Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 69522117a6a16a568512821d18394c30aa4e6de6 / . / ssl / test / runner / runner.go
blob: 4f478bc2e42ac459d4c2b5cb55e26f5a6ec43b93 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]70)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]71
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]72// ShimConfigurations is used with the “json” package and represents a shim
73// config file.
74type ShimConfiguration struct {
75 // DisabledTests maps from a glob-based pattern to a freeform string.
76 // The glob pattern is used to exclude tests from being run and the
77 // freeform string is unparsed but expected to explain why the test is
78 // disabled.
79 DisabledTests map[string]string
80
81 // ErrorMap maps from expected error strings to the correct error
82 // string for the shim in question. For example, it might map
83 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
84 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
85 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]86
87 // HalfRTTTickets is the number of half-RTT tickets the client should
88 // expect before half-RTT data when testing 0-RTT.
89 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]90}
91
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]92// Setup shimConfig defaults aligning with BoringSSL.
93var shimConfig ShimConfiguration = ShimConfiguration{
94 HalfRTTTickets: 2,
95}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]96
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]97type testCert int
98
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]99const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]100 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]103 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]104 testCertECDSAP256
105 testCertECDSAP384
106 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]107 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]108)
109
110const (
111 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]112 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]113 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]114 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]115 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
116 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
117 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]118 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]119)
120
121const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]122 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]123 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]124 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]125 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
127 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
128 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]129 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]130 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]131)
132
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]133var (
134 rsaCertificate Certificate
135 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]136 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]137 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]138 ecdsaP256Certificate Certificate
139 ecdsaP384Certificate Certificate
140 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]141 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]142)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]143
144var testCerts = []struct {
145 id testCert
146 certFile, keyFile string
147 cert *Certificate
148}{
149 {
150 id: testCertRSA,
151 certFile: rsaCertificateFile,
152 keyFile: rsaKeyFile,
153 cert: &rsaCertificate,
154 },
155 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]156 id: testCertRSA1024,
157 certFile: rsa1024CertificateFile,
158 keyFile: rsa1024KeyFile,
159 cert: &rsa1024Certificate,
160 },
161 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]162 id: testCertRSAChain,
163 certFile: rsaChainCertificateFile,
164 keyFile: rsaChainKeyFile,
165 cert: &rsaChainCertificate,
166 },
167 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]168 id: testCertECDSAP224,
169 certFile: ecdsaP224CertificateFile,
170 keyFile: ecdsaP224KeyFile,
171 cert: &ecdsaP224Certificate,
172 },
173 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]174 id: testCertECDSAP256,
175 certFile: ecdsaP256CertificateFile,
176 keyFile: ecdsaP256KeyFile,
177 cert: &ecdsaP256Certificate,
178 },
179 {
180 id: testCertECDSAP384,
181 certFile: ecdsaP384CertificateFile,
182 keyFile: ecdsaP384KeyFile,
183 cert: &ecdsaP384Certificate,
184 },
185 {
186 id: testCertECDSAP521,
187 certFile: ecdsaP521CertificateFile,
188 keyFile: ecdsaP521KeyFile,
189 cert: &ecdsaP521Certificate,
190 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]191 {
192 id: testCertEd25519,
193 certFile: ed25519CertificateFile,
194 keyFile: ed25519KeyFile,
195 cert: &ed25519Certificate,
196 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]197}
198
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]199var channelIDKey *ecdsa.PrivateKey
200var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]202var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]203var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]204
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]205var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]206var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]207
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]208func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]209 for i := range testCerts {
210 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
211 if err != nil {
212 panic(err)
213 }
214 cert.OCSPStaple = testOCSPResponse
215 cert.SignedCertificateTimestampList = testSCTList
216 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]217 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]218
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]219 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]220 if err != nil {
221 panic(err)
222 }
223 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
224 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
225 panic("bad key type")
226 }
227 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
228 if err != nil {
229 panic(err)
230 }
231 if channelIDKey.Curve != elliptic.P256() {
232 panic("bad curve")
233 }
234
235 channelIDBytes = make([]byte, 64)
236 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
237 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]238}
239
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]240func getRunnerCertificate(t testCert) Certificate {
241 for _, cert := range testCerts {
242 if cert.id == t {
243 return *cert.cert
244 }
245 }
246 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]247}
248
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]249func getShimCertificate(t testCert) string {
250 for _, cert := range testCerts {
251 if cert.id == t {
252 return cert.certFile
253 }
254 }
255 panic("Unknown test certificate")
256}
257
258func getShimKey(t testCert) string {
259 for _, cert := range testCerts {
260 if cert.id == t {
261 return cert.keyFile
262 }
263 }
264 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265}
266
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]267// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
268func encodeDERValues(values [][]byte) string {
269 var ret string
270 for i, v := range values {
271 if i > 0 {
272 ret += ","
273 }
274 ret += hex.EncodeToString(v)
275 }
276
277 return ret
278}
279
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]280type testType int
281
282const (
283 clientTest testType = iota
284 serverTest
285)
286
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]287type protocol int
288
289const (
290 tls protocol = iota
291 dtls
292)
293
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]294const (
295 alpn = 1
296 npn = 2
297)
298
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]300 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]301 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 name string
303 config Config
304 shouldFail bool
305 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]306 // expectedLocalError, if not empty, contains a substring that must be
307 // found in the local error.
308 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]309 // expectedVersion, if non-zero, specifies the TLS version that must be
310 // negotiated.
311 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]312 // expectedResumeVersion, if non-zero, specifies the TLS version that
313 // must be negotiated on resumption. If zero, expectedVersion is used.
314 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]315 // expectedCipher, if non-zero, specifies the TLS cipher suite that
316 // should be negotiated.
317 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]318 // expectChannelID controls whether the connection should have
319 // negotiated a Channel ID with channelIDKey.
320 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]321 // expectedNextProto controls whether the connection should
322 // negotiate a next protocol via NPN or ALPN.
323 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]324 // expectNoNextProto, if true, means that no next protocol should be
325 // negotiated.
326 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]327 // expectedNextProtoType, if non-zero, is the expected next
328 // protocol negotiation mechanism.
329 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]330 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
331 // should be negotiated. If zero, none should be negotiated.
332 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]333 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
334 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]335 // expectedSCTList, if not nil, is the expected SCT list to be received.
336 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]337 // expectedPeerSignatureAlgorithm, if not zero, is the signature
338 // algorithm that the peer should have used in the handshake.
339 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]340 // expectedCurveID, if not zero, is the curve that the handshake should
341 // have used.
342 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]343 // messageLen is the length, in bytes, of the test message that will be
344 // sent.
345 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]346 // messageCount is the number of test messages that will be sent.
347 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]348 // certFile is the path to the certificate to use for the server.
349 certFile string
350 // keyFile is the path to the private key to use for the server.
351 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]352 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]353 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]354 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]355 // resumeRenewedSession controls whether a third connection should be
356 // tested which attempts to resume the second connection's session.
357 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]358 // expectResumeRejected, if true, specifies that the attempted
359 // resumption must be rejected by the client. This is only valid for a
360 // serverTest.
361 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]362 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]363 // resumption. Unless newSessionsOnResume is set,
364 // SessionTicketKey, ServerSessionCache, and
365 // ClientSessionCache are copied from the initial connection's
366 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]367 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]368 // newSessionsOnResume, if true, will cause resumeConfig to
369 // use a different session resumption context.
370 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]371 // noSessionCache, if true, will cause the server to run without a
372 // session cache.
373 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]374 // sendPrefix sends a prefix on the socket before actually performing a
375 // handshake.
376 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]377 // shimWritesFirst controls whether the shim sends an initial "hello"
378 // message before doing a roundtrip with the runner.
379 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]380 // shimShutsDown, if true, runs a test where the shim shuts down the
381 // connection immediately after the handshake rather than echoing
382 // messages from the runner.
383 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]384 // renegotiate indicates the number of times the connection should be
385 // renegotiated during the exchange.
386 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]387 // sendHalfHelloRequest, if true, causes the server to send half a
388 // HelloRequest when the handshake completes.
389 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]390 // renegotiateCiphers is a list of ciphersuite ids that will be
391 // switched in just before renegotiation.
392 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]393 // replayWrites, if true, configures the underlying transport
394 // to replay every write it makes in DTLS tests.
395 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]396 // damageFirstWrite, if true, configures the underlying transport to
397 // damage the final byte of the first application data write.
398 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]399 // exportKeyingMaterial, if non-zero, configures the test to exchange
400 // keying material and verify they match.
401 exportKeyingMaterial int
402 exportLabel string
403 exportContext string
404 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]405 // flags, if not empty, contains a list of command-line flags that will
406 // be passed to the shim program.
407 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]408 // testTLSUnique, if true, causes the shim to send the tls-unique value
409 // which will be compared against the expected value.
410 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]411 // sendEmptyRecords is the number of consecutive empty records to send
412 // before and after the test message.
413 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]414 // sendWarningAlerts is the number of consecutive warning alerts to send
415 // before and after the test message.
416 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]417 // sendKeyUpdates is the number of consecutive key updates to send
418 // before and after the test message.
419 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]420 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
421 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]422 // expectMessageDropped, if true, means the test message is expected to
423 // be dropped by the client rather than echoed back.
424 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]425 // expectPeerCertificate, if not nil, is the certificate chain the peer
426 // is expected to send.
427 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]428}
429
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]430var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]432func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]433 if len(data) == 0 {
434 return
435 }
436
437 protocol := "tls"
438 if test.protocol == dtls {
439 protocol = "dtls"
440 }
441
442 side := "client"
443 if test.testType == serverTest {
444 side = "server"
445 }
446
447 dir := path.Join(*transcriptDir, protocol, side)
448 if err := os.MkdirAll(dir, 0755); err != nil {
449 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
450 return
451 }
452
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]453 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]454 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
455 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
456 }
457}
458
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]459// A timeoutConn implements an idle timeout on each Read and Write operation.
460type timeoutConn struct {
461 net.Conn
462 timeout time.Duration
463}
464
465func (t *timeoutConn) Read(b []byte) (int, error) {
466 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
467 return 0, err
468 }
469 return t.Conn.Read(b)
470}
471
472func (t *timeoutConn) Write(b []byte) (int, error) {
473 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
474 return 0, err
475 }
476 return t.Conn.Write(b)
477}
478
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]479func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]480 if !test.noSessionCache {
481 if config.ClientSessionCache == nil {
482 config.ClientSessionCache = NewLRUClientSessionCache(1)
483 }
484 if config.ServerSessionCache == nil {
485 config.ServerSessionCache = NewLRUServerSessionCache(1)
486 }
487 }
488 if test.testType == clientTest {
489 if len(config.Certificates) == 0 {
490 config.Certificates = []Certificate{rsaCertificate}
491 }
492 } else {
493 // Supply a ServerName to ensure a constant session cache key,
494 // rather than falling back to net.Conn.RemoteAddr.
495 if len(config.ServerName) == 0 {
496 config.ServerName = "test"
497 }
498 }
499 if *fuzzer {
500 config.Bugs.NullAllCiphers = true
501 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]502 if *deterministic {
503 config.Time = func() time.Time { return time.Unix(1234, 1234) }
504 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]505
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]506 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]507
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]508 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]509 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
510 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]511 }
512
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]513 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 local, peer := "client", "server"
515 if test.testType == clientTest {
516 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]517 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]518 connDebug := &recordingConn{
519 Conn: conn,
520 isDatagram: test.protocol == dtls,
521 local: local,
522 peer: peer,
523 }
524 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]525 if *flagDebug {
526 defer connDebug.WriteTo(os.Stdout)
527 }
528 if len(*transcriptDir) != 0 {
529 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]530 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]531 }()
532 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]533
534 if config.Bugs.PacketAdaptor != nil {
535 config.Bugs.PacketAdaptor.debug = connDebug
536 }
537 }
538
539 if test.replayWrites {
540 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]541 }
542
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]543 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]544 if test.damageFirstWrite {
545 connDamage = newDamageAdaptor(conn)
546 conn = connDamage
547 }
548
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]549 if test.sendPrefix != "" {
550 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
551 return err
552 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]553 }
554
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]555 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]556 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]557 if test.protocol == dtls {
558 tlsConn = DTLSServer(conn, config)
559 } else {
560 tlsConn = Server(conn, config)
561 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]562 } else {
563 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]564 if test.protocol == dtls {
565 tlsConn = DTLSClient(conn, config)
566 } else {
567 tlsConn = Client(conn, config)
568 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]569 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]570 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]571
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]572 if err := tlsConn.Handshake(); err != nil {
573 return err
574 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]575
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]576 // TODO(davidben): move all per-connection expectations into a dedicated
577 // expectations struct that can be specified separately for the two
578 // legs.
579 expectedVersion := test.expectedVersion
580 if isResume && test.expectedResumeVersion != 0 {
581 expectedVersion = test.expectedResumeVersion
582 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]583 connState := tlsConn.ConnectionState()
584 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]585 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]586 }
587
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]588 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]589 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
590 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
592 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
593 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]594
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]595 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]596 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]597 if channelID == nil {
598 return fmt.Errorf("no channel ID negotiated")
599 }
600 if channelID.Curve != channelIDKey.Curve ||
601 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
602 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
603 return fmt.Errorf("incorrect channel ID")
604 }
605 }
606
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]607 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]608 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]609 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
610 }
611 }
612
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]613 if test.expectNoNextProto {
614 if actual := connState.NegotiatedProtocol; actual != "" {
615 return fmt.Errorf("got unexpected next proto %s", actual)
616 }
617 }
618
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]619 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]620 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]621 return fmt.Errorf("next proto type mismatch")
622 }
623 }
624
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]625 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]626 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
627 }
628
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]629 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]630 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]631 }
632
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]633 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
634 return fmt.Errorf("SCT list mismatch")
635 }
636
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]637 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
638 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]639 }
640
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]641 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
642 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
643 }
644
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]645 if test.expectPeerCertificate != nil {
646 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
647 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
648 }
649 for i, cert := range connState.PeerCertificates {
650 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
651 return fmt.Errorf("peer certificate %d did not match", i+1)
652 }
653 }
654 }
655
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]656 if test.exportKeyingMaterial > 0 {
657 actual := make([]byte, test.exportKeyingMaterial)
658 if _, err := io.ReadFull(tlsConn, actual); err != nil {
659 return err
660 }
661 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
662 if err != nil {
663 return err
664 }
665 if !bytes.Equal(actual, expected) {
666 return fmt.Errorf("keying material mismatch")
667 }
668 }
669
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]670 if test.testTLSUnique {
671 var peersValue [12]byte
672 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
673 return err
674 }
675 expected := tlsConn.ConnectionState().TLSUnique
676 if !bytes.Equal(peersValue[:], expected) {
677 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
678 }
679 }
680
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]681 if test.shimWritesFirst {
682 var buf [5]byte
683 _, err := io.ReadFull(tlsConn, buf[:])
684 if err != nil {
685 return err
686 }
687 if string(buf[:]) != "hello" {
688 return fmt.Errorf("bad initial message")
689 }
690 }
691
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]692 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]693 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]694 return err
695 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]696 }
697
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]698 for i := 0; i < test.sendEmptyRecords; i++ {
699 tlsConn.Write(nil)
700 }
701
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]702 for i := 0; i < test.sendWarningAlerts; i++ {
703 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
704 }
705
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]706 if test.sendHalfHelloRequest {
707 tlsConn.SendHalfHelloRequest()
708 }
709
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]710 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 if test.renegotiateCiphers != nil {
712 config.CipherSuites = test.renegotiateCiphers
713 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]714 for i := 0; i < test.renegotiate; i++ {
715 if err := tlsConn.Renegotiate(); err != nil {
716 return err
717 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]718 }
719 } else if test.renegotiateCiphers != nil {
720 panic("renegotiateCiphers without renegotiate")
721 }
722
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]723 if test.damageFirstWrite {
724 connDamage.setDamage(true)
725 tlsConn.Write([]byte("DAMAGED WRITE"))
726 connDamage.setDamage(false)
727 }
728
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]729 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]730 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]731 if test.protocol == dtls {
732 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
733 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]734 // Read until EOF.
735 _, err := io.Copy(ioutil.Discard, tlsConn)
736 return err
737 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]738 if messageLen == 0 {
739 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]740 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]741
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]742 messageCount := test.messageCount
743 if messageCount == 0 {
744 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]745 }
746
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]747 for j := 0; j < messageCount; j++ {
748 testMessage := make([]byte, messageLen)
749 for i := range testMessage {
750 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]751 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]752 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]753
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]754 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]755 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]756 }
757
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]758 for i := 0; i < test.sendEmptyRecords; i++ {
759 tlsConn.Write(nil)
760 }
761
762 for i := 0; i < test.sendWarningAlerts; i++ {
763 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
764 }
765
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]766 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]767 // The shim will not respond.
768 continue
769 }
770
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]771 buf := make([]byte, len(testMessage))
772 if test.protocol == dtls {
773 bufTmp := make([]byte, len(buf)+1)
774 n, err := tlsConn.Read(bufTmp)
775 if err != nil {
776 return err
777 }
778 if n != len(buf) {
779 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
780 }
781 copy(buf, bufTmp)
782 } else {
783 _, err := io.ReadFull(tlsConn, buf)
784 if err != nil {
785 return err
786 }
787 }
788
789 for i, v := range buf {
790 if v != testMessage[i]^0xff {
791 return fmt.Errorf("bad reply contents at byte %d", i)
792 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]793 }
794 }
795
796 return nil
797}
798
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]799func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]800 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]801 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]802 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]803 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]804 valgrindArgs = append(valgrindArgs, path)
805 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]806
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]807 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]808}
809
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]810func gdbOf(path string, args ...string) *exec.Cmd {
811 xtermArgs := []string{"-e", "gdb", "--args"}
812 xtermArgs = append(xtermArgs, path)
813 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]814
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]815 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]816}
817
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]818func lldbOf(path string, args ...string) *exec.Cmd {
819 xtermArgs := []string{"-e", "lldb", "--"}
820 xtermArgs = append(xtermArgs, path)
821 xtermArgs = append(xtermArgs, args...)
822
823 return exec.Command("xterm", xtermArgs...)
824}
825
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]826var (
827 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
828 errUnimplemented = errors.New("child process does not implement needed flags")
829)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]830
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]831// accept accepts a connection from listener, unless waitChan signals a process
832// exit first.
833func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
834 type connOrError struct {
835 conn net.Conn
836 err error
837 }
838 connChan := make(chan connOrError, 1)
839 go func() {
840 conn, err := listener.Accept()
841 connChan <- connOrError{conn, err}
842 close(connChan)
843 }()
844 select {
845 case result := <-connChan:
846 return result.conn, result.err
847 case childErr := <-waitChan:
848 waitChan <- childErr
849 return nil, fmt.Errorf("child exited early: %s", childErr)
850 }
851}
852
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]853func translateExpectedError(errorStr string) string {
854 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
855 return translated
856 }
857
858 if *looseErrors {
859 return ""
860 }
861
862 return errorStr
863}
864
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]865func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]866 // Help debugging panics on the Go side.
867 defer func() {
868 if r := recover(); r != nil {
869 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
870 panic(r)
871 }
872 }()
873
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]874 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
875 panic("Error expected without shouldFail in " + test.name)
876 }
877
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]878 if test.expectResumeRejected && !test.resumeSession {
879 panic("expectResumeRejected without resumeSession in " + test.name)
880 }
881
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]882 for _, ver := range tlsVersions {
883 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
884 continue
885 }
886
887 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
888 continue
889 }
890
891 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
892 }
893
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]894 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
895 if err != nil {
896 panic(err)
897 }
898 defer func() {
899 if listener != nil {
900 listener.Close()
901 }
902 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]903
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]904 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]905 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]906 flags = append(flags, "-server")
907
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]908 flags = append(flags, "-key-file")
909 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]910 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]911 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]912 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]913 }
914
915 flags = append(flags, "-cert-file")
916 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]917 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]918 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]919 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]920 }
921 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]922
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]923 if test.protocol == dtls {
924 flags = append(flags, "-dtls")
925 }
926
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]927 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]928 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]929 resumeCount++
930 if test.resumeRenewedSession {
931 resumeCount++
932 }
933 }
934
935 if resumeCount > 0 {
936 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]937 }
938
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]939 if test.shimWritesFirst {
940 flags = append(flags, "-shim-writes-first")
941 }
942
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]943 if test.shimShutsDown {
944 flags = append(flags, "-shim-shuts-down")
945 }
946
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]947 if test.exportKeyingMaterial > 0 {
948 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
949 flags = append(flags, "-export-label", test.exportLabel)
950 flags = append(flags, "-export-context", test.exportContext)
951 if test.useExportContext {
952 flags = append(flags, "-use-export-context")
953 }
954 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]955 if test.expectResumeRejected {
956 flags = append(flags, "-expect-session-miss")
957 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]958
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]959 if test.testTLSUnique {
960 flags = append(flags, "-tls-unique")
961 }
962
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]963 flags = append(flags, test.flags...)
964
965 var shim *exec.Cmd
966 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]967 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]968 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]969 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]970 } else if *useLLDB {
971 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]972 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]973 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]974 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]975 shim.Stdin = os.Stdin
976 var stdoutBuf, stderrBuf bytes.Buffer
977 shim.Stdout = &stdoutBuf
978 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]979 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]980 shim.Env = os.Environ()
981 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]982 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]983 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]984 }
985 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
986 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]987
988 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]989 panic(err)
990 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]991 waitChan := make(chan error, 1)
992 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]993
994 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]995
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]996 if *deterministic {
997 config.Rand = &deterministicRand{}
998 }
999
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1000 conn, err := acceptOrWait(listener, waitChan)
1001 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1002 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1003 conn.Close()
1004 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1005
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1006 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1007 var resumeConfig Config
1008 if test.resumeConfig != nil {
1009 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1010 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1011 resumeConfig.SessionTicketKey = config.SessionTicketKey
1012 resumeConfig.ClientSessionCache = config.ClientSessionCache
1013 resumeConfig.ServerSessionCache = config.ServerSessionCache
1014 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1015 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1016 } else {
1017 resumeConfig = config
1018 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1019 var connResume net.Conn
1020 connResume, err = acceptOrWait(listener, waitChan)
1021 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1022 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1023 connResume.Close()
1024 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1025 }
1026
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1027 // Close the listener now. This is to avoid hangs should the shim try to
1028 // open more connections than expected.
1029 listener.Close()
1030 listener = nil
1031
1032 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1033 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1034 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1035 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1036 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1037 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1038 case 89:
1039 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1040 case 99:
1041 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1042 }
1043 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1044
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1045 // Account for Windows line endings.
1046 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1047 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1048
1049 // Separate the errors from the shim and those from tools like
1050 // AddressSanitizer.
1051 var extraStderr string
1052 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1053 stderr = stderrParts[0]
1054 extraStderr = stderrParts[1]
1055 }
1056
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1057 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1058 expectedError := translateExpectedError(test.expectedError)
1059 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1060
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1061 localError := "none"
1062 if err != nil {
1063 localError = err.Error()
1064 }
1065 if len(test.expectedLocalError) != 0 {
1066 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1067 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1068
1069 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1070 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1071 if childErr != nil {
1072 childError = childErr.Error()
1073 }
1074
1075 var msg string
1076 switch {
1077 case failed && !test.shouldFail:
1078 msg = "unexpected failure"
1079 case !failed && test.shouldFail:
1080 msg = "unexpected success"
1081 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1082 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1083 default:
1084 panic("internal error")
1085 }
1086
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1087 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 }
1089
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1090 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1091 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1092 }
1093
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1094 if *useValgrind && isValgrindError {
1095 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1096 }
1097
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1098 return nil
1099}
1100
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1101type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1102 name string
1103 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1104 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1105 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1106}
1107
1108var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1109 {"SSL3", VersionSSL30, "-no-ssl3", false},
1110 {"TLS1", VersionTLS10, "-no-tls1", true},
1111 {"TLS11", VersionTLS11, "-no-tls11", false},
1112 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1113 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114}
1115
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1116type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1117 name string
1118 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1119}
1120
1121var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1122 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1123 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1125 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1126 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1127 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1128 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1129 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1130 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1131 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1132 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1133 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1134 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1135 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1136 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1137 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1138 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1139 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1140 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1141 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1142 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1143 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1144 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1145 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1146 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1147 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1148 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1149 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1150 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1151 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1152}
1153
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1154func hasComponent(suiteName, component string) bool {
1155 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1156}
1157
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1158func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1159 return hasComponent(suiteName, "GCM") ||
1160 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1161 hasComponent(suiteName, "SHA384") ||
1162 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1163}
1164
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1165func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1166 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1167}
1168
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1169func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1170 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1171}
1172
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1173func bigFromHex(hex string) *big.Int {
1174 ret, ok := new(big.Int).SetString(hex, 16)
1175 if !ok {
1176 panic("failed to parse hex number 0x" + hex)
1177 }
1178 return ret
1179}
1180
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1181func addBasicTests() {
1182 basicTests := []testCase{
1183 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1184 name: "NoFallbackSCSV",
1185 config: Config{
1186 Bugs: ProtocolBugs{
1187 FailIfNotFallbackSCSV: true,
1188 },
1189 },
1190 shouldFail: true,
1191 expectedLocalError: "no fallback SCSV found",
1192 },
1193 {
1194 name: "SendFallbackSCSV",
1195 config: Config{
1196 Bugs: ProtocolBugs{
1197 FailIfNotFallbackSCSV: true,
1198 },
1199 },
1200 flags: []string{"-fallback-scsv"},
1201 },
1202 {
1203 name: "ClientCertificateTypes",
1204 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1205 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1206 ClientAuth: RequestClientCert,
1207 ClientCertificateTypes: []byte{
1208 CertTypeDSSSign,
1209 CertTypeRSASign,
1210 CertTypeECDSASign,
1211 },
1212 },
1213 flags: []string{
1214 "-expect-certificate-types",
1215 base64.StdEncoding.EncodeToString([]byte{
1216 CertTypeDSSSign,
1217 CertTypeRSASign,
1218 CertTypeECDSASign,
1219 }),
1220 },
1221 },
1222 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1223 name: "UnauthenticatedECDH",
1224 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1225 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1226 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1227 Bugs: ProtocolBugs{
1228 UnauthenticatedECDH: true,
1229 },
1230 },
1231 shouldFail: true,
1232 expectedError: ":UNEXPECTED_MESSAGE:",
1233 },
1234 {
1235 name: "SkipCertificateStatus",
1236 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1237 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1238 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1239 Bugs: ProtocolBugs{
1240 SkipCertificateStatus: true,
1241 },
1242 },
1243 flags: []string{
1244 "-enable-ocsp-stapling",
1245 },
1246 },
1247 {
1248 name: "SkipServerKeyExchange",
1249 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1250 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1251 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1252 Bugs: ProtocolBugs{
1253 SkipServerKeyExchange: true,
1254 },
1255 },
1256 shouldFail: true,
1257 expectedError: ":UNEXPECTED_MESSAGE:",
1258 },
1259 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1260 testType: serverTest,
1261 name: "Alert",
1262 config: Config{
1263 Bugs: ProtocolBugs{
1264 SendSpuriousAlert: alertRecordOverflow,
1265 },
1266 },
1267 shouldFail: true,
1268 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1269 },
1270 {
1271 protocol: dtls,
1272 testType: serverTest,
1273 name: "Alert-DTLS",
1274 config: Config{
1275 Bugs: ProtocolBugs{
1276 SendSpuriousAlert: alertRecordOverflow,
1277 },
1278 },
1279 shouldFail: true,
1280 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1281 },
1282 {
1283 testType: serverTest,
1284 name: "FragmentAlert",
1285 config: Config{
1286 Bugs: ProtocolBugs{
1287 FragmentAlert: true,
1288 SendSpuriousAlert: alertRecordOverflow,
1289 },
1290 },
1291 shouldFail: true,
1292 expectedError: ":BAD_ALERT:",
1293 },
1294 {
1295 protocol: dtls,
1296 testType: serverTest,
1297 name: "FragmentAlert-DTLS",
1298 config: Config{
1299 Bugs: ProtocolBugs{
1300 FragmentAlert: true,
1301 SendSpuriousAlert: alertRecordOverflow,
1302 },
1303 },
1304 shouldFail: true,
1305 expectedError: ":BAD_ALERT:",
1306 },
1307 {
1308 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1309 name: "DoubleAlert",
1310 config: Config{
1311 Bugs: ProtocolBugs{
1312 DoubleAlert: true,
1313 SendSpuriousAlert: alertRecordOverflow,
1314 },
1315 },
1316 shouldFail: true,
1317 expectedError: ":BAD_ALERT:",
1318 },
1319 {
1320 protocol: dtls,
1321 testType: serverTest,
1322 name: "DoubleAlert-DTLS",
1323 config: Config{
1324 Bugs: ProtocolBugs{
1325 DoubleAlert: true,
1326 SendSpuriousAlert: alertRecordOverflow,
1327 },
1328 },
1329 shouldFail: true,
1330 expectedError: ":BAD_ALERT:",
1331 },
1332 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1333 name: "SkipNewSessionTicket",
1334 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1335 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1336 Bugs: ProtocolBugs{
1337 SkipNewSessionTicket: true,
1338 },
1339 },
1340 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1341 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1342 },
1343 {
1344 testType: serverTest,
1345 name: "FallbackSCSV",
1346 config: Config{
1347 MaxVersion: VersionTLS11,
1348 Bugs: ProtocolBugs{
1349 SendFallbackSCSV: true,
1350 },
1351 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1352 shouldFail: true,
1353 expectedError: ":INAPPROPRIATE_FALLBACK:",
1354 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1355 },
1356 {
1357 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1358 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1359 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1360 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1361 Bugs: ProtocolBugs{
1362 SendFallbackSCSV: true,
1363 },
1364 },
1365 },
1366 {
1367 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1368 name: "FallbackSCSV-VersionMatch-TLS12",
1369 config: Config{
1370 MaxVersion: VersionTLS12,
1371 Bugs: ProtocolBugs{
1372 SendFallbackSCSV: true,
1373 },
1374 },
1375 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1376 },
1377 {
1378 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1379 name: "FragmentedClientVersion",
1380 config: Config{
1381 Bugs: ProtocolBugs{
1382 MaxHandshakeRecordLength: 1,
1383 FragmentClientVersion: true,
1384 },
1385 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1386 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1387 },
1388 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1389 testType: serverTest,
1390 name: "HttpGET",
1391 sendPrefix: "GET / HTTP/1.0\n",
1392 shouldFail: true,
1393 expectedError: ":HTTP_REQUEST:",
1394 },
1395 {
1396 testType: serverTest,
1397 name: "HttpPOST",
1398 sendPrefix: "POST / HTTP/1.0\n",
1399 shouldFail: true,
1400 expectedError: ":HTTP_REQUEST:",
1401 },
1402 {
1403 testType: serverTest,
1404 name: "HttpHEAD",
1405 sendPrefix: "HEAD / HTTP/1.0\n",
1406 shouldFail: true,
1407 expectedError: ":HTTP_REQUEST:",
1408 },
1409 {
1410 testType: serverTest,
1411 name: "HttpPUT",
1412 sendPrefix: "PUT / HTTP/1.0\n",
1413 shouldFail: true,
1414 expectedError: ":HTTP_REQUEST:",
1415 },
1416 {
1417 testType: serverTest,
1418 name: "HttpCONNECT",
1419 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1420 shouldFail: true,
1421 expectedError: ":HTTPS_PROXY_REQUEST:",
1422 },
1423 {
1424 testType: serverTest,
1425 name: "Garbage",
1426 sendPrefix: "blah",
1427 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1428 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1429 },
1430 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1431 name: "RSAEphemeralKey",
1432 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1433 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1434 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1435 Bugs: ProtocolBugs{
1436 RSAEphemeralKey: true,
1437 },
1438 },
1439 shouldFail: true,
1440 expectedError: ":UNEXPECTED_MESSAGE:",
1441 },
1442 {
1443 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1444 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1445 shouldFail: true,
1446 expectedError: ":WRONG_SSL_VERSION:",
1447 },
1448 {
1449 protocol: dtls,
1450 name: "DisableEverything-DTLS",
1451 flags: []string{"-no-tls12", "-no-tls1"},
1452 shouldFail: true,
1453 expectedError: ":WRONG_SSL_VERSION:",
1454 },
1455 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1456 protocol: dtls,
1457 testType: serverTest,
1458 name: "MTU",
1459 config: Config{
1460 Bugs: ProtocolBugs{
1461 MaxPacketLength: 256,
1462 },
1463 },
1464 flags: []string{"-mtu", "256"},
1465 },
1466 {
1467 protocol: dtls,
1468 testType: serverTest,
1469 name: "MTUExceeded",
1470 config: Config{
1471 Bugs: ProtocolBugs{
1472 MaxPacketLength: 255,
1473 },
1474 },
1475 flags: []string{"-mtu", "256"},
1476 shouldFail: true,
1477 expectedLocalError: "dtls: exceeded maximum packet length",
1478 },
1479 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1480 name: "EmptyCertificateList",
1481 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1482 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1483 Bugs: ProtocolBugs{
1484 EmptyCertificateList: true,
1485 },
1486 },
1487 shouldFail: true,
1488 expectedError: ":DECODE_ERROR:",
1489 },
1490 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1491 name: "EmptyCertificateList-TLS13",
1492 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1493 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1494 Bugs: ProtocolBugs{
1495 EmptyCertificateList: true,
1496 },
1497 },
1498 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1499 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1500 },
1501 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1502 name: "TLSFatalBadPackets",
1503 damageFirstWrite: true,
1504 shouldFail: true,
1505 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1506 },
1507 {
1508 protocol: dtls,
1509 name: "DTLSIgnoreBadPackets",
1510 damageFirstWrite: true,
1511 },
1512 {
1513 protocol: dtls,
1514 name: "DTLSIgnoreBadPackets-Async",
1515 damageFirstWrite: true,
1516 flags: []string{"-async"},
1517 },
1518 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1519 name: "AppDataBeforeHandshake",
1520 config: Config{
1521 Bugs: ProtocolBugs{
1522 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1523 },
1524 },
1525 shouldFail: true,
1526 expectedError: ":UNEXPECTED_RECORD:",
1527 },
1528 {
1529 name: "AppDataBeforeHandshake-Empty",
1530 config: Config{
1531 Bugs: ProtocolBugs{
1532 AppDataBeforeHandshake: []byte{},
1533 },
1534 },
1535 shouldFail: true,
1536 expectedError: ":UNEXPECTED_RECORD:",
1537 },
1538 {
1539 protocol: dtls,
1540 name: "AppDataBeforeHandshake-DTLS",
1541 config: Config{
1542 Bugs: ProtocolBugs{
1543 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1544 },
1545 },
1546 shouldFail: true,
1547 expectedError: ":UNEXPECTED_RECORD:",
1548 },
1549 {
1550 protocol: dtls,
1551 name: "AppDataBeforeHandshake-DTLS-Empty",
1552 config: Config{
1553 Bugs: ProtocolBugs{
1554 AppDataBeforeHandshake: []byte{},
1555 },
1556 },
1557 shouldFail: true,
1558 expectedError: ":UNEXPECTED_RECORD:",
1559 },
1560 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1561 name: "AppDataAfterChangeCipherSpec",
1562 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1563 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1564 Bugs: ProtocolBugs{
1565 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1566 },
1567 },
1568 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1569 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1570 },
1571 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1572 name: "AppDataAfterChangeCipherSpec-Empty",
1573 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1574 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1575 Bugs: ProtocolBugs{
1576 AppDataAfterChangeCipherSpec: []byte{},
1577 },
1578 },
1579 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1580 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1581 },
1582 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1583 protocol: dtls,
1584 name: "AppDataAfterChangeCipherSpec-DTLS",
1585 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1586 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1587 Bugs: ProtocolBugs{
1588 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1589 },
1590 },
1591 // BoringSSL's DTLS implementation will drop the out-of-order
1592 // application data.
1593 },
1594 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1595 protocol: dtls,
1596 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1597 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1598 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1599 Bugs: ProtocolBugs{
1600 AppDataAfterChangeCipherSpec: []byte{},
1601 },
1602 },
1603 // BoringSSL's DTLS implementation will drop the out-of-order
1604 // application data.
1605 },
1606 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1607 name: "AlertAfterChangeCipherSpec",
1608 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1609 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1610 Bugs: ProtocolBugs{
1611 AlertAfterChangeCipherSpec: alertRecordOverflow,
1612 },
1613 },
1614 shouldFail: true,
1615 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1616 },
1617 {
1618 protocol: dtls,
1619 name: "AlertAfterChangeCipherSpec-DTLS",
1620 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1621 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1622 Bugs: ProtocolBugs{
1623 AlertAfterChangeCipherSpec: alertRecordOverflow,
1624 },
1625 },
1626 shouldFail: true,
1627 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1628 },
1629 {
1630 protocol: dtls,
1631 name: "ReorderHandshakeFragments-Small-DTLS",
1632 config: Config{
1633 Bugs: ProtocolBugs{
1634 ReorderHandshakeFragments: true,
1635 // Small enough that every handshake message is
1636 // fragmented.
1637 MaxHandshakeRecordLength: 2,
1638 },
1639 },
1640 },
1641 {
1642 protocol: dtls,
1643 name: "ReorderHandshakeFragments-Large-DTLS",
1644 config: Config{
1645 Bugs: ProtocolBugs{
1646 ReorderHandshakeFragments: true,
1647 // Large enough that no handshake message is
1648 // fragmented.
1649 MaxHandshakeRecordLength: 2048,
1650 },
1651 },
1652 },
1653 {
1654 protocol: dtls,
1655 name: "MixCompleteMessageWithFragments-DTLS",
1656 config: Config{
1657 Bugs: ProtocolBugs{
1658 ReorderHandshakeFragments: true,
1659 MixCompleteMessageWithFragments: true,
1660 MaxHandshakeRecordLength: 2,
1661 },
1662 },
1663 },
1664 {
1665 name: "SendInvalidRecordType",
1666 config: Config{
1667 Bugs: ProtocolBugs{
1668 SendInvalidRecordType: true,
1669 },
1670 },
1671 shouldFail: true,
1672 expectedError: ":UNEXPECTED_RECORD:",
1673 },
1674 {
1675 protocol: dtls,
1676 name: "SendInvalidRecordType-DTLS",
1677 config: Config{
1678 Bugs: ProtocolBugs{
1679 SendInvalidRecordType: true,
1680 },
1681 },
1682 shouldFail: true,
1683 expectedError: ":UNEXPECTED_RECORD:",
1684 },
1685 {
1686 name: "FalseStart-SkipServerSecondLeg",
1687 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1688 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1689 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1690 NextProtos: []string{"foo"},
1691 Bugs: ProtocolBugs{
1692 SkipNewSessionTicket: true,
1693 SkipChangeCipherSpec: true,
1694 SkipFinished: true,
1695 ExpectFalseStart: true,
1696 },
1697 },
1698 flags: []string{
1699 "-false-start",
1700 "-handshake-never-done",
1701 "-advertise-alpn", "\x03foo",
1702 },
1703 shimWritesFirst: true,
1704 shouldFail: true,
1705 expectedError: ":UNEXPECTED_RECORD:",
1706 },
1707 {
1708 name: "FalseStart-SkipServerSecondLeg-Implicit",
1709 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1710 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1711 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1712 NextProtos: []string{"foo"},
1713 Bugs: ProtocolBugs{
1714 SkipNewSessionTicket: true,
1715 SkipChangeCipherSpec: true,
1716 SkipFinished: true,
1717 },
1718 },
1719 flags: []string{
1720 "-implicit-handshake",
1721 "-false-start",
1722 "-handshake-never-done",
1723 "-advertise-alpn", "\x03foo",
1724 },
1725 shouldFail: true,
1726 expectedError: ":UNEXPECTED_RECORD:",
1727 },
1728 {
1729 testType: serverTest,
1730 name: "FailEarlyCallback",
1731 flags: []string{"-fail-early-callback"},
1732 shouldFail: true,
1733 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1734 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1735 },
1736 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1737 name: "FailCertCallback-Client-TLS12",
1738 config: Config{
1739 MaxVersion: VersionTLS12,
1740 ClientAuth: RequestClientCert,
1741 },
1742 flags: []string{"-fail-cert-callback"},
1743 shouldFail: true,
1744 expectedError: ":CERT_CB_ERROR:",
1745 expectedLocalError: "remote error: internal error",
1746 },
1747 {
1748 testType: serverTest,
1749 name: "FailCertCallback-Server-TLS12",
1750 config: Config{
1751 MaxVersion: VersionTLS12,
1752 },
1753 flags: []string{"-fail-cert-callback"},
1754 shouldFail: true,
1755 expectedError: ":CERT_CB_ERROR:",
1756 expectedLocalError: "remote error: internal error",
1757 },
1758 {
1759 name: "FailCertCallback-Client-TLS13",
1760 config: Config{
1761 MaxVersion: VersionTLS13,
1762 ClientAuth: RequestClientCert,
1763 },
1764 flags: []string{"-fail-cert-callback"},
1765 shouldFail: true,
1766 expectedError: ":CERT_CB_ERROR:",
1767 expectedLocalError: "remote error: internal error",
1768 },
1769 {
1770 testType: serverTest,
1771 name: "FailCertCallback-Server-TLS13",
1772 config: Config{
1773 MaxVersion: VersionTLS13,
1774 },
1775 flags: []string{"-fail-cert-callback"},
1776 shouldFail: true,
1777 expectedError: ":CERT_CB_ERROR:",
1778 expectedLocalError: "remote error: internal error",
1779 },
1780 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1781 protocol: dtls,
1782 name: "FragmentMessageTypeMismatch-DTLS",
1783 config: Config{
1784 Bugs: ProtocolBugs{
1785 MaxHandshakeRecordLength: 2,
1786 FragmentMessageTypeMismatch: true,
1787 },
1788 },
1789 shouldFail: true,
1790 expectedError: ":FRAGMENT_MISMATCH:",
1791 },
1792 {
1793 protocol: dtls,
1794 name: "FragmentMessageLengthMismatch-DTLS",
1795 config: Config{
1796 Bugs: ProtocolBugs{
1797 MaxHandshakeRecordLength: 2,
1798 FragmentMessageLengthMismatch: true,
1799 },
1800 },
1801 shouldFail: true,
1802 expectedError: ":FRAGMENT_MISMATCH:",
1803 },
1804 {
1805 protocol: dtls,
1806 name: "SplitFragments-Header-DTLS",
1807 config: Config{
1808 Bugs: ProtocolBugs{
1809 SplitFragments: 2,
1810 },
1811 },
1812 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1813 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1814 },
1815 {
1816 protocol: dtls,
1817 name: "SplitFragments-Boundary-DTLS",
1818 config: Config{
1819 Bugs: ProtocolBugs{
1820 SplitFragments: dtlsRecordHeaderLen,
1821 },
1822 },
1823 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1824 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1825 },
1826 {
1827 protocol: dtls,
1828 name: "SplitFragments-Body-DTLS",
1829 config: Config{
1830 Bugs: ProtocolBugs{
1831 SplitFragments: dtlsRecordHeaderLen + 1,
1832 },
1833 },
1834 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1835 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1836 },
1837 {
1838 protocol: dtls,
1839 name: "SendEmptyFragments-DTLS",
1840 config: Config{
1841 Bugs: ProtocolBugs{
1842 SendEmptyFragments: true,
1843 },
1844 },
1845 },
1846 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1847 name: "BadFinished-Client",
1848 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1849 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1850 Bugs: ProtocolBugs{
1851 BadFinished: true,
1852 },
1853 },
1854 shouldFail: true,
1855 expectedError: ":DIGEST_CHECK_FAILED:",
1856 },
1857 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1858 name: "BadFinished-Client-TLS13",
1859 config: Config{
1860 MaxVersion: VersionTLS13,
1861 Bugs: ProtocolBugs{
1862 BadFinished: true,
1863 },
1864 },
1865 shouldFail: true,
1866 expectedError: ":DIGEST_CHECK_FAILED:",
1867 },
1868 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1869 testType: serverTest,
1870 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1871 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1872 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1873 Bugs: ProtocolBugs{
1874 BadFinished: true,
1875 },
1876 },
1877 shouldFail: true,
1878 expectedError: ":DIGEST_CHECK_FAILED:",
1879 },
1880 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1881 testType: serverTest,
1882 name: "BadFinished-Server-TLS13",
1883 config: Config{
1884 MaxVersion: VersionTLS13,
1885 Bugs: ProtocolBugs{
1886 BadFinished: true,
1887 },
1888 },
1889 shouldFail: true,
1890 expectedError: ":DIGEST_CHECK_FAILED:",
1891 },
1892 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1893 name: "FalseStart-BadFinished",
1894 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1895 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1896 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1897 NextProtos: []string{"foo"},
1898 Bugs: ProtocolBugs{
1899 BadFinished: true,
1900 ExpectFalseStart: true,
1901 },
1902 },
1903 flags: []string{
1904 "-false-start",
1905 "-handshake-never-done",
1906 "-advertise-alpn", "\x03foo",
1907 },
1908 shimWritesFirst: true,
1909 shouldFail: true,
1910 expectedError: ":DIGEST_CHECK_FAILED:",
1911 },
1912 {
1913 name: "NoFalseStart-NoALPN",
1914 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1915 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1916 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1917 Bugs: ProtocolBugs{
1918 ExpectFalseStart: true,
1919 AlertBeforeFalseStartTest: alertAccessDenied,
1920 },
1921 },
1922 flags: []string{
1923 "-false-start",
1924 },
1925 shimWritesFirst: true,
1926 shouldFail: true,
1927 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1928 expectedLocalError: "tls: peer did not false start: EOF",
1929 },
1930 {
1931 name: "NoFalseStart-NoAEAD",
1932 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1933 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1934 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1935 NextProtos: []string{"foo"},
1936 Bugs: ProtocolBugs{
1937 ExpectFalseStart: true,
1938 AlertBeforeFalseStartTest: alertAccessDenied,
1939 },
1940 },
1941 flags: []string{
1942 "-false-start",
1943 "-advertise-alpn", "\x03foo",
1944 },
1945 shimWritesFirst: true,
1946 shouldFail: true,
1947 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1948 expectedLocalError: "tls: peer did not false start: EOF",
1949 },
1950 {
1951 name: "NoFalseStart-RSA",
1952 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1953 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1954 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1955 NextProtos: []string{"foo"},
1956 Bugs: ProtocolBugs{
1957 ExpectFalseStart: true,
1958 AlertBeforeFalseStartTest: alertAccessDenied,
1959 },
1960 },
1961 flags: []string{
1962 "-false-start",
1963 "-advertise-alpn", "\x03foo",
1964 },
1965 shimWritesFirst: true,
1966 shouldFail: true,
1967 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1968 expectedLocalError: "tls: peer did not false start: EOF",
1969 },
1970 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1971 protocol: dtls,
1972 name: "SendSplitAlert-Sync",
1973 config: Config{
1974 Bugs: ProtocolBugs{
1975 SendSplitAlert: true,
1976 },
1977 },
1978 },
1979 {
1980 protocol: dtls,
1981 name: "SendSplitAlert-Async",
1982 config: Config{
1983 Bugs: ProtocolBugs{
1984 SendSplitAlert: true,
1985 },
1986 },
1987 flags: []string{"-async"},
1988 },
1989 {
1990 protocol: dtls,
1991 name: "PackDTLSHandshake",
1992 config: Config{
1993 Bugs: ProtocolBugs{
1994 MaxHandshakeRecordLength: 2,
1995 PackHandshakeFragments: 20,
1996 PackHandshakeRecords: 200,
1997 },
1998 },
1999 },
2000 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2001 name: "SendEmptyRecords-Pass",
2002 sendEmptyRecords: 32,
2003 },
2004 {
2005 name: "SendEmptyRecords",
2006 sendEmptyRecords: 33,
2007 shouldFail: true,
2008 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2009 },
2010 {
2011 name: "SendEmptyRecords-Async",
2012 sendEmptyRecords: 33,
2013 flags: []string{"-async"},
2014 shouldFail: true,
2015 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2016 },
2017 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2018 name: "SendWarningAlerts-Pass",
2019 config: Config{
2020 MaxVersion: VersionTLS12,
2021 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2022 sendWarningAlerts: 4,
2023 },
2024 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2025 protocol: dtls,
2026 name: "SendWarningAlerts-DTLS-Pass",
2027 config: Config{
2028 MaxVersion: VersionTLS12,
2029 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2030 sendWarningAlerts: 4,
2031 },
2032 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2033 name: "SendWarningAlerts-TLS13",
2034 config: Config{
2035 MaxVersion: VersionTLS13,
2036 },
2037 sendWarningAlerts: 4,
2038 shouldFail: true,
2039 expectedError: ":BAD_ALERT:",
2040 expectedLocalError: "remote error: error decoding message",
2041 },
2042 {
2043 name: "SendWarningAlerts",
2044 config: Config{
2045 MaxVersion: VersionTLS12,
2046 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2047 sendWarningAlerts: 5,
2048 shouldFail: true,
2049 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2050 },
2051 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2052 name: "SendWarningAlerts-Async",
2053 config: Config{
2054 MaxVersion: VersionTLS12,
2055 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2056 sendWarningAlerts: 5,
2057 flags: []string{"-async"},
2058 shouldFail: true,
2059 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2060 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2061 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2062 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2063 config: Config{
2064 MaxVersion: VersionTLS13,
2065 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2066 sendKeyUpdates: 33,
2067 keyUpdateRequest: keyUpdateNotRequested,
2068 shouldFail: true,
2069 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2070 },
2071 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2072 name: "EmptySessionID",
2073 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2074 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2075 SessionTicketsDisabled: true,
2076 },
2077 noSessionCache: true,
2078 flags: []string{"-expect-no-session"},
2079 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2080 {
2081 name: "Unclean-Shutdown",
2082 config: Config{
2083 Bugs: ProtocolBugs{
2084 NoCloseNotify: true,
2085 ExpectCloseNotify: true,
2086 },
2087 },
2088 shimShutsDown: true,
2089 flags: []string{"-check-close-notify"},
2090 shouldFail: true,
2091 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2092 },
2093 {
2094 name: "Unclean-Shutdown-Ignored",
2095 config: Config{
2096 Bugs: ProtocolBugs{
2097 NoCloseNotify: true,
2098 },
2099 },
2100 shimShutsDown: true,
2101 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2102 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2103 name: "Unclean-Shutdown-Alert",
2104 config: Config{
2105 Bugs: ProtocolBugs{
2106 SendAlertOnShutdown: alertDecompressionFailure,
2107 ExpectCloseNotify: true,
2108 },
2109 },
2110 shimShutsDown: true,
2111 flags: []string{"-check-close-notify"},
2112 shouldFail: true,
2113 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2114 },
2115 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2116 name: "LargePlaintext",
2117 config: Config{
2118 Bugs: ProtocolBugs{
2119 SendLargeRecords: true,
2120 },
2121 },
2122 messageLen: maxPlaintext + 1,
2123 shouldFail: true,
2124 expectedError: ":DATA_LENGTH_TOO_LONG:",
2125 },
2126 {
2127 protocol: dtls,
2128 name: "LargePlaintext-DTLS",
2129 config: Config{
2130 Bugs: ProtocolBugs{
2131 SendLargeRecords: true,
2132 },
2133 },
2134 messageLen: maxPlaintext + 1,
2135 shouldFail: true,
2136 expectedError: ":DATA_LENGTH_TOO_LONG:",
2137 },
2138 {
2139 name: "LargeCiphertext",
2140 config: Config{
2141 Bugs: ProtocolBugs{
2142 SendLargeRecords: true,
2143 },
2144 },
2145 messageLen: maxPlaintext * 2,
2146 shouldFail: true,
2147 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2148 },
2149 {
2150 protocol: dtls,
2151 name: "LargeCiphertext-DTLS",
2152 config: Config{
2153 Bugs: ProtocolBugs{
2154 SendLargeRecords: true,
2155 },
2156 },
2157 messageLen: maxPlaintext * 2,
2158 // Unlike the other four cases, DTLS drops records which
2159 // are invalid before authentication, so the connection
2160 // does not fail.
2161 expectMessageDropped: true,
2162 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2163 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2164 name: "BadHelloRequest-1",
2165 renegotiate: 1,
2166 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2167 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2168 Bugs: ProtocolBugs{
2169 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2170 },
2171 },
2172 flags: []string{
2173 "-renegotiate-freely",
2174 "-expect-total-renegotiations", "1",
2175 },
2176 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2177 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2178 },
2179 {
2180 name: "BadHelloRequest-2",
2181 renegotiate: 1,
2182 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2183 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2184 Bugs: ProtocolBugs{
2185 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2186 },
2187 },
2188 flags: []string{
2189 "-renegotiate-freely",
2190 "-expect-total-renegotiations", "1",
2191 },
2192 shouldFail: true,
2193 expectedError: ":BAD_HELLO_REQUEST:",
2194 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2195 {
2196 testType: serverTest,
2197 name: "SupportTicketsWithSessionID",
2198 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2199 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2200 SessionTicketsDisabled: true,
2201 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2202 resumeConfig: &Config{
2203 MaxVersion: VersionTLS12,
2204 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2205 resumeSession: true,
2206 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2207 {
2208 protocol: dtls,
2209 name: "DTLS-SendExtraFinished",
2210 config: Config{
2211 Bugs: ProtocolBugs{
2212 SendExtraFinished: true,
2213 },
2214 },
2215 shouldFail: true,
2216 expectedError: ":UNEXPECTED_RECORD:",
2217 },
2218 {
2219 protocol: dtls,
2220 name: "DTLS-SendExtraFinished-Reordered",
2221 config: Config{
2222 Bugs: ProtocolBugs{
2223 MaxHandshakeRecordLength: 2,
2224 ReorderHandshakeFragments: true,
2225 SendExtraFinished: true,
2226 },
2227 },
2228 shouldFail: true,
2229 expectedError: ":UNEXPECTED_RECORD:",
2230 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2231 {
2232 testType: serverTest,
2233 name: "V2ClientHello-EmptyRecordPrefix",
2234 config: Config{
2235 // Choose a cipher suite that does not involve
2236 // elliptic curves, so no extensions are
2237 // involved.
2238 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2239 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2240 Bugs: ProtocolBugs{
2241 SendV2ClientHello: true,
2242 },
2243 },
2244 sendPrefix: string([]byte{
2245 byte(recordTypeHandshake),
2246 3, 1, // version
2247 0, 0, // length
2248 }),
2249 // A no-op empty record may not be sent before V2ClientHello.
2250 shouldFail: true,
2251 expectedError: ":WRONG_VERSION_NUMBER:",
2252 },
2253 {
2254 testType: serverTest,
2255 name: "V2ClientHello-WarningAlertPrefix",
2256 config: Config{
2257 // Choose a cipher suite that does not involve
2258 // elliptic curves, so no extensions are
2259 // involved.
2260 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2261 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2262 Bugs: ProtocolBugs{
2263 SendV2ClientHello: true,
2264 },
2265 },
2266 sendPrefix: string([]byte{
2267 byte(recordTypeAlert),
2268 3, 1, // version
2269 0, 2, // length
2270 alertLevelWarning, byte(alertDecompressionFailure),
2271 }),
2272 // A no-op warning alert may not be sent before V2ClientHello.
2273 shouldFail: true,
2274 expectedError: ":WRONG_VERSION_NUMBER:",
2275 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2276 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2277 name: "KeyUpdate-Client",
2278 config: Config{
2279 MaxVersion: VersionTLS13,
2280 },
2281 sendKeyUpdates: 1,
2282 keyUpdateRequest: keyUpdateNotRequested,
2283 },
2284 {
2285 testType: serverTest,
2286 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2287 config: Config{
2288 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2289 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2290 sendKeyUpdates: 1,
2291 keyUpdateRequest: keyUpdateNotRequested,
2292 },
2293 {
2294 name: "KeyUpdate-InvalidRequestMode",
2295 config: Config{
2296 MaxVersion: VersionTLS13,
2297 },
2298 sendKeyUpdates: 1,
2299 keyUpdateRequest: 42,
2300 shouldFail: true,
2301 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2302 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2303 {
2304 name: "SendSNIWarningAlert",
2305 config: Config{
2306 MaxVersion: VersionTLS12,
2307 Bugs: ProtocolBugs{
2308 SendSNIWarningAlert: true,
2309 },
2310 },
2311 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2312 {
2313 testType: serverTest,
2314 name: "ExtraCompressionMethods-TLS12",
2315 config: Config{
2316 MaxVersion: VersionTLS12,
2317 Bugs: ProtocolBugs{
2318 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2319 },
2320 },
2321 },
2322 {
2323 testType: serverTest,
2324 name: "ExtraCompressionMethods-TLS13",
2325 config: Config{
2326 MaxVersion: VersionTLS13,
2327 Bugs: ProtocolBugs{
2328 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2329 },
2330 },
2331 shouldFail: true,
2332 expectedError: ":INVALID_COMPRESSION_LIST:",
2333 expectedLocalError: "remote error: illegal parameter",
2334 },
2335 {
2336 testType: serverTest,
2337 name: "NoNullCompression-TLS12",
2338 config: Config{
2339 MaxVersion: VersionTLS12,
2340 Bugs: ProtocolBugs{
2341 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2342 },
2343 },
2344 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2345 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2346 expectedLocalError: "remote error: illegal parameter",
2347 },
2348 {
2349 testType: serverTest,
2350 name: "NoNullCompression-TLS13",
2351 config: Config{
2352 MaxVersion: VersionTLS13,
2353 Bugs: ProtocolBugs{
2354 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2355 },
2356 },
2357 shouldFail: true,
2358 expectedError: ":INVALID_COMPRESSION_LIST:",
2359 expectedLocalError: "remote error: illegal parameter",
2360 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2361 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2362 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2363 config: Config{
2364 MaxVersion: VersionTLS12,
2365 Bugs: ProtocolBugs{
2366 ExpectGREASE: true,
2367 },
2368 },
2369 flags: []string{"-enable-grease"},
2370 },
2371 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2372 name: "GREASE-Client-TLS13",
2373 config: Config{
2374 MaxVersion: VersionTLS13,
2375 Bugs: ProtocolBugs{
2376 ExpectGREASE: true,
2377 },
2378 },
2379 flags: []string{"-enable-grease"},
2380 },
2381 {
2382 testType: serverTest,
2383 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2384 config: Config{
2385 MaxVersion: VersionTLS13,
2386 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2387 // TLS 1.3 servers are expected to
2388 // always enable GREASE. TLS 1.3 is new,
2389 // so there is no existing ecosystem to
2390 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2391 ExpectGREASE: true,
2392 },
2393 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2394 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2395 {
2396 // Test the server so there is a large certificate as
2397 // well as application data.
2398 testType: serverTest,
2399 name: "MaxSendFragment",
2400 config: Config{
2401 Bugs: ProtocolBugs{
2402 MaxReceivePlaintext: 512,
2403 },
2404 },
2405 messageLen: 1024,
2406 flags: []string{
2407 "-max-send-fragment", "512",
2408 "-read-size", "1024",
2409 },
2410 },
2411 {
2412 // Test the server so there is a large certificate as
2413 // well as application data.
2414 testType: serverTest,
2415 name: "MaxSendFragment-TooLarge",
2416 config: Config{
2417 Bugs: ProtocolBugs{
2418 // Ensure that some of the records are
2419 // 512.
2420 MaxReceivePlaintext: 511,
2421 },
2422 },
2423 messageLen: 1024,
2424 flags: []string{
2425 "-max-send-fragment", "512",
2426 "-read-size", "1024",
2427 },
2428 shouldFail: true,
2429 expectedLocalError: "local error: record overflow",
2430 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2431 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2432 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2433
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2434 if *includeDHE {
2435 testCases = append(testCases, testCase{
2436 name: "NoFalseStart-DHE_RSA",
2437 config: Config{
2438 MaxVersion: VersionTLS12,
2439 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2440 NextProtos: []string{"foo"},
2441 Bugs: ProtocolBugs{
2442 ExpectFalseStart: true,
2443 AlertBeforeFalseStartTest: alertAccessDenied,
2444 },
2445 },
2446 flags: []string{
2447 "-false-start",
2448 "-advertise-alpn", "\x03foo",
2449 },
2450 shimWritesFirst: true,
2451 shouldFail: true,
2452 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2453 expectedLocalError: "tls: peer did not false start: EOF",
2454 })
2455 }
2456
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2457 // Test that very large messages can be received.
2458 cert := rsaCertificate
2459 for i := 0; i < 50; i++ {
2460 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2461 }
2462 testCases = append(testCases, testCase{
2463 name: "LargeMessage",
2464 config: Config{
2465 Certificates: []Certificate{cert},
2466 },
2467 })
2468 testCases = append(testCases, testCase{
2469 protocol: dtls,
2470 name: "LargeMessage-DTLS",
2471 config: Config{
2472 Certificates: []Certificate{cert},
2473 },
2474 })
2475
2476 // They are rejected if the maximum certificate chain length is capped.
2477 testCases = append(testCases, testCase{
2478 name: "LargeMessage-Reject",
2479 config: Config{
2480 Certificates: []Certificate{cert},
2481 },
2482 flags: []string{"-max-cert-list", "16384"},
2483 shouldFail: true,
2484 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2485 })
2486 testCases = append(testCases, testCase{
2487 protocol: dtls,
2488 name: "LargeMessage-Reject-DTLS",
2489 config: Config{
2490 Certificates: []Certificate{cert},
2491 },
2492 flags: []string{"-max-cert-list", "16384"},
2493 shouldFail: true,
2494 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2495 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2496}
2497
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2498func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2499 const psk = "12345"
2500 const pskIdentity = "luggage combo"
2501
2502 var prefix string
2503 if protocol == dtls {
2504 if !ver.hasDTLS {
2505 return
2506 }
2507 prefix = "D"
2508 }
2509
2510 var cert Certificate
2511 var certFile string
2512 var keyFile string
2513 if hasComponent(suite.name, "ECDSA") {
2514 cert = ecdsaP256Certificate
2515 certFile = ecdsaP256CertificateFile
2516 keyFile = ecdsaP256KeyFile
2517 } else {
2518 cert = rsaCertificate
2519 certFile = rsaCertificateFile
2520 keyFile = rsaKeyFile
2521 }
2522
2523 var flags []string
2524 if hasComponent(suite.name, "PSK") {
2525 flags = append(flags,
2526 "-psk", psk,
2527 "-psk-identity", pskIdentity)
2528 }
2529 if hasComponent(suite.name, "NULL") {
2530 // NULL ciphers must be explicitly enabled.
2531 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2532 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2533
2534 var shouldServerFail, shouldClientFail bool
2535 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2536 // BoringSSL clients accept ECDHE on SSLv3, but
2537 // a BoringSSL server will never select it
2538 // because the extension is missing.
2539 shouldServerFail = true
2540 }
2541 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2542 shouldClientFail = true
2543 shouldServerFail = true
2544 }
2545 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2546 shouldClientFail = true
2547 shouldServerFail = true
2548 }
2549 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2550 shouldClientFail = true
2551 shouldServerFail = true
2552 }
2553 if !isDTLSCipher(suite.name) && protocol == dtls {
2554 shouldClientFail = true
2555 shouldServerFail = true
2556 }
2557
2558 var sendCipherSuite uint16
2559 var expectedServerError, expectedClientError string
2560 serverCipherSuites := []uint16{suite.id}
2561 if shouldServerFail {
2562 expectedServerError = ":NO_SHARED_CIPHER:"
2563 }
2564 if shouldClientFail {
2565 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2566 // Configure the server to select ciphers as normal but
2567 // select an incompatible cipher in ServerHello.
2568 serverCipherSuites = nil
2569 sendCipherSuite = suite.id
2570 }
2571
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2572 // For cipher suites and versions where exporters are defined, verify
2573 // that they interoperate.
2574 var exportKeyingMaterial int
2575 if ver.version > VersionSSL30 {
2576 exportKeyingMaterial = 1024
2577 }
2578
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2579 testCases = append(testCases, testCase{
2580 testType: serverTest,
2581 protocol: protocol,
2582 name: prefix + ver.name + "-" + suite.name + "-server",
2583 config: Config{
2584 MinVersion: ver.version,
2585 MaxVersion: ver.version,
2586 CipherSuites: []uint16{suite.id},
2587 Certificates: []Certificate{cert},
2588 PreSharedKey: []byte(psk),
2589 PreSharedKeyIdentity: pskIdentity,
2590 Bugs: ProtocolBugs{
2591 AdvertiseAllConfiguredCiphers: true,
2592 },
2593 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2594 certFile: certFile,
2595 keyFile: keyFile,
2596 flags: flags,
2597 resumeSession: true,
2598 shouldFail: shouldServerFail,
2599 expectedError: expectedServerError,
2600 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2601 })
2602
2603 testCases = append(testCases, testCase{
2604 testType: clientTest,
2605 protocol: protocol,
2606 name: prefix + ver.name + "-" + suite.name + "-client",
2607 config: Config{
2608 MinVersion: ver.version,
2609 MaxVersion: ver.version,
2610 CipherSuites: serverCipherSuites,
2611 Certificates: []Certificate{cert},
2612 PreSharedKey: []byte(psk),
2613 PreSharedKeyIdentity: pskIdentity,
2614 Bugs: ProtocolBugs{
2615 IgnorePeerCipherPreferences: shouldClientFail,
2616 SendCipherSuite: sendCipherSuite,
2617 },
2618 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2619 flags: flags,
2620 resumeSession: true,
2621 shouldFail: shouldClientFail,
2622 expectedError: expectedClientError,
2623 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2624 })
2625
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2626 if shouldClientFail {
2627 return
2628 }
2629
2630 // Ensure the maximum record size is accepted.
2631 testCases = append(testCases, testCase{
2632 protocol: protocol,
2633 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2634 config: Config{
2635 MinVersion: ver.version,
2636 MaxVersion: ver.version,
2637 CipherSuites: []uint16{suite.id},
2638 Certificates: []Certificate{cert},
2639 PreSharedKey: []byte(psk),
2640 PreSharedKeyIdentity: pskIdentity,
2641 },
2642 flags: flags,
2643 messageLen: maxPlaintext,
2644 })
2645
2646 // Test bad records for all ciphers. Bad records are fatal in TLS
2647 // and ignored in DTLS.
2648 var shouldFail bool
2649 var expectedError string
2650 if protocol == tls {
2651 shouldFail = true
2652 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2653 }
2654
2655 testCases = append(testCases, testCase{
2656 protocol: protocol,
2657 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2658 config: Config{
2659 MinVersion: ver.version,
2660 MaxVersion: ver.version,
2661 CipherSuites: []uint16{suite.id},
2662 Certificates: []Certificate{cert},
2663 PreSharedKey: []byte(psk),
2664 PreSharedKeyIdentity: pskIdentity,
2665 },
2666 flags: flags,
2667 damageFirstWrite: true,
2668 messageLen: maxPlaintext,
2669 shouldFail: shouldFail,
2670 expectedError: expectedError,
2671 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2672}
2673
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2674func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2675 const bogusCipher = 0xfe00
2676
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2677 if *includeDHE {
2678 testCipherSuites = append(testCipherSuites, []testCipherSuite{
2679 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2680 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
2681 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
2682 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
2683 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
2684 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
2685 }...)
2686 }
2687
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2688 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2689 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2690 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2691 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2692 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2693 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2694 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2695
2696 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2697 name: "NoSharedCipher",
2698 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2699 MaxVersion: VersionTLS12,
2700 CipherSuites: []uint16{},
2701 },
2702 shouldFail: true,
2703 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2704 })
2705
2706 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2707 name: "NoSharedCipher-TLS13",
2708 config: Config{
2709 MaxVersion: VersionTLS13,
2710 CipherSuites: []uint16{},
2711 },
2712 shouldFail: true,
2713 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2714 })
2715
2716 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2717 name: "UnsupportedCipherSuite",
2718 config: Config{
2719 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2720 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2721 Bugs: ProtocolBugs{
2722 IgnorePeerCipherPreferences: true,
2723 },
2724 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2725 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2726 shouldFail: true,
2727 expectedError: ":WRONG_CIPHER_RETURNED:",
2728 })
2729
2730 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2731 name: "ServerHelloBogusCipher",
2732 config: Config{
2733 MaxVersion: VersionTLS12,
2734 Bugs: ProtocolBugs{
2735 SendCipherSuite: bogusCipher,
2736 },
2737 },
2738 shouldFail: true,
2739 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2740 })
2741 testCases = append(testCases, testCase{
2742 name: "ServerHelloBogusCipher-TLS13",
2743 config: Config{
2744 MaxVersion: VersionTLS13,
2745 Bugs: ProtocolBugs{
2746 SendCipherSuite: bogusCipher,
2747 },
2748 },
2749 shouldFail: true,
2750 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2751 })
2752
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2753 if *includeDHE {
2754 testCases = append(testCases, testCase{
2755 name: "WeakDH",
2756 config: Config{
2757 MaxVersion: VersionTLS12,
2758 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2759 Bugs: ProtocolBugs{
2760 // This is a 1023-bit prime number, generated
2761 // with:
2762 // openssl gendh 1023 | openssl asn1parse -i
2763 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2764 },
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2765 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2766 shouldFail: true,
2767 expectedError: ":BAD_DH_P_LENGTH:",
2768 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2769
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2770 testCases = append(testCases, testCase{
2771 name: "SillyDH",
2772 config: Config{
2773 MaxVersion: VersionTLS12,
2774 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2775 Bugs: ProtocolBugs{
2776 // This is a 4097-bit prime number, generated
2777 // with:
2778 // openssl gendh 4097 | openssl asn1parse -i
2779 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2780 },
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2781 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2782 shouldFail: true,
2783 expectedError: ":DH_P_TOO_LONG:",
2784 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2785
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2786 // This test ensures that Diffie-Hellman public values are padded with
2787 // zeros so that they're the same length as the prime. This is to avoid
2788 // hitting a bug in yaSSL.
2789 testCases = append(testCases, testCase{
2790 testType: serverTest,
2791 name: "DHPublicValuePadded",
2792 config: Config{
2793 MaxVersion: VersionTLS12,
2794 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2795 Bugs: ProtocolBugs{
2796 RequireDHPublicValueLen: (1025 + 7) / 8,
2797 },
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2798 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2799 flags: []string{"-use-sparse-dh-prime"},
2800 })
2801 }
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2802
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2803 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2804 testCases = append(testCases, testCase{
2805 testType: serverTest,
2806 name: "UnknownCipher",
2807 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2808 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2809 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2810 Bugs: ProtocolBugs{
2811 AdvertiseAllConfiguredCiphers: true,
2812 },
2813 },
2814 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2815
2816 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2817 testCases = append(testCases, testCase{
2818 testType: serverTest,
2819 name: "UnknownCipher-TLS13",
2820 config: Config{
2821 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2822 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2823 Bugs: ProtocolBugs{
2824 AdvertiseAllConfiguredCiphers: true,
2825 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2826 },
2827 })
2828
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2829 // Test empty ECDHE_PSK identity hints work as expected.
2830 testCases = append(testCases, testCase{
2831 name: "EmptyECDHEPSKHint",
2832 config: Config{
2833 MaxVersion: VersionTLS12,
2834 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2835 PreSharedKey: []byte("secret"),
2836 },
2837 flags: []string{"-psk", "secret"},
2838 })
2839
2840 // Test empty PSK identity hints work as expected, even if an explicit
2841 // ServerKeyExchange is sent.
2842 testCases = append(testCases, testCase{
2843 name: "ExplicitEmptyPSKHint",
2844 config: Config{
2845 MaxVersion: VersionTLS12,
2846 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2847 PreSharedKey: []byte("secret"),
2848 Bugs: ProtocolBugs{
2849 AlwaysSendPreSharedKeyIdentityHint: true,
2850 },
2851 },
2852 flags: []string{"-psk", "secret"},
2853 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]2854
2855 // Test that clients enforce that the server-sent certificate and cipher
2856 // suite match in TLS 1.2.
2857 testCases = append(testCases, testCase{
2858 name: "CertificateCipherMismatch-RSA",
2859 config: Config{
2860 MaxVersion: VersionTLS12,
2861 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2862 Certificates: []Certificate{rsaCertificate},
2863 Bugs: ProtocolBugs{
2864 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2865 },
2866 },
2867 shouldFail: true,
2868 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2869 })
2870 testCases = append(testCases, testCase{
2871 name: "CertificateCipherMismatch-ECDSA",
2872 config: Config{
2873 MaxVersion: VersionTLS12,
2874 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2875 Certificates: []Certificate{ecdsaP256Certificate},
2876 Bugs: ProtocolBugs{
2877 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2878 },
2879 },
2880 shouldFail: true,
2881 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2882 })
2883 testCases = append(testCases, testCase{
2884 name: "CertificateCipherMismatch-Ed25519",
2885 config: Config{
2886 MaxVersion: VersionTLS12,
2887 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2888 Certificates: []Certificate{ed25519Certificate},
2889 Bugs: ProtocolBugs{
2890 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2891 },
2892 },
2893 shouldFail: true,
2894 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2895 })
2896
2897 // Test that servers decline to select a cipher suite which is
2898 // inconsistent with their configured certificate.
2899 testCases = append(testCases, testCase{
2900 testType: serverTest,
2901 name: "ServerCipherFilter-RSA",
2902 config: Config{
2903 MaxVersion: VersionTLS12,
2904 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2905 },
2906 flags: []string{
2907 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2908 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2909 },
2910 shouldFail: true,
2911 expectedError: ":NO_SHARED_CIPHER:",
2912 })
2913 testCases = append(testCases, testCase{
2914 testType: serverTest,
2915 name: "ServerCipherFilter-ECDSA",
2916 config: Config{
2917 MaxVersion: VersionTLS12,
2918 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2919 },
2920 flags: []string{
2921 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2922 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2923 },
2924 shouldFail: true,
2925 expectedError: ":NO_SHARED_CIPHER:",
2926 })
2927 testCases = append(testCases, testCase{
2928 testType: serverTest,
2929 name: "ServerCipherFilter-Ed25519",
2930 config: Config{
2931 MaxVersion: VersionTLS12,
2932 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2933 },
2934 flags: []string{
2935 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2936 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2937 },
2938 shouldFail: true,
2939 expectedError: ":NO_SHARED_CIPHER:",
2940 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2941}
2942
2943func addBadECDSASignatureTests() {
2944 for badR := BadValue(1); badR < NumBadValues; badR++ {
2945 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2946 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2947 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2948 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2949 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2950 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2951 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2952 Bugs: ProtocolBugs{
2953 BadECDSAR: badR,
2954 BadECDSAS: badS,
2955 },
2956 },
2957 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2958 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2959 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2960 testCases = append(testCases, testCase{
2961 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2962 config: Config{
2963 MaxVersion: VersionTLS13,
2964 Certificates: []Certificate{ecdsaP256Certificate},
2965 Bugs: ProtocolBugs{
2966 BadECDSAR: badR,
2967 BadECDSAS: badS,
2968 },
2969 },
2970 shouldFail: true,
2971 expectedError: ":BAD_SIGNATURE:",
2972 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2973 }
2974 }
2975}
2976
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2977func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2978 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2979 name: "MaxCBCPadding",
2980 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2981 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2982 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2983 Bugs: ProtocolBugs{
2984 MaxPadding: true,
2985 },
2986 },
2987 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2988 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2989 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2990 name: "BadCBCPadding",
2991 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2992 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2993 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2994 Bugs: ProtocolBugs{
2995 PaddingFirstByteBad: true,
2996 },
2997 },
2998 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2999 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3000 })
3001 // OpenSSL previously had an issue where the first byte of padding in
3002 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]3003 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3004 name: "BadCBCPadding255",
3005 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3006 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3007 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3008 Bugs: ProtocolBugs{
3009 MaxPadding: true,
3010 PaddingFirstByteBadIf255: true,
3011 },
3012 },
3013 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3014 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]3015 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]3016 })
3017}
3018
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3019func addCBCSplittingTests() {
3020 testCases = append(testCases, testCase{
3021 name: "CBCRecordSplitting",
3022 config: Config{
3023 MaxVersion: VersionTLS10,
3024 MinVersion: VersionTLS10,
3025 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3026 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]3027 messageLen: -1, // read until EOF
3028 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3029 flags: []string{
3030 "-async",
3031 "-write-different-record-sizes",
3032 "-cbc-record-splitting",
3033 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3034 })
3035 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3036 name: "CBCRecordSplittingPartialWrite",
3037 config: Config{
3038 MaxVersion: VersionTLS10,
3039 MinVersion: VersionTLS10,
3040 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3041 },
3042 messageLen: -1, // read until EOF
3043 flags: []string{
3044 "-async",
3045 "-write-different-record-sizes",
3046 "-cbc-record-splitting",
3047 "-partial-write",
3048 },
3049 })
3050}
3051
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3052func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3053 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3054 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3055 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3056 cert, err := x509.ParseCertificate(cert.Certificate[0])
3057 if err != nil {
3058 panic(err)
3059 }
3060 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3061 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3062 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3063
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3064 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3065 testCases = append(testCases, testCase{
3066 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3067 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3068 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3069 MinVersion: ver.version,
3070 MaxVersion: ver.version,
3071 ClientAuth: RequireAnyClientCert,
3072 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3073 },
3074 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3075 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3076 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3077 },
3078 })
3079 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3080 testType: serverTest,
3081 name: ver.name + "-Server-ClientAuth-RSA",
3082 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3083 MinVersion: ver.version,
3084 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3085 Certificates: []Certificate{rsaCertificate},
3086 },
3087 flags: []string{"-require-any-client-certificate"},
3088 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3089 if ver.version != VersionSSL30 {
3090 testCases = append(testCases, testCase{
3091 testType: serverTest,
3092 name: ver.name + "-Server-ClientAuth-ECDSA",
3093 config: Config{
3094 MinVersion: ver.version,
3095 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3096 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3097 },
3098 flags: []string{"-require-any-client-certificate"},
3099 })
3100 testCases = append(testCases, testCase{
3101 testType: clientTest,
3102 name: ver.name + "-Client-ClientAuth-ECDSA",
3103 config: Config{
3104 MinVersion: ver.version,
3105 MaxVersion: ver.version,
3106 ClientAuth: RequireAnyClientCert,
3107 ClientCAs: certPool,
3108 },
3109 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3110 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3111 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3112 },
3113 })
3114 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3115
3116 testCases = append(testCases, testCase{
3117 name: "NoClientCertificate-" + ver.name,
3118 config: Config{
3119 MinVersion: ver.version,
3120 MaxVersion: ver.version,
3121 ClientAuth: RequireAnyClientCert,
3122 },
3123 shouldFail: true,
3124 expectedLocalError: "client didn't provide a certificate",
3125 })
3126
3127 testCases = append(testCases, testCase{
3128 // Even if not configured to expect a certificate, OpenSSL will
3129 // return X509_V_OK as the verify_result.
3130 testType: serverTest,
3131 name: "NoClientCertificateRequested-Server-" + ver.name,
3132 config: Config{
3133 MinVersion: ver.version,
3134 MaxVersion: ver.version,
3135 },
3136 flags: []string{
3137 "-expect-verify-result",
3138 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3139 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3140 })
3141
3142 testCases = append(testCases, testCase{
3143 // If a client certificate is not provided, OpenSSL will still
3144 // return X509_V_OK as the verify_result.
3145 testType: serverTest,
3146 name: "NoClientCertificate-Server-" + ver.name,
3147 config: Config{
3148 MinVersion: ver.version,
3149 MaxVersion: ver.version,
3150 },
3151 flags: []string{
3152 "-expect-verify-result",
3153 "-verify-peer",
3154 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3155 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3156 })
3157
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3158 certificateRequired := "remote error: certificate required"
3159 if ver.version < VersionTLS13 {
3160 // Prior to TLS 1.3, the generic handshake_failure alert
3161 // was used.
3162 certificateRequired = "remote error: handshake failure"
3163 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3164 testCases = append(testCases, testCase{
3165 testType: serverTest,
3166 name: "RequireAnyClientCertificate-" + ver.name,
3167 config: Config{
3168 MinVersion: ver.version,
3169 MaxVersion: ver.version,
3170 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3171 flags: []string{"-require-any-client-certificate"},
3172 shouldFail: true,
3173 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3174 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3175 })
3176
3177 if ver.version != VersionSSL30 {
3178 testCases = append(testCases, testCase{
3179 testType: serverTest,
3180 name: "SkipClientCertificate-" + ver.name,
3181 config: Config{
3182 MinVersion: ver.version,
3183 MaxVersion: ver.version,
3184 Bugs: ProtocolBugs{
3185 SkipClientCertificate: true,
3186 },
3187 },
3188 // Setting SSL_VERIFY_PEER allows anonymous clients.
3189 flags: []string{"-verify-peer"},
3190 shouldFail: true,
3191 expectedError: ":UNEXPECTED_MESSAGE:",
3192 })
3193 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3194
3195 testCases = append(testCases, testCase{
3196 testType: serverTest,
3197 name: ver.name + "-Server-CertReq-CA-List",
3198 config: Config{
3199 MinVersion: ver.version,
3200 MaxVersion: ver.version,
3201 Certificates: []Certificate{rsaCertificate},
3202 Bugs: ProtocolBugs{
3203 ExpectCertificateReqNames: caNames,
3204 },
3205 },
3206 flags: []string{
3207 "-require-any-client-certificate",
3208 "-use-client-ca-list", encodeDERValues(caNames),
3209 },
3210 })
3211
3212 testCases = append(testCases, testCase{
3213 testType: clientTest,
3214 name: ver.name + "-Client-CertReq-CA-List",
3215 config: Config{
3216 MinVersion: ver.version,
3217 MaxVersion: ver.version,
3218 Certificates: []Certificate{rsaCertificate},
3219 ClientAuth: RequireAnyClientCert,
3220 ClientCAs: certPool,
3221 },
3222 flags: []string{
3223 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3224 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3225 "-expect-client-ca-list", encodeDERValues(caNames),
3226 },
3227 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3228 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3229
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3230 // Client auth is only legal in certificate-based ciphers.
3231 testCases = append(testCases, testCase{
3232 testType: clientTest,
3233 name: "ClientAuth-PSK",
3234 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3235 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3236 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3237 PreSharedKey: []byte("secret"),
3238 ClientAuth: RequireAnyClientCert,
3239 },
3240 flags: []string{
3241 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3242 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3243 "-psk", "secret",
3244 },
3245 shouldFail: true,
3246 expectedError: ":UNEXPECTED_MESSAGE:",
3247 })
3248 testCases = append(testCases, testCase{
3249 testType: clientTest,
3250 name: "ClientAuth-ECDHE_PSK",
3251 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3252 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3253 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3254 PreSharedKey: []byte("secret"),
3255 ClientAuth: RequireAnyClientCert,
3256 },
3257 flags: []string{
3258 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3259 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3260 "-psk", "secret",
3261 },
3262 shouldFail: true,
3263 expectedError: ":UNEXPECTED_MESSAGE:",
3264 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3265
3266 // Regression test for a bug where the client CA list, if explicitly
3267 // set to NULL, was mis-encoded.
3268 testCases = append(testCases, testCase{
3269 testType: serverTest,
3270 name: "Null-Client-CA-List",
3271 config: Config{
3272 MaxVersion: VersionTLS12,
3273 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3274 Bugs: ProtocolBugs{
3275 ExpectCertificateReqNames: [][]byte{},
3276 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3277 },
3278 flags: []string{
3279 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3280 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3281 },
3282 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3283}
3284
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3285func addExtendedMasterSecretTests() {
3286 const expectEMSFlag = "-expect-extended-master-secret"
3287
3288 for _, with := range []bool{false, true} {
3289 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3290 if with {
3291 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3292 }
3293
3294 for _, isClient := range []bool{false, true} {
3295 suffix := "-Server"
3296 testType := serverTest
3297 if isClient {
3298 suffix = "-Client"
3299 testType = clientTest
3300 }
3301
3302 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3303 // In TLS 1.3, the extension is irrelevant and
3304 // always reports as enabled.
3305 var flags []string
3306 if with || ver.version >= VersionTLS13 {
3307 flags = []string{expectEMSFlag}
3308 }
3309
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3310 test := testCase{
3311 testType: testType,
3312 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3313 config: Config{
3314 MinVersion: ver.version,
3315 MaxVersion: ver.version,
3316 Bugs: ProtocolBugs{
3317 NoExtendedMasterSecret: !with,
3318 RequireExtendedMasterSecret: with,
3319 },
3320 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3321 flags: flags,
3322 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3323 }
3324 if test.shouldFail {
3325 test.expectedLocalError = "extended master secret required but not supported by peer"
3326 }
3327 testCases = append(testCases, test)
3328 }
3329 }
3330 }
3331
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3332 for _, isClient := range []bool{false, true} {
3333 for _, supportedInFirstConnection := range []bool{false, true} {
3334 for _, supportedInResumeConnection := range []bool{false, true} {
3335 boolToWord := func(b bool) string {
3336 if b {
3337 return "Yes"
3338 }
3339 return "No"
3340 }
3341 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3342 if isClient {
3343 suffix += "Client"
3344 } else {
3345 suffix += "Server"
3346 }
3347
3348 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3349 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3350 Bugs: ProtocolBugs{
3351 RequireExtendedMasterSecret: true,
3352 },
3353 }
3354
3355 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3356 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3357 Bugs: ProtocolBugs{
3358 NoExtendedMasterSecret: true,
3359 },
3360 }
3361
3362 test := testCase{
3363 name: "ExtendedMasterSecret-" + suffix,
3364 resumeSession: true,
3365 }
3366
3367 if !isClient {
3368 test.testType = serverTest
3369 }
3370
3371 if supportedInFirstConnection {
3372 test.config = supportedConfig
3373 } else {
3374 test.config = noSupportConfig
3375 }
3376
3377 if supportedInResumeConnection {
3378 test.resumeConfig = &supportedConfig
3379 } else {
3380 test.resumeConfig = &noSupportConfig
3381 }
3382
3383 switch suffix {
3384 case "YesToYes-Client", "YesToYes-Server":
3385 // When a session is resumed, it should
3386 // still be aware that its master
3387 // secret was generated via EMS and
3388 // thus it's safe to use tls-unique.
3389 test.flags = []string{expectEMSFlag}
3390 case "NoToYes-Server":
3391 // If an original connection did not
3392 // contain EMS, but a resumption
3393 // handshake does, then a server should
3394 // not resume the session.
3395 test.expectResumeRejected = true
3396 case "YesToNo-Server":
3397 // Resuming an EMS session without the
3398 // EMS extension should cause the
3399 // server to abort the connection.
3400 test.shouldFail = true
3401 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3402 case "NoToYes-Client":
3403 // A client should abort a connection
3404 // where the server resumed a non-EMS
3405 // session but echoed the EMS
3406 // extension.
3407 test.shouldFail = true
3408 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3409 case "YesToNo-Client":
3410 // A client should abort a connection
3411 // where the server didn't echo EMS
3412 // when the session used it.
3413 test.shouldFail = true
3414 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3415 }
3416
3417 testCases = append(testCases, test)
3418 }
3419 }
3420 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3421
3422 // Switching EMS on renegotiation is forbidden.
3423 testCases = append(testCases, testCase{
3424 name: "ExtendedMasterSecret-Renego-NoEMS",
3425 config: Config{
3426 MaxVersion: VersionTLS12,
3427 Bugs: ProtocolBugs{
3428 NoExtendedMasterSecret: true,
3429 NoExtendedMasterSecretOnRenegotiation: true,
3430 },
3431 },
3432 renegotiate: 1,
3433 flags: []string{
3434 "-renegotiate-freely",
3435 "-expect-total-renegotiations", "1",
3436 },
3437 })
3438
3439 testCases = append(testCases, testCase{
3440 name: "ExtendedMasterSecret-Renego-Upgrade",
3441 config: Config{
3442 MaxVersion: VersionTLS12,
3443 Bugs: ProtocolBugs{
3444 NoExtendedMasterSecret: true,
3445 },
3446 },
3447 renegotiate: 1,
3448 flags: []string{
3449 "-renegotiate-freely",
3450 "-expect-total-renegotiations", "1",
3451 },
3452 shouldFail: true,
3453 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3454 })
3455
3456 testCases = append(testCases, testCase{
3457 name: "ExtendedMasterSecret-Renego-Downgrade",
3458 config: Config{
3459 MaxVersion: VersionTLS12,
3460 Bugs: ProtocolBugs{
3461 NoExtendedMasterSecretOnRenegotiation: true,
3462 },
3463 },
3464 renegotiate: 1,
3465 flags: []string{
3466 "-renegotiate-freely",
3467 "-expect-total-renegotiations", "1",
3468 },
3469 shouldFail: true,
3470 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3471 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3472}
3473
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3474type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3475 protocol protocol
3476 async bool
3477 splitHandshake bool
3478 packHandshakeFlight bool
3479 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3480}
3481
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3482// Adds tests that try to cover the range of the handshake state machine, under
3483// various conditions. Some of these are redundant with other tests, but they
3484// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3485func addAllStateMachineCoverageTests() {
3486 for _, async := range []bool{false, true} {
3487 for _, protocol := range []protocol{tls, dtls} {
3488 addStateMachineCoverageTests(stateMachineTestConfig{
3489 protocol: protocol,
3490 async: async,
3491 })
3492 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3493 protocol: protocol,
3494 async: async,
3495 implicitHandshake: true,
3496 })
3497 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3498 protocol: protocol,
3499 async: async,
3500 splitHandshake: true,
3501 })
3502 if protocol == tls {
3503 addStateMachineCoverageTests(stateMachineTestConfig{
3504 protocol: protocol,
3505 async: async,
3506 packHandshakeFlight: true,
3507 })
3508 }
3509 }
3510 }
3511}
3512
3513func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3514 var tests []testCase
3515
3516 // Basic handshake, with resumption. Client and server,
3517 // session ID and session ticket.
3518 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3519 name: "Basic-Client",
3520 config: Config{
3521 MaxVersion: VersionTLS12,
3522 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3523 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3524 // Ensure session tickets are used, not session IDs.
3525 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3526 })
3527 tests = append(tests, testCase{
3528 name: "Basic-Client-RenewTicket",
3529 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3530 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3531 Bugs: ProtocolBugs{
3532 RenewTicketOnResume: true,
3533 },
3534 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3535 flags: []string{"-expect-ticket-renewal"},
3536 resumeSession: true,
3537 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3538 })
3539 tests = append(tests, testCase{
3540 name: "Basic-Client-NoTicket",
3541 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3542 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3543 SessionTicketsDisabled: true,
3544 },
3545 resumeSession: true,
3546 })
3547 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3548 testType: serverTest,
3549 name: "Basic-Server",
3550 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3551 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3552 Bugs: ProtocolBugs{
3553 RequireSessionTickets: true,
3554 },
3555 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3556 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3557 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3558 })
3559 tests = append(tests, testCase{
3560 testType: serverTest,
3561 name: "Basic-Server-NoTickets",
3562 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3563 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3564 SessionTicketsDisabled: true,
3565 },
3566 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3567 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3568 })
3569 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3570 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3571 name: "Basic-Server-EarlyCallback",
3572 config: Config{
3573 MaxVersion: VersionTLS12,
3574 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3575 flags: []string{"-use-early-callback"},
3576 resumeSession: true,
3577 })
3578
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3579 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3580 if config.protocol == tls {
3581 tests = append(tests, testCase{
3582 name: "TLS13-1RTT-Client",
3583 config: Config{
3584 MaxVersion: VersionTLS13,
3585 MinVersion: VersionTLS13,
3586 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3587 resumeSession: true,
3588 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3589 })
3590
3591 tests = append(tests, testCase{
3592 testType: serverTest,
3593 name: "TLS13-1RTT-Server",
3594 config: Config{
3595 MaxVersion: VersionTLS13,
3596 MinVersion: VersionTLS13,
3597 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3598 resumeSession: true,
3599 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3600 // TLS 1.3 uses tickets, so the session should not be
3601 // cached statefully.
3602 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3603 })
3604
3605 tests = append(tests, testCase{
3606 name: "TLS13-HelloRetryRequest-Client",
3607 config: Config{
3608 MaxVersion: VersionTLS13,
3609 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3610 // P-384 requires a HelloRetryRequest against BoringSSL's default
3611 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3612 CurvePreferences: []CurveID{CurveP384},
3613 Bugs: ProtocolBugs{
3614 ExpectMissingKeyShare: true,
3615 },
3616 },
3617 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3618 resumeSession: true,
3619 })
3620
3621 tests = append(tests, testCase{
3622 testType: serverTest,
3623 name: "TLS13-HelloRetryRequest-Server",
3624 config: Config{
3625 MaxVersion: VersionTLS13,
3626 MinVersion: VersionTLS13,
3627 // Require a HelloRetryRequest for every curve.
3628 DefaultCurves: []CurveID{},
3629 },
3630 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3631 resumeSession: true,
3632 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3633
3634 // TODO(svaldez): Send data on early data once implemented.
3635 tests = append(tests, testCase{
3636 testType: clientTest,
3637 name: "TLS13-EarlyData-Client",
3638 config: Config{
3639 MaxVersion: VersionTLS13,
3640 MinVersion: VersionTLS13,
3641 MaxEarlyDataSize: 16384,
3642 },
3643 resumeSession: true,
3644 flags: []string{
3645 "-enable-early-data",
3646 "-expect-early-data-info",
3647 "-expect-accept-early-data",
3648 },
3649 })
3650
3651 tests = append(tests, testCase{
3652 testType: serverTest,
3653 name: "TLS13-EarlyData-Server",
3654 config: Config{
3655 MaxVersion: VersionTLS13,
3656 MinVersion: VersionTLS13,
3657 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3658 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3659 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3660 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3661 },
3662 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3663 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3664 resumeSession: true,
3665 flags: []string{
3666 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3667 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3668 },
3669 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3670 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3671
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3672 // TLS client auth.
3673 tests = append(tests, testCase{
3674 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3675 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3676 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3677 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3678 ClientAuth: RequestClientCert,
3679 },
3680 })
3681 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3682 testType: serverTest,
3683 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3684 config: Config{
3685 MaxVersion: VersionTLS12,
3686 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3687 // Setting SSL_VERIFY_PEER allows anonymous clients.
3688 flags: []string{"-verify-peer"},
3689 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3690 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3691 tests = append(tests, testCase{
3692 testType: clientTest,
3693 name: "ClientAuth-NoCertificate-Client-SSL3",
3694 config: Config{
3695 MaxVersion: VersionSSL30,
3696 ClientAuth: RequestClientCert,
3697 },
3698 })
3699 tests = append(tests, testCase{
3700 testType: serverTest,
3701 name: "ClientAuth-NoCertificate-Server-SSL3",
3702 config: Config{
3703 MaxVersion: VersionSSL30,
3704 },
3705 // Setting SSL_VERIFY_PEER allows anonymous clients.
3706 flags: []string{"-verify-peer"},
3707 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3708 tests = append(tests, testCase{
3709 testType: clientTest,
3710 name: "ClientAuth-NoCertificate-Client-TLS13",
3711 config: Config{
3712 MaxVersion: VersionTLS13,
3713 ClientAuth: RequestClientCert,
3714 },
3715 })
3716 tests = append(tests, testCase{
3717 testType: serverTest,
3718 name: "ClientAuth-NoCertificate-Server-TLS13",
3719 config: Config{
3720 MaxVersion: VersionTLS13,
3721 },
3722 // Setting SSL_VERIFY_PEER allows anonymous clients.
3723 flags: []string{"-verify-peer"},
3724 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3725 }
3726 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3727 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3728 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3729 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3730 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3731 ClientAuth: RequireAnyClientCert,
3732 },
3733 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3734 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3735 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3736 },
3737 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3738 tests = append(tests, testCase{
3739 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3740 name: "ClientAuth-RSA-Client-TLS13",
3741 config: Config{
3742 MaxVersion: VersionTLS13,
3743 ClientAuth: RequireAnyClientCert,
3744 },
3745 flags: []string{
3746 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3747 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3748 },
3749 })
3750 tests = append(tests, testCase{
3751 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3752 name: "ClientAuth-ECDSA-Client",
3753 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3754 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3755 ClientAuth: RequireAnyClientCert,
3756 },
3757 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3758 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3759 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3760 },
3761 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3762 tests = append(tests, testCase{
3763 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3764 name: "ClientAuth-ECDSA-Client-TLS13",
3765 config: Config{
3766 MaxVersion: VersionTLS13,
3767 ClientAuth: RequireAnyClientCert,
3768 },
3769 flags: []string{
3770 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3771 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3772 },
3773 })
3774 tests = append(tests, testCase{
3775 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3776 name: "ClientAuth-NoCertificate-OldCallback",
3777 config: Config{
3778 MaxVersion: VersionTLS12,
3779 ClientAuth: RequestClientCert,
3780 },
3781 flags: []string{"-use-old-client-cert-callback"},
3782 })
3783 tests = append(tests, testCase{
3784 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3785 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3786 config: Config{
3787 MaxVersion: VersionTLS13,
3788 ClientAuth: RequestClientCert,
3789 },
3790 flags: []string{"-use-old-client-cert-callback"},
3791 })
3792 tests = append(tests, testCase{
3793 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3794 name: "ClientAuth-OldCallback",
3795 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3796 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3797 ClientAuth: RequireAnyClientCert,
3798 },
3799 flags: []string{
3800 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3801 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3802 "-use-old-client-cert-callback",
3803 },
3804 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3805 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3806 testType: clientTest,
3807 name: "ClientAuth-OldCallback-TLS13",
3808 config: Config{
3809 MaxVersion: VersionTLS13,
3810 ClientAuth: RequireAnyClientCert,
3811 },
3812 flags: []string{
3813 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3814 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3815 "-use-old-client-cert-callback",
3816 },
3817 })
3818 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3819 testType: serverTest,
3820 name: "ClientAuth-Server",
3821 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3822 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3823 Certificates: []Certificate{rsaCertificate},
3824 },
3825 flags: []string{"-require-any-client-certificate"},
3826 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3827 tests = append(tests, testCase{
3828 testType: serverTest,
3829 name: "ClientAuth-Server-TLS13",
3830 config: Config{
3831 MaxVersion: VersionTLS13,
3832 Certificates: []Certificate{rsaCertificate},
3833 },
3834 flags: []string{"-require-any-client-certificate"},
3835 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3836
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3837 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3838 tests = append(tests, testCase{
3839 testType: serverTest,
3840 name: "Basic-Server-RSA",
3841 config: Config{
3842 MaxVersion: VersionTLS12,
3843 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3844 },
3845 flags: []string{
3846 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3847 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3848 },
3849 })
3850 tests = append(tests, testCase{
3851 testType: serverTest,
3852 name: "Basic-Server-ECDHE-RSA",
3853 config: Config{
3854 MaxVersion: VersionTLS12,
3855 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3856 },
3857 flags: []string{
3858 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3859 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3860 },
3861 })
3862 tests = append(tests, testCase{
3863 testType: serverTest,
3864 name: "Basic-Server-ECDHE-ECDSA",
3865 config: Config{
3866 MaxVersion: VersionTLS12,
3867 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3868 },
3869 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3870 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3871 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3872 },
3873 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]3874 tests = append(tests, testCase{
3875 testType: serverTest,
3876 name: "Basic-Server-Ed25519",
3877 config: Config{
3878 MaxVersion: VersionTLS12,
3879 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3880 },
3881 flags: []string{
3882 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3883 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3884 "-enable-ed25519",
3885 },
3886 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3887
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3888 // No session ticket support; server doesn't send NewSessionTicket.
3889 tests = append(tests, testCase{
3890 name: "SessionTicketsDisabled-Client",
3891 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3892 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3893 SessionTicketsDisabled: true,
3894 },
3895 })
3896 tests = append(tests, testCase{
3897 testType: serverTest,
3898 name: "SessionTicketsDisabled-Server",
3899 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3900 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3901 SessionTicketsDisabled: true,
3902 },
3903 })
3904
3905 // Skip ServerKeyExchange in PSK key exchange if there's no
3906 // identity hint.
3907 tests = append(tests, testCase{
3908 name: "EmptyPSKHint-Client",
3909 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3910 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3911 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3912 PreSharedKey: []byte("secret"),
3913 },
3914 flags: []string{"-psk", "secret"},
3915 })
3916 tests = append(tests, testCase{
3917 testType: serverTest,
3918 name: "EmptyPSKHint-Server",
3919 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3920 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3921 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3922 PreSharedKey: []byte("secret"),
3923 },
3924 flags: []string{"-psk", "secret"},
3925 })
3926
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3927 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3928 tests = append(tests, testCase{
3929 testType: clientTest,
3930 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3931 config: Config{
3932 MaxVersion: VersionTLS12,
3933 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3934 flags: []string{
3935 "-enable-ocsp-stapling",
3936 "-expect-ocsp-response",
3937 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3938 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3939 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3940 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3941 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3942 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3943 testType: serverTest,
3944 name: "OCSPStapling-Server",
3945 config: Config{
3946 MaxVersion: VersionTLS12,
3947 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3948 expectedOCSPResponse: testOCSPResponse,
3949 flags: []string{
3950 "-ocsp-response",
3951 base64.StdEncoding.EncodeToString(testOCSPResponse),
3952 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3953 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3954 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3955 tests = append(tests, testCase{
3956 testType: clientTest,
3957 name: "OCSPStapling-Client-TLS13",
3958 config: Config{
3959 MaxVersion: VersionTLS13,
3960 },
3961 flags: []string{
3962 "-enable-ocsp-stapling",
3963 "-expect-ocsp-response",
3964 base64.StdEncoding.EncodeToString(testOCSPResponse),
3965 "-verify-peer",
3966 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3967 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3968 })
3969 tests = append(tests, testCase{
3970 testType: serverTest,
3971 name: "OCSPStapling-Server-TLS13",
3972 config: Config{
3973 MaxVersion: VersionTLS13,
3974 },
3975 expectedOCSPResponse: testOCSPResponse,
3976 flags: []string{
3977 "-ocsp-response",
3978 base64.StdEncoding.EncodeToString(testOCSPResponse),
3979 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3980 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3981 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3982
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3983 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3984 for _, vers := range tlsVersions {
3985 if config.protocol == dtls && !vers.hasDTLS {
3986 continue
3987 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3988 for _, testType := range []testType{clientTest, serverTest} {
3989 suffix := "-Client"
3990 if testType == serverTest {
3991 suffix = "-Server"
3992 }
3993 suffix += "-" + vers.name
3994
3995 flag := "-verify-peer"
3996 if testType == serverTest {
3997 flag = "-require-any-client-certificate"
3998 }
3999
4000 tests = append(tests, testCase{
4001 testType: testType,
4002 name: "CertificateVerificationSucceed" + suffix,
4003 config: Config{
4004 MaxVersion: vers.version,
4005 Certificates: []Certificate{rsaCertificate},
4006 },
4007 flags: []string{
4008 flag,
4009 "-expect-verify-result",
4010 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4011 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4012 })
4013 tests = append(tests, testCase{
4014 testType: testType,
4015 name: "CertificateVerificationFail" + suffix,
4016 config: Config{
4017 MaxVersion: vers.version,
4018 Certificates: []Certificate{rsaCertificate},
4019 },
4020 flags: []string{
4021 flag,
4022 "-verify-fail",
4023 },
4024 shouldFail: true,
4025 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4026 })
4027 }
4028
4029 // By default, the client is in a soft fail mode where the peer
4030 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4031 tests = append(tests, testCase{
4032 testType: clientTest,
4033 name: "CertificateVerificationSoftFail-" + vers.name,
4034 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4035 MaxVersion: vers.version,
4036 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4037 },
4038 flags: []string{
4039 "-verify-fail",
4040 "-expect-verify-result",
4041 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4042 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4043 })
4044 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4045
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4046 tests = append(tests, testCase{
4047 name: "ShimSendAlert",
4048 flags: []string{"-send-alert"},
4049 shimWritesFirst: true,
4050 shouldFail: true,
4051 expectedLocalError: "remote error: decompression failure",
4052 })
4053
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4054 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4055 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4056 name: "Renegotiate-Client",
4057 config: Config{
4058 MaxVersion: VersionTLS12,
4059 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4060 renegotiate: 1,
4061 flags: []string{
4062 "-renegotiate-freely",
4063 "-expect-total-renegotiations", "1",
4064 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4065 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4066
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4067 tests = append(tests, testCase{
4068 name: "SendHalfHelloRequest",
4069 config: Config{
4070 MaxVersion: VersionTLS12,
4071 Bugs: ProtocolBugs{
4072 PackHelloRequestWithFinished: config.packHandshakeFlight,
4073 },
4074 },
4075 sendHalfHelloRequest: true,
4076 flags: []string{"-renegotiate-ignore"},
4077 shouldFail: true,
4078 expectedError: ":UNEXPECTED_RECORD:",
4079 })
4080
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4081 // NPN on client and server; results in post-handshake message.
4082 tests = append(tests, testCase{
4083 name: "NPN-Client",
4084 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4085 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4086 NextProtos: []string{"foo"},
4087 },
4088 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4089 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4090 expectedNextProto: "foo",
4091 expectedNextProtoType: npn,
4092 })
4093 tests = append(tests, testCase{
4094 testType: serverTest,
4095 name: "NPN-Server",
4096 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4097 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4098 NextProtos: []string{"bar"},
4099 },
4100 flags: []string{
4101 "-advertise-npn", "\x03foo\x03bar\x03baz",
4102 "-expect-next-proto", "bar",
4103 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4104 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4105 expectedNextProto: "bar",
4106 expectedNextProtoType: npn,
4107 })
4108
4109 // TODO(davidben): Add tests for when False Start doesn't trigger.
4110
4111 // Client does False Start and negotiates NPN.
4112 tests = append(tests, testCase{
4113 name: "FalseStart",
4114 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4115 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4116 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4117 NextProtos: []string{"foo"},
4118 Bugs: ProtocolBugs{
4119 ExpectFalseStart: true,
4120 },
4121 },
4122 flags: []string{
4123 "-false-start",
4124 "-select-next-proto", "foo",
4125 },
4126 shimWritesFirst: true,
4127 resumeSession: true,
4128 })
4129
4130 // Client does False Start and negotiates ALPN.
4131 tests = append(tests, testCase{
4132 name: "FalseStart-ALPN",
4133 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4134 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4135 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4136 NextProtos: []string{"foo"},
4137 Bugs: ProtocolBugs{
4138 ExpectFalseStart: true,
4139 },
4140 },
4141 flags: []string{
4142 "-false-start",
4143 "-advertise-alpn", "\x03foo",
4144 },
4145 shimWritesFirst: true,
4146 resumeSession: true,
4147 })
4148
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4149 // False Start without session tickets.
4150 tests = append(tests, testCase{
4151 name: "FalseStart-SessionTicketsDisabled",
4152 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4153 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4154 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4155 NextProtos: []string{"foo"},
4156 SessionTicketsDisabled: true,
4157 Bugs: ProtocolBugs{
4158 ExpectFalseStart: true,
4159 },
4160 },
4161 flags: []string{
4162 "-false-start",
4163 "-select-next-proto", "foo",
4164 },
4165 shimWritesFirst: true,
4166 })
4167
4168 // Server parses a V2ClientHello.
4169 tests = append(tests, testCase{
4170 testType: serverTest,
4171 name: "SendV2ClientHello",
4172 config: Config{
4173 // Choose a cipher suite that does not involve
4174 // elliptic curves, so no extensions are
4175 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4176 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4177 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4178 Bugs: ProtocolBugs{
4179 SendV2ClientHello: true,
4180 },
4181 },
4182 })
4183
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4184 // Test Channel ID
4185 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4186 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4187 continue
4188 }
4189 // Client sends a Channel ID.
4190 tests = append(tests, testCase{
4191 name: "ChannelID-Client-" + ver.name,
4192 config: Config{
4193 MaxVersion: ver.version,
4194 RequestChannelID: true,
4195 },
4196 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4197 resumeSession: true,
4198 expectChannelID: true,
4199 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4200
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4201 // Server accepts a Channel ID.
4202 tests = append(tests, testCase{
4203 testType: serverTest,
4204 name: "ChannelID-Server-" + ver.name,
4205 config: Config{
4206 MaxVersion: ver.version,
4207 ChannelID: channelIDKey,
4208 },
4209 flags: []string{
4210 "-expect-channel-id",
4211 base64.StdEncoding.EncodeToString(channelIDBytes),
4212 },
4213 resumeSession: true,
4214 expectChannelID: true,
4215 })
4216
4217 tests = append(tests, testCase{
4218 testType: serverTest,
4219 name: "InvalidChannelIDSignature-" + ver.name,
4220 config: Config{
4221 MaxVersion: ver.version,
4222 ChannelID: channelIDKey,
4223 Bugs: ProtocolBugs{
4224 InvalidChannelIDSignature: true,
4225 },
4226 },
4227 flags: []string{"-enable-channel-id"},
4228 shouldFail: true,
4229 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4230 })
4231 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4232
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4233 // Channel ID and NPN at the same time, to ensure their relative
4234 // ordering is correct.
4235 tests = append(tests, testCase{
4236 name: "ChannelID-NPN-Client",
4237 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4238 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4239 RequestChannelID: true,
4240 NextProtos: []string{"foo"},
4241 },
4242 flags: []string{
4243 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4244 "-select-next-proto", "foo",
4245 },
4246 resumeSession: true,
4247 expectChannelID: true,
4248 expectedNextProto: "foo",
4249 expectedNextProtoType: npn,
4250 })
4251 tests = append(tests, testCase{
4252 testType: serverTest,
4253 name: "ChannelID-NPN-Server",
4254 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4255 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4256 ChannelID: channelIDKey,
4257 NextProtos: []string{"bar"},
4258 },
4259 flags: []string{
4260 "-expect-channel-id",
4261 base64.StdEncoding.EncodeToString(channelIDBytes),
4262 "-advertise-npn", "\x03foo\x03bar\x03baz",
4263 "-expect-next-proto", "bar",
4264 },
4265 resumeSession: true,
4266 expectChannelID: true,
4267 expectedNextProto: "bar",
4268 expectedNextProtoType: npn,
4269 })
4270
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4271 // Bidirectional shutdown with the runner initiating.
4272 tests = append(tests, testCase{
4273 name: "Shutdown-Runner",
4274 config: Config{
4275 Bugs: ProtocolBugs{
4276 ExpectCloseNotify: true,
4277 },
4278 },
4279 flags: []string{"-check-close-notify"},
4280 })
4281
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4282 if !config.implicitHandshake {
4283 // Bidirectional shutdown with the shim initiating. The runner,
4284 // in the meantime, sends garbage before the close_notify which
4285 // the shim must ignore. This test is disabled under implicit
4286 // handshake tests because the shim never reads or writes.
4287 tests = append(tests, testCase{
4288 name: "Shutdown-Shim",
4289 config: Config{
4290 MaxVersion: VersionTLS12,
4291 Bugs: ProtocolBugs{
4292 ExpectCloseNotify: true,
4293 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4294 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4295 shimShutsDown: true,
4296 sendEmptyRecords: 1,
4297 sendWarningAlerts: 1,
4298 flags: []string{"-check-close-notify"},
4299 })
4300 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4301 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4302 // TODO(davidben): DTLS 1.3 will want a similar thing for
4303 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4304 tests = append(tests, testCase{
4305 name: "SkipHelloVerifyRequest",
4306 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4307 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4308 Bugs: ProtocolBugs{
4309 SkipHelloVerifyRequest: true,
4310 },
4311 },
4312 })
4313 }
4314
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4315 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4316 test.protocol = config.protocol
4317 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4318 test.name += "-DTLS"
4319 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4320 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4321 test.name += "-Async"
4322 test.flags = append(test.flags, "-async")
4323 } else {
4324 test.name += "-Sync"
4325 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4326 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4327 test.name += "-SplitHandshakeRecords"
4328 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4329 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4330 test.config.Bugs.MaxPacketLength = 256
4331 test.flags = append(test.flags, "-mtu", "256")
4332 }
4333 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4334 if config.packHandshakeFlight {
4335 test.name += "-PackHandshakeFlight"
4336 test.config.Bugs.PackHandshakeFlight = true
4337 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4338 if config.implicitHandshake {
4339 test.name += "-ImplicitHandshake"
4340 test.flags = append(test.flags, "-implicit-handshake")
4341 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4342 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4343 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4344}
4345
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4346func addDDoSCallbackTests() {
4347 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4348 for _, resume := range []bool{false, true} {
4349 suffix := "Resume"
4350 if resume {
4351 suffix = "No" + suffix
4352 }
4353
4354 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4355 testType: serverTest,
4356 name: "Server-DDoS-OK-" + suffix,
4357 config: Config{
4358 MaxVersion: VersionTLS12,
4359 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4360 flags: []string{"-install-ddos-callback"},
4361 resumeSession: resume,
4362 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4363 testCases = append(testCases, testCase{
4364 testType: serverTest,
4365 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4366 config: Config{
4367 MaxVersion: VersionTLS13,
4368 },
4369 flags: []string{"-install-ddos-callback"},
4370 resumeSession: resume,
4371 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4372
4373 failFlag := "-fail-ddos-callback"
4374 if resume {
4375 failFlag = "-fail-second-ddos-callback"
4376 }
4377 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4378 testType: serverTest,
4379 name: "Server-DDoS-Reject-" + suffix,
4380 config: Config{
4381 MaxVersion: VersionTLS12,
4382 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4383 flags: []string{"-install-ddos-callback", failFlag},
4384 resumeSession: resume,
4385 shouldFail: true,
4386 expectedError: ":CONNECTION_REJECTED:",
4387 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4388 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4389 testCases = append(testCases, testCase{
4390 testType: serverTest,
4391 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4392 config: Config{
4393 MaxVersion: VersionTLS13,
4394 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4395 flags: []string{"-install-ddos-callback", failFlag},
4396 resumeSession: resume,
4397 shouldFail: true,
4398 expectedError: ":CONNECTION_REJECTED:",
4399 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4400 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4401 }
4402}
4403
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4404func addVersionNegotiationTests() {
4405 for i, shimVers := range tlsVersions {
4406 // Assemble flags to disable all newer versions on the shim.
4407 var flags []string
4408 for _, vers := range tlsVersions[i+1:] {
4409 flags = append(flags, vers.flag)
4410 }
4411
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4412 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4413 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4414 protocols := []protocol{tls}
4415 if runnerVers.hasDTLS && shimVers.hasDTLS {
4416 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4417 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4418 for _, protocol := range protocols {
4419 expectedVersion := shimVers.version
4420 if runnerVers.version < shimVers.version {
4421 expectedVersion = runnerVers.version
4422 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4423
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4424 suffix := shimVers.name + "-" + runnerVers.name
4425 if protocol == dtls {
4426 suffix += "-DTLS"
4427 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4428
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4429 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4430
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4431 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4432 clientVers := shimVers.version
4433 if clientVers > VersionTLS10 {
4434 clientVers = VersionTLS10
4435 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4436 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4437 serverVers := expectedVersion
4438 if expectedVersion >= VersionTLS13 {
4439 serverVers = VersionTLS10
4440 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4441 serverVers = versionToWire(serverVers, protocol == dtls)
4442
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4443 testCases = append(testCases, testCase{
4444 protocol: protocol,
4445 testType: clientTest,
4446 name: "VersionNegotiation-Client-" + suffix,
4447 config: Config{
4448 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4449 Bugs: ProtocolBugs{
4450 ExpectInitialRecordVersion: clientVers,
4451 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4452 },
4453 flags: flags,
4454 expectedVersion: expectedVersion,
4455 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4456 testCases = append(testCases, testCase{
4457 protocol: protocol,
4458 testType: clientTest,
4459 name: "VersionNegotiation-Client2-" + suffix,
4460 config: Config{
4461 MaxVersion: runnerVers.version,
4462 Bugs: ProtocolBugs{
4463 ExpectInitialRecordVersion: clientVers,
4464 },
4465 },
4466 flags: []string{"-max-version", shimVersFlag},
4467 expectedVersion: expectedVersion,
4468 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4469
4470 testCases = append(testCases, testCase{
4471 protocol: protocol,
4472 testType: serverTest,
4473 name: "VersionNegotiation-Server-" + suffix,
4474 config: Config{
4475 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4476 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4477 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4478 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4479 },
4480 flags: flags,
4481 expectedVersion: expectedVersion,
4482 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4483 testCases = append(testCases, testCase{
4484 protocol: protocol,
4485 testType: serverTest,
4486 name: "VersionNegotiation-Server2-" + suffix,
4487 config: Config{
4488 MaxVersion: runnerVers.version,
4489 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4490 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4491 },
4492 },
4493 flags: []string{"-max-version", shimVersFlag},
4494 expectedVersion: expectedVersion,
4495 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4496 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4497 }
4498 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4499
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4500 // Test the version extension at all versions.
4501 for _, vers := range tlsVersions {
4502 protocols := []protocol{tls}
4503 if vers.hasDTLS {
4504 protocols = append(protocols, dtls)
4505 }
4506 for _, protocol := range protocols {
4507 suffix := vers.name
4508 if protocol == dtls {
4509 suffix += "-DTLS"
4510 }
4511
4512 wireVersion := versionToWire(vers.version, protocol == dtls)
4513 testCases = append(testCases, testCase{
4514 protocol: protocol,
4515 testType: serverTest,
4516 name: "VersionNegotiationExtension-" + suffix,
4517 config: Config{
4518 Bugs: ProtocolBugs{
4519 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4520 },
4521 },
4522 expectedVersion: vers.version,
4523 })
4524 }
4525
4526 }
4527
4528 // If all versions are unknown, negotiation fails.
4529 testCases = append(testCases, testCase{
4530 testType: serverTest,
4531 name: "NoSupportedVersions",
4532 config: Config{
4533 Bugs: ProtocolBugs{
4534 SendSupportedVersions: []uint16{0x1111},
4535 },
4536 },
4537 shouldFail: true,
4538 expectedError: ":UNSUPPORTED_PROTOCOL:",
4539 })
4540 testCases = append(testCases, testCase{
4541 protocol: dtls,
4542 testType: serverTest,
4543 name: "NoSupportedVersions-DTLS",
4544 config: Config{
4545 Bugs: ProtocolBugs{
4546 SendSupportedVersions: []uint16{0x1111},
4547 },
4548 },
4549 shouldFail: true,
4550 expectedError: ":UNSUPPORTED_PROTOCOL:",
4551 })
4552
4553 testCases = append(testCases, testCase{
4554 testType: serverTest,
4555 name: "ClientHelloVersionTooHigh",
4556 config: Config{
4557 MaxVersion: VersionTLS13,
4558 Bugs: ProtocolBugs{
4559 SendClientVersion: 0x0304,
4560 OmitSupportedVersions: true,
4561 },
4562 },
4563 expectedVersion: VersionTLS12,
4564 })
4565
4566 testCases = append(testCases, testCase{
4567 testType: serverTest,
4568 name: "ConflictingVersionNegotiation",
4569 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4570 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4571 SendClientVersion: VersionTLS12,
4572 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4573 },
4574 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4575 // The extension takes precedence over the ClientHello version.
4576 expectedVersion: VersionTLS11,
4577 })
4578
4579 testCases = append(testCases, testCase{
4580 testType: serverTest,
4581 name: "ConflictingVersionNegotiation-2",
4582 config: Config{
4583 Bugs: ProtocolBugs{
4584 SendClientVersion: VersionTLS11,
4585 SendSupportedVersions: []uint16{VersionTLS12},
4586 },
4587 },
4588 // The extension takes precedence over the ClientHello version.
4589 expectedVersion: VersionTLS12,
4590 })
4591
4592 testCases = append(testCases, testCase{
4593 testType: serverTest,
4594 name: "RejectFinalTLS13",
4595 config: Config{
4596 Bugs: ProtocolBugs{
4597 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4598 },
4599 },
4600 // We currently implement a draft TLS 1.3 version. Ensure that
4601 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4602 expectedVersion: VersionTLS12,
4603 })
4604
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4605 // Test that the maximum version is selected regardless of the
4606 // client-sent order.
4607 testCases = append(testCases, testCase{
4608 testType: serverTest,
4609 name: "IgnoreClientVersionOrder",
4610 config: Config{
4611 Bugs: ProtocolBugs{
4612 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4613 },
4614 },
4615 expectedVersion: VersionTLS13,
4616 })
4617
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4618 // Test for version tolerance.
4619 testCases = append(testCases, testCase{
4620 testType: serverTest,
4621 name: "MinorVersionTolerance",
4622 config: Config{
4623 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4624 SendClientVersion: 0x03ff,
4625 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4626 },
4627 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4628 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4629 })
4630 testCases = append(testCases, testCase{
4631 testType: serverTest,
4632 name: "MajorVersionTolerance",
4633 config: Config{
4634 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4635 SendClientVersion: 0x0400,
4636 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4637 },
4638 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4639 // TLS 1.3 must be negotiated with the supported_versions
4640 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4641 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4642 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4643 testCases = append(testCases, testCase{
4644 testType: serverTest,
4645 name: "VersionTolerance-TLS13",
4646 config: Config{
4647 Bugs: ProtocolBugs{
4648 // Although TLS 1.3 does not use
4649 // ClientHello.version, it still tolerates high
4650 // values there.
4651 SendClientVersion: 0x0400,
4652 },
4653 },
4654 expectedVersion: VersionTLS13,
4655 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4656
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4657 testCases = append(testCases, testCase{
4658 protocol: dtls,
4659 testType: serverTest,
4660 name: "MinorVersionTolerance-DTLS",
4661 config: Config{
4662 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4663 SendClientVersion: 0xfe00,
4664 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4665 },
4666 },
4667 expectedVersion: VersionTLS12,
4668 })
4669 testCases = append(testCases, testCase{
4670 protocol: dtls,
4671 testType: serverTest,
4672 name: "MajorVersionTolerance-DTLS",
4673 config: Config{
4674 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4675 SendClientVersion: 0xfdff,
4676 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4677 },
4678 },
4679 expectedVersion: VersionTLS12,
4680 })
4681
4682 // Test that versions below 3.0 are rejected.
4683 testCases = append(testCases, testCase{
4684 testType: serverTest,
4685 name: "VersionTooLow",
4686 config: Config{
4687 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4688 SendClientVersion: 0x0200,
4689 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4690 },
4691 },
4692 shouldFail: true,
4693 expectedError: ":UNSUPPORTED_PROTOCOL:",
4694 })
4695 testCases = append(testCases, testCase{
4696 protocol: dtls,
4697 testType: serverTest,
4698 name: "VersionTooLow-DTLS",
4699 config: Config{
4700 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4701 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4702 },
4703 },
4704 shouldFail: true,
4705 expectedError: ":UNSUPPORTED_PROTOCOL:",
4706 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4707
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4708 testCases = append(testCases, testCase{
4709 name: "ServerBogusVersion",
4710 config: Config{
4711 Bugs: ProtocolBugs{
4712 SendServerHelloVersion: 0x1234,
4713 },
4714 },
4715 shouldFail: true,
4716 expectedError: ":UNSUPPORTED_PROTOCOL:",
4717 })
4718
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4719 // Test TLS 1.3's downgrade signal.
4720 testCases = append(testCases, testCase{
4721 name: "Downgrade-TLS12-Client",
4722 config: Config{
4723 Bugs: ProtocolBugs{
4724 NegotiateVersion: VersionTLS12,
4725 },
4726 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4727 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4728 // TODO(davidben): This test should fail once TLS 1.3 is final
4729 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4730 })
4731 testCases = append(testCases, testCase{
4732 testType: serverTest,
4733 name: "Downgrade-TLS12-Server",
4734 config: Config{
4735 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4736 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4737 },
4738 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4739 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4740 // TODO(davidben): This test should fail once TLS 1.3 is final
4741 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4742 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4743}
4744
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4745func addMinimumVersionTests() {
4746 for i, shimVers := range tlsVersions {
4747 // Assemble flags to disable all older versions on the shim.
4748 var flags []string
4749 for _, vers := range tlsVersions[:i] {
4750 flags = append(flags, vers.flag)
4751 }
4752
4753 for _, runnerVers := range tlsVersions {
4754 protocols := []protocol{tls}
4755 if runnerVers.hasDTLS && shimVers.hasDTLS {
4756 protocols = append(protocols, dtls)
4757 }
4758 for _, protocol := range protocols {
4759 suffix := shimVers.name + "-" + runnerVers.name
4760 if protocol == dtls {
4761 suffix += "-DTLS"
4762 }
4763 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4764
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4765 var expectedVersion uint16
4766 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4767 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4768 if runnerVers.version >= shimVers.version {
4769 expectedVersion = runnerVers.version
4770 } else {
4771 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4772 expectedError = ":UNSUPPORTED_PROTOCOL:"
4773 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4774 }
4775
4776 testCases = append(testCases, testCase{
4777 protocol: protocol,
4778 testType: clientTest,
4779 name: "MinimumVersion-Client-" + suffix,
4780 config: Config{
4781 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4782 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4783 // Ensure the server does not decline to
4784 // select a version (versions extension) or
4785 // cipher (some ciphers depend on versions).
4786 NegotiateVersion: runnerVers.version,
4787 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4788 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4789 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4790 flags: flags,
4791 expectedVersion: expectedVersion,
4792 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4793 expectedError: expectedError,
4794 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4795 })
4796 testCases = append(testCases, testCase{
4797 protocol: protocol,
4798 testType: clientTest,
4799 name: "MinimumVersion-Client2-" + suffix,
4800 config: Config{
4801 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4802 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4803 // Ensure the server does not decline to
4804 // select a version (versions extension) or
4805 // cipher (some ciphers depend on versions).
4806 NegotiateVersion: runnerVers.version,
4807 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4808 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4809 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4810 flags: []string{"-min-version", shimVersFlag},
4811 expectedVersion: expectedVersion,
4812 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4813 expectedError: expectedError,
4814 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4815 })
4816
4817 testCases = append(testCases, testCase{
4818 protocol: protocol,
4819 testType: serverTest,
4820 name: "MinimumVersion-Server-" + suffix,
4821 config: Config{
4822 MaxVersion: runnerVers.version,
4823 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4824 flags: flags,
4825 expectedVersion: expectedVersion,
4826 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4827 expectedError: expectedError,
4828 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4829 })
4830 testCases = append(testCases, testCase{
4831 protocol: protocol,
4832 testType: serverTest,
4833 name: "MinimumVersion-Server2-" + suffix,
4834 config: Config{
4835 MaxVersion: runnerVers.version,
4836 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4837 flags: []string{"-min-version", shimVersFlag},
4838 expectedVersion: expectedVersion,
4839 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4840 expectedError: expectedError,
4841 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4842 })
4843 }
4844 }
4845 }
4846}
4847
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4848func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4849 // TODO(davidben): Extensions, where applicable, all move their server
4850 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4851 // tests for both. Also test interaction with 0-RTT when implemented.
4852
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4853 // Repeat extensions tests all versions except SSL 3.0.
4854 for _, ver := range tlsVersions {
4855 if ver.version == VersionSSL30 {
4856 continue
4857 }
4858
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4859 // Test that duplicate extensions are rejected.
4860 testCases = append(testCases, testCase{
4861 testType: clientTest,
4862 name: "DuplicateExtensionClient-" + ver.name,
4863 config: Config{
4864 MaxVersion: ver.version,
4865 Bugs: ProtocolBugs{
4866 DuplicateExtension: true,
4867 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4868 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4869 shouldFail: true,
4870 expectedLocalError: "remote error: error decoding message",
4871 })
4872 testCases = append(testCases, testCase{
4873 testType: serverTest,
4874 name: "DuplicateExtensionServer-" + ver.name,
4875 config: Config{
4876 MaxVersion: ver.version,
4877 Bugs: ProtocolBugs{
4878 DuplicateExtension: true,
4879 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4880 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4881 shouldFail: true,
4882 expectedLocalError: "remote error: error decoding message",
4883 })
4884
4885 // Test SNI.
4886 testCases = append(testCases, testCase{
4887 testType: clientTest,
4888 name: "ServerNameExtensionClient-" + ver.name,
4889 config: Config{
4890 MaxVersion: ver.version,
4891 Bugs: ProtocolBugs{
4892 ExpectServerName: "example.com",
4893 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4894 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4895 flags: []string{"-host-name", "example.com"},
4896 })
4897 testCases = append(testCases, testCase{
4898 testType: clientTest,
4899 name: "ServerNameExtensionClientMismatch-" + ver.name,
4900 config: Config{
4901 MaxVersion: ver.version,
4902 Bugs: ProtocolBugs{
4903 ExpectServerName: "mismatch.com",
4904 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4905 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4906 flags: []string{"-host-name", "example.com"},
4907 shouldFail: true,
4908 expectedLocalError: "tls: unexpected server name",
4909 })
4910 testCases = append(testCases, testCase{
4911 testType: clientTest,
4912 name: "ServerNameExtensionClientMissing-" + ver.name,
4913 config: Config{
4914 MaxVersion: ver.version,
4915 Bugs: ProtocolBugs{
4916 ExpectServerName: "missing.com",
4917 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4918 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4919 shouldFail: true,
4920 expectedLocalError: "tls: unexpected server name",
4921 })
4922 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4923 testType: clientTest,
4924 name: "TolerateServerNameAck-" + ver.name,
4925 config: Config{
4926 MaxVersion: ver.version,
4927 Bugs: ProtocolBugs{
4928 SendServerNameAck: true,
4929 },
4930 },
4931 flags: []string{"-host-name", "example.com"},
4932 resumeSession: true,
4933 })
4934 testCases = append(testCases, testCase{
4935 testType: clientTest,
4936 name: "UnsolicitedServerNameAck-" + ver.name,
4937 config: Config{
4938 MaxVersion: ver.version,
4939 Bugs: ProtocolBugs{
4940 SendServerNameAck: true,
4941 },
4942 },
4943 shouldFail: true,
4944 expectedError: ":UNEXPECTED_EXTENSION:",
4945 expectedLocalError: "remote error: unsupported extension",
4946 })
4947 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4948 testType: serverTest,
4949 name: "ServerNameExtensionServer-" + ver.name,
4950 config: Config{
4951 MaxVersion: ver.version,
4952 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4953 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4954 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4955 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4956 })
4957
4958 // Test ALPN.
4959 testCases = append(testCases, testCase{
4960 testType: clientTest,
4961 name: "ALPNClient-" + ver.name,
4962 config: Config{
4963 MaxVersion: ver.version,
4964 NextProtos: []string{"foo"},
4965 },
4966 flags: []string{
4967 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4968 "-expect-alpn", "foo",
4969 },
4970 expectedNextProto: "foo",
4971 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4972 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4973 })
4974 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4975 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4976 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4977 config: Config{
4978 MaxVersion: ver.version,
4979 Bugs: ProtocolBugs{
4980 SendALPN: "baz",
4981 },
4982 },
4983 flags: []string{
4984 "-advertise-alpn", "\x03foo\x03bar",
4985 },
4986 shouldFail: true,
4987 expectedError: ":INVALID_ALPN_PROTOCOL:",
4988 expectedLocalError: "remote error: illegal parameter",
4989 })
4990 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4991 testType: clientTest,
4992 name: "ALPNClient-AllowUnknown-" + ver.name,
4993 config: Config{
4994 MaxVersion: ver.version,
4995 Bugs: ProtocolBugs{
4996 SendALPN: "baz",
4997 },
4998 },
4999 flags: []string{
5000 "-advertise-alpn", "\x03foo\x03bar",
5001 "-allow-unknown-alpn-protos",
5002 },
5003 })
5004 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5005 testType: serverTest,
5006 name: "ALPNServer-" + ver.name,
5007 config: Config{
5008 MaxVersion: ver.version,
5009 NextProtos: []string{"foo", "bar", "baz"},
5010 },
5011 flags: []string{
5012 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5013 "-select-alpn", "foo",
5014 },
5015 expectedNextProto: "foo",
5016 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5017 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5018 })
5019 testCases = append(testCases, testCase{
5020 testType: serverTest,
5021 name: "ALPNServer-Decline-" + ver.name,
5022 config: Config{
5023 MaxVersion: ver.version,
5024 NextProtos: []string{"foo", "bar", "baz"},
5025 },
5026 flags: []string{"-decline-alpn"},
5027 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5028 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5029 })
5030
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5031 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5032 // called once.
5033 testCases = append(testCases, testCase{
5034 testType: serverTest,
5035 name: "ALPNServer-Async-" + ver.name,
5036 config: Config{
5037 MaxVersion: ver.version,
5038 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5039 // Prior to TLS 1.3, exercise the asynchronous session callback.
5040 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5041 },
5042 flags: []string{
5043 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5044 "-select-alpn", "foo",
5045 "-async",
5046 },
5047 expectedNextProto: "foo",
5048 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5049 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5050 })
5051
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5052 var emptyString string
5053 testCases = append(testCases, testCase{
5054 testType: clientTest,
5055 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5056 config: Config{
5057 MaxVersion: ver.version,
5058 NextProtos: []string{""},
5059 Bugs: ProtocolBugs{
5060 // A server returning an empty ALPN protocol
5061 // should be rejected.
5062 ALPNProtocol: &emptyString,
5063 },
5064 },
5065 flags: []string{
5066 "-advertise-alpn", "\x03foo",
5067 },
5068 shouldFail: true,
5069 expectedError: ":PARSE_TLSEXT:",
5070 })
5071 testCases = append(testCases, testCase{
5072 testType: serverTest,
5073 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5074 config: Config{
5075 MaxVersion: ver.version,
5076 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5077 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5078 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5079 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5080 flags: []string{
5081 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5082 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5083 shouldFail: true,
5084 expectedError: ":PARSE_TLSEXT:",
5085 })
5086
5087 // Test NPN and the interaction with ALPN.
5088 if ver.version < VersionTLS13 {
5089 // Test that the server prefers ALPN over NPN.
5090 testCases = append(testCases, testCase{
5091 testType: serverTest,
5092 name: "ALPNServer-Preferred-" + ver.name,
5093 config: Config{
5094 MaxVersion: ver.version,
5095 NextProtos: []string{"foo", "bar", "baz"},
5096 },
5097 flags: []string{
5098 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5099 "-select-alpn", "foo",
5100 "-advertise-npn", "\x03foo\x03bar\x03baz",
5101 },
5102 expectedNextProto: "foo",
5103 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5104 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5105 })
5106 testCases = append(testCases, testCase{
5107 testType: serverTest,
5108 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5109 config: Config{
5110 MaxVersion: ver.version,
5111 NextProtos: []string{"foo", "bar", "baz"},
5112 Bugs: ProtocolBugs{
5113 SwapNPNAndALPN: true,
5114 },
5115 },
5116 flags: []string{
5117 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5118 "-select-alpn", "foo",
5119 "-advertise-npn", "\x03foo\x03bar\x03baz",
5120 },
5121 expectedNextProto: "foo",
5122 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5123 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5124 })
5125
5126 // Test that negotiating both NPN and ALPN is forbidden.
5127 testCases = append(testCases, testCase{
5128 name: "NegotiateALPNAndNPN-" + ver.name,
5129 config: Config{
5130 MaxVersion: ver.version,
5131 NextProtos: []string{"foo", "bar", "baz"},
5132 Bugs: ProtocolBugs{
5133 NegotiateALPNAndNPN: true,
5134 },
5135 },
5136 flags: []string{
5137 "-advertise-alpn", "\x03foo",
5138 "-select-next-proto", "foo",
5139 },
5140 shouldFail: true,
5141 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5142 })
5143 testCases = append(testCases, testCase{
5144 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5145 config: Config{
5146 MaxVersion: ver.version,
5147 NextProtos: []string{"foo", "bar", "baz"},
5148 Bugs: ProtocolBugs{
5149 NegotiateALPNAndNPN: true,
5150 SwapNPNAndALPN: true,
5151 },
5152 },
5153 flags: []string{
5154 "-advertise-alpn", "\x03foo",
5155 "-select-next-proto", "foo",
5156 },
5157 shouldFail: true,
5158 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5159 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5160 }
5161
5162 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5163
5164 // Resume with a corrupt ticket.
5165 testCases = append(testCases, testCase{
5166 testType: serverTest,
5167 name: "CorruptTicket-" + ver.name,
5168 config: Config{
5169 MaxVersion: ver.version,
5170 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5171 FilterTicket: func(in []byte) ([]byte, error) {
5172 in[len(in)-1] ^= 1
5173 return in, nil
5174 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5175 },
5176 },
5177 resumeSession: true,
5178 expectResumeRejected: true,
5179 })
5180 // Test the ticket callback, with and without renewal.
5181 testCases = append(testCases, testCase{
5182 testType: serverTest,
5183 name: "TicketCallback-" + ver.name,
5184 config: Config{
5185 MaxVersion: ver.version,
5186 },
5187 resumeSession: true,
5188 flags: []string{"-use-ticket-callback"},
5189 })
5190 testCases = append(testCases, testCase{
5191 testType: serverTest,
5192 name: "TicketCallback-Renew-" + ver.name,
5193 config: Config{
5194 MaxVersion: ver.version,
5195 Bugs: ProtocolBugs{
5196 ExpectNewTicket: true,
5197 },
5198 },
5199 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5200 resumeSession: true,
5201 })
5202
5203 // Test that the ticket callback is only called once when everything before
5204 // it in the ClientHello is asynchronous. This corrupts the ticket so
5205 // certificate selection callbacks run.
5206 testCases = append(testCases, testCase{
5207 testType: serverTest,
5208 name: "TicketCallback-SingleCall-" + ver.name,
5209 config: Config{
5210 MaxVersion: ver.version,
5211 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5212 FilterTicket: func(in []byte) ([]byte, error) {
5213 in[len(in)-1] ^= 1
5214 return in, nil
5215 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5216 },
5217 },
5218 resumeSession: true,
5219 expectResumeRejected: true,
5220 flags: []string{
5221 "-use-ticket-callback",
5222 "-async",
5223 },
5224 })
5225
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5226 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5227 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5228 testCases = append(testCases, testCase{
5229 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5230 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5231 config: Config{
5232 MaxVersion: ver.version,
5233 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5234 EmptyTicketSessionID: true,
5235 },
5236 },
5237 resumeSession: true,
5238 })
5239 testCases = append(testCases, testCase{
5240 testType: serverTest,
5241 name: "TicketSessionIDLength-16-" + ver.name,
5242 config: Config{
5243 MaxVersion: ver.version,
5244 Bugs: ProtocolBugs{
5245 TicketSessionIDLength: 16,
5246 },
5247 },
5248 resumeSession: true,
5249 })
5250 testCases = append(testCases, testCase{
5251 testType: serverTest,
5252 name: "TicketSessionIDLength-32-" + ver.name,
5253 config: Config{
5254 MaxVersion: ver.version,
5255 Bugs: ProtocolBugs{
5256 TicketSessionIDLength: 32,
5257 },
5258 },
5259 resumeSession: true,
5260 })
5261 testCases = append(testCases, testCase{
5262 testType: serverTest,
5263 name: "TicketSessionIDLength-33-" + ver.name,
5264 config: Config{
5265 MaxVersion: ver.version,
5266 Bugs: ProtocolBugs{
5267 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5268 },
5269 },
5270 resumeSession: true,
5271 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5272 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5273 expectedError: ":DECODE_ERROR:",
5274 })
5275 }
5276
5277 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5278 // are ignored.
5279 if ver.hasDTLS {
5280 testCases = append(testCases, testCase{
5281 protocol: dtls,
5282 name: "SRTP-Client-" + ver.name,
5283 config: Config{
5284 MaxVersion: ver.version,
5285 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5286 },
5287 flags: []string{
5288 "-srtp-profiles",
5289 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5290 },
5291 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5292 })
5293 testCases = append(testCases, testCase{
5294 protocol: dtls,
5295 testType: serverTest,
5296 name: "SRTP-Server-" + ver.name,
5297 config: Config{
5298 MaxVersion: ver.version,
5299 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5300 },
5301 flags: []string{
5302 "-srtp-profiles",
5303 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5304 },
5305 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5306 })
5307 // Test that the MKI is ignored.
5308 testCases = append(testCases, testCase{
5309 protocol: dtls,
5310 testType: serverTest,
5311 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5312 config: Config{
5313 MaxVersion: ver.version,
5314 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5315 Bugs: ProtocolBugs{
5316 SRTPMasterKeyIdentifer: "bogus",
5317 },
5318 },
5319 flags: []string{
5320 "-srtp-profiles",
5321 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5322 },
5323 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5324 })
5325 // Test that SRTP isn't negotiated on the server if there were
5326 // no matching profiles.
5327 testCases = append(testCases, testCase{
5328 protocol: dtls,
5329 testType: serverTest,
5330 name: "SRTP-Server-NoMatch-" + ver.name,
5331 config: Config{
5332 MaxVersion: ver.version,
5333 SRTPProtectionProfiles: []uint16{100, 101, 102},
5334 },
5335 flags: []string{
5336 "-srtp-profiles",
5337 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5338 },
5339 expectedSRTPProtectionProfile: 0,
5340 })
5341 // Test that the server returning an invalid SRTP profile is
5342 // flagged as an error by the client.
5343 testCases = append(testCases, testCase{
5344 protocol: dtls,
5345 name: "SRTP-Client-NoMatch-" + ver.name,
5346 config: Config{
5347 MaxVersion: ver.version,
5348 Bugs: ProtocolBugs{
5349 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5350 },
5351 },
5352 flags: []string{
5353 "-srtp-profiles",
5354 "SRTP_AES128_CM_SHA1_80",
5355 },
5356 shouldFail: true,
5357 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5358 })
5359 }
5360
5361 // Test SCT list.
5362 testCases = append(testCases, testCase{
5363 name: "SignedCertificateTimestampList-Client-" + ver.name,
5364 testType: clientTest,
5365 config: Config{
5366 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5367 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5368 flags: []string{
5369 "-enable-signed-cert-timestamps",
5370 "-expect-signed-cert-timestamps",
5371 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5372 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5373 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5374 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5375
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5376 var differentSCTList []byte
5377 differentSCTList = append(differentSCTList, testSCTList...)
5378 differentSCTList[len(differentSCTList)-1] ^= 1
5379
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5380 // The SCT extension did not specify that it must only be sent on resumption as it
5381 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5382 testCases = append(testCases, testCase{
5383 name: "SendSCTListOnResume-" + ver.name,
5384 config: Config{
5385 MaxVersion: ver.version,
5386 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5387 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5388 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5389 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5390 flags: []string{
5391 "-enable-signed-cert-timestamps",
5392 "-expect-signed-cert-timestamps",
5393 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5394 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5395 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5396 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5397
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5398 testCases = append(testCases, testCase{
5399 name: "SignedCertificateTimestampList-Server-" + ver.name,
5400 testType: serverTest,
5401 config: Config{
5402 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5403 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5404 flags: []string{
5405 "-signed-cert-timestamps",
5406 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5407 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5408 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5409 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5410 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5411
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5412 emptySCTListCert := *testCerts[0].cert
5413 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5414
5415 // Test empty SCT list.
5416 testCases = append(testCases, testCase{
5417 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5418 testType: clientTest,
5419 config: Config{
5420 MaxVersion: ver.version,
5421 Certificates: []Certificate{emptySCTListCert},
5422 },
5423 flags: []string{
5424 "-enable-signed-cert-timestamps",
5425 },
5426 shouldFail: true,
5427 expectedError: ":ERROR_PARSING_EXTENSION:",
5428 })
5429
5430 emptySCTCert := *testCerts[0].cert
5431 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5432
5433 // Test empty SCT in non-empty list.
5434 testCases = append(testCases, testCase{
5435 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5436 testType: clientTest,
5437 config: Config{
5438 MaxVersion: ver.version,
5439 Certificates: []Certificate{emptySCTCert},
5440 },
5441 flags: []string{
5442 "-enable-signed-cert-timestamps",
5443 },
5444 shouldFail: true,
5445 expectedError: ":ERROR_PARSING_EXTENSION:",
5446 })
5447
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5448 // Test that certificate-related extensions are not sent unsolicited.
5449 testCases = append(testCases, testCase{
5450 testType: serverTest,
5451 name: "UnsolicitedCertificateExtensions-" + ver.name,
5452 config: Config{
5453 MaxVersion: ver.version,
5454 Bugs: ProtocolBugs{
5455 NoOCSPStapling: true,
5456 NoSignedCertificateTimestamps: true,
5457 },
5458 },
5459 flags: []string{
5460 "-ocsp-response",
5461 base64.StdEncoding.EncodeToString(testOCSPResponse),
5462 "-signed-cert-timestamps",
5463 base64.StdEncoding.EncodeToString(testSCTList),
5464 },
5465 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5466 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5467
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5468 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5469 testType: clientTest,
5470 name: "ClientHelloPadding",
5471 config: Config{
5472 Bugs: ProtocolBugs{
5473 RequireClientHelloSize: 512,
5474 },
5475 },
5476 // This hostname just needs to be long enough to push the
5477 // ClientHello into F5's danger zone between 256 and 511 bytes
5478 // long.
5479 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5480 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5481
5482 // Extensions should not function in SSL 3.0.
5483 testCases = append(testCases, testCase{
5484 testType: serverTest,
5485 name: "SSLv3Extensions-NoALPN",
5486 config: Config{
5487 MaxVersion: VersionSSL30,
5488 NextProtos: []string{"foo", "bar", "baz"},
5489 },
5490 flags: []string{
5491 "-select-alpn", "foo",
5492 },
5493 expectNoNextProto: true,
5494 })
5495
5496 // Test session tickets separately as they follow a different codepath.
5497 testCases = append(testCases, testCase{
5498 testType: serverTest,
5499 name: "SSLv3Extensions-NoTickets",
5500 config: Config{
5501 MaxVersion: VersionSSL30,
5502 Bugs: ProtocolBugs{
5503 // Historically, session tickets in SSL 3.0
5504 // failed in different ways depending on whether
5505 // the client supported renegotiation_info.
5506 NoRenegotiationInfo: true,
5507 },
5508 },
5509 resumeSession: true,
5510 })
5511 testCases = append(testCases, testCase{
5512 testType: serverTest,
5513 name: "SSLv3Extensions-NoTickets2",
5514 config: Config{
5515 MaxVersion: VersionSSL30,
5516 },
5517 resumeSession: true,
5518 })
5519
5520 // But SSL 3.0 does send and process renegotiation_info.
5521 testCases = append(testCases, testCase{
5522 testType: serverTest,
5523 name: "SSLv3Extensions-RenegotiationInfo",
5524 config: Config{
5525 MaxVersion: VersionSSL30,
5526 Bugs: ProtocolBugs{
5527 RequireRenegotiationInfo: true,
5528 },
5529 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5530 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5531 })
5532 testCases = append(testCases, testCase{
5533 testType: serverTest,
5534 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5535 config: Config{
5536 MaxVersion: VersionSSL30,
5537 Bugs: ProtocolBugs{
5538 NoRenegotiationInfo: true,
5539 SendRenegotiationSCSV: true,
5540 RequireRenegotiationInfo: true,
5541 },
5542 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5543 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5544 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5545
5546 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5547 // in ServerHello.
5548 testCases = append(testCases, testCase{
5549 name: "NPN-Forbidden-TLS13",
5550 config: Config{
5551 MaxVersion: VersionTLS13,
5552 NextProtos: []string{"foo"},
5553 Bugs: ProtocolBugs{
5554 NegotiateNPNAtAllVersions: true,
5555 },
5556 },
5557 flags: []string{"-select-next-proto", "foo"},
5558 shouldFail: true,
5559 expectedError: ":ERROR_PARSING_EXTENSION:",
5560 })
5561 testCases = append(testCases, testCase{
5562 name: "EMS-Forbidden-TLS13",
5563 config: Config{
5564 MaxVersion: VersionTLS13,
5565 Bugs: ProtocolBugs{
5566 NegotiateEMSAtAllVersions: true,
5567 },
5568 },
5569 shouldFail: true,
5570 expectedError: ":ERROR_PARSING_EXTENSION:",
5571 })
5572 testCases = append(testCases, testCase{
5573 name: "RenegotiationInfo-Forbidden-TLS13",
5574 config: Config{
5575 MaxVersion: VersionTLS13,
5576 Bugs: ProtocolBugs{
5577 NegotiateRenegotiationInfoAtAllVersions: true,
5578 },
5579 },
5580 shouldFail: true,
5581 expectedError: ":ERROR_PARSING_EXTENSION:",
5582 })
5583 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5584 name: "Ticket-Forbidden-TLS13",
5585 config: Config{
5586 MaxVersion: VersionTLS12,
5587 },
5588 resumeConfig: &Config{
5589 MaxVersion: VersionTLS13,
5590 Bugs: ProtocolBugs{
5591 AdvertiseTicketExtension: true,
5592 },
5593 },
5594 resumeSession: true,
5595 shouldFail: true,
5596 expectedError: ":ERROR_PARSING_EXTENSION:",
5597 })
5598
5599 // Test that illegal extensions in TLS 1.3 are declined by the server if
5600 // offered in ClientHello. The runner's server will fail if this occurs,
5601 // so we exercise the offering path. (EMS and Renegotiation Info are
5602 // implicit in every test.)
5603 testCases = append(testCases, testCase{
5604 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5605 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5606 config: Config{
5607 MaxVersion: VersionTLS13,
5608 NextProtos: []string{"bar"},
5609 },
5610 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5611 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5612
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5613 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5614 // tolerated.
5615 testCases = append(testCases, testCase{
5616 name: "SendOCSPResponseOnResume-TLS12",
5617 config: Config{
5618 MaxVersion: VersionTLS12,
5619 Bugs: ProtocolBugs{
5620 SendOCSPResponseOnResume: []byte("bogus"),
5621 },
5622 },
5623 flags: []string{
5624 "-enable-ocsp-stapling",
5625 "-expect-ocsp-response",
5626 base64.StdEncoding.EncodeToString(testOCSPResponse),
5627 },
5628 resumeSession: true,
5629 })
5630
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5631 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5632 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5633 config: Config{
5634 MaxVersion: VersionTLS13,
5635 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5636 SendExtensionOnCertificate: testOCSPExtension,
5637 },
5638 },
5639 shouldFail: true,
5640 expectedError: ":UNEXPECTED_EXTENSION:",
5641 })
5642
5643 testCases = append(testCases, testCase{
5644 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5645 config: Config{
5646 MaxVersion: VersionTLS13,
5647 Bugs: ProtocolBugs{
5648 SendExtensionOnCertificate: testSCTExtension,
5649 },
5650 },
5651 shouldFail: true,
5652 expectedError: ":UNEXPECTED_EXTENSION:",
5653 })
5654
5655 // Test that extensions on client certificates are never accepted.
5656 testCases = append(testCases, testCase{
5657 name: "SendExtensionOnClientCertificate-TLS13",
5658 testType: serverTest,
5659 config: Config{
5660 MaxVersion: VersionTLS13,
5661 Certificates: []Certificate{rsaCertificate},
5662 Bugs: ProtocolBugs{
5663 SendExtensionOnCertificate: testOCSPExtension,
5664 },
5665 },
5666 flags: []string{
5667 "-enable-ocsp-stapling",
5668 "-require-any-client-certificate",
5669 },
5670 shouldFail: true,
5671 expectedError: ":UNEXPECTED_EXTENSION:",
5672 })
5673
5674 testCases = append(testCases, testCase{
5675 name: "SendUnknownExtensionOnCertificate-TLS13",
5676 config: Config{
5677 MaxVersion: VersionTLS13,
5678 Bugs: ProtocolBugs{
5679 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5680 },
5681 },
5682 shouldFail: true,
5683 expectedError: ":UNEXPECTED_EXTENSION:",
5684 })
5685
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5686 var differentSCTList []byte
5687 differentSCTList = append(differentSCTList, testSCTList...)
5688 differentSCTList[len(differentSCTList)-1] ^= 1
5689
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5690 // Test that extensions on intermediates are allowed but ignored.
5691 testCases = append(testCases, testCase{
5692 name: "IgnoreExtensionsOnIntermediates-TLS13",
5693 config: Config{
5694 MaxVersion: VersionTLS13,
5695 Certificates: []Certificate{rsaChainCertificate},
5696 Bugs: ProtocolBugs{
5697 // Send different values on the intermediate. This tests
5698 // the intermediate's extensions do not override the
5699 // leaf's.
5700 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5701 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5702 },
5703 },
5704 flags: []string{
5705 "-enable-ocsp-stapling",
5706 "-expect-ocsp-response",
5707 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5708 "-enable-signed-cert-timestamps",
5709 "-expect-signed-cert-timestamps",
5710 base64.StdEncoding.EncodeToString(testSCTList),
5711 },
5712 resumeSession: true,
5713 })
5714
5715 // Test that extensions are not sent on intermediates when configured
5716 // only for a leaf.
5717 testCases = append(testCases, testCase{
5718 testType: serverTest,
5719 name: "SendNoExtensionsOnIntermediate-TLS13",
5720 config: Config{
5721 MaxVersion: VersionTLS13,
5722 Bugs: ProtocolBugs{
5723 ExpectNoExtensionsOnIntermediate: true,
5724 },
5725 },
5726 flags: []string{
5727 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5728 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5729 "-ocsp-response",
5730 base64.StdEncoding.EncodeToString(testOCSPResponse),
5731 "-signed-cert-timestamps",
5732 base64.StdEncoding.EncodeToString(testSCTList),
5733 },
5734 })
5735
5736 // Test that extensions are not sent on client certificates.
5737 testCases = append(testCases, testCase{
5738 name: "SendNoClientCertificateExtensions-TLS13",
5739 config: Config{
5740 MaxVersion: VersionTLS13,
5741 ClientAuth: RequireAnyClientCert,
5742 },
5743 flags: []string{
5744 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5745 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5746 "-ocsp-response",
5747 base64.StdEncoding.EncodeToString(testOCSPResponse),
5748 "-signed-cert-timestamps",
5749 base64.StdEncoding.EncodeToString(testSCTList),
5750 },
5751 })
5752
5753 testCases = append(testCases, testCase{
5754 name: "SendDuplicateExtensionsOnCerts-TLS13",
5755 config: Config{
5756 MaxVersion: VersionTLS13,
5757 Bugs: ProtocolBugs{
5758 SendDuplicateCertExtensions: true,
5759 },
5760 },
5761 flags: []string{
5762 "-enable-ocsp-stapling",
5763 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5764 },
5765 resumeSession: true,
5766 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5767 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5768 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5769
5770 testCases = append(testCases, testCase{
5771 name: "SignedCertificateTimestampListInvalid-Server",
5772 testType: serverTest,
5773 flags: []string{
5774 "-signed-cert-timestamps",
5775 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5776 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5777 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5778 expectedError: ":INVALID_SCT_LIST:",
5779 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5780}
5781
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5782func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5783 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5784 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5785 // SSL 3.0 does not have tickets and TLS 1.3 does not
5786 // have session IDs, so skip their cross-resumption
5787 // tests.
5788 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5789 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5790 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5791 }
5792
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5793 protocols := []protocol{tls}
5794 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5795 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5796 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5797 for _, protocol := range protocols {
5798 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5799 if protocol == dtls {
5800 suffix += "-DTLS"
5801 }
5802
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5803 if sessionVers.version == resumeVers.version {
5804 testCases = append(testCases, testCase{
5805 protocol: protocol,
5806 name: "Resume-Client" + suffix,
5807 resumeSession: true,
5808 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5809 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5810 Bugs: ProtocolBugs{
5811 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5812 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5813 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5814 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5815 expectedVersion: sessionVers.version,
5816 expectedResumeVersion: resumeVers.version,
5817 })
5818 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5819 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5820
5821 // Offering a TLS 1.3 session sends an empty session ID, so
5822 // there is no way to convince a non-lookahead client the
5823 // session was resumed. It will appear to the client that a
5824 // stray ChangeCipherSpec was sent.
5825 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5826 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5827 }
5828
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5829 testCases = append(testCases, testCase{
5830 protocol: protocol,
5831 name: "Resume-Client-Mismatch" + suffix,
5832 resumeSession: true,
5833 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5834 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5835 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5836 expectedVersion: sessionVers.version,
5837 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5838 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5839 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5840 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5841 },
5842 },
5843 expectedResumeVersion: resumeVers.version,
5844 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5845 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5846 })
5847 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5848
5849 testCases = append(testCases, testCase{
5850 protocol: protocol,
5851 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5852 resumeSession: true,
5853 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5854 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5855 },
5856 expectedVersion: sessionVers.version,
5857 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5858 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5859 },
5860 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5861 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5862 expectedResumeVersion: resumeVers.version,
5863 })
5864
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5865 testCases = append(testCases, testCase{
5866 protocol: protocol,
5867 testType: serverTest,
5868 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5869 resumeSession: true,
5870 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5871 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5872 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5873 expectedVersion: sessionVers.version,
5874 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5875 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5876 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5877 Bugs: ProtocolBugs{
5878 SendBothTickets: true,
5879 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5880 },
5881 expectedResumeVersion: resumeVers.version,
5882 })
5883 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5884 }
5885 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5886
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5887 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5888 testCases = append(testCases, testCase{
5889 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5890 name: "ShimTicketRewritable",
5891 resumeSession: true,
5892 config: Config{
5893 MaxVersion: VersionTLS12,
5894 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5895 Bugs: ProtocolBugs{
5896 FilterTicket: func(in []byte) ([]byte, error) {
5897 in, err := SetShimTicketVersion(in, VersionTLS12)
5898 if err != nil {
5899 return nil, err
5900 }
5901 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5902 },
5903 },
5904 },
5905 flags: []string{
5906 "-ticket-key",
5907 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5908 },
5909 })
5910
5911 // Resumptions are declined if the version does not match.
5912 testCases = append(testCases, testCase{
5913 testType: serverTest,
5914 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5915 resumeSession: true,
5916 config: Config{
5917 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5918 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5919 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5920 FilterTicket: func(in []byte) ([]byte, error) {
5921 return SetShimTicketVersion(in, VersionTLS13)
5922 },
5923 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5924 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5925 flags: []string{
5926 "-ticket-key",
5927 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5928 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5929 expectResumeRejected: true,
5930 })
5931
5932 testCases = append(testCases, testCase{
5933 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5934 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5935 resumeSession: true,
5936 config: Config{
5937 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5938 Bugs: ProtocolBugs{
5939 FilterTicket: func(in []byte) ([]byte, error) {
5940 return SetShimTicketVersion(in, VersionTLS12)
5941 },
5942 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5943 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5944 flags: []string{
5945 "-ticket-key",
5946 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5947 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5948 expectResumeRejected: true,
5949 })
5950
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5951 // Resumptions are declined if the cipher is invalid or disabled.
5952 testCases = append(testCases, testCase{
5953 testType: serverTest,
5954 name: "Resume-Server-DeclineBadCipher",
5955 resumeSession: true,
5956 config: Config{
5957 MaxVersion: VersionTLS12,
5958 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5959 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5960 FilterTicket: func(in []byte) ([]byte, error) {
5961 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5962 },
5963 },
5964 },
5965 flags: []string{
5966 "-ticket-key",
5967 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5968 },
5969 expectResumeRejected: true,
5970 })
5971
5972 testCases = append(testCases, testCase{
5973 testType: serverTest,
5974 name: "Resume-Server-DeclineBadCipher-2",
5975 resumeSession: true,
5976 config: Config{
5977 MaxVersion: VersionTLS12,
5978 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5979 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5980 FilterTicket: func(in []byte) ([]byte, error) {
5981 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5982 },
5983 },
5984 },
5985 flags: []string{
5986 "-cipher", "AES128",
5987 "-ticket-key",
5988 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5989 },
5990 expectResumeRejected: true,
5991 })
5992
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5993 // Sessions are not resumed if they do not use the preferred cipher.
5994 testCases = append(testCases, testCase{
5995 testType: serverTest,
5996 name: "Resume-Server-CipherNotPreferred",
5997 resumeSession: true,
5998 config: Config{
5999 MaxVersion: VersionTLS12,
6000 Bugs: ProtocolBugs{
6001 ExpectNewTicket: true,
6002 FilterTicket: func(in []byte) ([]byte, error) {
6003 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
6004 },
6005 },
6006 },
6007 flags: []string{
6008 "-ticket-key",
6009 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6010 },
6011 shouldFail: false,
6012 expectResumeRejected: true,
6013 })
6014
6015 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6016 // PRF hashes match, but BoringSSL will always decline such resumptions.
6017 testCases = append(testCases, testCase{
6018 testType: serverTest,
6019 name: "Resume-Server-CipherNotPreferred-TLS13",
6020 resumeSession: true,
6021 config: Config{
6022 MaxVersion: VersionTLS13,
6023 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6024 Bugs: ProtocolBugs{
6025 FilterTicket: func(in []byte) ([]byte, error) {
6026 // If the client (runner) offers ChaCha20-Poly1305 first, the
6027 // server (shim) always prefers it. Switch it to AES-GCM.
6028 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6029 },
6030 },
6031 },
6032 flags: []string{
6033 "-ticket-key",
6034 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6035 },
6036 shouldFail: false,
6037 expectResumeRejected: true,
6038 })
6039
6040 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6041 testCases = append(testCases, testCase{
6042 testType: serverTest,
6043 name: "Resume-Server-DeclineBadCipher-TLS13",
6044 resumeSession: true,
6045 config: Config{
6046 MaxVersion: VersionTLS13,
6047 Bugs: ProtocolBugs{
6048 FilterTicket: func(in []byte) ([]byte, error) {
6049 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6050 },
6051 },
6052 },
6053 flags: []string{
6054 "-ticket-key",
6055 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6056 },
6057 expectResumeRejected: true,
6058 })
6059
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6060 // If the client does not offer the cipher from the session, decline to
6061 // resume. Clients are forbidden from doing this, but BoringSSL selects
6062 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6063 testCases = append(testCases, testCase{
6064 testType: serverTest,
6065 name: "Resume-Server-UnofferedCipher",
6066 resumeSession: true,
6067 config: Config{
6068 MaxVersion: VersionTLS12,
6069 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6070 },
6071 resumeConfig: &Config{
6072 MaxVersion: VersionTLS12,
6073 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6074 Bugs: ProtocolBugs{
6075 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6076 },
6077 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6078 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6079 })
6080
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6081 // In TLS 1.3, clients may advertise a cipher list which does not
6082 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6083 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6084 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6085 testCases = append(testCases, testCase{
6086 testType: serverTest,
6087 name: "Resume-Server-UnofferedCipher-TLS13",
6088 resumeSession: true,
6089 config: Config{
6090 MaxVersion: VersionTLS13,
6091 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6092 },
6093 resumeConfig: &Config{
6094 MaxVersion: VersionTLS13,
6095 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6096 Bugs: ProtocolBugs{
6097 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6098 },
6099 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6100 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6101 })
6102
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6103 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6104 testCases = append(testCases, testCase{
6105 name: "Resume-Client-CipherMismatch",
6106 resumeSession: true,
6107 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6108 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6109 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6110 },
6111 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6112 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6113 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6114 Bugs: ProtocolBugs{
6115 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6116 },
6117 },
6118 shouldFail: true,
6119 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6120 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6121
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6122 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6123 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6124 testCases = append(testCases, testCase{
6125 name: "Resume-Client-CipherMismatch-TLS13",
6126 resumeSession: true,
6127 config: Config{
6128 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6129 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6130 },
6131 resumeConfig: &Config{
6132 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6133 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6134 },
6135 })
6136
6137 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6138 testCases = append(testCases, testCase{
6139 name: "Resume-Client-PRFMismatch-TLS13",
6140 resumeSession: true,
6141 config: Config{
6142 MaxVersion: VersionTLS13,
6143 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6144 },
6145 resumeConfig: &Config{
6146 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6147 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6148 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6149 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6150 },
6151 },
6152 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6153 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6154 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6155
6156 testCases = append(testCases, testCase{
6157 testType: serverTest,
6158 name: "Resume-Server-BinderWrongLength",
6159 resumeSession: true,
6160 config: Config{
6161 MaxVersion: VersionTLS13,
6162 Bugs: ProtocolBugs{
6163 SendShortPSKBinder: true,
6164 },
6165 },
6166 shouldFail: true,
6167 expectedLocalError: "remote error: error decrypting message",
6168 expectedError: ":DIGEST_CHECK_FAILED:",
6169 })
6170
6171 testCases = append(testCases, testCase{
6172 testType: serverTest,
6173 name: "Resume-Server-NoPSKBinder",
6174 resumeSession: true,
6175 config: Config{
6176 MaxVersion: VersionTLS13,
6177 Bugs: ProtocolBugs{
6178 SendNoPSKBinder: true,
6179 },
6180 },
6181 shouldFail: true,
6182 expectedLocalError: "remote error: error decoding message",
6183 expectedError: ":DECODE_ERROR:",
6184 })
6185
6186 testCases = append(testCases, testCase{
6187 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6188 name: "Resume-Server-ExtraPSKBinder",
6189 resumeSession: true,
6190 config: Config{
6191 MaxVersion: VersionTLS13,
6192 Bugs: ProtocolBugs{
6193 SendExtraPSKBinder: true,
6194 },
6195 },
6196 shouldFail: true,
6197 expectedLocalError: "remote error: illegal parameter",
6198 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6199 })
6200
6201 testCases = append(testCases, testCase{
6202 testType: serverTest,
6203 name: "Resume-Server-ExtraIdentityNoBinder",
6204 resumeSession: true,
6205 config: Config{
6206 MaxVersion: VersionTLS13,
6207 Bugs: ProtocolBugs{
6208 ExtraPSKIdentity: true,
6209 },
6210 },
6211 shouldFail: true,
6212 expectedLocalError: "remote error: illegal parameter",
6213 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6214 })
6215
6216 testCases = append(testCases, testCase{
6217 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6218 name: "Resume-Server-InvalidPSKBinder",
6219 resumeSession: true,
6220 config: Config{
6221 MaxVersion: VersionTLS13,
6222 Bugs: ProtocolBugs{
6223 SendInvalidPSKBinder: true,
6224 },
6225 },
6226 shouldFail: true,
6227 expectedLocalError: "remote error: error decrypting message",
6228 expectedError: ":DIGEST_CHECK_FAILED:",
6229 })
6230
6231 testCases = append(testCases, testCase{
6232 testType: serverTest,
6233 name: "Resume-Server-PSKBinderFirstExtension",
6234 resumeSession: true,
6235 config: Config{
6236 MaxVersion: VersionTLS13,
6237 Bugs: ProtocolBugs{
6238 PSKBinderFirst: true,
6239 },
6240 },
6241 shouldFail: true,
6242 expectedLocalError: "remote error: illegal parameter",
6243 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6244 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6245}
6246
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6247func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6248 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6249 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6250 testType: serverTest,
6251 name: "Renegotiate-Server-Forbidden",
6252 config: Config{
6253 MaxVersion: VersionTLS12,
6254 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6255 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6256 shouldFail: true,
6257 expectedError: ":NO_RENEGOTIATION:",
6258 expectedLocalError: "remote error: no renegotiation",
6259 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6260 // The server shouldn't echo the renegotiation extension unless
6261 // requested by the client.
6262 testCases = append(testCases, testCase{
6263 testType: serverTest,
6264 name: "Renegotiate-Server-NoExt",
6265 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6266 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6267 Bugs: ProtocolBugs{
6268 NoRenegotiationInfo: true,
6269 RequireRenegotiationInfo: true,
6270 },
6271 },
6272 shouldFail: true,
6273 expectedLocalError: "renegotiation extension missing",
6274 })
6275 // The renegotiation SCSV should be sufficient for the server to echo
6276 // the extension.
6277 testCases = append(testCases, testCase{
6278 testType: serverTest,
6279 name: "Renegotiate-Server-NoExt-SCSV",
6280 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6281 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6282 Bugs: ProtocolBugs{
6283 NoRenegotiationInfo: true,
6284 SendRenegotiationSCSV: true,
6285 RequireRenegotiationInfo: true,
6286 },
6287 },
6288 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6289 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6290 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6291 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6292 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6293 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6294 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6295 },
6296 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6297 renegotiate: 1,
6298 flags: []string{
6299 "-renegotiate-freely",
6300 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6301 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6302 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6303 })
6304 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6305 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6306 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6307 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6308 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6309 Bugs: ProtocolBugs{
6310 EmptyRenegotiationInfo: true,
6311 },
6312 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6313 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6314 shouldFail: true,
6315 expectedError: ":RENEGOTIATION_MISMATCH:",
6316 })
6317 testCases = append(testCases, testCase{
6318 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6319 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6320 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6321 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6322 Bugs: ProtocolBugs{
6323 BadRenegotiationInfo: true,
6324 },
6325 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6326 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6327 shouldFail: true,
6328 expectedError: ":RENEGOTIATION_MISMATCH:",
6329 })
6330 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6331 name: "Renegotiate-Client-Downgrade",
6332 renegotiate: 1,
6333 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6334 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6335 Bugs: ProtocolBugs{
6336 NoRenegotiationInfoAfterInitial: true,
6337 },
6338 },
6339 flags: []string{"-renegotiate-freely"},
6340 shouldFail: true,
6341 expectedError: ":RENEGOTIATION_MISMATCH:",
6342 })
6343 testCases = append(testCases, testCase{
6344 name: "Renegotiate-Client-Upgrade",
6345 renegotiate: 1,
6346 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6347 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6348 Bugs: ProtocolBugs{
6349 NoRenegotiationInfoInInitial: true,
6350 },
6351 },
6352 flags: []string{"-renegotiate-freely"},
6353 shouldFail: true,
6354 expectedError: ":RENEGOTIATION_MISMATCH:",
6355 })
6356 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6357 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6358 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6359 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6360 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6361 Bugs: ProtocolBugs{
6362 NoRenegotiationInfo: true,
6363 },
6364 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6365 flags: []string{
6366 "-renegotiate-freely",
6367 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6368 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6369 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6370 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6371
6372 // Test that the server may switch ciphers on renegotiation without
6373 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6374 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6375 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6376 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6377 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6378 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6379 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6380 },
6381 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6382 flags: []string{
6383 "-renegotiate-freely",
6384 "-expect-total-renegotiations", "1",
6385 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6386 })
6387 testCases = append(testCases, testCase{
6388 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6389 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6390 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6391 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6392 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6393 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6394 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6395 flags: []string{
6396 "-renegotiate-freely",
6397 "-expect-total-renegotiations", "1",
6398 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6399 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6400
6401 // Test that the server may not switch versions on renegotiation.
6402 testCases = append(testCases, testCase{
6403 name: "Renegotiate-Client-SwitchVersion",
6404 config: Config{
6405 MaxVersion: VersionTLS12,
6406 // Pick a cipher which exists at both versions.
6407 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6408 Bugs: ProtocolBugs{
6409 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6410 // Avoid failing early at the record layer.
6411 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6412 },
6413 },
6414 renegotiate: 1,
6415 flags: []string{
6416 "-renegotiate-freely",
6417 "-expect-total-renegotiations", "1",
6418 },
6419 shouldFail: true,
6420 expectedError: ":WRONG_SSL_VERSION:",
6421 })
6422
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6423 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6424 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6425 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6426 config: Config{
6427 MaxVersion: VersionTLS10,
6428 Bugs: ProtocolBugs{
6429 RequireSameRenegoClientVersion: true,
6430 },
6431 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6432 flags: []string{
6433 "-renegotiate-freely",
6434 "-expect-total-renegotiations", "1",
6435 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6436 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6437 testCases = append(testCases, testCase{
6438 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6439 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6440 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6441 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6442 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6443 NextProtos: []string{"foo"},
6444 },
6445 flags: []string{
6446 "-false-start",
6447 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6448 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6449 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6450 },
6451 shimWritesFirst: true,
6452 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6453
6454 // Client-side renegotiation controls.
6455 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6456 name: "Renegotiate-Client-Forbidden-1",
6457 config: Config{
6458 MaxVersion: VersionTLS12,
6459 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6460 renegotiate: 1,
6461 shouldFail: true,
6462 expectedError: ":NO_RENEGOTIATION:",
6463 expectedLocalError: "remote error: no renegotiation",
6464 })
6465 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6466 name: "Renegotiate-Client-Once-1",
6467 config: Config{
6468 MaxVersion: VersionTLS12,
6469 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6470 renegotiate: 1,
6471 flags: []string{
6472 "-renegotiate-once",
6473 "-expect-total-renegotiations", "1",
6474 },
6475 })
6476 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6477 name: "Renegotiate-Client-Freely-1",
6478 config: Config{
6479 MaxVersion: VersionTLS12,
6480 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6481 renegotiate: 1,
6482 flags: []string{
6483 "-renegotiate-freely",
6484 "-expect-total-renegotiations", "1",
6485 },
6486 })
6487 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6488 name: "Renegotiate-Client-Once-2",
6489 config: Config{
6490 MaxVersion: VersionTLS12,
6491 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6492 renegotiate: 2,
6493 flags: []string{"-renegotiate-once"},
6494 shouldFail: true,
6495 expectedError: ":NO_RENEGOTIATION:",
6496 expectedLocalError: "remote error: no renegotiation",
6497 })
6498 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6499 name: "Renegotiate-Client-Freely-2",
6500 config: Config{
6501 MaxVersion: VersionTLS12,
6502 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6503 renegotiate: 2,
6504 flags: []string{
6505 "-renegotiate-freely",
6506 "-expect-total-renegotiations", "2",
6507 },
6508 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6509 testCases = append(testCases, testCase{
6510 name: "Renegotiate-Client-NoIgnore",
6511 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6512 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6513 Bugs: ProtocolBugs{
6514 SendHelloRequestBeforeEveryAppDataRecord: true,
6515 },
6516 },
6517 shouldFail: true,
6518 expectedError: ":NO_RENEGOTIATION:",
6519 })
6520 testCases = append(testCases, testCase{
6521 name: "Renegotiate-Client-Ignore",
6522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6523 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6524 Bugs: ProtocolBugs{
6525 SendHelloRequestBeforeEveryAppDataRecord: true,
6526 },
6527 },
6528 flags: []string{
6529 "-renegotiate-ignore",
6530 "-expect-total-renegotiations", "0",
6531 },
6532 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6533
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6534 // Renegotiation is not allowed at SSL 3.0.
6535 testCases = append(testCases, testCase{
6536 name: "Renegotiate-Client-SSL3",
6537 config: Config{
6538 MaxVersion: VersionSSL30,
6539 },
6540 renegotiate: 1,
6541 flags: []string{
6542 "-renegotiate-freely",
6543 "-expect-total-renegotiations", "1",
6544 },
6545 shouldFail: true,
6546 expectedError: ":NO_RENEGOTIATION:",
6547 expectedLocalError: "remote error: no renegotiation",
6548 })
6549
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6550 // Renegotiation is not allowed when there is an unfinished write.
6551 testCases = append(testCases, testCase{
6552 name: "Renegotiate-Client-UnfinishedWrite",
6553 config: Config{
6554 MaxVersion: VersionTLS12,
6555 },
6556 renegotiate: 1,
6557 flags: []string{
6558 "-async",
6559 "-renegotiate-freely",
6560 "-read-with-unfinished-write",
6561 },
6562 shouldFail: true,
6563 expectedError: ":NO_RENEGOTIATION:",
6564 // We do not successfully send the no_renegotiation alert in
6565 // this case. https://crbug.com/boringssl/130
6566 })
6567
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6568 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6569 testCases = append(testCases, testCase{
6570 name: "StrayHelloRequest",
6571 config: Config{
6572 MaxVersion: VersionTLS12,
6573 Bugs: ProtocolBugs{
6574 SendHelloRequestBeforeEveryHandshakeMessage: true,
6575 },
6576 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6577 shouldFail: true,
6578 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6579 })
6580 testCases = append(testCases, testCase{
6581 name: "StrayHelloRequest-Packed",
6582 config: Config{
6583 MaxVersion: VersionTLS12,
6584 Bugs: ProtocolBugs{
6585 PackHandshakeFlight: true,
6586 SendHelloRequestBeforeEveryHandshakeMessage: true,
6587 },
6588 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6589 shouldFail: true,
6590 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6591 })
6592
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6593 // Test renegotiation works if HelloRequest and server Finished come in
6594 // the same record.
6595 testCases = append(testCases, testCase{
6596 name: "Renegotiate-Client-Packed",
6597 config: Config{
6598 MaxVersion: VersionTLS12,
6599 Bugs: ProtocolBugs{
6600 PackHandshakeFlight: true,
6601 PackHelloRequestWithFinished: true,
6602 },
6603 },
6604 renegotiate: 1,
6605 flags: []string{
6606 "-renegotiate-freely",
6607 "-expect-total-renegotiations", "1",
6608 },
6609 })
6610
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6611 // Renegotiation is forbidden in TLS 1.3.
6612 testCases = append(testCases, testCase{
6613 name: "Renegotiate-Client-TLS13",
6614 config: Config{
6615 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6616 Bugs: ProtocolBugs{
6617 SendHelloRequestBeforeEveryAppDataRecord: true,
6618 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6619 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6620 flags: []string{
6621 "-renegotiate-freely",
6622 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6623 shouldFail: true,
6624 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6625 })
6626
6627 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6628 testCases = append(testCases, testCase{
6629 name: "StrayHelloRequest-TLS13",
6630 config: Config{
6631 MaxVersion: VersionTLS13,
6632 Bugs: ProtocolBugs{
6633 SendHelloRequestBeforeEveryHandshakeMessage: true,
6634 },
6635 },
6636 shouldFail: true,
6637 expectedError: ":UNEXPECTED_MESSAGE:",
6638 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6639
6640 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6641 // always reads as supporting it, regardless of whether it was
6642 // negotiated.
6643 testCases = append(testCases, testCase{
6644 name: "AlwaysReportRenegotiationInfo-TLS13",
6645 config: Config{
6646 MaxVersion: VersionTLS13,
6647 Bugs: ProtocolBugs{
6648 NoRenegotiationInfo: true,
6649 },
6650 },
6651 flags: []string{
6652 "-expect-secure-renegotiation",
6653 },
6654 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6655
6656 // Certificates may not change on renegotiation.
6657 testCases = append(testCases, testCase{
6658 name: "Renegotiation-CertificateChange",
6659 config: Config{
6660 MaxVersion: VersionTLS12,
6661 Certificates: []Certificate{rsaCertificate},
6662 Bugs: ProtocolBugs{
6663 RenegotiationCertificate: &rsaChainCertificate,
6664 },
6665 },
6666 renegotiate: 1,
6667 flags: []string{"-renegotiate-freely"},
6668 shouldFail: true,
6669 expectedError: ":SERVER_CERT_CHANGED:",
6670 })
6671 testCases = append(testCases, testCase{
6672 name: "Renegotiation-CertificateChange-2",
6673 config: Config{
6674 MaxVersion: VersionTLS12,
6675 Certificates: []Certificate{rsaCertificate},
6676 Bugs: ProtocolBugs{
6677 RenegotiationCertificate: &rsa1024Certificate,
6678 },
6679 },
6680 renegotiate: 1,
6681 flags: []string{"-renegotiate-freely"},
6682 shouldFail: true,
6683 expectedError: ":SERVER_CERT_CHANGED:",
6684 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6685
6686 // We do not negotiate ALPN after the initial handshake. This is
6687 // error-prone and only risks bugs in consumers.
6688 testCases = append(testCases, testCase{
6689 testType: clientTest,
6690 name: "Renegotiation-ForbidALPN",
6691 config: Config{
6692 MaxVersion: VersionTLS12,
6693 Bugs: ProtocolBugs{
6694 // Forcibly negotiate ALPN on both initial and
6695 // renegotiation handshakes. The test stack will
6696 // internally check the client does not offer
6697 // it.
6698 SendALPN: "foo",
6699 },
6700 },
6701 flags: []string{
6702 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6703 "-expect-alpn", "foo",
6704 "-renegotiate-freely",
6705 },
6706 renegotiate: 1,
6707 shouldFail: true,
6708 expectedError: ":UNEXPECTED_EXTENSION:",
6709 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6710}
6711
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6712func addDTLSReplayTests() {
6713 // Test that sequence number replays are detected.
6714 testCases = append(testCases, testCase{
6715 protocol: dtls,
6716 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6717 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6718 replayWrites: true,
6719 })
6720
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6721 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6722 // than the retransmit window.
6723 testCases = append(testCases, testCase{
6724 protocol: dtls,
6725 name: "DTLS-Replay-LargeGaps",
6726 config: Config{
6727 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6728 SequenceNumberMapping: func(in uint64) uint64 {
6729 return in * 127
6730 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6731 },
6732 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6733 messageCount: 200,
6734 replayWrites: true,
6735 })
6736
6737 // Test the incoming sequence number changing non-monotonically.
6738 testCases = append(testCases, testCase{
6739 protocol: dtls,
6740 name: "DTLS-Replay-NonMonotonic",
6741 config: Config{
6742 Bugs: ProtocolBugs{
6743 SequenceNumberMapping: func(in uint64) uint64 {
6744 return in ^ 31
6745 },
6746 },
6747 },
6748 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6749 replayWrites: true,
6750 })
6751}
6752
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6753var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6754 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6755 id signatureAlgorithm
6756 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6757}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6758 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6759 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6760 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6761 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6762 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6763 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6764 // hash function doesn't have to match the curve and so the same
6765 // signature algorithm works with P-224.
6766 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6767 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6768 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6769 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6770 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6771 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6772 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6773 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6774 // Tests for key types prior to TLS 1.2.
6775 {"RSA", 0, testCertRSA},
6776 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6777}
6778
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6779const fakeSigAlg1 signatureAlgorithm = 0x2a01
6780const fakeSigAlg2 signatureAlgorithm = 0xff01
6781
6782func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6783 // Not all ciphers involve a signature. Advertise a list which gives all
6784 // versions a signing cipher.
6785 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6786 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6787 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6788 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6789 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6790 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6791 }
6792 if *includeDHE {
6793 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6794 }
6795
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6796 var allAlgorithms []signatureAlgorithm
6797 for _, alg := range testSignatureAlgorithms {
6798 if alg.id != 0 {
6799 allAlgorithms = append(allAlgorithms, alg.id)
6800 }
6801 }
6802
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6803 // Make sure each signature algorithm works. Include some fake values in
6804 // the list and ensure they're ignored.
6805 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6806 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6807 if (ver.version < VersionTLS12) != (alg.id == 0) {
6808 continue
6809 }
6810
6811 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6812 // or remove it in C.
6813 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6814 continue
6815 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6816
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6817 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6818 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6819 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6820 shouldSignFail = true
6821 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6822 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6823 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6824 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6825 shouldSignFail = true
6826 shouldVerifyFail = true
6827 }
6828 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6829 // the curve has to match the hash size.
6830 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6831 shouldSignFail = true
6832 shouldVerifyFail = true
6833 }
6834
6835 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6836 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6837 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6838 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6839
6840 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6841 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6842 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6843 }
6844 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6845 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6846 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6847
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6848 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6849
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6850 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6851 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6852 config: Config{
6853 MaxVersion: ver.version,
6854 ClientAuth: RequireAnyClientCert,
6855 VerifySignatureAlgorithms: []signatureAlgorithm{
6856 fakeSigAlg1,
6857 alg.id,
6858 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6859 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6860 },
6861 flags: []string{
6862 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6863 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6864 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6865 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6866 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6867 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6868 expectedError: signError,
6869 expectedPeerSignatureAlgorithm: alg.id,
6870 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6871
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6872 testCases = append(testCases, testCase{
6873 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6874 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6875 config: Config{
6876 MaxVersion: ver.version,
6877 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6878 SignSignatureAlgorithms: []signatureAlgorithm{
6879 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6880 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6881 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6882 SkipECDSACurveCheck: shouldVerifyFail,
6883 IgnoreSignatureVersionChecks: shouldVerifyFail,
6884 // Some signature algorithms may not be advertised.
6885 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6886 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6887 },
6888 flags: []string{
6889 "-require-any-client-certificate",
6890 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6891 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6892 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6893 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6894 // Resume the session to assert the peer signature
6895 // algorithm is reported on both handshakes.
6896 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6897 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6898 expectedError: verifyError,
6899 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6900
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6901 // No signing cipher for SSL 3.0.
6902 if *includeDHE || ver.version > VersionSSL30 {
6903 testCases = append(testCases, testCase{
6904 testType: serverTest,
6905 name: "ServerAuth-Sign" + suffix,
6906 config: Config{
6907 MaxVersion: ver.version,
6908 CipherSuites: signingCiphers,
6909 VerifySignatureAlgorithms: []signatureAlgorithm{
6910 fakeSigAlg1,
6911 alg.id,
6912 fakeSigAlg2,
6913 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6914 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6915 flags: []string{
6916 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6917 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6918 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6919 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6920 },
6921 shouldFail: shouldSignFail,
6922 expectedError: signError,
6923 expectedPeerSignatureAlgorithm: alg.id,
6924 })
6925 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6926
6927 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6928 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6929 config: Config{
6930 MaxVersion: ver.version,
6931 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6932 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6933 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6934 alg.id,
6935 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6936 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6937 SkipECDSACurveCheck: shouldVerifyFail,
6938 IgnoreSignatureVersionChecks: shouldVerifyFail,
6939 // Some signature algorithms may not be advertised.
6940 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6941 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6942 },
6943 flags: []string{
6944 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6945 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6946 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6947 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6948 // Resume the session to assert the peer signature
6949 // algorithm is reported on both handshakes.
6950 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6951 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6952 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6953 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6954
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6955 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6956 testCases = append(testCases, testCase{
6957 testType: serverTest,
6958 name: "ClientAuth-InvalidSignature" + suffix,
6959 config: Config{
6960 MaxVersion: ver.version,
6961 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6962 SignSignatureAlgorithms: []signatureAlgorithm{
6963 alg.id,
6964 },
6965 Bugs: ProtocolBugs{
6966 InvalidSignature: true,
6967 },
6968 },
6969 flags: []string{
6970 "-require-any-client-certificate",
6971 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6972 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6973 },
6974 shouldFail: true,
6975 expectedError: ":BAD_SIGNATURE:",
6976 })
6977
6978 testCases = append(testCases, testCase{
6979 name: "ServerAuth-InvalidSignature" + suffix,
6980 config: Config{
6981 MaxVersion: ver.version,
6982 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6983 CipherSuites: signingCiphers,
6984 SignSignatureAlgorithms: []signatureAlgorithm{
6985 alg.id,
6986 },
6987 Bugs: ProtocolBugs{
6988 InvalidSignature: true,
6989 },
6990 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]6991 flags: []string{
6992 "-enable-all-curves",
6993 "-enable-ed25519",
6994 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6995 shouldFail: true,
6996 expectedError: ":BAD_SIGNATURE:",
6997 })
6998 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6999
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]7000 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7001 testCases = append(testCases, testCase{
7002 name: "ClientAuth-Sign-Negotiate" + suffix,
7003 config: Config{
7004 MaxVersion: ver.version,
7005 ClientAuth: RequireAnyClientCert,
7006 VerifySignatureAlgorithms: allAlgorithms,
7007 },
7008 flags: []string{
7009 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7010 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7011 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]7012 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7013 "-signing-prefs", strconv.Itoa(int(alg.id)),
7014 },
7015 expectedPeerSignatureAlgorithm: alg.id,
7016 })
7017
7018 testCases = append(testCases, testCase{
7019 testType: serverTest,
7020 name: "ServerAuth-Sign-Negotiate" + suffix,
7021 config: Config{
7022 MaxVersion: ver.version,
7023 CipherSuites: signingCiphers,
7024 VerifySignatureAlgorithms: allAlgorithms,
7025 },
7026 flags: []string{
7027 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7028 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7029 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]7030 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7031 "-signing-prefs", strconv.Itoa(int(alg.id)),
7032 },
7033 expectedPeerSignatureAlgorithm: alg.id,
7034 })
7035 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7036 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7037 }
7038
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7039 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7040 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7041 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7042 config: Config{
7043 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7044 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7045 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7046 signatureECDSAWithP521AndSHA512,
7047 signatureRSAPKCS1WithSHA384,
7048 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7049 },
7050 },
7051 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7052 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7053 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7054 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7055 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7056 })
7057
7058 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7059 name: "ClientAuth-SignatureType-TLS13",
7060 config: Config{
7061 ClientAuth: RequireAnyClientCert,
7062 MaxVersion: VersionTLS13,
7063 VerifySignatureAlgorithms: []signatureAlgorithm{
7064 signatureECDSAWithP521AndSHA512,
7065 signatureRSAPKCS1WithSHA384,
7066 signatureRSAPSSWithSHA384,
7067 signatureECDSAWithSHA1,
7068 },
7069 },
7070 flags: []string{
7071 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7072 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7073 },
7074 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7075 })
7076
7077 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7078 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7079 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7080 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7081 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7082 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7083 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7084 signatureECDSAWithP521AndSHA512,
7085 signatureRSAPKCS1WithSHA384,
7086 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7087 },
7088 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7089 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7090 })
7091
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7092 testCases = append(testCases, testCase{
7093 testType: serverTest,
7094 name: "ServerAuth-SignatureType-TLS13",
7095 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7096 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7097 VerifySignatureAlgorithms: []signatureAlgorithm{
7098 signatureECDSAWithP521AndSHA512,
7099 signatureRSAPKCS1WithSHA384,
7100 signatureRSAPSSWithSHA384,
7101 signatureECDSAWithSHA1,
7102 },
7103 },
7104 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7105 })
7106
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7107 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7108 testCases = append(testCases, testCase{
7109 testType: serverTest,
7110 name: "Verify-ClientAuth-SignatureType",
7111 config: Config{
7112 MaxVersion: VersionTLS12,
7113 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7114 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7115 signatureRSAPKCS1WithSHA256,
7116 },
7117 Bugs: ProtocolBugs{
7118 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7119 },
7120 },
7121 flags: []string{
7122 "-require-any-client-certificate",
7123 },
7124 shouldFail: true,
7125 expectedError: ":WRONG_SIGNATURE_TYPE:",
7126 })
7127
7128 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7129 testType: serverTest,
7130 name: "Verify-ClientAuth-SignatureType-TLS13",
7131 config: Config{
7132 MaxVersion: VersionTLS13,
7133 Certificates: []Certificate{rsaCertificate},
7134 SignSignatureAlgorithms: []signatureAlgorithm{
7135 signatureRSAPSSWithSHA256,
7136 },
7137 Bugs: ProtocolBugs{
7138 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7139 },
7140 },
7141 flags: []string{
7142 "-require-any-client-certificate",
7143 },
7144 shouldFail: true,
7145 expectedError: ":WRONG_SIGNATURE_TYPE:",
7146 })
7147
7148 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7149 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7150 config: Config{
7151 MaxVersion: VersionTLS12,
7152 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7153 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7154 signatureRSAPKCS1WithSHA256,
7155 },
7156 Bugs: ProtocolBugs{
7157 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7158 },
7159 },
7160 shouldFail: true,
7161 expectedError: ":WRONG_SIGNATURE_TYPE:",
7162 })
7163
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7164 testCases = append(testCases, testCase{
7165 name: "Verify-ServerAuth-SignatureType-TLS13",
7166 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7167 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7168 SignSignatureAlgorithms: []signatureAlgorithm{
7169 signatureRSAPSSWithSHA256,
7170 },
7171 Bugs: ProtocolBugs{
7172 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7173 },
7174 },
7175 shouldFail: true,
7176 expectedError: ":WRONG_SIGNATURE_TYPE:",
7177 })
7178
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7179 // Test that, if the list is missing, the peer falls back to SHA-1 in
7180 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7181 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7182 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7183 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7184 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7185 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7186 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7187 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7188 },
7189 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7190 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7191 },
7192 },
7193 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7194 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7195 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7196 },
7197 })
7198
7199 testCases = append(testCases, testCase{
7200 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7201 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7202 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7203 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7204 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7205 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7206 },
7207 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7208 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7209 },
7210 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7211 flags: []string{
7212 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7213 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7214 },
7215 })
7216
7217 testCases = append(testCases, testCase{
7218 name: "ClientAuth-SHA1-Fallback-ECDSA",
7219 config: Config{
7220 MaxVersion: VersionTLS12,
7221 ClientAuth: RequireAnyClientCert,
7222 VerifySignatureAlgorithms: []signatureAlgorithm{
7223 signatureECDSAWithSHA1,
7224 },
7225 Bugs: ProtocolBugs{
7226 NoSignatureAlgorithms: true,
7227 },
7228 },
7229 flags: []string{
7230 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7231 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7232 },
7233 })
7234
7235 testCases = append(testCases, testCase{
7236 testType: serverTest,
7237 name: "ServerAuth-SHA1-Fallback-ECDSA",
7238 config: Config{
7239 MaxVersion: VersionTLS12,
7240 VerifySignatureAlgorithms: []signatureAlgorithm{
7241 signatureECDSAWithSHA1,
7242 },
7243 Bugs: ProtocolBugs{
7244 NoSignatureAlgorithms: true,
7245 },
7246 },
7247 flags: []string{
7248 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7249 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7250 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7251 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7252
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7253 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7254 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7255 config: Config{
7256 MaxVersion: VersionTLS13,
7257 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7258 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7259 signatureRSAPKCS1WithSHA1,
7260 },
7261 Bugs: ProtocolBugs{
7262 NoSignatureAlgorithms: true,
7263 },
7264 },
7265 flags: []string{
7266 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7267 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7268 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7269 shouldFail: true,
7270 // An empty CertificateRequest signature algorithm list is a
7271 // syntax error in TLS 1.3.
7272 expectedError: ":DECODE_ERROR:",
7273 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7274 })
7275
7276 testCases = append(testCases, testCase{
7277 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7278 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7279 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7280 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7281 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7282 signatureRSAPKCS1WithSHA1,
7283 },
7284 Bugs: ProtocolBugs{
7285 NoSignatureAlgorithms: true,
7286 },
7287 },
7288 shouldFail: true,
7289 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7290 })
7291
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7292 // Test that hash preferences are enforced. BoringSSL does not implement
7293 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7294 testCases = append(testCases, testCase{
7295 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7296 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7297 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7298 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7299 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7300 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7301 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7302 },
7303 Bugs: ProtocolBugs{
7304 IgnorePeerSignatureAlgorithmPreferences: true,
7305 },
7306 },
7307 flags: []string{"-require-any-client-certificate"},
7308 shouldFail: true,
7309 expectedError: ":WRONG_SIGNATURE_TYPE:",
7310 })
7311
7312 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7313 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7314 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7315 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7316 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7317 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7318 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7319 },
7320 Bugs: ProtocolBugs{
7321 IgnorePeerSignatureAlgorithmPreferences: true,
7322 },
7323 },
7324 shouldFail: true,
7325 expectedError: ":WRONG_SIGNATURE_TYPE:",
7326 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7327 testCases = append(testCases, testCase{
7328 testType: serverTest,
7329 name: "ClientAuth-Enforced-TLS13",
7330 config: Config{
7331 MaxVersion: VersionTLS13,
7332 Certificates: []Certificate{rsaCertificate},
7333 SignSignatureAlgorithms: []signatureAlgorithm{
7334 signatureRSAPKCS1WithMD5,
7335 },
7336 Bugs: ProtocolBugs{
7337 IgnorePeerSignatureAlgorithmPreferences: true,
7338 IgnoreSignatureVersionChecks: true,
7339 },
7340 },
7341 flags: []string{"-require-any-client-certificate"},
7342 shouldFail: true,
7343 expectedError: ":WRONG_SIGNATURE_TYPE:",
7344 })
7345
7346 testCases = append(testCases, testCase{
7347 name: "ServerAuth-Enforced-TLS13",
7348 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7349 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7350 SignSignatureAlgorithms: []signatureAlgorithm{
7351 signatureRSAPKCS1WithMD5,
7352 },
7353 Bugs: ProtocolBugs{
7354 IgnorePeerSignatureAlgorithmPreferences: true,
7355 IgnoreSignatureVersionChecks: true,
7356 },
7357 },
7358 shouldFail: true,
7359 expectedError: ":WRONG_SIGNATURE_TYPE:",
7360 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7361
7362 // Test that the agreed upon digest respects the client preferences and
7363 // the server digests.
7364 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7365 name: "NoCommonAlgorithms-Digests",
7366 config: Config{
7367 MaxVersion: VersionTLS12,
7368 ClientAuth: RequireAnyClientCert,
7369 VerifySignatureAlgorithms: []signatureAlgorithm{
7370 signatureRSAPKCS1WithSHA512,
7371 signatureRSAPKCS1WithSHA1,
7372 },
7373 },
7374 flags: []string{
7375 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7376 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7377 "-digest-prefs", "SHA256",
7378 },
7379 shouldFail: true,
7380 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7381 })
7382 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7383 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7384 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7385 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7386 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7387 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7388 signatureRSAPKCS1WithSHA512,
7389 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7390 },
7391 },
7392 flags: []string{
7393 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7394 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7395 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7396 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7397 shouldFail: true,
7398 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7399 })
7400 testCases = append(testCases, testCase{
7401 name: "NoCommonAlgorithms-TLS13",
7402 config: Config{
7403 MaxVersion: VersionTLS13,
7404 ClientAuth: RequireAnyClientCert,
7405 VerifySignatureAlgorithms: []signatureAlgorithm{
7406 signatureRSAPSSWithSHA512,
7407 signatureRSAPSSWithSHA384,
7408 },
7409 },
7410 flags: []string{
7411 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7412 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7413 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7414 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7415 shouldFail: true,
7416 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7417 })
7418 testCases = append(testCases, testCase{
7419 name: "Agree-Digest-SHA256",
7420 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7421 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7422 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7423 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7424 signatureRSAPKCS1WithSHA1,
7425 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7426 },
7427 },
7428 flags: []string{
7429 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7430 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7431 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7432 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7433 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7434 })
7435 testCases = append(testCases, testCase{
7436 name: "Agree-Digest-SHA1",
7437 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7438 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7439 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7440 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7441 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7442 },
7443 },
7444 flags: []string{
7445 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7446 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7447 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7448 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7449 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7450 })
7451 testCases = append(testCases, testCase{
7452 name: "Agree-Digest-Default",
7453 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7454 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7455 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7456 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7457 signatureRSAPKCS1WithSHA256,
7458 signatureECDSAWithP256AndSHA256,
7459 signatureRSAPKCS1WithSHA1,
7460 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7461 },
7462 },
7463 flags: []string{
7464 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7465 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7466 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7467 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7468 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7469
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7470 // Test that the signing preference list may include extra algorithms
7471 // without negotiation problems.
7472 testCases = append(testCases, testCase{
7473 testType: serverTest,
7474 name: "FilterExtraAlgorithms",
7475 config: Config{
7476 MaxVersion: VersionTLS12,
7477 VerifySignatureAlgorithms: []signatureAlgorithm{
7478 signatureRSAPKCS1WithSHA256,
7479 },
7480 },
7481 flags: []string{
7482 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7483 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7484 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7485 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7486 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7487 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7488 },
7489 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7490 })
7491
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7492 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7493 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7494 testCases = append(testCases, testCase{
7495 name: "CheckLeafCurve",
7496 config: Config{
7497 MaxVersion: VersionTLS12,
7498 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7499 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7500 },
7501 flags: []string{"-p384-only"},
7502 shouldFail: true,
7503 expectedError: ":BAD_ECC_CERT:",
7504 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7505
7506 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7507 testCases = append(testCases, testCase{
7508 name: "CheckLeafCurve-TLS13",
7509 config: Config{
7510 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7511 Certificates: []Certificate{ecdsaP256Certificate},
7512 },
7513 flags: []string{"-p384-only"},
7514 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7515
7516 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7517 testCases = append(testCases, testCase{
7518 name: "ECDSACurveMismatch-Verify-TLS12",
7519 config: Config{
7520 MaxVersion: VersionTLS12,
7521 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7522 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7523 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7524 signatureECDSAWithP384AndSHA384,
7525 },
7526 },
7527 })
7528
7529 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7530 testCases = append(testCases, testCase{
7531 name: "ECDSACurveMismatch-Verify-TLS13",
7532 config: Config{
7533 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7534 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7535 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7536 signatureECDSAWithP384AndSHA384,
7537 },
7538 Bugs: ProtocolBugs{
7539 SkipECDSACurveCheck: true,
7540 },
7541 },
7542 shouldFail: true,
7543 expectedError: ":WRONG_SIGNATURE_TYPE:",
7544 })
7545
7546 // Signature algorithm selection in TLS 1.3 should take the curve into
7547 // account.
7548 testCases = append(testCases, testCase{
7549 testType: serverTest,
7550 name: "ECDSACurveMismatch-Sign-TLS13",
7551 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7552 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7553 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7554 signatureECDSAWithP384AndSHA384,
7555 signatureECDSAWithP256AndSHA256,
7556 },
7557 },
7558 flags: []string{
7559 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7560 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7561 },
7562 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7563 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7564
7565 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7566 // server does not attempt to sign in that case.
7567 testCases = append(testCases, testCase{
7568 testType: serverTest,
7569 name: "RSA-PSS-Large",
7570 config: Config{
7571 MaxVersion: VersionTLS13,
7572 VerifySignatureAlgorithms: []signatureAlgorithm{
7573 signatureRSAPSSWithSHA512,
7574 },
7575 },
7576 flags: []string{
7577 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7578 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7579 },
7580 shouldFail: true,
7581 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7582 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7583
7584 // Test that RSA-PSS is enabled by default for TLS 1.2.
7585 testCases = append(testCases, testCase{
7586 testType: clientTest,
7587 name: "RSA-PSS-Default-Verify",
7588 config: Config{
7589 MaxVersion: VersionTLS12,
7590 SignSignatureAlgorithms: []signatureAlgorithm{
7591 signatureRSAPSSWithSHA256,
7592 },
7593 },
7594 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7595 })
7596
7597 testCases = append(testCases, testCase{
7598 testType: serverTest,
7599 name: "RSA-PSS-Default-Sign",
7600 config: Config{
7601 MaxVersion: VersionTLS12,
7602 VerifySignatureAlgorithms: []signatureAlgorithm{
7603 signatureRSAPSSWithSHA256,
7604 },
7605 },
7606 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7607 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame^]7608
7609 // TLS 1.1 and below has no way to advertise support for or negotiate
7610 // Ed25519's signature algorithm.
7611 testCases = append(testCases, testCase{
7612 testType: clientTest,
7613 name: "NoEd25519-TLS11-ServerAuth-Verify",
7614 config: Config{
7615 MaxVersion: VersionTLS11,
7616 Certificates: []Certificate{ed25519Certificate},
7617 Bugs: ProtocolBugs{
7618 // Sign with Ed25519 even though it is TLS 1.1.
7619 UseLegacySigningAlgorithm: signatureEd25519,
7620 },
7621 },
7622 flags: []string{"-enable-ed25519"},
7623 shouldFail: true,
7624 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7625 })
7626 testCases = append(testCases, testCase{
7627 testType: serverTest,
7628 name: "NoEd25519-TLS11-ServerAuth-Sign",
7629 config: Config{
7630 MaxVersion: VersionTLS11,
7631 },
7632 flags: []string{
7633 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7634 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7635 },
7636 shouldFail: true,
7637 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7638 })
7639 testCases = append(testCases, testCase{
7640 testType: serverTest,
7641 name: "NoEd25519-TLS11-ClientAuth-Verify",
7642 config: Config{
7643 MaxVersion: VersionTLS11,
7644 Certificates: []Certificate{ed25519Certificate},
7645 Bugs: ProtocolBugs{
7646 // Sign with Ed25519 even though it is TLS 1.1.
7647 UseLegacySigningAlgorithm: signatureEd25519,
7648 },
7649 },
7650 flags: []string{
7651 "-enable-ed25519",
7652 "-require-any-client-certificate",
7653 },
7654 shouldFail: true,
7655 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7656 })
7657 testCases = append(testCases, testCase{
7658 testType: clientTest,
7659 name: "NoEd25519-TLS11-ClientAuth-Sign",
7660 config: Config{
7661 MaxVersion: VersionTLS11,
7662 ClientAuth: RequireAnyClientCert,
7663 },
7664 flags: []string{
7665 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7666 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7667 },
7668 shouldFail: true,
7669 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7670 })
7671
7672 // Test Ed25519 is not advertised by default.
7673 testCases = append(testCases, testCase{
7674 testType: clientTest,
7675 name: "Ed25519DefaultDisable-NoAdvertise",
7676 config: Config{
7677 Certificates: []Certificate{ed25519Certificate},
7678 },
7679 shouldFail: true,
7680 expectedLocalError: "tls: no common signature algorithms",
7681 })
7682
7683 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7684 // preferences.
7685 testCases = append(testCases, testCase{
7686 testType: clientTest,
7687 name: "Ed25519DefaultDisable-NoAccept",
7688 config: Config{
7689 Certificates: []Certificate{ed25519Certificate},
7690 Bugs: ProtocolBugs{
7691 IgnorePeerSignatureAlgorithmPreferences: true,
7692 },
7693 },
7694 shouldFail: true,
7695 expectedLocalError: "remote error: illegal parameter",
7696 expectedError: ":WRONG_SIGNATURE_TYPE:",
7697 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7698}
7699
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7700// timeouts is the retransmit schedule for BoringSSL. It doubles and
7701// caps at 60 seconds. On the 13th timeout, it gives up.
7702var timeouts = []time.Duration{
7703 1 * time.Second,
7704 2 * time.Second,
7705 4 * time.Second,
7706 8 * time.Second,
7707 16 * time.Second,
7708 32 * time.Second,
7709 60 * time.Second,
7710 60 * time.Second,
7711 60 * time.Second,
7712 60 * time.Second,
7713 60 * time.Second,
7714 60 * time.Second,
7715 60 * time.Second,
7716}
7717
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7718// shortTimeouts is an alternate set of timeouts which would occur if the
7719// initial timeout duration was set to 250ms.
7720var shortTimeouts = []time.Duration{
7721 250 * time.Millisecond,
7722 500 * time.Millisecond,
7723 1 * time.Second,
7724 2 * time.Second,
7725 4 * time.Second,
7726 8 * time.Second,
7727 16 * time.Second,
7728 32 * time.Second,
7729 60 * time.Second,
7730 60 * time.Second,
7731 60 * time.Second,
7732 60 * time.Second,
7733 60 * time.Second,
7734}
7735
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7736func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7737 // These tests work by coordinating some behavior on both the shim and
7738 // the runner.
7739 //
7740 // TimeoutSchedule configures the runner to send a series of timeout
7741 // opcodes to the shim (see packetAdaptor) immediately before reading
7742 // each peer handshake flight N. The timeout opcode both simulates a
7743 // timeout in the shim and acts as a synchronization point to help the
7744 // runner bracket each handshake flight.
7745 //
7746 // We assume the shim does not read from the channel eagerly. It must
7747 // first wait until it has sent flight N and is ready to receive
7748 // handshake flight N+1. At this point, it will process the timeout
7749 // opcode. It must then immediately respond with a timeout ACK and act
7750 // as if the shim was idle for the specified amount of time.
7751 //
7752 // The runner then drops all packets received before the ACK and
7753 // continues waiting for flight N. This ordering results in one attempt
7754 // at sending flight N to be dropped. For the test to complete, the
7755 // shim must send flight N again, testing that the shim implements DTLS
7756 // retransmit on a timeout.
7757
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7758 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7759 // likely be more epochs to cross and the final message's retransmit may
7760 // be more complex.
7761
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7762 // Test that this is indeed the timeout schedule. Stress all
7763 // four patterns of handshake.
7764 for i := 1; i < len(timeouts); i++ {
7765 number := strconv.Itoa(i)
7766 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7767 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7768 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7769 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7770 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7771 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7772 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7773 },
7774 },
7775 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7776 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7777 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7778 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7779 protocol: dtls,
7780 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7781 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7782 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7783 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7784 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7785 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7786 },
7787 },
7788 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7789 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7790 })
7791 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7792
7793 // Test that exceeding the timeout schedule hits a read
7794 // timeout.
7795 testCases = append(testCases, testCase{
7796 protocol: dtls,
7797 name: "DTLS-Retransmit-Timeout",
7798 config: Config{
7799 MaxVersion: VersionTLS12,
7800 Bugs: ProtocolBugs{
7801 TimeoutSchedule: timeouts,
7802 },
7803 },
7804 resumeSession: true,
7805 flags: []string{"-async"},
7806 shouldFail: true,
7807 expectedError: ":READ_TIMEOUT_EXPIRED:",
7808 })
7809
7810 // Test that timeout handling has a fudge factor, due to API
7811 // problems.
7812 testCases = append(testCases, testCase{
7813 protocol: dtls,
7814 name: "DTLS-Retransmit-Fudge",
7815 config: Config{
7816 MaxVersion: VersionTLS12,
7817 Bugs: ProtocolBugs{
7818 TimeoutSchedule: []time.Duration{
7819 timeouts[0] - 10*time.Millisecond,
7820 },
7821 },
7822 },
7823 resumeSession: true,
7824 flags: []string{"-async"},
7825 })
7826
7827 // Test that the final Finished retransmitting isn't
7828 // duplicated if the peer badly fragments everything.
7829 testCases = append(testCases, testCase{
7830 testType: serverTest,
7831 protocol: dtls,
7832 name: "DTLS-Retransmit-Fragmented",
7833 config: Config{
7834 MaxVersion: VersionTLS12,
7835 Bugs: ProtocolBugs{
7836 TimeoutSchedule: []time.Duration{timeouts[0]},
7837 MaxHandshakeRecordLength: 2,
7838 },
7839 },
7840 flags: []string{"-async"},
7841 })
7842
7843 // Test the timeout schedule when a shorter initial timeout duration is set.
7844 testCases = append(testCases, testCase{
7845 protocol: dtls,
7846 name: "DTLS-Retransmit-Short-Client",
7847 config: Config{
7848 MaxVersion: VersionTLS12,
7849 Bugs: ProtocolBugs{
7850 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7851 },
7852 },
7853 resumeSession: true,
7854 flags: []string{
7855 "-async",
7856 "-initial-timeout-duration-ms", "250",
7857 },
7858 })
7859 testCases = append(testCases, testCase{
7860 protocol: dtls,
7861 testType: serverTest,
7862 name: "DTLS-Retransmit-Short-Server",
7863 config: Config{
7864 MaxVersion: VersionTLS12,
7865 Bugs: ProtocolBugs{
7866 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7867 },
7868 },
7869 resumeSession: true,
7870 flags: []string{
7871 "-async",
7872 "-initial-timeout-duration-ms", "250",
7873 },
7874 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7875}
7876
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7877func addExportKeyingMaterialTests() {
7878 for _, vers := range tlsVersions {
7879 if vers.version == VersionSSL30 {
7880 continue
7881 }
7882 testCases = append(testCases, testCase{
7883 name: "ExportKeyingMaterial-" + vers.name,
7884 config: Config{
7885 MaxVersion: vers.version,
7886 },
7887 exportKeyingMaterial: 1024,
7888 exportLabel: "label",
7889 exportContext: "context",
7890 useExportContext: true,
7891 })
7892 testCases = append(testCases, testCase{
7893 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7894 config: Config{
7895 MaxVersion: vers.version,
7896 },
7897 exportKeyingMaterial: 1024,
7898 })
7899 testCases = append(testCases, testCase{
7900 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7901 config: Config{
7902 MaxVersion: vers.version,
7903 },
7904 exportKeyingMaterial: 1024,
7905 useExportContext: true,
7906 })
7907 testCases = append(testCases, testCase{
7908 name: "ExportKeyingMaterial-Small-" + vers.name,
7909 config: Config{
7910 MaxVersion: vers.version,
7911 },
7912 exportKeyingMaterial: 1,
7913 exportLabel: "label",
7914 exportContext: "context",
7915 useExportContext: true,
7916 })
7917 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7918
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7919 testCases = append(testCases, testCase{
7920 name: "ExportKeyingMaterial-SSL3",
7921 config: Config{
7922 MaxVersion: VersionSSL30,
7923 },
7924 exportKeyingMaterial: 1024,
7925 exportLabel: "label",
7926 exportContext: "context",
7927 useExportContext: true,
7928 shouldFail: true,
7929 expectedError: "failed to export keying material",
7930 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7931
7932 // Exporters work during a False Start.
7933 testCases = append(testCases, testCase{
7934 name: "ExportKeyingMaterial-FalseStart",
7935 config: Config{
7936 MaxVersion: VersionTLS12,
7937 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7938 NextProtos: []string{"foo"},
7939 Bugs: ProtocolBugs{
7940 ExpectFalseStart: true,
7941 },
7942 },
7943 flags: []string{
7944 "-false-start",
7945 "-advertise-alpn", "\x03foo",
7946 },
7947 shimWritesFirst: true,
7948 exportKeyingMaterial: 1024,
7949 exportLabel: "label",
7950 exportContext: "context",
7951 useExportContext: true,
7952 })
7953
7954 // Exporters do not work in the middle of a renegotiation. Test this by
7955 // triggering the exporter after every SSL_read call and configuring the
7956 // shim to run asynchronously.
7957 testCases = append(testCases, testCase{
7958 name: "ExportKeyingMaterial-Renegotiate",
7959 config: Config{
7960 MaxVersion: VersionTLS12,
7961 },
7962 renegotiate: 1,
7963 flags: []string{
7964 "-async",
7965 "-use-exporter-between-reads",
7966 "-renegotiate-freely",
7967 "-expect-total-renegotiations", "1",
7968 },
7969 shouldFail: true,
7970 expectedError: "failed to export keying material",
7971 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7972}
7973
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7974func addTLSUniqueTests() {
7975 for _, isClient := range []bool{false, true} {
7976 for _, isResumption := range []bool{false, true} {
7977 for _, hasEMS := range []bool{false, true} {
7978 var suffix string
7979 if isResumption {
7980 suffix = "Resume-"
7981 } else {
7982 suffix = "Full-"
7983 }
7984
7985 if hasEMS {
7986 suffix += "EMS-"
7987 } else {
7988 suffix += "NoEMS-"
7989 }
7990
7991 if isClient {
7992 suffix += "Client"
7993 } else {
7994 suffix += "Server"
7995 }
7996
7997 test := testCase{
7998 name: "TLSUnique-" + suffix,
7999 testTLSUnique: true,
8000 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8001 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8002 Bugs: ProtocolBugs{
8003 NoExtendedMasterSecret: !hasEMS,
8004 },
8005 },
8006 }
8007
8008 if isResumption {
8009 test.resumeSession = true
8010 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8011 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8012 Bugs: ProtocolBugs{
8013 NoExtendedMasterSecret: !hasEMS,
8014 },
8015 }
8016 }
8017
8018 if isResumption && !hasEMS {
8019 test.shouldFail = true
8020 test.expectedError = "failed to get tls-unique"
8021 }
8022
8023 testCases = append(testCases, test)
8024 }
8025 }
8026 }
8027}
8028
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8029func addCustomExtensionTests() {
8030 expectedContents := "custom extension"
8031 emptyString := ""
8032
8033 for _, isClient := range []bool{false, true} {
8034 suffix := "Server"
8035 flag := "-enable-server-custom-extension"
8036 testType := serverTest
8037 if isClient {
8038 suffix = "Client"
8039 flag = "-enable-client-custom-extension"
8040 testType = clientTest
8041 }
8042
8043 testCases = append(testCases, testCase{
8044 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8045 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8046 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8047 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8048 Bugs: ProtocolBugs{
8049 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8050 ExpectedCustomExtension: &expectedContents,
8051 },
8052 },
8053 flags: []string{flag},
8054 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8055 testCases = append(testCases, testCase{
8056 testType: testType,
8057 name: "CustomExtensions-" + suffix + "-TLS13",
8058 config: Config{
8059 MaxVersion: VersionTLS13,
8060 Bugs: ProtocolBugs{
8061 CustomExtension: expectedContents,
8062 ExpectedCustomExtension: &expectedContents,
8063 },
8064 },
8065 flags: []string{flag},
8066 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8067
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8068 // 0-RTT is not currently supported with Custom Extensions.
8069 testCases = append(testCases, testCase{
8070 testType: testType,
8071 name: "CustomExtensions-" + suffix + "-EarlyData",
8072 config: Config{
8073 MaxVersion: VersionTLS13,
8074 Bugs: ProtocolBugs{
8075 CustomExtension: expectedContents,
8076 ExpectedCustomExtension: &expectedContents,
8077 },
8078 },
8079 shouldFail: true,
8080 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8081 flags: []string{flag, "-enable-early-data"},
8082 })
8083
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8084 // If the parse callback fails, the handshake should also fail.
8085 testCases = append(testCases, testCase{
8086 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8087 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8089 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8090 Bugs: ProtocolBugs{
8091 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8092 ExpectedCustomExtension: &expectedContents,
8093 },
8094 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8095 flags: []string{flag},
8096 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8097 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8098 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8099 testCases = append(testCases, testCase{
8100 testType: testType,
8101 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8102 config: Config{
8103 MaxVersion: VersionTLS13,
8104 Bugs: ProtocolBugs{
8105 CustomExtension: expectedContents + "foo",
8106 ExpectedCustomExtension: &expectedContents,
8107 },
8108 },
8109 flags: []string{flag},
8110 shouldFail: true,
8111 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8112 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8113
8114 // If the add callback fails, the handshake should also fail.
8115 testCases = append(testCases, testCase{
8116 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8117 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8118 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8119 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8120 Bugs: ProtocolBugs{
8121 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8122 ExpectedCustomExtension: &expectedContents,
8123 },
8124 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8125 flags: []string{flag, "-custom-extension-fail-add"},
8126 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8127 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8128 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8129 testCases = append(testCases, testCase{
8130 testType: testType,
8131 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8132 config: Config{
8133 MaxVersion: VersionTLS13,
8134 Bugs: ProtocolBugs{
8135 CustomExtension: expectedContents,
8136 ExpectedCustomExtension: &expectedContents,
8137 },
8138 },
8139 flags: []string{flag, "-custom-extension-fail-add"},
8140 shouldFail: true,
8141 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8142 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8143
8144 // If the add callback returns zero, no extension should be
8145 // added.
8146 skipCustomExtension := expectedContents
8147 if isClient {
8148 // For the case where the client skips sending the
8149 // custom extension, the server must not “echo” it.
8150 skipCustomExtension = ""
8151 }
8152 testCases = append(testCases, testCase{
8153 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8154 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8155 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8156 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8157 Bugs: ProtocolBugs{
8158 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8159 ExpectedCustomExtension: &emptyString,
8160 },
8161 },
8162 flags: []string{flag, "-custom-extension-skip"},
8163 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8164 testCases = append(testCases, testCase{
8165 testType: testType,
8166 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8167 config: Config{
8168 MaxVersion: VersionTLS13,
8169 Bugs: ProtocolBugs{
8170 CustomExtension: skipCustomExtension,
8171 ExpectedCustomExtension: &emptyString,
8172 },
8173 },
8174 flags: []string{flag, "-custom-extension-skip"},
8175 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8176 }
8177
8178 // The custom extension add callback should not be called if the client
8179 // doesn't send the extension.
8180 testCases = append(testCases, testCase{
8181 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8182 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8183 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8184 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8185 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8186 ExpectedCustomExtension: &emptyString,
8187 },
8188 },
8189 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8190 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8191
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8192 testCases = append(testCases, testCase{
8193 testType: serverTest,
8194 name: "CustomExtensions-NotCalled-Server-TLS13",
8195 config: Config{
8196 MaxVersion: VersionTLS13,
8197 Bugs: ProtocolBugs{
8198 ExpectedCustomExtension: &emptyString,
8199 },
8200 },
8201 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8202 })
8203
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8204 // Test an unknown extension from the server.
8205 testCases = append(testCases, testCase{
8206 testType: clientTest,
8207 name: "UnknownExtension-Client",
8208 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8209 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8210 Bugs: ProtocolBugs{
8211 CustomExtension: expectedContents,
8212 },
8213 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8214 shouldFail: true,
8215 expectedError: ":UNEXPECTED_EXTENSION:",
8216 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8217 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8218 testCases = append(testCases, testCase{
8219 testType: clientTest,
8220 name: "UnknownExtension-Client-TLS13",
8221 config: Config{
8222 MaxVersion: VersionTLS13,
8223 Bugs: ProtocolBugs{
8224 CustomExtension: expectedContents,
8225 },
8226 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8227 shouldFail: true,
8228 expectedError: ":UNEXPECTED_EXTENSION:",
8229 expectedLocalError: "remote error: unsupported extension",
8230 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8231 testCases = append(testCases, testCase{
8232 testType: clientTest,
8233 name: "UnknownUnencryptedExtension-Client-TLS13",
8234 config: Config{
8235 MaxVersion: VersionTLS13,
8236 Bugs: ProtocolBugs{
8237 CustomUnencryptedExtension: expectedContents,
8238 },
8239 },
8240 shouldFail: true,
8241 expectedError: ":UNEXPECTED_EXTENSION:",
8242 // The shim must send an alert, but alerts at this point do not
8243 // get successfully decrypted by the runner.
8244 expectedLocalError: "local error: bad record MAC",
8245 })
8246 testCases = append(testCases, testCase{
8247 testType: clientTest,
8248 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8249 config: Config{
8250 MaxVersion: VersionTLS13,
8251 Bugs: ProtocolBugs{
8252 SendUnencryptedALPN: "foo",
8253 },
8254 },
8255 flags: []string{
8256 "-advertise-alpn", "\x03foo\x03bar",
8257 },
8258 shouldFail: true,
8259 expectedError: ":UNEXPECTED_EXTENSION:",
8260 // The shim must send an alert, but alerts at this point do not
8261 // get successfully decrypted by the runner.
8262 expectedLocalError: "local error: bad record MAC",
8263 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8264
8265 // Test a known but unoffered extension from the server.
8266 testCases = append(testCases, testCase{
8267 testType: clientTest,
8268 name: "UnofferedExtension-Client",
8269 config: Config{
8270 MaxVersion: VersionTLS12,
8271 Bugs: ProtocolBugs{
8272 SendALPN: "alpn",
8273 },
8274 },
8275 shouldFail: true,
8276 expectedError: ":UNEXPECTED_EXTENSION:",
8277 expectedLocalError: "remote error: unsupported extension",
8278 })
8279 testCases = append(testCases, testCase{
8280 testType: clientTest,
8281 name: "UnofferedExtension-Client-TLS13",
8282 config: Config{
8283 MaxVersion: VersionTLS13,
8284 Bugs: ProtocolBugs{
8285 SendALPN: "alpn",
8286 },
8287 },
8288 shouldFail: true,
8289 expectedError: ":UNEXPECTED_EXTENSION:",
8290 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8291 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8292}
8293
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8294func addRSAClientKeyExchangeTests() {
8295 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8296 testCases = append(testCases, testCase{
8297 testType: serverTest,
8298 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8299 config: Config{
8300 // Ensure the ClientHello version and final
8301 // version are different, to detect if the
8302 // server uses the wrong one.
8303 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8304 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8305 Bugs: ProtocolBugs{
8306 BadRSAClientKeyExchange: bad,
8307 },
8308 },
8309 shouldFail: true,
8310 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8311 })
8312 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8313
8314 // The server must compare whatever was in ClientHello.version for the
8315 // RSA premaster.
8316 testCases = append(testCases, testCase{
8317 testType: serverTest,
8318 name: "SendClientVersion-RSA",
8319 config: Config{
8320 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8321 Bugs: ProtocolBugs{
8322 SendClientVersion: 0x1234,
8323 },
8324 },
8325 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8326 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8327}
8328
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8329var testCurves = []struct {
8330 name string
8331 id CurveID
8332}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8333 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8334 {"P-256", CurveP256},
8335 {"P-384", CurveP384},
8336 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8337 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8338}
8339
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8340const bogusCurve = 0x1234
8341
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8342func addCurveTests() {
8343 for _, curve := range testCurves {
8344 testCases = append(testCases, testCase{
8345 name: "CurveTest-Client-" + curve.name,
8346 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8347 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8348 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8349 CurvePreferences: []CurveID{curve.id},
8350 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8351 flags: []string{
8352 "-enable-all-curves",
8353 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8354 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8355 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8356 })
8357 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8358 name: "CurveTest-Client-" + curve.name + "-TLS13",
8359 config: Config{
8360 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8361 CurvePreferences: []CurveID{curve.id},
8362 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8363 flags: []string{
8364 "-enable-all-curves",
8365 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8366 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8367 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8368 })
8369 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8370 testType: serverTest,
8371 name: "CurveTest-Server-" + curve.name,
8372 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8373 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8374 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8375 CurvePreferences: []CurveID{curve.id},
8376 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8377 flags: []string{
8378 "-enable-all-curves",
8379 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8380 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8381 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8382 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8383 testCases = append(testCases, testCase{
8384 testType: serverTest,
8385 name: "CurveTest-Server-" + curve.name + "-TLS13",
8386 config: Config{
8387 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8388 CurvePreferences: []CurveID{curve.id},
8389 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8390 flags: []string{
8391 "-enable-all-curves",
8392 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8393 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8394 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8395 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8396 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8397
8398 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8399 testCases = append(testCases, testCase{
8400 testType: serverTest,
8401 name: "UnknownCurve",
8402 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8403 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8404 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8405 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8406 },
8407 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8408
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8409 // The server must be tolerant to bogus curves.
8410 testCases = append(testCases, testCase{
8411 testType: serverTest,
8412 name: "UnknownCurve-TLS13",
8413 config: Config{
8414 MaxVersion: VersionTLS13,
8415 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8416 },
8417 })
8418
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8419 // The server must not consider ECDHE ciphers when there are no
8420 // supported curves.
8421 testCases = append(testCases, testCase{
8422 testType: serverTest,
8423 name: "NoSupportedCurves",
8424 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8425 MaxVersion: VersionTLS12,
8426 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8427 Bugs: ProtocolBugs{
8428 NoSupportedCurves: true,
8429 },
8430 },
8431 shouldFail: true,
8432 expectedError: ":NO_SHARED_CIPHER:",
8433 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8434 testCases = append(testCases, testCase{
8435 testType: serverTest,
8436 name: "NoSupportedCurves-TLS13",
8437 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8438 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8439 Bugs: ProtocolBugs{
8440 NoSupportedCurves: true,
8441 },
8442 },
8443 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8444 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8445 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8446
8447 // The server must fall back to another cipher when there are no
8448 // supported curves.
8449 testCases = append(testCases, testCase{
8450 testType: serverTest,
8451 name: "NoCommonCurves",
8452 config: Config{
8453 MaxVersion: VersionTLS12,
8454 CipherSuites: []uint16{
8455 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8456 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8457 },
8458 CurvePreferences: []CurveID{CurveP224},
8459 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8460 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8461 })
8462
8463 // The client must reject bogus curves and disabled curves.
8464 testCases = append(testCases, testCase{
8465 name: "BadECDHECurve",
8466 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8467 MaxVersion: VersionTLS12,
8468 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8469 Bugs: ProtocolBugs{
8470 SendCurve: bogusCurve,
8471 },
8472 },
8473 shouldFail: true,
8474 expectedError: ":WRONG_CURVE:",
8475 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8476 testCases = append(testCases, testCase{
8477 name: "BadECDHECurve-TLS13",
8478 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8479 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8480 Bugs: ProtocolBugs{
8481 SendCurve: bogusCurve,
8482 },
8483 },
8484 shouldFail: true,
8485 expectedError: ":WRONG_CURVE:",
8486 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8487
8488 testCases = append(testCases, testCase{
8489 name: "UnsupportedCurve",
8490 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8491 MaxVersion: VersionTLS12,
8492 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8493 CurvePreferences: []CurveID{CurveP256},
8494 Bugs: ProtocolBugs{
8495 IgnorePeerCurvePreferences: true,
8496 },
8497 },
8498 flags: []string{"-p384-only"},
8499 shouldFail: true,
8500 expectedError: ":WRONG_CURVE:",
8501 })
8502
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8503 testCases = append(testCases, testCase{
8504 // TODO(davidben): Add a TLS 1.3 version where
8505 // HelloRetryRequest requests an unsupported curve.
8506 name: "UnsupportedCurve-ServerHello-TLS13",
8507 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8508 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8509 CurvePreferences: []CurveID{CurveP384},
8510 Bugs: ProtocolBugs{
8511 SendCurve: CurveP256,
8512 },
8513 },
8514 flags: []string{"-p384-only"},
8515 shouldFail: true,
8516 expectedError: ":WRONG_CURVE:",
8517 })
8518
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8519 // Test invalid curve points.
8520 testCases = append(testCases, testCase{
8521 name: "InvalidECDHPoint-Client",
8522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8523 MaxVersion: VersionTLS12,
8524 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8525 CurvePreferences: []CurveID{CurveP256},
8526 Bugs: ProtocolBugs{
8527 InvalidECDHPoint: true,
8528 },
8529 },
8530 shouldFail: true,
8531 expectedError: ":INVALID_ENCODING:",
8532 })
8533 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8534 name: "InvalidECDHPoint-Client-TLS13",
8535 config: Config{
8536 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8537 CurvePreferences: []CurveID{CurveP256},
8538 Bugs: ProtocolBugs{
8539 InvalidECDHPoint: true,
8540 },
8541 },
8542 shouldFail: true,
8543 expectedError: ":INVALID_ENCODING:",
8544 })
8545 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8546 testType: serverTest,
8547 name: "InvalidECDHPoint-Server",
8548 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8549 MaxVersion: VersionTLS12,
8550 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8551 CurvePreferences: []CurveID{CurveP256},
8552 Bugs: ProtocolBugs{
8553 InvalidECDHPoint: true,
8554 },
8555 },
8556 shouldFail: true,
8557 expectedError: ":INVALID_ENCODING:",
8558 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8559 testCases = append(testCases, testCase{
8560 testType: serverTest,
8561 name: "InvalidECDHPoint-Server-TLS13",
8562 config: Config{
8563 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8564 CurvePreferences: []CurveID{CurveP256},
8565 Bugs: ProtocolBugs{
8566 InvalidECDHPoint: true,
8567 },
8568 },
8569 shouldFail: true,
8570 expectedError: ":INVALID_ENCODING:",
8571 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8572
8573 // The previous curve ID should be reported on TLS 1.2 resumption.
8574 testCases = append(testCases, testCase{
8575 name: "CurveID-Resume-Client",
8576 config: Config{
8577 MaxVersion: VersionTLS12,
8578 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8579 CurvePreferences: []CurveID{CurveX25519},
8580 },
8581 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8582 resumeSession: true,
8583 })
8584 testCases = append(testCases, testCase{
8585 testType: serverTest,
8586 name: "CurveID-Resume-Server",
8587 config: Config{
8588 MaxVersion: VersionTLS12,
8589 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8590 CurvePreferences: []CurveID{CurveX25519},
8591 },
8592 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8593 resumeSession: true,
8594 })
8595
8596 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8597 // one should be reported.
8598 testCases = append(testCases, testCase{
8599 name: "CurveID-Resume-Client-TLS13",
8600 config: Config{
8601 MaxVersion: VersionTLS13,
8602 CurvePreferences: []CurveID{CurveX25519},
8603 },
8604 resumeConfig: &Config{
8605 MaxVersion: VersionTLS13,
8606 CurvePreferences: []CurveID{CurveP256},
8607 },
8608 flags: []string{
8609 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8610 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8611 },
8612 resumeSession: true,
8613 })
8614 testCases = append(testCases, testCase{
8615 testType: serverTest,
8616 name: "CurveID-Resume-Server-TLS13",
8617 config: Config{
8618 MaxVersion: VersionTLS13,
8619 CurvePreferences: []CurveID{CurveX25519},
8620 },
8621 resumeConfig: &Config{
8622 MaxVersion: VersionTLS13,
8623 CurvePreferences: []CurveID{CurveP256},
8624 },
8625 flags: []string{
8626 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8627 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8628 },
8629 resumeSession: true,
8630 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8631
8632 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8633 testCases = append(testCases, testCase{
8634 name: "PointFormat-ServerHello-TLS12",
8635 config: Config{
8636 MaxVersion: VersionTLS12,
8637 Bugs: ProtocolBugs{
8638 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8639 },
8640 },
8641 })
8642 testCases = append(testCases, testCase{
8643 name: "PointFormat-EncryptedExtensions-TLS13",
8644 config: Config{
8645 MaxVersion: VersionTLS13,
8646 Bugs: ProtocolBugs{
8647 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8648 },
8649 },
8650 shouldFail: true,
8651 expectedError: ":ERROR_PARSING_EXTENSION:",
8652 })
8653
8654 // Test that we tolerate unknown point formats, as long as
8655 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8656 // check they are still functional.
8657 testCases = append(testCases, testCase{
8658 name: "PointFormat-Client-Tolerance",
8659 config: Config{
8660 MaxVersion: VersionTLS12,
8661 Bugs: ProtocolBugs{
8662 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8663 },
8664 },
8665 })
8666 testCases = append(testCases, testCase{
8667 testType: serverTest,
8668 name: "PointFormat-Server-Tolerance",
8669 config: Config{
8670 MaxVersion: VersionTLS12,
8671 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8672 Bugs: ProtocolBugs{
8673 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8674 },
8675 },
8676 })
8677
8678 // Test TLS 1.2 does not require the point format extension to be
8679 // present.
8680 testCases = append(testCases, testCase{
8681 name: "PointFormat-Client-Missing",
8682 config: Config{
8683 MaxVersion: VersionTLS12,
8684 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8685 Bugs: ProtocolBugs{
8686 SendSupportedPointFormats: []byte{},
8687 },
8688 },
8689 })
8690 testCases = append(testCases, testCase{
8691 testType: serverTest,
8692 name: "PointFormat-Server-Missing",
8693 config: Config{
8694 MaxVersion: VersionTLS12,
8695 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8696 Bugs: ProtocolBugs{
8697 SendSupportedPointFormats: []byte{},
8698 },
8699 },
8700 })
8701
8702 // If the point format extension is present, uncompressed points must be
8703 // offered. BoringSSL requires this whether or not ECDHE is used.
8704 testCases = append(testCases, testCase{
8705 name: "PointFormat-Client-MissingUncompressed",
8706 config: Config{
8707 MaxVersion: VersionTLS12,
8708 Bugs: ProtocolBugs{
8709 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8710 },
8711 },
8712 shouldFail: true,
8713 expectedError: ":ERROR_PARSING_EXTENSION:",
8714 })
8715 testCases = append(testCases, testCase{
8716 testType: serverTest,
8717 name: "PointFormat-Server-MissingUncompressed",
8718 config: Config{
8719 MaxVersion: VersionTLS12,
8720 Bugs: ProtocolBugs{
8721 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8722 },
8723 },
8724 shouldFail: true,
8725 expectedError: ":ERROR_PARSING_EXTENSION:",
8726 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8727}
8728
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8729func addTLS13RecordTests() {
8730 testCases = append(testCases, testCase{
8731 name: "TLS13-RecordPadding",
8732 config: Config{
8733 MaxVersion: VersionTLS13,
8734 MinVersion: VersionTLS13,
8735 Bugs: ProtocolBugs{
8736 RecordPadding: 10,
8737 },
8738 },
8739 })
8740
8741 testCases = append(testCases, testCase{
8742 name: "TLS13-EmptyRecords",
8743 config: Config{
8744 MaxVersion: VersionTLS13,
8745 MinVersion: VersionTLS13,
8746 Bugs: ProtocolBugs{
8747 OmitRecordContents: true,
8748 },
8749 },
8750 shouldFail: true,
8751 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8752 })
8753
8754 testCases = append(testCases, testCase{
8755 name: "TLS13-OnlyPadding",
8756 config: Config{
8757 MaxVersion: VersionTLS13,
8758 MinVersion: VersionTLS13,
8759 Bugs: ProtocolBugs{
8760 OmitRecordContents: true,
8761 RecordPadding: 10,
8762 },
8763 },
8764 shouldFail: true,
8765 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8766 })
8767
8768 testCases = append(testCases, testCase{
8769 name: "TLS13-WrongOuterRecord",
8770 config: Config{
8771 MaxVersion: VersionTLS13,
8772 MinVersion: VersionTLS13,
8773 Bugs: ProtocolBugs{
8774 OuterRecordType: recordTypeHandshake,
8775 },
8776 },
8777 shouldFail: true,
8778 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8779 })
8780}
8781
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8782func addSessionTicketTests() {
8783 testCases = append(testCases, testCase{
8784 // In TLS 1.2 and below, empty NewSessionTicket messages
8785 // mean the server changed its mind on sending a ticket.
8786 name: "SendEmptySessionTicket",
8787 config: Config{
8788 MaxVersion: VersionTLS12,
8789 Bugs: ProtocolBugs{
8790 SendEmptySessionTicket: true,
8791 },
8792 },
8793 flags: []string{"-expect-no-session"},
8794 })
8795
8796 // Test that the server ignores unknown PSK modes.
8797 testCases = append(testCases, testCase{
8798 testType: serverTest,
8799 name: "TLS13-SendUnknownModeSessionTicket-Server",
8800 config: Config{
8801 MaxVersion: VersionTLS13,
8802 Bugs: ProtocolBugs{
8803 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8804 },
8805 },
8806 resumeSession: true,
8807 expectedResumeVersion: VersionTLS13,
8808 })
8809
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8810 // Test that the server does not send session tickets with no matching key exchange mode.
8811 testCases = append(testCases, testCase{
8812 testType: serverTest,
8813 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8814 config: Config{
8815 MaxVersion: VersionTLS13,
8816 Bugs: ProtocolBugs{
8817 SendPSKKeyExchangeModes: []byte{0x1a},
8818 ExpectNoNewSessionTicket: true,
8819 },
8820 },
8821 })
8822
8823 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8824 testCases = append(testCases, testCase{
8825 testType: serverTest,
8826 name: "TLS13-SendBadKEModeSessionTicket-Server",
8827 config: Config{
8828 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8829 },
8830 resumeConfig: &Config{
8831 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8832 Bugs: ProtocolBugs{
8833 SendPSKKeyExchangeModes: []byte{0x1a},
8834 },
8835 },
8836 resumeSession: true,
8837 expectResumeRejected: true,
8838 })
8839
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8840 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8841 testCases = append(testCases, testCase{
8842 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8843 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8844 config: Config{
8845 MaxVersion: VersionTLS13,
8846 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8847 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8848 },
8849 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8850 resumeSession: true,
8851 flags: []string{
8852 "-resumption-delay", "10",
8853 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8854 })
8855
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8856 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8857 testCases = append(testCases, testCase{
8858 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8859 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8860 config: Config{
8861 MaxVersion: VersionTLS13,
8862 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8863 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8864 },
8865 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8866 resumeSession: true,
8867 shouldFail: true,
8868 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8869 })
8870
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8871 // Test that the server's ticket age skew reporting works.
8872 testCases = append(testCases, testCase{
8873 testType: serverTest,
8874 name: "TLS13-TicketAgeSkew-Forward",
8875 config: Config{
8876 MaxVersion: VersionTLS13,
8877 Bugs: ProtocolBugs{
8878 SendTicketAge: 15 * time.Second,
8879 },
8880 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8881 resumeSession: true,
8882 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8883 flags: []string{
8884 "-resumption-delay", "10",
8885 "-expect-ticket-age-skew", "5",
8886 },
8887 })
8888 testCases = append(testCases, testCase{
8889 testType: serverTest,
8890 name: "TLS13-TicketAgeSkew-Backward",
8891 config: Config{
8892 MaxVersion: VersionTLS13,
8893 Bugs: ProtocolBugs{
8894 SendTicketAge: 5 * time.Second,
8895 },
8896 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8897 resumeSession: true,
8898 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8899 flags: []string{
8900 "-resumption-delay", "10",
8901 "-expect-ticket-age-skew", "-5",
8902 },
8903 })
8904
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8905 testCases = append(testCases, testCase{
8906 testType: clientTest,
8907 name: "TLS13-SendTicketEarlyDataInfo",
8908 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8909 MaxVersion: VersionTLS13,
8910 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8911 },
8912 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8913 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8914 "-expect-early-data-info",
8915 },
8916 })
8917
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8918 // Test that 0-RTT tickets are ignored in clients unless opted in.
8919 testCases = append(testCases, testCase{
8920 testType: clientTest,
8921 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8922 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8923 MaxVersion: VersionTLS13,
8924 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8925 },
8926 })
8927
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8928 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8929 testType: clientTest,
8930 name: "TLS13-DuplicateTicketEarlyDataInfo",
8931 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8932 MaxVersion: VersionTLS13,
8933 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8934 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8935 DuplicateTicketEarlyDataInfo: true,
8936 },
8937 },
8938 shouldFail: true,
8939 expectedError: ":DUPLICATE_EXTENSION:",
8940 expectedLocalError: "remote error: illegal parameter",
8941 })
8942
8943 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8944 testType: serverTest,
8945 name: "TLS13-ExpectTicketEarlyDataInfo",
8946 config: Config{
8947 MaxVersion: VersionTLS13,
8948 Bugs: ProtocolBugs{
8949 ExpectTicketEarlyDataInfo: true,
8950 },
8951 },
8952 flags: []string{
8953 "-enable-early-data",
8954 },
8955 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8956
8957 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8958 // is honored.
8959 testCases = append(testCases, testCase{
8960 testType: clientTest,
8961 name: "TLS13-HonorServerSessionTicketLifetime",
8962 config: Config{
8963 MaxVersion: VersionTLS13,
8964 Bugs: ProtocolBugs{
8965 SendTicketLifetime: 20 * time.Second,
8966 },
8967 },
8968 flags: []string{
8969 "-resumption-delay", "19",
8970 },
8971 resumeSession: true,
8972 })
8973 testCases = append(testCases, testCase{
8974 testType: clientTest,
8975 name: "TLS13-HonorServerSessionTicketLifetime-2",
8976 config: Config{
8977 MaxVersion: VersionTLS13,
8978 Bugs: ProtocolBugs{
8979 SendTicketLifetime: 20 * time.Second,
8980 // The client should not offer the expired session.
8981 ExpectNoTLS13PSK: true,
8982 },
8983 },
8984 flags: []string{
8985 "-resumption-delay", "21",
8986 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]8987 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8988 expectResumeRejected: true,
8989 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8990}
8991
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8992func addChangeCipherSpecTests() {
8993 // Test missing ChangeCipherSpecs.
8994 testCases = append(testCases, testCase{
8995 name: "SkipChangeCipherSpec-Client",
8996 config: Config{
8997 MaxVersion: VersionTLS12,
8998 Bugs: ProtocolBugs{
8999 SkipChangeCipherSpec: true,
9000 },
9001 },
9002 shouldFail: true,
9003 expectedError: ":UNEXPECTED_RECORD:",
9004 })
9005 testCases = append(testCases, testCase{
9006 testType: serverTest,
9007 name: "SkipChangeCipherSpec-Server",
9008 config: Config{
9009 MaxVersion: VersionTLS12,
9010 Bugs: ProtocolBugs{
9011 SkipChangeCipherSpec: true,
9012 },
9013 },
9014 shouldFail: true,
9015 expectedError: ":UNEXPECTED_RECORD:",
9016 })
9017 testCases = append(testCases, testCase{
9018 testType: serverTest,
9019 name: "SkipChangeCipherSpec-Server-NPN",
9020 config: Config{
9021 MaxVersion: VersionTLS12,
9022 NextProtos: []string{"bar"},
9023 Bugs: ProtocolBugs{
9024 SkipChangeCipherSpec: true,
9025 },
9026 },
9027 flags: []string{
9028 "-advertise-npn", "\x03foo\x03bar\x03baz",
9029 },
9030 shouldFail: true,
9031 expectedError: ":UNEXPECTED_RECORD:",
9032 })
9033
9034 // Test synchronization between the handshake and ChangeCipherSpec.
9035 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9036 // rejected. Test both with and without handshake packing to handle both
9037 // when the partial post-CCS message is in its own record and when it is
9038 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9039 for _, packed := range []bool{false, true} {
9040 var suffix string
9041 if packed {
9042 suffix = "-Packed"
9043 }
9044
9045 testCases = append(testCases, testCase{
9046 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9047 config: Config{
9048 MaxVersion: VersionTLS12,
9049 Bugs: ProtocolBugs{
9050 FragmentAcrossChangeCipherSpec: true,
9051 PackHandshakeFlight: packed,
9052 },
9053 },
9054 shouldFail: true,
9055 expectedError: ":UNEXPECTED_RECORD:",
9056 })
9057 testCases = append(testCases, testCase{
9058 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9059 config: Config{
9060 MaxVersion: VersionTLS12,
9061 },
9062 resumeSession: true,
9063 resumeConfig: &Config{
9064 MaxVersion: VersionTLS12,
9065 Bugs: ProtocolBugs{
9066 FragmentAcrossChangeCipherSpec: true,
9067 PackHandshakeFlight: packed,
9068 },
9069 },
9070 shouldFail: true,
9071 expectedError: ":UNEXPECTED_RECORD:",
9072 })
9073 testCases = append(testCases, testCase{
9074 testType: serverTest,
9075 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9076 config: Config{
9077 MaxVersion: VersionTLS12,
9078 Bugs: ProtocolBugs{
9079 FragmentAcrossChangeCipherSpec: true,
9080 PackHandshakeFlight: packed,
9081 },
9082 },
9083 shouldFail: true,
9084 expectedError: ":UNEXPECTED_RECORD:",
9085 })
9086 testCases = append(testCases, testCase{
9087 testType: serverTest,
9088 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9089 config: Config{
9090 MaxVersion: VersionTLS12,
9091 },
9092 resumeSession: true,
9093 resumeConfig: &Config{
9094 MaxVersion: VersionTLS12,
9095 Bugs: ProtocolBugs{
9096 FragmentAcrossChangeCipherSpec: true,
9097 PackHandshakeFlight: packed,
9098 },
9099 },
9100 shouldFail: true,
9101 expectedError: ":UNEXPECTED_RECORD:",
9102 })
9103 testCases = append(testCases, testCase{
9104 testType: serverTest,
9105 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9106 config: Config{
9107 MaxVersion: VersionTLS12,
9108 NextProtos: []string{"bar"},
9109 Bugs: ProtocolBugs{
9110 FragmentAcrossChangeCipherSpec: true,
9111 PackHandshakeFlight: packed,
9112 },
9113 },
9114 flags: []string{
9115 "-advertise-npn", "\x03foo\x03bar\x03baz",
9116 },
9117 shouldFail: true,
9118 expectedError: ":UNEXPECTED_RECORD:",
9119 })
9120 }
9121
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9122 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9123 // messages in the handshake queue. Do this by testing the server
9124 // reading the client Finished, reversing the flight so Finished comes
9125 // first.
9126 testCases = append(testCases, testCase{
9127 protocol: dtls,
9128 testType: serverTest,
9129 name: "SendUnencryptedFinished-DTLS",
9130 config: Config{
9131 MaxVersion: VersionTLS12,
9132 Bugs: ProtocolBugs{
9133 SendUnencryptedFinished: true,
9134 ReverseHandshakeFragments: true,
9135 },
9136 },
9137 shouldFail: true,
9138 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9139 })
9140
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9141 // Test synchronization between encryption changes and the handshake in
9142 // TLS 1.3, where ChangeCipherSpec is implicit.
9143 testCases = append(testCases, testCase{
9144 name: "PartialEncryptedExtensionsWithServerHello",
9145 config: Config{
9146 MaxVersion: VersionTLS13,
9147 Bugs: ProtocolBugs{
9148 PartialEncryptedExtensionsWithServerHello: true,
9149 },
9150 },
9151 shouldFail: true,
9152 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9153 })
9154 testCases = append(testCases, testCase{
9155 testType: serverTest,
9156 name: "PartialClientFinishedWithClientHello",
9157 config: Config{
9158 MaxVersion: VersionTLS13,
9159 Bugs: ProtocolBugs{
9160 PartialClientFinishedWithClientHello: true,
9161 },
9162 },
9163 shouldFail: true,
9164 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9165 })
9166
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9167 // Test that early ChangeCipherSpecs are handled correctly.
9168 testCases = append(testCases, testCase{
9169 testType: serverTest,
9170 name: "EarlyChangeCipherSpec-server-1",
9171 config: Config{
9172 MaxVersion: VersionTLS12,
9173 Bugs: ProtocolBugs{
9174 EarlyChangeCipherSpec: 1,
9175 },
9176 },
9177 shouldFail: true,
9178 expectedError: ":UNEXPECTED_RECORD:",
9179 })
9180 testCases = append(testCases, testCase{
9181 testType: serverTest,
9182 name: "EarlyChangeCipherSpec-server-2",
9183 config: Config{
9184 MaxVersion: VersionTLS12,
9185 Bugs: ProtocolBugs{
9186 EarlyChangeCipherSpec: 2,
9187 },
9188 },
9189 shouldFail: true,
9190 expectedError: ":UNEXPECTED_RECORD:",
9191 })
9192 testCases = append(testCases, testCase{
9193 protocol: dtls,
9194 name: "StrayChangeCipherSpec",
9195 config: Config{
9196 // TODO(davidben): Once DTLS 1.3 exists, test
9197 // that stray ChangeCipherSpec messages are
9198 // rejected.
9199 MaxVersion: VersionTLS12,
9200 Bugs: ProtocolBugs{
9201 StrayChangeCipherSpec: true,
9202 },
9203 },
9204 })
9205
9206 // Test that the contents of ChangeCipherSpec are checked.
9207 testCases = append(testCases, testCase{
9208 name: "BadChangeCipherSpec-1",
9209 config: Config{
9210 MaxVersion: VersionTLS12,
9211 Bugs: ProtocolBugs{
9212 BadChangeCipherSpec: []byte{2},
9213 },
9214 },
9215 shouldFail: true,
9216 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9217 })
9218 testCases = append(testCases, testCase{
9219 name: "BadChangeCipherSpec-2",
9220 config: Config{
9221 MaxVersion: VersionTLS12,
9222 Bugs: ProtocolBugs{
9223 BadChangeCipherSpec: []byte{1, 1},
9224 },
9225 },
9226 shouldFail: true,
9227 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9228 })
9229 testCases = append(testCases, testCase{
9230 protocol: dtls,
9231 name: "BadChangeCipherSpec-DTLS-1",
9232 config: Config{
9233 MaxVersion: VersionTLS12,
9234 Bugs: ProtocolBugs{
9235 BadChangeCipherSpec: []byte{2},
9236 },
9237 },
9238 shouldFail: true,
9239 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9240 })
9241 testCases = append(testCases, testCase{
9242 protocol: dtls,
9243 name: "BadChangeCipherSpec-DTLS-2",
9244 config: Config{
9245 MaxVersion: VersionTLS12,
9246 Bugs: ProtocolBugs{
9247 BadChangeCipherSpec: []byte{1, 1},
9248 },
9249 },
9250 shouldFail: true,
9251 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9252 })
9253}
9254
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9255type perMessageTest struct {
9256 messageType uint8
9257 test testCase
9258}
9259
9260// makePerMessageTests returns a series of test templates which cover each
9261// message in the TLS handshake. These may be used with bugs like
9262// WrongMessageType to fully test a per-message bug.
9263func makePerMessageTests() []perMessageTest {
9264 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9265 for _, protocol := range []protocol{tls, dtls} {
9266 var suffix string
9267 if protocol == dtls {
9268 suffix = "-DTLS"
9269 }
9270
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9271 ret = append(ret, perMessageTest{
9272 messageType: typeClientHello,
9273 test: testCase{
9274 protocol: protocol,
9275 testType: serverTest,
9276 name: "ClientHello" + suffix,
9277 config: Config{
9278 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9279 },
9280 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9281 })
9282
9283 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9284 ret = append(ret, perMessageTest{
9285 messageType: typeHelloVerifyRequest,
9286 test: testCase{
9287 protocol: protocol,
9288 name: "HelloVerifyRequest" + suffix,
9289 config: Config{
9290 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9291 },
9292 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9293 })
9294 }
9295
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9296 ret = append(ret, perMessageTest{
9297 messageType: typeServerHello,
9298 test: testCase{
9299 protocol: protocol,
9300 name: "ServerHello" + suffix,
9301 config: Config{
9302 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9303 },
9304 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9305 })
9306
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9307 ret = append(ret, perMessageTest{
9308 messageType: typeCertificate,
9309 test: testCase{
9310 protocol: protocol,
9311 name: "ServerCertificate" + suffix,
9312 config: Config{
9313 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9314 },
9315 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9316 })
9317
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9318 ret = append(ret, perMessageTest{
9319 messageType: typeCertificateStatus,
9320 test: testCase{
9321 protocol: protocol,
9322 name: "CertificateStatus" + suffix,
9323 config: Config{
9324 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9325 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9326 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9327 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9328 })
9329
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9330 ret = append(ret, perMessageTest{
9331 messageType: typeServerKeyExchange,
9332 test: testCase{
9333 protocol: protocol,
9334 name: "ServerKeyExchange" + suffix,
9335 config: Config{
9336 MaxVersion: VersionTLS12,
9337 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9338 },
9339 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9340 })
9341
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9342 ret = append(ret, perMessageTest{
9343 messageType: typeCertificateRequest,
9344 test: testCase{
9345 protocol: protocol,
9346 name: "CertificateRequest" + suffix,
9347 config: Config{
9348 MaxVersion: VersionTLS12,
9349 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9350 },
9351 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9352 })
9353
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9354 ret = append(ret, perMessageTest{
9355 messageType: typeServerHelloDone,
9356 test: testCase{
9357 protocol: protocol,
9358 name: "ServerHelloDone" + suffix,
9359 config: Config{
9360 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9361 },
9362 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9363 })
9364
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9365 ret = append(ret, perMessageTest{
9366 messageType: typeCertificate,
9367 test: testCase{
9368 testType: serverTest,
9369 protocol: protocol,
9370 name: "ClientCertificate" + suffix,
9371 config: Config{
9372 Certificates: []Certificate{rsaCertificate},
9373 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9374 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9375 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9376 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9377 })
9378
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9379 ret = append(ret, perMessageTest{
9380 messageType: typeCertificateVerify,
9381 test: testCase{
9382 testType: serverTest,
9383 protocol: protocol,
9384 name: "CertificateVerify" + suffix,
9385 config: Config{
9386 Certificates: []Certificate{rsaCertificate},
9387 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9388 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9389 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9390 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9391 })
9392
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9393 ret = append(ret, perMessageTest{
9394 messageType: typeClientKeyExchange,
9395 test: testCase{
9396 testType: serverTest,
9397 protocol: protocol,
9398 name: "ClientKeyExchange" + suffix,
9399 config: Config{
9400 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9401 },
9402 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9403 })
9404
9405 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9406 ret = append(ret, perMessageTest{
9407 messageType: typeNextProtocol,
9408 test: testCase{
9409 testType: serverTest,
9410 protocol: protocol,
9411 name: "NextProtocol" + suffix,
9412 config: Config{
9413 MaxVersion: VersionTLS12,
9414 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9415 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9416 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9417 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9418 })
9419
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9420 ret = append(ret, perMessageTest{
9421 messageType: typeChannelID,
9422 test: testCase{
9423 testType: serverTest,
9424 protocol: protocol,
9425 name: "ChannelID" + suffix,
9426 config: Config{
9427 MaxVersion: VersionTLS12,
9428 ChannelID: channelIDKey,
9429 },
9430 flags: []string{
9431 "-expect-channel-id",
9432 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9433 },
9434 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9435 })
9436 }
9437
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9438 ret = append(ret, perMessageTest{
9439 messageType: typeFinished,
9440 test: testCase{
9441 testType: serverTest,
9442 protocol: protocol,
9443 name: "ClientFinished" + suffix,
9444 config: Config{
9445 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9446 },
9447 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9448 })
9449
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9450 ret = append(ret, perMessageTest{
9451 messageType: typeNewSessionTicket,
9452 test: testCase{
9453 protocol: protocol,
9454 name: "NewSessionTicket" + suffix,
9455 config: Config{
9456 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9457 },
9458 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9459 })
9460
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9461 ret = append(ret, perMessageTest{
9462 messageType: typeFinished,
9463 test: testCase{
9464 protocol: protocol,
9465 name: "ServerFinished" + suffix,
9466 config: Config{
9467 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9468 },
9469 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9470 })
9471
9472 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9473
9474 ret = append(ret, perMessageTest{
9475 messageType: typeClientHello,
9476 test: testCase{
9477 testType: serverTest,
9478 name: "TLS13-ClientHello",
9479 config: Config{
9480 MaxVersion: VersionTLS13,
9481 },
9482 },
9483 })
9484
9485 ret = append(ret, perMessageTest{
9486 messageType: typeServerHello,
9487 test: testCase{
9488 name: "TLS13-ServerHello",
9489 config: Config{
9490 MaxVersion: VersionTLS13,
9491 },
9492 },
9493 })
9494
9495 ret = append(ret, perMessageTest{
9496 messageType: typeEncryptedExtensions,
9497 test: testCase{
9498 name: "TLS13-EncryptedExtensions",
9499 config: Config{
9500 MaxVersion: VersionTLS13,
9501 },
9502 },
9503 })
9504
9505 ret = append(ret, perMessageTest{
9506 messageType: typeCertificateRequest,
9507 test: testCase{
9508 name: "TLS13-CertificateRequest",
9509 config: Config{
9510 MaxVersion: VersionTLS13,
9511 ClientAuth: RequireAnyClientCert,
9512 },
9513 },
9514 })
9515
9516 ret = append(ret, perMessageTest{
9517 messageType: typeCertificate,
9518 test: testCase{
9519 name: "TLS13-ServerCertificate",
9520 config: Config{
9521 MaxVersion: VersionTLS13,
9522 },
9523 },
9524 })
9525
9526 ret = append(ret, perMessageTest{
9527 messageType: typeCertificateVerify,
9528 test: testCase{
9529 name: "TLS13-ServerCertificateVerify",
9530 config: Config{
9531 MaxVersion: VersionTLS13,
9532 },
9533 },
9534 })
9535
9536 ret = append(ret, perMessageTest{
9537 messageType: typeFinished,
9538 test: testCase{
9539 name: "TLS13-ServerFinished",
9540 config: Config{
9541 MaxVersion: VersionTLS13,
9542 },
9543 },
9544 })
9545
9546 ret = append(ret, perMessageTest{
9547 messageType: typeCertificate,
9548 test: testCase{
9549 testType: serverTest,
9550 name: "TLS13-ClientCertificate",
9551 config: Config{
9552 Certificates: []Certificate{rsaCertificate},
9553 MaxVersion: VersionTLS13,
9554 },
9555 flags: []string{"-require-any-client-certificate"},
9556 },
9557 })
9558
9559 ret = append(ret, perMessageTest{
9560 messageType: typeCertificateVerify,
9561 test: testCase{
9562 testType: serverTest,
9563 name: "TLS13-ClientCertificateVerify",
9564 config: Config{
9565 Certificates: []Certificate{rsaCertificate},
9566 MaxVersion: VersionTLS13,
9567 },
9568 flags: []string{"-require-any-client-certificate"},
9569 },
9570 })
9571
9572 ret = append(ret, perMessageTest{
9573 messageType: typeFinished,
9574 test: testCase{
9575 testType: serverTest,
9576 name: "TLS13-ClientFinished",
9577 config: Config{
9578 MaxVersion: VersionTLS13,
9579 },
9580 },
9581 })
9582
9583 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9584}
9585
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9586func addWrongMessageTypeTests() {
9587 for _, t := range makePerMessageTests() {
9588 t.test.name = "WrongMessageType-" + t.test.name
9589 t.test.config.Bugs.SendWrongMessageType = t.messageType
9590 t.test.shouldFail = true
9591 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9592 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9593
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9594 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9595 // In TLS 1.3, a bad ServerHello means the client sends
9596 // an unencrypted alert while the server expects
9597 // encryption, so the alert is not readable by runner.
9598 t.test.expectedLocalError = "local error: bad record MAC"
9599 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9600
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9601 testCases = append(testCases, t.test)
9602 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9603}
9604
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9605func addTrailingMessageDataTests() {
9606 for _, t := range makePerMessageTests() {
9607 t.test.name = "TrailingMessageData-" + t.test.name
9608 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9609 t.test.shouldFail = true
9610 t.test.expectedError = ":DECODE_ERROR:"
9611 t.test.expectedLocalError = "remote error: error decoding message"
9612
9613 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9614 // In TLS 1.3, a bad ServerHello means the client sends
9615 // an unencrypted alert while the server expects
9616 // encryption, so the alert is not readable by runner.
9617 t.test.expectedLocalError = "local error: bad record MAC"
9618 }
9619
9620 if t.messageType == typeFinished {
9621 // Bad Finished messages read as the verify data having
9622 // the wrong length.
9623 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9624 t.test.expectedLocalError = "remote error: error decrypting message"
9625 }
9626
9627 testCases = append(testCases, t.test)
9628 }
9629}
9630
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9631func addTLS13HandshakeTests() {
9632 testCases = append(testCases, testCase{
9633 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9634 name: "NegotiatePSKResumption-TLS13",
9635 config: Config{
9636 MaxVersion: VersionTLS13,
9637 Bugs: ProtocolBugs{
9638 NegotiatePSKResumption: true,
9639 },
9640 },
9641 resumeSession: true,
9642 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9643 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9644 })
9645
9646 testCases = append(testCases, testCase{
9647 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9648 name: "MissingKeyShare-Client",
9649 config: Config{
9650 MaxVersion: VersionTLS13,
9651 Bugs: ProtocolBugs{
9652 MissingKeyShare: true,
9653 },
9654 },
9655 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9656 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9657 })
9658
9659 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9660 testType: serverTest,
9661 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9662 config: Config{
9663 MaxVersion: VersionTLS13,
9664 Bugs: ProtocolBugs{
9665 MissingKeyShare: true,
9666 },
9667 },
9668 shouldFail: true,
9669 expectedError: ":MISSING_KEY_SHARE:",
9670 })
9671
9672 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9673 testType: serverTest,
9674 name: "DuplicateKeyShares",
9675 config: Config{
9676 MaxVersion: VersionTLS13,
9677 Bugs: ProtocolBugs{
9678 DuplicateKeyShares: true,
9679 },
9680 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9681 shouldFail: true,
9682 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9683 })
9684
9685 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9686 testType: serverTest,
9687 name: "SkipEarlyData",
9688 config: Config{
9689 MaxVersion: VersionTLS13,
9690 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9691 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9692 },
9693 },
9694 })
9695
9696 testCases = append(testCases, testCase{
9697 testType: serverTest,
9698 name: "SkipEarlyData-OmitEarlyDataExtension",
9699 config: Config{
9700 MaxVersion: VersionTLS13,
9701 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9702 SendFakeEarlyDataLength: 4,
9703 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9704 },
9705 },
9706 shouldFail: true,
9707 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9708 })
9709
9710 testCases = append(testCases, testCase{
9711 testType: serverTest,
9712 name: "SkipEarlyData-TooMuchData",
9713 config: Config{
9714 MaxVersion: VersionTLS13,
9715 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9716 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9717 },
9718 },
9719 shouldFail: true,
9720 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9721 })
9722
9723 testCases = append(testCases, testCase{
9724 testType: serverTest,
9725 name: "SkipEarlyData-Interleaved",
9726 config: Config{
9727 MaxVersion: VersionTLS13,
9728 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9729 SendFakeEarlyDataLength: 4,
9730 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9731 },
9732 },
9733 shouldFail: true,
9734 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9735 })
9736
9737 testCases = append(testCases, testCase{
9738 testType: serverTest,
9739 name: "SkipEarlyData-EarlyDataInTLS12",
9740 config: Config{
9741 MaxVersion: VersionTLS13,
9742 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9743 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9744 },
9745 },
9746 shouldFail: true,
9747 expectedError: ":UNEXPECTED_RECORD:",
9748 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9749 })
9750
9751 testCases = append(testCases, testCase{
9752 testType: serverTest,
9753 name: "SkipEarlyData-HRR",
9754 config: Config{
9755 MaxVersion: VersionTLS13,
9756 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9757 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9758 },
9759 DefaultCurves: []CurveID{},
9760 },
9761 })
9762
9763 testCases = append(testCases, testCase{
9764 testType: serverTest,
9765 name: "SkipEarlyData-HRR-Interleaved",
9766 config: Config{
9767 MaxVersion: VersionTLS13,
9768 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9769 SendFakeEarlyDataLength: 4,
9770 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9771 },
9772 DefaultCurves: []CurveID{},
9773 },
9774 shouldFail: true,
9775 expectedError: ":UNEXPECTED_RECORD:",
9776 })
9777
9778 testCases = append(testCases, testCase{
9779 testType: serverTest,
9780 name: "SkipEarlyData-HRR-TooMuchData",
9781 config: Config{
9782 MaxVersion: VersionTLS13,
9783 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9784 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9785 },
9786 DefaultCurves: []CurveID{},
9787 },
9788 shouldFail: true,
9789 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9790 })
9791
9792 // Test that skipping early data looking for cleartext correctly
9793 // processes an alert record.
9794 testCases = append(testCases, testCase{
9795 testType: serverTest,
9796 name: "SkipEarlyData-HRR-FatalAlert",
9797 config: Config{
9798 MaxVersion: VersionTLS13,
9799 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9800 SendEarlyAlert: true,
9801 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9802 },
9803 DefaultCurves: []CurveID{},
9804 },
9805 shouldFail: true,
9806 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9807 })
9808
9809 testCases = append(testCases, testCase{
9810 testType: serverTest,
9811 name: "SkipEarlyData-SecondClientHelloEarlyData",
9812 config: Config{
9813 MaxVersion: VersionTLS13,
9814 Bugs: ProtocolBugs{
9815 SendEarlyDataOnSecondClientHello: true,
9816 },
9817 DefaultCurves: []CurveID{},
9818 },
9819 shouldFail: true,
9820 expectedLocalError: "remote error: bad record MAC",
9821 })
9822
9823 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9824 testType: clientTest,
9825 name: "EmptyEncryptedExtensions",
9826 config: Config{
9827 MaxVersion: VersionTLS13,
9828 Bugs: ProtocolBugs{
9829 EmptyEncryptedExtensions: true,
9830 },
9831 },
9832 shouldFail: true,
9833 expectedLocalError: "remote error: error decoding message",
9834 })
9835
9836 testCases = append(testCases, testCase{
9837 testType: clientTest,
9838 name: "EncryptedExtensionsWithKeyShare",
9839 config: Config{
9840 MaxVersion: VersionTLS13,
9841 Bugs: ProtocolBugs{
9842 EncryptedExtensionsWithKeyShare: true,
9843 },
9844 },
9845 shouldFail: true,
9846 expectedLocalError: "remote error: unsupported extension",
9847 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9848
9849 testCases = append(testCases, testCase{
9850 testType: serverTest,
9851 name: "SendHelloRetryRequest",
9852 config: Config{
9853 MaxVersion: VersionTLS13,
9854 // Require a HelloRetryRequest for every curve.
9855 DefaultCurves: []CurveID{},
9856 },
9857 expectedCurveID: CurveX25519,
9858 })
9859
9860 testCases = append(testCases, testCase{
9861 testType: serverTest,
9862 name: "SendHelloRetryRequest-2",
9863 config: Config{
9864 MaxVersion: VersionTLS13,
9865 DefaultCurves: []CurveID{CurveP384},
9866 },
9867 // Although the ClientHello did not predict our preferred curve,
9868 // we always select it whether it is predicted or not.
9869 expectedCurveID: CurveX25519,
9870 })
9871
9872 testCases = append(testCases, testCase{
9873 name: "UnknownCurve-HelloRetryRequest",
9874 config: Config{
9875 MaxVersion: VersionTLS13,
9876 // P-384 requires HelloRetryRequest in BoringSSL.
9877 CurvePreferences: []CurveID{CurveP384},
9878 Bugs: ProtocolBugs{
9879 SendHelloRetryRequestCurve: bogusCurve,
9880 },
9881 },
9882 shouldFail: true,
9883 expectedError: ":WRONG_CURVE:",
9884 })
9885
9886 testCases = append(testCases, testCase{
9887 name: "DisabledCurve-HelloRetryRequest",
9888 config: Config{
9889 MaxVersion: VersionTLS13,
9890 CurvePreferences: []CurveID{CurveP256},
9891 Bugs: ProtocolBugs{
9892 IgnorePeerCurvePreferences: true,
9893 },
9894 },
9895 flags: []string{"-p384-only"},
9896 shouldFail: true,
9897 expectedError: ":WRONG_CURVE:",
9898 })
9899
9900 testCases = append(testCases, testCase{
9901 name: "UnnecessaryHelloRetryRequest",
9902 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9903 MaxVersion: VersionTLS13,
9904 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9905 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9906 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9907 },
9908 },
9909 shouldFail: true,
9910 expectedError: ":WRONG_CURVE:",
9911 })
9912
9913 testCases = append(testCases, testCase{
9914 name: "SecondHelloRetryRequest",
9915 config: Config{
9916 MaxVersion: VersionTLS13,
9917 // P-384 requires HelloRetryRequest in BoringSSL.
9918 CurvePreferences: []CurveID{CurveP384},
9919 Bugs: ProtocolBugs{
9920 SecondHelloRetryRequest: true,
9921 },
9922 },
9923 shouldFail: true,
9924 expectedError: ":UNEXPECTED_MESSAGE:",
9925 })
9926
9927 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9928 name: "HelloRetryRequest-Empty",
9929 config: Config{
9930 MaxVersion: VersionTLS13,
9931 Bugs: ProtocolBugs{
9932 AlwaysSendHelloRetryRequest: true,
9933 },
9934 },
9935 shouldFail: true,
9936 expectedError: ":DECODE_ERROR:",
9937 })
9938
9939 testCases = append(testCases, testCase{
9940 name: "HelloRetryRequest-DuplicateCurve",
9941 config: Config{
9942 MaxVersion: VersionTLS13,
9943 // P-384 requires a HelloRetryRequest against BoringSSL's default
9944 // configuration. Assert this ExpectMissingKeyShare.
9945 CurvePreferences: []CurveID{CurveP384},
9946 Bugs: ProtocolBugs{
9947 ExpectMissingKeyShare: true,
9948 DuplicateHelloRetryRequestExtensions: true,
9949 },
9950 },
9951 shouldFail: true,
9952 expectedError: ":DUPLICATE_EXTENSION:",
9953 expectedLocalError: "remote error: illegal parameter",
9954 })
9955
9956 testCases = append(testCases, testCase{
9957 name: "HelloRetryRequest-Cookie",
9958 config: Config{
9959 MaxVersion: VersionTLS13,
9960 Bugs: ProtocolBugs{
9961 SendHelloRetryRequestCookie: []byte("cookie"),
9962 },
9963 },
9964 })
9965
9966 testCases = append(testCases, testCase{
9967 name: "HelloRetryRequest-DuplicateCookie",
9968 config: Config{
9969 MaxVersion: VersionTLS13,
9970 Bugs: ProtocolBugs{
9971 SendHelloRetryRequestCookie: []byte("cookie"),
9972 DuplicateHelloRetryRequestExtensions: true,
9973 },
9974 },
9975 shouldFail: true,
9976 expectedError: ":DUPLICATE_EXTENSION:",
9977 expectedLocalError: "remote error: illegal parameter",
9978 })
9979
9980 testCases = append(testCases, testCase{
9981 name: "HelloRetryRequest-EmptyCookie",
9982 config: Config{
9983 MaxVersion: VersionTLS13,
9984 Bugs: ProtocolBugs{
9985 SendHelloRetryRequestCookie: []byte{},
9986 },
9987 },
9988 shouldFail: true,
9989 expectedError: ":DECODE_ERROR:",
9990 })
9991
9992 testCases = append(testCases, testCase{
9993 name: "HelloRetryRequest-Cookie-Curve",
9994 config: Config{
9995 MaxVersion: VersionTLS13,
9996 // P-384 requires HelloRetryRequest in BoringSSL.
9997 CurvePreferences: []CurveID{CurveP384},
9998 Bugs: ProtocolBugs{
9999 SendHelloRetryRequestCookie: []byte("cookie"),
10000 ExpectMissingKeyShare: true,
10001 },
10002 },
10003 })
10004
10005 testCases = append(testCases, testCase{
10006 name: "HelloRetryRequest-Unknown",
10007 config: Config{
10008 MaxVersion: VersionTLS13,
10009 Bugs: ProtocolBugs{
10010 CustomHelloRetryRequestExtension: "extension",
10011 },
10012 },
10013 shouldFail: true,
10014 expectedError: ":UNEXPECTED_EXTENSION:",
10015 expectedLocalError: "remote error: unsupported extension",
10016 })
10017
10018 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10019 testType: serverTest,
10020 name: "SecondClientHelloMissingKeyShare",
10021 config: Config{
10022 MaxVersion: VersionTLS13,
10023 DefaultCurves: []CurveID{},
10024 Bugs: ProtocolBugs{
10025 SecondClientHelloMissingKeyShare: true,
10026 },
10027 },
10028 shouldFail: true,
10029 expectedError: ":MISSING_KEY_SHARE:",
10030 })
10031
10032 testCases = append(testCases, testCase{
10033 testType: serverTest,
10034 name: "SecondClientHelloWrongCurve",
10035 config: Config{
10036 MaxVersion: VersionTLS13,
10037 DefaultCurves: []CurveID{},
10038 Bugs: ProtocolBugs{
10039 MisinterpretHelloRetryRequestCurve: CurveP521,
10040 },
10041 },
10042 shouldFail: true,
10043 expectedError: ":WRONG_CURVE:",
10044 })
10045
10046 testCases = append(testCases, testCase{
10047 name: "HelloRetryRequestVersionMismatch",
10048 config: Config{
10049 MaxVersion: VersionTLS13,
10050 // P-384 requires HelloRetryRequest in BoringSSL.
10051 CurvePreferences: []CurveID{CurveP384},
10052 Bugs: ProtocolBugs{
10053 SendServerHelloVersion: 0x0305,
10054 },
10055 },
10056 shouldFail: true,
10057 expectedError: ":WRONG_VERSION_NUMBER:",
10058 })
10059
10060 testCases = append(testCases, testCase{
10061 name: "HelloRetryRequestCurveMismatch",
10062 config: Config{
10063 MaxVersion: VersionTLS13,
10064 // P-384 requires HelloRetryRequest in BoringSSL.
10065 CurvePreferences: []CurveID{CurveP384},
10066 Bugs: ProtocolBugs{
10067 // Send P-384 (correct) in the HelloRetryRequest.
10068 SendHelloRetryRequestCurve: CurveP384,
10069 // But send P-256 in the ServerHello.
10070 SendCurve: CurveP256,
10071 },
10072 },
10073 shouldFail: true,
10074 expectedError: ":WRONG_CURVE:",
10075 })
10076
10077 // Test the server selecting a curve that requires a HelloRetryRequest
10078 // without sending it.
10079 testCases = append(testCases, testCase{
10080 name: "SkipHelloRetryRequest",
10081 config: Config{
10082 MaxVersion: VersionTLS13,
10083 // P-384 requires HelloRetryRequest in BoringSSL.
10084 CurvePreferences: []CurveID{CurveP384},
10085 Bugs: ProtocolBugs{
10086 SkipHelloRetryRequest: true,
10087 },
10088 },
10089 shouldFail: true,
10090 expectedError: ":WRONG_CURVE:",
10091 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10092
10093 testCases = append(testCases, testCase{
10094 name: "TLS13-RequestContextInHandshake",
10095 config: Config{
10096 MaxVersion: VersionTLS13,
10097 MinVersion: VersionTLS13,
10098 ClientAuth: RequireAnyClientCert,
10099 Bugs: ProtocolBugs{
10100 SendRequestContext: []byte("request context"),
10101 },
10102 },
10103 flags: []string{
10104 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10105 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10106 },
10107 shouldFail: true,
10108 expectedError: ":DECODE_ERROR:",
10109 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10110
10111 testCases = append(testCases, testCase{
10112 testType: serverTest,
10113 name: "TLS13-TrailingKeyShareData",
10114 config: Config{
10115 MaxVersion: VersionTLS13,
10116 Bugs: ProtocolBugs{
10117 TrailingKeyShareData: true,
10118 },
10119 },
10120 shouldFail: true,
10121 expectedError: ":DECODE_ERROR:",
10122 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10123
10124 testCases = append(testCases, testCase{
10125 name: "TLS13-AlwaysSelectPSKIdentity",
10126 config: Config{
10127 MaxVersion: VersionTLS13,
10128 Bugs: ProtocolBugs{
10129 AlwaysSelectPSKIdentity: true,
10130 },
10131 },
10132 shouldFail: true,
10133 expectedError: ":UNEXPECTED_EXTENSION:",
10134 })
10135
10136 testCases = append(testCases, testCase{
10137 name: "TLS13-InvalidPSKIdentity",
10138 config: Config{
10139 MaxVersion: VersionTLS13,
10140 Bugs: ProtocolBugs{
10141 SelectPSKIdentityOnResume: 1,
10142 },
10143 },
10144 resumeSession: true,
10145 shouldFail: true,
10146 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10147 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10148
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10149 testCases = append(testCases, testCase{
10150 testType: serverTest,
10151 name: "TLS13-ExtraPSKIdentity",
10152 config: Config{
10153 MaxVersion: VersionTLS13,
10154 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10155 ExtraPSKIdentity: true,
10156 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10157 },
10158 },
10159 resumeSession: true,
10160 })
10161
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10162 // Test that unknown NewSessionTicket extensions are tolerated.
10163 testCases = append(testCases, testCase{
10164 name: "TLS13-CustomTicketExtension",
10165 config: Config{
10166 MaxVersion: VersionTLS13,
10167 Bugs: ProtocolBugs{
10168 CustomTicketExtension: "1234",
10169 },
10170 },
10171 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10172
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10173 testCases = append(testCases, testCase{
10174 testType: clientTest,
10175 name: "TLS13-DataLessEarlyData-Reject-Client",
10176 config: Config{
10177 MaxVersion: VersionTLS13,
10178 MaxEarlyDataSize: 16384,
10179 },
10180 resumeConfig: &Config{
10181 MaxVersion: VersionTLS13,
10182 MaxEarlyDataSize: 16384,
10183 Bugs: ProtocolBugs{
10184 AlwaysRejectEarlyData: true,
10185 },
10186 },
10187 resumeSession: true,
10188 flags: []string{
10189 "-enable-early-data",
10190 "-expect-early-data-info",
10191 "-expect-reject-early-data",
10192 },
10193 })
10194
10195 testCases = append(testCases, testCase{
10196 testType: clientTest,
10197 name: "TLS13-DataLessEarlyData-HRR-Client",
10198 config: Config{
10199 MaxVersion: VersionTLS13,
10200 MaxEarlyDataSize: 16384,
10201 },
10202 resumeConfig: &Config{
10203 MaxVersion: VersionTLS13,
10204 MaxEarlyDataSize: 16384,
10205 Bugs: ProtocolBugs{
10206 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10207 },
10208 },
10209 resumeSession: true,
10210 flags: []string{
10211 "-enable-early-data",
10212 "-expect-early-data-info",
10213 "-expect-reject-early-data",
10214 },
10215 })
10216
10217 // The client must check the server does not send the early_data
10218 // extension while rejecting the session.
10219 testCases = append(testCases, testCase{
10220 testType: clientTest,
10221 name: "TLS13-EarlyDataWithoutResume-Client",
10222 config: Config{
10223 MaxVersion: VersionTLS13,
10224 MaxEarlyDataSize: 16384,
10225 },
10226 resumeConfig: &Config{
10227 MaxVersion: VersionTLS13,
10228 SessionTicketsDisabled: true,
10229 Bugs: ProtocolBugs{
10230 SendEarlyDataExtension: true,
10231 },
10232 },
10233 resumeSession: true,
10234 flags: []string{
10235 "-enable-early-data",
10236 "-expect-early-data-info",
10237 },
10238 shouldFail: true,
10239 expectedError: ":UNEXPECTED_EXTENSION:",
10240 })
10241
10242 // The client must fail with a dedicated error code if the server
10243 // responds with TLS 1.2 when offering 0-RTT.
10244 testCases = append(testCases, testCase{
10245 testType: clientTest,
10246 name: "TLS13-EarlyDataVersionDowngrade-Client",
10247 config: Config{
10248 MaxVersion: VersionTLS13,
10249 MaxEarlyDataSize: 16384,
10250 },
10251 resumeConfig: &Config{
10252 MaxVersion: VersionTLS12,
10253 },
10254 resumeSession: true,
10255 flags: []string{
10256 "-enable-early-data",
10257 "-expect-early-data-info",
10258 },
10259 shouldFail: true,
10260 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10261 })
10262
10263 // Test that the client rejects an (unsolicited) early_data extension if
10264 // the server sent an HRR.
10265 testCases = append(testCases, testCase{
10266 testType: clientTest,
10267 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10268 config: Config{
10269 MaxVersion: VersionTLS13,
10270 MaxEarlyDataSize: 16384,
10271 },
10272 resumeConfig: &Config{
10273 MaxVersion: VersionTLS13,
10274 MaxEarlyDataSize: 16384,
10275 Bugs: ProtocolBugs{
10276 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10277 SendEarlyDataExtension: true,
10278 },
10279 },
10280 resumeSession: true,
10281 flags: []string{
10282 "-enable-early-data",
10283 "-expect-early-data-info",
10284 },
10285 shouldFail: true,
10286 expectedError: ":UNEXPECTED_EXTENSION:",
10287 })
10288
10289 fooString := "foo"
10290 barString := "bar"
10291
10292 // Test that the client reports the correct ALPN after a 0-RTT reject
10293 // that changed it.
10294 testCases = append(testCases, testCase{
10295 testType: clientTest,
10296 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10297 config: Config{
10298 MaxVersion: VersionTLS13,
10299 MaxEarlyDataSize: 16384,
10300 Bugs: ProtocolBugs{
10301 ALPNProtocol: &fooString,
10302 },
10303 },
10304 resumeConfig: &Config{
10305 MaxVersion: VersionTLS13,
10306 MaxEarlyDataSize: 16384,
10307 Bugs: ProtocolBugs{
10308 ALPNProtocol: &barString,
10309 },
10310 },
10311 resumeSession: true,
10312 flags: []string{
10313 "-advertise-alpn", "\x03foo\x03bar",
10314 "-enable-early-data",
10315 "-expect-early-data-info",
10316 "-expect-reject-early-data",
10317 "-expect-alpn", "foo",
10318 "-expect-resume-alpn", "bar",
10319 },
10320 })
10321
10322 // Test that the client reports the correct ALPN after a 0-RTT reject if
10323 // ALPN was omitted from the first connection.
10324 testCases = append(testCases, testCase{
10325 testType: clientTest,
10326 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10327 config: Config{
10328 MaxVersion: VersionTLS13,
10329 MaxEarlyDataSize: 16384,
10330 },
10331 resumeConfig: &Config{
10332 MaxVersion: VersionTLS13,
10333 MaxEarlyDataSize: 16384,
10334 NextProtos: []string{"foo"},
10335 },
10336 resumeSession: true,
10337 flags: []string{
10338 "-advertise-alpn", "\x03foo\x03bar",
10339 "-enable-early-data",
10340 "-expect-early-data-info",
10341 "-expect-reject-early-data",
10342 "-expect-no-alpn",
10343 "-expect-resume-alpn", "foo",
10344 },
10345 })
10346
10347 // Test that the client reports the correct ALPN after a 0-RTT reject if
10348 // ALPN was omitted from the second connection.
10349 testCases = append(testCases, testCase{
10350 testType: clientTest,
10351 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10352 config: Config{
10353 MaxVersion: VersionTLS13,
10354 MaxEarlyDataSize: 16384,
10355 NextProtos: []string{"foo"},
10356 },
10357 resumeConfig: &Config{
10358 MaxVersion: VersionTLS13,
10359 MaxEarlyDataSize: 16384,
10360 },
10361 resumeSession: true,
10362 flags: []string{
10363 "-advertise-alpn", "\x03foo\x03bar",
10364 "-enable-early-data",
10365 "-expect-early-data-info",
10366 "-expect-reject-early-data",
10367 "-expect-alpn", "foo",
10368 "-expect-no-resume-alpn",
10369 },
10370 })
10371
10372 // Test that the client enforces ALPN match on 0-RTT accept.
10373 testCases = append(testCases, testCase{
10374 testType: clientTest,
10375 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10376 config: Config{
10377 MaxVersion: VersionTLS13,
10378 MaxEarlyDataSize: 16384,
10379 Bugs: ProtocolBugs{
10380 ALPNProtocol: &fooString,
10381 },
10382 },
10383 resumeConfig: &Config{
10384 MaxVersion: VersionTLS13,
10385 MaxEarlyDataSize: 16384,
10386 Bugs: ProtocolBugs{
10387 AlwaysAcceptEarlyData: true,
10388 ALPNProtocol: &barString,
10389 },
10390 },
10391 resumeSession: true,
10392 flags: []string{
10393 "-advertise-alpn", "\x03foo\x03bar",
10394 "-enable-early-data",
10395 "-expect-early-data-info",
10396 },
10397 shouldFail: true,
10398 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10399 })
10400
10401 // Test that the server correctly rejects 0-RTT when the previous
10402 // session did not allow early data on resumption.
10403 testCases = append(testCases, testCase{
10404 testType: serverTest,
10405 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10406 config: Config{
10407 MaxVersion: VersionTLS13,
10408 },
10409 resumeConfig: &Config{
10410 MaxVersion: VersionTLS13,
10411 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10412 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10413 ExpectEarlyDataAccepted: false,
10414 },
10415 },
10416 resumeSession: true,
10417 flags: []string{
10418 "-enable-resume-early-data",
10419 "-expect-reject-early-data",
10420 },
10421 })
10422
10423 // Test that we reject early data where ALPN is omitted from the first
10424 // connection.
10425 testCases = append(testCases, testCase{
10426 testType: serverTest,
10427 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10428 config: Config{
10429 MaxVersion: VersionTLS13,
10430 NextProtos: []string{},
10431 },
10432 resumeConfig: &Config{
10433 MaxVersion: VersionTLS13,
10434 NextProtos: []string{"foo"},
10435 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10436 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10437 ExpectEarlyDataAccepted: false,
10438 },
10439 },
10440 resumeSession: true,
10441 flags: []string{
10442 "-enable-early-data",
10443 "-select-alpn", "",
10444 "-select-resume-alpn", "foo",
10445 },
10446 })
10447
10448 // Test that we reject early data where ALPN is omitted from the second
10449 // connection.
10450 testCases = append(testCases, testCase{
10451 testType: serverTest,
10452 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10453 config: Config{
10454 MaxVersion: VersionTLS13,
10455 NextProtos: []string{"foo"},
10456 },
10457 resumeConfig: &Config{
10458 MaxVersion: VersionTLS13,
10459 NextProtos: []string{},
10460 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10461 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10462 ExpectEarlyDataAccepted: false,
10463 },
10464 },
10465 resumeSession: true,
10466 flags: []string{
10467 "-enable-early-data",
10468 "-select-alpn", "foo",
10469 "-select-resume-alpn", "",
10470 },
10471 })
10472
10473 // Test that we reject early data with mismatched ALPN.
10474 testCases = append(testCases, testCase{
10475 testType: serverTest,
10476 name: "TLS13-EarlyData-ALPNMismatch-Server",
10477 config: Config{
10478 MaxVersion: VersionTLS13,
10479 NextProtos: []string{"foo"},
10480 },
10481 resumeConfig: &Config{
10482 MaxVersion: VersionTLS13,
10483 NextProtos: []string{"bar"},
10484 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10485 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10486 ExpectEarlyDataAccepted: false,
10487 },
10488 },
10489 resumeSession: true,
10490 flags: []string{
10491 "-enable-early-data",
10492 "-select-alpn", "foo",
10493 "-select-resume-alpn", "bar",
10494 },
10495 })
10496
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10497 // Test that the client offering 0-RTT and Channel ID forbids the server
10498 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10499 testCases = append(testCases, testCase{
10500 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10501 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10502 config: Config{
10503 MaxVersion: VersionTLS13,
10504 MaxEarlyDataSize: 16384,
10505 RequestChannelID: true,
10506 },
10507 resumeSession: true,
10508 expectChannelID: true,
10509 shouldFail: true,
10510 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10511 flags: []string{
10512 "-enable-early-data",
10513 "-expect-early-data-info",
10514 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10515 },
10516 })
10517
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10518 // Test that the client offering Channel ID and 0-RTT allows the server
10519 // to decline 0-RTT.
10520 testCases = append(testCases, testCase{
10521 testType: clientTest,
10522 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10523 config: Config{
10524 MaxVersion: VersionTLS13,
10525 MaxEarlyDataSize: 16384,
10526 RequestChannelID: true,
10527 Bugs: ProtocolBugs{
10528 AlwaysRejectEarlyData: true,
10529 },
10530 },
10531 resumeSession: true,
10532 expectChannelID: true,
10533 flags: []string{
10534 "-enable-early-data",
10535 "-expect-early-data-info",
10536 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10537 "-expect-reject-early-data",
10538 },
10539 })
10540
10541 // Test that the client offering Channel ID and 0-RTT allows the server
10542 // to decline Channel ID.
10543 testCases = append(testCases, testCase{
10544 testType: clientTest,
10545 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10546 config: Config{
10547 MaxVersion: VersionTLS13,
10548 MaxEarlyDataSize: 16384,
10549 },
10550 resumeSession: true,
10551 flags: []string{
10552 "-enable-early-data",
10553 "-expect-early-data-info",
10554 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10555 "-expect-accept-early-data",
10556 },
10557 })
10558
10559 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10560 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10561 testCases = append(testCases, testCase{
10562 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10563 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10564 config: Config{
10565 MaxVersion: VersionTLS13,
10566 ChannelID: channelIDKey,
10567 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10568 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10569 ExpectEarlyDataAccepted: false,
10570 },
10571 },
10572 resumeSession: true,
10573 expectChannelID: true,
10574 flags: []string{
10575 "-enable-early-data",
10576 "-expect-reject-early-data",
10577 "-expect-channel-id",
10578 base64.StdEncoding.EncodeToString(channelIDBytes),
10579 },
10580 })
10581
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10582 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10583 // if not offered Channel ID.
10584 testCases = append(testCases, testCase{
10585 testType: serverTest,
10586 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10587 config: Config{
10588 MaxVersion: VersionTLS13,
10589 Bugs: ProtocolBugs{
10590 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10591 ExpectEarlyDataAccepted: true,
10592 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10593 },
10594 },
10595 resumeSession: true,
10596 expectChannelID: false,
10597 flags: []string{
10598 "-enable-early-data",
10599 "-expect-accept-early-data",
10600 "-enable-channel-id",
10601 },
10602 })
10603
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10604 // Test that the server rejects 0-RTT streams without end_of_early_data.
10605 // The subsequent records should fail to decrypt.
10606 testCases = append(testCases, testCase{
10607 testType: serverTest,
10608 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10609 config: Config{
10610 MaxVersion: VersionTLS13,
10611 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10612 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10613 ExpectEarlyDataAccepted: true,
10614 SkipEndOfEarlyData: true,
10615 },
10616 },
10617 resumeSession: true,
10618 flags: []string{"-enable-early-data"},
10619 shouldFail: true,
10620 expectedLocalError: "remote error: bad record MAC",
10621 expectedError: ":BAD_DECRYPT:",
10622 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10623
10624 testCases = append(testCases, testCase{
10625 testType: serverTest,
10626 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10627 config: Config{
10628 MaxVersion: VersionTLS13,
10629 },
10630 resumeConfig: &Config{
10631 MaxVersion: VersionTLS13,
10632 Bugs: ProtocolBugs{
10633 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10634 SendStrayEarlyHandshake: true,
10635 ExpectEarlyDataAccepted: true},
10636 },
10637 resumeSession: true,
10638 shouldFail: true,
10639 expectedError: ":UNEXPECTED_RECORD:",
10640 expectedLocalError: "remote error: unexpected message",
10641 flags: []string{
10642 "-enable-early-data",
10643 },
10644 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10645}
10646
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10647func addTLS13CipherPreferenceTests() {
10648 // Test that client preference is honored if the shim has AES hardware
10649 // and ChaCha20-Poly1305 is preferred otherwise.
10650 testCases = append(testCases, testCase{
10651 testType: serverTest,
10652 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10653 config: Config{
10654 MaxVersion: VersionTLS13,
10655 CipherSuites: []uint16{
10656 TLS_CHACHA20_POLY1305_SHA256,
10657 TLS_AES_128_GCM_SHA256,
10658 },
10659 },
10660 flags: []string{
10661 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10662 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10663 },
10664 })
10665
10666 testCases = append(testCases, testCase{
10667 testType: serverTest,
10668 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10669 config: Config{
10670 MaxVersion: VersionTLS13,
10671 CipherSuites: []uint16{
10672 TLS_AES_128_GCM_SHA256,
10673 TLS_CHACHA20_POLY1305_SHA256,
10674 },
10675 },
10676 flags: []string{
10677 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10678 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10679 },
10680 })
10681
10682 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10683 // whether it has AES hardware.
10684 testCases = append(testCases, testCase{
10685 name: "TLS13-CipherPreference-Client",
10686 config: Config{
10687 MaxVersion: VersionTLS13,
10688 // Use the client cipher order. (This is the default but
10689 // is listed to be explicit.)
10690 PreferServerCipherSuites: false,
10691 },
10692 flags: []string{
10693 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10694 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10695 },
10696 })
10697}
10698
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10699func addPeekTests() {
10700 // Test SSL_peek works, including on empty records.
10701 testCases = append(testCases, testCase{
10702 name: "Peek-Basic",
10703 sendEmptyRecords: 1,
10704 flags: []string{"-peek-then-read"},
10705 })
10706
10707 // Test SSL_peek can drive the initial handshake.
10708 testCases = append(testCases, testCase{
10709 name: "Peek-ImplicitHandshake",
10710 flags: []string{
10711 "-peek-then-read",
10712 "-implicit-handshake",
10713 },
10714 })
10715
10716 // Test SSL_peek can discover and drive a renegotiation.
10717 testCases = append(testCases, testCase{
10718 name: "Peek-Renegotiate",
10719 config: Config{
10720 MaxVersion: VersionTLS12,
10721 },
10722 renegotiate: 1,
10723 flags: []string{
10724 "-peek-then-read",
10725 "-renegotiate-freely",
10726 "-expect-total-renegotiations", "1",
10727 },
10728 })
10729
10730 // Test SSL_peek can discover a close_notify.
10731 testCases = append(testCases, testCase{
10732 name: "Peek-Shutdown",
10733 config: Config{
10734 Bugs: ProtocolBugs{
10735 ExpectCloseNotify: true,
10736 },
10737 },
10738 flags: []string{
10739 "-peek-then-read",
10740 "-check-close-notify",
10741 },
10742 })
10743
10744 // Test SSL_peek can discover an alert.
10745 testCases = append(testCases, testCase{
10746 name: "Peek-Alert",
10747 config: Config{
10748 Bugs: ProtocolBugs{
10749 SendSpuriousAlert: alertRecordOverflow,
10750 },
10751 },
10752 flags: []string{"-peek-then-read"},
10753 shouldFail: true,
10754 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10755 })
10756
10757 // Test SSL_peek can handle KeyUpdate.
10758 testCases = append(testCases, testCase{
10759 name: "Peek-KeyUpdate",
10760 config: Config{
10761 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10762 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10763 sendKeyUpdates: 1,
10764 keyUpdateRequest: keyUpdateNotRequested,
10765 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10766 })
10767}
10768
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10769func addRecordVersionTests() {
10770 for _, ver := range tlsVersions {
10771 // Test that the record version is enforced.
10772 testCases = append(testCases, testCase{
10773 name: "CheckRecordVersion-" + ver.name,
10774 config: Config{
10775 MinVersion: ver.version,
10776 MaxVersion: ver.version,
10777 Bugs: ProtocolBugs{
10778 SendRecordVersion: 0x03ff,
10779 },
10780 },
10781 shouldFail: true,
10782 expectedError: ":WRONG_VERSION_NUMBER:",
10783 })
10784
10785 // Test that the ClientHello may use any record version, for
10786 // compatibility reasons.
10787 testCases = append(testCases, testCase{
10788 testType: serverTest,
10789 name: "LooseInitialRecordVersion-" + ver.name,
10790 config: Config{
10791 MinVersion: ver.version,
10792 MaxVersion: ver.version,
10793 Bugs: ProtocolBugs{
10794 SendInitialRecordVersion: 0x03ff,
10795 },
10796 },
10797 })
10798
10799 // Test that garbage ClientHello record versions are rejected.
10800 testCases = append(testCases, testCase{
10801 testType: serverTest,
10802 name: "GarbageInitialRecordVersion-" + ver.name,
10803 config: Config{
10804 MinVersion: ver.version,
10805 MaxVersion: ver.version,
10806 Bugs: ProtocolBugs{
10807 SendInitialRecordVersion: 0xffff,
10808 },
10809 },
10810 shouldFail: true,
10811 expectedError: ":WRONG_VERSION_NUMBER:",
10812 })
10813 }
10814}
10815
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10816func addCertificateTests() {
10817 // Test that a certificate chain with intermediate may be sent and
10818 // received as both client and server.
10819 for _, ver := range tlsVersions {
10820 testCases = append(testCases, testCase{
10821 testType: clientTest,
10822 name: "SendReceiveIntermediate-Client-" + ver.name,
10823 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10824 MinVersion: ver.version,
10825 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10826 Certificates: []Certificate{rsaChainCertificate},
10827 ClientAuth: RequireAnyClientCert,
10828 },
10829 expectPeerCertificate: &rsaChainCertificate,
10830 flags: []string{
10831 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10832 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10833 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10834 },
10835 })
10836
10837 testCases = append(testCases, testCase{
10838 testType: serverTest,
10839 name: "SendReceiveIntermediate-Server-" + ver.name,
10840 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10841 MinVersion: ver.version,
10842 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10843 Certificates: []Certificate{rsaChainCertificate},
10844 },
10845 expectPeerCertificate: &rsaChainCertificate,
10846 flags: []string{
10847 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10848 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10849 "-require-any-client-certificate",
10850 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10851 },
10852 })
10853 }
10854}
10855
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10856func addRetainOnlySHA256ClientCertTests() {
10857 for _, ver := range tlsVersions {
10858 // Test that enabling
10859 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10860 // actually requesting a client certificate is a no-op.
10861 testCases = append(testCases, testCase{
10862 testType: serverTest,
10863 name: "RetainOnlySHA256-NoCert-" + ver.name,
10864 config: Config{
10865 MinVersion: ver.version,
10866 MaxVersion: ver.version,
10867 },
10868 flags: []string{
10869 "-retain-only-sha256-client-cert-initial",
10870 "-retain-only-sha256-client-cert-resume",
10871 },
10872 resumeSession: true,
10873 })
10874
10875 // Test that when retaining only a SHA-256 certificate is
10876 // enabled, the hash appears as expected.
10877 testCases = append(testCases, testCase{
10878 testType: serverTest,
10879 name: "RetainOnlySHA256-Cert-" + ver.name,
10880 config: Config{
10881 MinVersion: ver.version,
10882 MaxVersion: ver.version,
10883 Certificates: []Certificate{rsaCertificate},
10884 },
10885 flags: []string{
10886 "-verify-peer",
10887 "-retain-only-sha256-client-cert-initial",
10888 "-retain-only-sha256-client-cert-resume",
10889 "-expect-sha256-client-cert-initial",
10890 "-expect-sha256-client-cert-resume",
10891 },
10892 resumeSession: true,
10893 })
10894
10895 // Test that when the config changes from on to off, a
10896 // resumption is rejected because the server now wants the full
10897 // certificate chain.
10898 testCases = append(testCases, testCase{
10899 testType: serverTest,
10900 name: "RetainOnlySHA256-OnOff-" + ver.name,
10901 config: Config{
10902 MinVersion: ver.version,
10903 MaxVersion: ver.version,
10904 Certificates: []Certificate{rsaCertificate},
10905 },
10906 flags: []string{
10907 "-verify-peer",
10908 "-retain-only-sha256-client-cert-initial",
10909 "-expect-sha256-client-cert-initial",
10910 },
10911 resumeSession: true,
10912 expectResumeRejected: true,
10913 })
10914
10915 // Test that when the config changes from off to on, a
10916 // resumption is rejected because the server now wants just the
10917 // hash.
10918 testCases = append(testCases, testCase{
10919 testType: serverTest,
10920 name: "RetainOnlySHA256-OffOn-" + ver.name,
10921 config: Config{
10922 MinVersion: ver.version,
10923 MaxVersion: ver.version,
10924 Certificates: []Certificate{rsaCertificate},
10925 },
10926 flags: []string{
10927 "-verify-peer",
10928 "-retain-only-sha256-client-cert-resume",
10929 "-expect-sha256-client-cert-resume",
10930 },
10931 resumeSession: true,
10932 expectResumeRejected: true,
10933 })
10934 }
10935}
10936
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10937func addECDSAKeyUsageTests() {
10938 p256 := elliptic.P256()
10939 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10940 if err != nil {
10941 panic(err)
10942 }
10943
10944 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10945 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10946 if err != nil {
10947 panic(err)
10948 }
10949
10950 template := x509.Certificate{
10951 SerialNumber: serialNumber,
10952 Subject: pkix.Name{
10953 Organization: []string{"Acme Co"},
10954 },
10955 NotBefore: time.Now(),
10956 NotAfter: time.Now(),
10957
10958 // An ECC certificate with only the keyAgreement key usgae may
10959 // be used with ECDH, but not ECDSA.
10960 KeyUsage: x509.KeyUsageKeyAgreement,
10961 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
10962 BasicConstraintsValid: true,
10963 }
10964
10965 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
10966 if err != nil {
10967 panic(err)
10968 }
10969
10970 cert := Certificate{
10971 Certificate: [][]byte{derBytes},
10972 PrivateKey: priv,
10973 }
10974
10975 for _, ver := range tlsVersions {
10976 if ver.version < VersionTLS12 {
10977 continue
10978 }
10979
10980 testCases = append(testCases, testCase{
10981 testType: clientTest,
10982 name: "ECDSAKeyUsage-" + ver.name,
10983 config: Config{
10984 MinVersion: ver.version,
10985 MaxVersion: ver.version,
10986 Certificates: []Certificate{cert},
10987 },
10988 shouldFail: true,
10989 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10990 })
10991 }
10992}
10993
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]10994func addExtraHandshakeTests() {
10995 // An extra SSL_do_handshake is normally a no-op. These tests use -async
10996 // to ensure there is no transport I/O.
10997 testCases = append(testCases, testCase{
10998 testType: clientTest,
10999 name: "ExtraHandshake-Client-TLS12",
11000 config: Config{
11001 MinVersion: VersionTLS12,
11002 MaxVersion: VersionTLS12,
11003 },
11004 flags: []string{
11005 "-async",
11006 "-no-op-extra-handshake",
11007 },
11008 })
11009 testCases = append(testCases, testCase{
11010 testType: serverTest,
11011 name: "ExtraHandshake-Server-TLS12",
11012 config: Config{
11013 MinVersion: VersionTLS12,
11014 MaxVersion: VersionTLS12,
11015 },
11016 flags: []string{
11017 "-async",
11018 "-no-op-extra-handshake",
11019 },
11020 })
11021 testCases = append(testCases, testCase{
11022 testType: clientTest,
11023 name: "ExtraHandshake-Client-TLS13",
11024 config: Config{
11025 MinVersion: VersionTLS13,
11026 MaxVersion: VersionTLS13,
11027 },
11028 flags: []string{
11029 "-async",
11030 "-no-op-extra-handshake",
11031 },
11032 })
11033 testCases = append(testCases, testCase{
11034 testType: serverTest,
11035 name: "ExtraHandshake-Server-TLS13",
11036 config: Config{
11037 MinVersion: VersionTLS13,
11038 MaxVersion: VersionTLS13,
11039 },
11040 flags: []string{
11041 "-async",
11042 "-no-op-extra-handshake",
11043 },
11044 })
11045
11046 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11047 testCases = append(testCases, testCase{
11048 testType: serverTest,
11049 name: "ExtraHandshake-Server-EarlyData-TLS13",
11050 config: Config{
11051 MaxVersion: VersionTLS13,
11052 MinVersion: VersionTLS13,
11053 Bugs: ProtocolBugs{
11054 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11055 ExpectEarlyDataAccepted: true,
11056 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11057 },
11058 },
11059 messageCount: 2,
11060 resumeSession: true,
11061 flags: []string{
11062 "-async",
11063 "-enable-early-data",
11064 "-expect-accept-early-data",
11065 "-no-op-extra-handshake",
11066 },
11067 })
11068
11069 // An extra SSL_do_handshake drives the handshake to completion in False
11070 // Start. We test this by handshaking twice and asserting the False
11071 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11072 // how the test works.
11073 testCases = append(testCases, testCase{
11074 testType: clientTest,
11075 name: "ExtraHandshake-FalseStart",
11076 config: Config{
11077 MaxVersion: VersionTLS12,
11078 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11079 NextProtos: []string{"foo"},
11080 Bugs: ProtocolBugs{
11081 ExpectFalseStart: true,
11082 AlertBeforeFalseStartTest: alertAccessDenied,
11083 },
11084 },
11085 flags: []string{
11086 "-handshake-twice",
11087 "-false-start",
11088 "-advertise-alpn", "\x03foo",
11089 },
11090 shimWritesFirst: true,
11091 shouldFail: true,
11092 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11093 expectedLocalError: "tls: peer did not false start: EOF",
11094 })
11095}
11096
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11097func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11098 defer wg.Done()
11099
11100 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11101 var err error
11102
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11103 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11104 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11105 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11106 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11107 if err != nil {
11108 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11109 }
11110 break
11111 }
11112 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11113 } else if *repeatUntilFailure {
11114 for err == nil {
11115 statusChan <- statusMsg{test: test, started: true}
11116 err = runTest(test, shimPath, -1)
11117 }
11118 } else {
11119 statusChan <- statusMsg{test: test, started: true}
11120 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11121 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11122 statusChan <- statusMsg{test: test, err: err}
11123 }
11124}
11125
11126type statusMsg struct {
11127 test *testCase
11128 started bool
11129 err error
11130}
11131
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11132func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11133 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11134
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11135 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11136 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11137 if !*pipe {
11138 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11139 var erase string
11140 for i := 0; i < lineLen; i++ {
11141 erase += "\b \b"
11142 }
11143 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11144 }
11145
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11146 if msg.started {
11147 started++
11148 } else {
11149 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11150
11151 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11152 if msg.err == errUnimplemented {
11153 if *pipe {
11154 // Print each test instead of a status line.
11155 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11156 }
11157 unimplemented++
11158 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11159 } else {
11160 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11161 failed++
11162 testOutput.addResult(msg.test.name, "FAIL")
11163 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11164 } else {
11165 if *pipe {
11166 // Print each test instead of a status line.
11167 fmt.Printf("PASSED (%s)\n", msg.test.name)
11168 }
11169 testOutput.addResult(msg.test.name, "PASS")
11170 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11171 }
11172
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11173 if !*pipe {
11174 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11175 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11176 lineLen = len(line)
11177 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11178 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11179 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11180
11181 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11182}
11183
11184func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11185 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11186 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11187 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11188
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11189 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11190 addCipherSuiteTests()
11191 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11192 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11193 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11194 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11195 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11196 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11197 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11198 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11199 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11200 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11201 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11202 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11203 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11204 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11205 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11206 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11207 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11208 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11209 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11210 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11211 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11212 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11213 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11214 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11215 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11216 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11217 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11218 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11219 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11220 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11221 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11222 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11223 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11224
11225 var wg sync.WaitGroup
11226
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11227 statusChan := make(chan statusMsg, *numWorkers)
11228 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11229 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11230
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11231 if len(*shimConfigFile) != 0 {
11232 encoded, err := ioutil.ReadFile(*shimConfigFile)
11233 if err != nil {
11234 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11235 os.Exit(1)
11236 }
11237
11238 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11239 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11240 os.Exit(1)
11241 }
11242 }
11243
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11244 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11245
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11246 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11247 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11248 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11249 }
11250
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11251 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11252 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11253 matched := true
11254 if len(*testToRun) != 0 {
11255 var err error
11256 matched, err = filepath.Match(*testToRun, testCases[i].name)
11257 if err != nil {
11258 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11259 os.Exit(1)
11260 }
11261 }
11262
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11263 if !*includeDisabled {
11264 for pattern := range shimConfig.DisabledTests {
11265 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11266 if err != nil {
11267 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11268 os.Exit(1)
11269 }
11270
11271 if isDisabled {
11272 matched = false
11273 break
11274 }
11275 }
11276 }
11277
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11278 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11279 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11280 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11281
11282 // Only run one test if repeating until failure.
11283 if *repeatUntilFailure {
11284 break
11285 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11286 }
11287 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11288
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11289 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11290 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11291 os.Exit(1)
11292 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11293
11294 close(testChan)
11295 wg.Wait()
11296 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11297 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11298
11299 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11300
11301 if *jsonOutput != "" {
11302 if err := testOutput.writeTo(*jsonOutput); err != nil {
11303 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11304 }
11305 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11306
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11307 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11308 os.Exit(1)
11309 }
11310
11311 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11312 os.Exit(1)
11313 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11314}