificate},
11576 ClientAuth: RequireAnyClientCert,
11577 },
11578 expectPeerCertificate: &rsaChainCertificate,
11579 flags: []string{
11580 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
11581 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
11582 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
11583 },
11584 })
11585
11586 testCases = append(testCases, testCase{
11587 testType: serverTest,
11588 name: "SendReceiveIntermediate-Server-" + ver.name,
11589 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]11590 MinVersion: ver.version,
11591 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11592 Certificates: []Certificate{rsaChainCertificate},
11593 },
11594 expectPeerCertificate: &rsaChainCertificate,
11595 flags: []string{
11596 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
11597 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
11598 "-require-any-client-certificate",
11599 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
11600 },
11601 })
11602 }
11603}
11604
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11605func addRetainOnlySHA256ClientCertTests() {
11606 for _, ver := range tlsVersions {
11607 // Test that enabling
11608 // SSL_CTX_set_retain_only_sha256_of_client_certs without
11609 // actually requesting a client certificate is a no-op.
11610 testCases = append(testCases, testCase{
11611 testType: serverTest,
11612 name: "RetainOnlySHA256-NoCert-" + ver.name,
11613 config: Config{
11614 MinVersion: ver.version,
11615 MaxVersion: ver.version,
11616 },
11617 flags: []string{
11618 "-retain-only-sha256-client-cert-initial",
11619 "-retain-only-sha256-client-cert-resume",
11620 },
11621 resumeSession: true,
11622 })
11623
11624 // Test that when retaining only a SHA-256 certificate is
11625 // enabled, the hash appears as expected.
11626 testCases = append(testCases, testCase{
11627 testType: serverTest,
11628 name: "RetainOnlySHA256-Cert-" + ver.name,
11629 config: Config{
11630 MinVersion: ver.version,
11631 MaxVersion: ver.version,
11632 Certificates: []Certificate{rsaCertificate},
11633 },
11634 flags: []string{
11635 "-verify-peer",
11636 "-retain-only-sha256-client-cert-initial",
11637 "-retain-only-sha256-client-cert-resume",
11638 "-expect-sha256-client-cert-initial",
11639 "-expect-sha256-client-cert-resume",
11640 },
11641 resumeSession: true,
11642 })
11643
11644 // Test that when the config changes from on to off, a
11645 // resumption is rejected because the server now wants the full
11646 // certificate chain.
11647 testCases = append(testCases, testCase{
11648 testType: serverTest,
11649 name: "RetainOnlySHA256-OnOff-" + ver.name,
11650 config: Config{
11651 MinVersion: ver.version,
11652 MaxVersion: ver.version,
11653 Certificates: []Certificate{rsaCertificate},
11654 },
11655 flags: []string{
11656 "-verify-peer",
11657 "-retain-only-sha256-client-cert-initial",
11658 "-expect-sha256-client-cert-initial",
11659 },
11660 resumeSession: true,
11661 expectResumeRejected: true,
11662 })
11663
11664 // Test that when the config changes from off to on, a
11665 // resumption is rejected because the server now wants just the
11666 // hash.
11667 testCases = append(testCases, testCase{
11668 testType: serverTest,
11669 name: "RetainOnlySHA256-OffOn-" + ver.name,
11670 config: Config{
11671 MinVersion: ver.version,
11672 MaxVersion: ver.version,
11673 Certificates: []Certificate{rsaCertificate},
11674 },
11675 flags: []string{
11676 "-verify-peer",
11677 "-retain-only-sha256-client-cert-resume",
11678 "-expect-sha256-client-cert-resume",
11679 },
11680 resumeSession: true,
11681 expectResumeRejected: true,
11682 })
11683 }
11684}
11685
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11686func addECDSAKeyUsageTests() {
11687 p256 := elliptic.P256()
11688 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11689 if err != nil {
11690 panic(err)
11691 }
11692
11693 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11694 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11695 if err != nil {
11696 panic(err)
11697 }
11698
11699 template := x509.Certificate{
11700 SerialNumber: serialNumber,
11701 Subject: pkix.Name{
11702 Organization: []string{"Acme Co"},
11703 },
11704 NotBefore: time.Now(),
11705 NotAfter: time.Now(),
11706
11707 // An ECC certificate with only the keyAgreement key usgae may
11708 // be used with ECDH, but not ECDSA.
11709 KeyUsage: x509.KeyUsageKeyAgreement,
11710 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11711 BasicConstraintsValid: true,
11712 }
11713
11714 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11715 if err != nil {
11716 panic(err)
11717 }
11718
11719 cert := Certificate{
11720 Certificate: [][]byte{derBytes},
11721 PrivateKey: priv,
11722 }
11723
11724 for _, ver := range tlsVersions {
11725 if ver.version < VersionTLS12 {
11726 continue
11727 }
11728
11729 testCases = append(testCases, testCase{
11730 testType: clientTest,
11731 name: "ECDSAKeyUsage-" + ver.name,
11732 config: Config{
11733 MinVersion: ver.version,
11734 MaxVersion: ver.version,
11735 Certificates: []Certificate{cert},
11736 },
11737 shouldFail: true,
11738 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11739 })
11740 }
11741}
11742
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11743func addExtraHandshakeTests() {
11744 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11745 // to ensure there is no transport I/O.
11746 testCases = append(testCases, testCase{
11747 testType: clientTest,
11748 name: "ExtraHandshake-Client-TLS12",
11749 config: Config{
11750 MinVersion: VersionTLS12,
11751 MaxVersion: VersionTLS12,
11752 },
11753 flags: []string{
11754 "-async",
11755 "-no-op-extra-handshake",
11756 },
11757 })
11758 testCases = append(testCases, testCase{
11759 testType: serverTest,
11760 name: "ExtraHandshake-Server-TLS12",
11761 config: Config{
11762 MinVersion: VersionTLS12,
11763 MaxVersion: VersionTLS12,
11764 },
11765 flags: []string{
11766 "-async",
11767 "-no-op-extra-handshake",
11768 },
11769 })
11770 testCases = append(testCases, testCase{
11771 testType: clientTest,
11772 name: "ExtraHandshake-Client-TLS13",
11773 config: Config{
11774 MinVersion: VersionTLS13,
11775 MaxVersion: VersionTLS13,
11776 },
11777 flags: []string{
11778 "-async",
11779 "-no-op-extra-handshake",
11780 },
11781 })
11782 testCases = append(testCases, testCase{
11783 testType: serverTest,
11784 name: "ExtraHandshake-Server-TLS13",
11785 config: Config{
11786 MinVersion: VersionTLS13,
11787 MaxVersion: VersionTLS13,
11788 },
11789 flags: []string{
11790 "-async",
11791 "-no-op-extra-handshake",
11792 },
11793 })
11794
11795 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11796 testCases = append(testCases, testCase{
11797 testType: serverTest,
11798 name: "ExtraHandshake-Server-EarlyData-TLS13",
11799 config: Config{
11800 MaxVersion: VersionTLS13,
11801 MinVersion: VersionTLS13,
11802 Bugs: ProtocolBugs{
11803 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11804 ExpectEarlyDataAccepted: true,
11805 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11806 },
11807 },
11808 messageCount: 2,
11809 resumeSession: true,
11810 flags: []string{
11811 "-async",
11812 "-enable-early-data",
11813 "-expect-accept-early-data",
11814 "-no-op-extra-handshake",
11815 },
11816 })
11817
11818 // An extra SSL_do_handshake drives the handshake to completion in False
11819 // Start. We test this by handshaking twice and asserting the False
11820 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11821 // how the test works.
11822 testCases = append(testCases, testCase{
11823 testType: clientTest,
11824 name: "ExtraHandshake-FalseStart",
11825 config: Config{
11826 MaxVersion: VersionTLS12,
11827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11828 NextProtos: []string{"foo"},
11829 Bugs: ProtocolBugs{
11830 ExpectFalseStart: true,
11831 AlertBeforeFalseStartTest: alertAccessDenied,
11832 },
11833 },
11834 flags: []string{
11835 "-handshake-twice",
11836 "-false-start",
11837 "-advertise-alpn", "\x03foo",
Steven Valdez873ebc92017-05-09 12:12:58 -0400[diff] [blame]11838 "-expect-alpn", "foo",
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11839 },
11840 shimWritesFirst: true,
11841 shouldFail: true,
11842 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11843 expectedLocalError: "tls: peer did not false start: EOF",
11844 })
11845}
11846
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11847func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11848 defer wg.Done()
11849
11850 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11851 var err error
11852
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11853 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11854 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11855 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11856 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11857 if err != nil {
11858 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11859 }
11860 break
11861 }
11862 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11863 } else if *repeatUntilFailure {
11864 for err == nil {
11865 statusChan <- statusMsg{test: test, started: true}
11866 err = runTest(test, shimPath, -1)
11867 }
11868 } else {
11869 statusChan <- statusMsg{test: test, started: true}
11870 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11871 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11872 statusChan <- statusMsg{test: test, err: err}
11873 }
11874}
11875
11876type statusMsg struct {
11877 test *testCase
11878 started bool
11879 err error
11880}
11881
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11882func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11883 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11884
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11885 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11886 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11887 if !*pipe {
11888 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11889 var erase string
11890 for i := 0; i < lineLen; i++ {
11891 erase += "\b \b"
11892 }
11893 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11894 }
11895
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11896 if msg.started {
11897 started++
11898 } else {
11899 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11900
11901 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11902 if msg.err == errUnimplemented {
11903 if *pipe {
11904 // Print each test instead of a status line.
11905 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11906 }
11907 unimplemented++
11908 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11909 } else {
11910 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11911 failed++
11912 testOutput.addResult(msg.test.name, "FAIL")
11913 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11914 } else {
11915 if *pipe {
11916 // Print each test instead of a status line.
11917 fmt.Printf("PASSED (%s)\n", msg.test.name)
11918 }
11919 testOutput.addResult(msg.test.name, "PASS")
11920 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11921 }
11922
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11923 if !*pipe {
11924 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11925 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11926 lineLen = len(line)
11927 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11928 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11929 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11930
11931 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11932}
11933
11934func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11935 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11936 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11937 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11938
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11939 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11940 addCipherSuiteTests()
11941 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11942 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11943 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11944 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11945 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11946 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11947 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11948 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11949 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11950 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11951 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11952 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11953 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11954 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11955 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11956 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11957 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11958 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11959 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11960 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11961 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11962 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11963 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11964 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11965 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11966 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11967 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11968 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11969 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11970 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11971 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11972 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11973 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11974
11975 var wg sync.WaitGroup
11976
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11977 statusChan := make(chan statusMsg, *numWorkers)
11978 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11979 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11980
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11981 if len(*shimConfigFile) != 0 {
11982 encoded, err := ioutil.ReadFile(*shimConfigFile)
11983 if err != nil {
11984 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11985 os.Exit(1)
11986 }
11987
11988 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11989 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11990 os.Exit(1)
11991 }
11992 }
11993
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11994 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11995
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11996 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11997 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11998 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11999 }
12000
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]12001 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]12002 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]12003 matched := true
12004 if len(*testToRun) != 0 {
12005 var err error
12006 matched, err = filepath.Match(*testToRun, testCases[i].name)
12007 if err != nil {
12008 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
12009 os.Exit(1)
12010 }
12011 }
12012
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]12013 if !*includeDisabled {
12014 for pattern := range shimConfig.DisabledTests {
12015 isDisabled, err := filepath.Match(pattern, testCases[i].name)
12016 if err != nil {
12017 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
12018 os.Exit(1)
12019 }
12020
12021 if isDisabled {
12022 matched = false
12023 break
12024 }
12025 }
12026 }
12027
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]12028 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]12029 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]12030 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]12031
12032 // Only run one test if repeating until failure.
12033 if *repeatUntilFailure {
12034 break
12035 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12036 }
12037 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]12038
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]12039 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]12040 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]12041 os.Exit(1)
12042 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12043
12044 close(testChan)
12045 wg.Wait()
12046 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]12047 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12048
12049 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]12050
12051 if *jsonOutput != "" {
12052 if err := testOutput.writeTo(*jsonOutput); err != nil {
12053 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
12054 }
12055 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]12056
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]12057 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
12058 os.Exit(1)
12059 }
12060
12061 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]12062 os.Exit(1)
12063 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12064}