Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 96bc12a494891174a8efc48007ceffc0c9fb9127 / . / ssl / test / runner / runner.go
blob: dd6926d7b965eb19e978c2f297209fb826281e91 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431}
432
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]433var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]508
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]510
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]511 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 }
515
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]520 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 }()
535 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]544 }
545
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]546 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]556 }
557
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]558 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]559 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]565 } else {
566 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]572 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]573 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]574
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]578
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]589 }
590
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]597
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]598 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]599 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]634 }
635
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]642 }
643
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
646 }
647
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]689 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]723 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]738 }
739
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]740 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]743 }
744
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]773 // The shim will not respond.
774 continue
775 }
776
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
808 }
809
810 return nil
811}
812
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]821 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822}
823
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]829 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830}
831
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]844
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
847func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
854 conn, err := listener.Accept()
855 connChan <- connOrError{conn, err}
856 close(connChan)
857 }()
858 select {
859 case result := <-connChan:
860 return result.conn, result.err
861 case childErr := <-waitChan:
862 waitChan <- childErr
863 return nil, fmt.Errorf("child exited early: %s", childErr)
864 }
865}
866
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]867func translateExpectedError(errorStr string) string {
868 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
869 return translated
870 }
871
872 if *looseErrors {
873 return ""
874 }
875
876 return errorStr
877}
878
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]879func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]880 // Help debugging panics on the Go side.
881 defer func() {
882 if r := recover(); r != nil {
883 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
884 panic(r)
885 }
886 }()
887
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]888 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
889 panic("Error expected without shouldFail in " + test.name)
890 }
891
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]892 if test.expectResumeRejected && !test.resumeSession {
893 panic("expectResumeRejected without resumeSession in " + test.name)
894 }
895
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]896 for _, ver := range tlsVersions {
897 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
898 continue
899 }
900
901 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
902 continue
903 }
904
905 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
906 }
907
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]908 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
909 if err != nil {
910 panic(err)
911 }
912 defer func() {
913 if listener != nil {
914 listener.Close()
915 }
916 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]917
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]918 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]919 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]920 flags = append(flags, "-server")
921
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]922 flags = append(flags, "-key-file")
923 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]924 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]925 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]926 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 }
928
929 flags = append(flags, "-cert-file")
930 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]932 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]934 }
935 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]936
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]937 if test.protocol == dtls {
938 flags = append(flags, "-dtls")
939 }
940
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]941 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]942 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]943 resumeCount++
944 if test.resumeRenewedSession {
945 resumeCount++
946 }
947 }
948
949 if resumeCount > 0 {
950 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]951 }
952
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]953 if test.shimWritesFirst {
954 flags = append(flags, "-shim-writes-first")
955 }
956
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]957 if test.readWithUnfinishedWrite {
958 flags = append(flags, "-read-with-unfinished-write")
959 }
960
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]961 if test.shimShutsDown {
962 flags = append(flags, "-shim-shuts-down")
963 }
964
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]965 if test.exportKeyingMaterial > 0 {
966 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
967 flags = append(flags, "-export-label", test.exportLabel)
968 flags = append(flags, "-export-context", test.exportContext)
969 if test.useExportContext {
970 flags = append(flags, "-use-export-context")
971 }
972 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]973 if test.expectResumeRejected {
974 flags = append(flags, "-expect-session-miss")
975 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]976
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]977 if test.testTLSUnique {
978 flags = append(flags, "-tls-unique")
979 }
980
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]981 flags = append(flags, test.flags...)
982
983 var shim *exec.Cmd
984 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]985 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]986 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]987 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]988 } else if *useLLDB {
989 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]990 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]991 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]992 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]993 shim.Stdin = os.Stdin
994 var stdoutBuf, stderrBuf bytes.Buffer
995 shim.Stdout = &stdoutBuf
996 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]997 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]998 shim.Env = os.Environ()
999 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1000 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1001 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1002 }
1003 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1004 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1005
1006 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1007 panic(err)
1008 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1009 waitChan := make(chan error, 1)
1010 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1011
1012 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1013
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1014 if *deterministic {
1015 config.Rand = &deterministicRand{}
1016 }
1017
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1018 conn, err := acceptOrWait(listener, waitChan)
1019 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1020 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1021 conn.Close()
1022 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1023
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1024 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1025 var resumeConfig Config
1026 if test.resumeConfig != nil {
1027 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1028 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1029 resumeConfig.SessionTicketKey = config.SessionTicketKey
1030 resumeConfig.ClientSessionCache = config.ClientSessionCache
1031 resumeConfig.ServerSessionCache = config.ServerSessionCache
1032 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1033 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1034 } else {
1035 resumeConfig = config
1036 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1037 var connResume net.Conn
1038 connResume, err = acceptOrWait(listener, waitChan)
1039 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1040 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1041 connResume.Close()
1042 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1043 }
1044
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1045 // Close the listener now. This is to avoid hangs should the shim try to
1046 // open more connections than expected.
1047 listener.Close()
1048 listener = nil
1049
1050 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1051 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1052 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1053 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1054 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1055 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1056 case 89:
1057 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 case 99:
1059 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1060 }
1061 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1063 // Account for Windows line endings.
1064 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1065 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1066
1067 // Separate the errors from the shim and those from tools like
1068 // AddressSanitizer.
1069 var extraStderr string
1070 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1071 stderr = stderrParts[0]
1072 extraStderr = stderrParts[1]
1073 }
1074
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1075 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1076 expectedError := translateExpectedError(test.expectedError)
1077 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1078
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1079 localError := "none"
1080 if err != nil {
1081 localError = err.Error()
1082 }
1083 if len(test.expectedLocalError) != 0 {
1084 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1085 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086
1087 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1089 if childErr != nil {
1090 childError = childErr.Error()
1091 }
1092
1093 var msg string
1094 switch {
1095 case failed && !test.shouldFail:
1096 msg = "unexpected failure"
1097 case !failed && test.shouldFail:
1098 msg = "unexpected success"
1099 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1100 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101 default:
1102 panic("internal error")
1103 }
1104
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1105 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 }
1107
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1108 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1109 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 }
1111
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1112 if *useValgrind && isValgrindError {
1113 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1114 }
1115
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 return nil
1117}
1118
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1119type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 name string
1121 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1122 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1123 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1124}
1125
1126var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1127 {"SSL3", VersionSSL30, "-no-ssl3", false},
1128 {"TLS1", VersionTLS10, "-no-tls1", true},
1129 {"TLS11", VersionTLS11, "-no-tls11", false},
1130 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1131 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1132}
1133
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1134type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 name string
1136 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1137}
1138
1139var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1140 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1141 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1143 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1144 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1145 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1146 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1148 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1149 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1150 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1151 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1152 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1153 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1154 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1156 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1157 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1158 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1159 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1160 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1161 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1162 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1163 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1164 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1165 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1166 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1167 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1168 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1169 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170}
1171
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1172func hasComponent(suiteName, component string) bool {
1173 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1174}
1175
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1176func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1177 return hasComponent(suiteName, "GCM") ||
1178 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1179 hasComponent(suiteName, "SHA384") ||
1180 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1181}
1182
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1183func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1184 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1185}
1186
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1187func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1188 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1189}
1190
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1191func bigFromHex(hex string) *big.Int {
1192 ret, ok := new(big.Int).SetString(hex, 16)
1193 if !ok {
1194 panic("failed to parse hex number 0x" + hex)
1195 }
1196 return ret
1197}
1198
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1199func addBasicTests() {
1200 basicTests := []testCase{
1201 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1202 name: "NoFallbackSCSV",
1203 config: Config{
1204 Bugs: ProtocolBugs{
1205 FailIfNotFallbackSCSV: true,
1206 },
1207 },
1208 shouldFail: true,
1209 expectedLocalError: "no fallback SCSV found",
1210 },
1211 {
1212 name: "SendFallbackSCSV",
1213 config: Config{
1214 Bugs: ProtocolBugs{
1215 FailIfNotFallbackSCSV: true,
1216 },
1217 },
1218 flags: []string{"-fallback-scsv"},
1219 },
1220 {
1221 name: "ClientCertificateTypes",
1222 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1223 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1224 ClientAuth: RequestClientCert,
1225 ClientCertificateTypes: []byte{
1226 CertTypeDSSSign,
1227 CertTypeRSASign,
1228 CertTypeECDSASign,
1229 },
1230 },
1231 flags: []string{
1232 "-expect-certificate-types",
1233 base64.StdEncoding.EncodeToString([]byte{
1234 CertTypeDSSSign,
1235 CertTypeRSASign,
1236 CertTypeECDSASign,
1237 }),
1238 },
1239 },
1240 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1241 name: "UnauthenticatedECDH",
1242 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1243 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1244 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1245 Bugs: ProtocolBugs{
1246 UnauthenticatedECDH: true,
1247 },
1248 },
1249 shouldFail: true,
1250 expectedError: ":UNEXPECTED_MESSAGE:",
1251 },
1252 {
1253 name: "SkipCertificateStatus",
1254 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1255 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1256 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1257 Bugs: ProtocolBugs{
1258 SkipCertificateStatus: true,
1259 },
1260 },
1261 flags: []string{
1262 "-enable-ocsp-stapling",
1263 },
1264 },
1265 {
1266 name: "SkipServerKeyExchange",
1267 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1268 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1269 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1270 Bugs: ProtocolBugs{
1271 SkipServerKeyExchange: true,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":UNEXPECTED_MESSAGE:",
1276 },
1277 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1278 testType: serverTest,
1279 name: "Alert",
1280 config: Config{
1281 Bugs: ProtocolBugs{
1282 SendSpuriousAlert: alertRecordOverflow,
1283 },
1284 },
1285 shouldFail: true,
1286 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1287 },
1288 {
1289 protocol: dtls,
1290 testType: serverTest,
1291 name: "Alert-DTLS",
1292 config: Config{
1293 Bugs: ProtocolBugs{
1294 SendSpuriousAlert: alertRecordOverflow,
1295 },
1296 },
1297 shouldFail: true,
1298 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1299 },
1300 {
1301 testType: serverTest,
1302 name: "FragmentAlert",
1303 config: Config{
1304 Bugs: ProtocolBugs{
1305 FragmentAlert: true,
1306 SendSpuriousAlert: alertRecordOverflow,
1307 },
1308 },
1309 shouldFail: true,
1310 expectedError: ":BAD_ALERT:",
1311 },
1312 {
1313 protocol: dtls,
1314 testType: serverTest,
1315 name: "FragmentAlert-DTLS",
1316 config: Config{
1317 Bugs: ProtocolBugs{
1318 FragmentAlert: true,
1319 SendSpuriousAlert: alertRecordOverflow,
1320 },
1321 },
1322 shouldFail: true,
1323 expectedError: ":BAD_ALERT:",
1324 },
1325 {
1326 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1327 name: "DoubleAlert",
1328 config: Config{
1329 Bugs: ProtocolBugs{
1330 DoubleAlert: true,
1331 SendSpuriousAlert: alertRecordOverflow,
1332 },
1333 },
1334 shouldFail: true,
1335 expectedError: ":BAD_ALERT:",
1336 },
1337 {
1338 protocol: dtls,
1339 testType: serverTest,
1340 name: "DoubleAlert-DTLS",
1341 config: Config{
1342 Bugs: ProtocolBugs{
1343 DoubleAlert: true,
1344 SendSpuriousAlert: alertRecordOverflow,
1345 },
1346 },
1347 shouldFail: true,
1348 expectedError: ":BAD_ALERT:",
1349 },
1350 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1351 name: "SkipNewSessionTicket",
1352 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1353 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1354 Bugs: ProtocolBugs{
1355 SkipNewSessionTicket: true,
1356 },
1357 },
1358 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1359 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1360 },
1361 {
1362 testType: serverTest,
1363 name: "FallbackSCSV",
1364 config: Config{
1365 MaxVersion: VersionTLS11,
1366 Bugs: ProtocolBugs{
1367 SendFallbackSCSV: true,
1368 },
1369 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1370 shouldFail: true,
1371 expectedError: ":INAPPROPRIATE_FALLBACK:",
1372 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1373 },
1374 {
1375 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1376 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1377 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1378 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1379 Bugs: ProtocolBugs{
1380 SendFallbackSCSV: true,
1381 },
1382 },
1383 },
1384 {
1385 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1386 name: "FallbackSCSV-VersionMatch-TLS12",
1387 config: Config{
1388 MaxVersion: VersionTLS12,
1389 Bugs: ProtocolBugs{
1390 SendFallbackSCSV: true,
1391 },
1392 },
1393 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1394 },
1395 {
1396 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1397 name: "FragmentedClientVersion",
1398 config: Config{
1399 Bugs: ProtocolBugs{
1400 MaxHandshakeRecordLength: 1,
1401 FragmentClientVersion: true,
1402 },
1403 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1404 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1405 },
1406 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1407 testType: serverTest,
1408 name: "HttpGET",
1409 sendPrefix: "GET / HTTP/1.0\n",
1410 shouldFail: true,
1411 expectedError: ":HTTP_REQUEST:",
1412 },
1413 {
1414 testType: serverTest,
1415 name: "HttpPOST",
1416 sendPrefix: "POST / HTTP/1.0\n",
1417 shouldFail: true,
1418 expectedError: ":HTTP_REQUEST:",
1419 },
1420 {
1421 testType: serverTest,
1422 name: "HttpHEAD",
1423 sendPrefix: "HEAD / HTTP/1.0\n",
1424 shouldFail: true,
1425 expectedError: ":HTTP_REQUEST:",
1426 },
1427 {
1428 testType: serverTest,
1429 name: "HttpPUT",
1430 sendPrefix: "PUT / HTTP/1.0\n",
1431 shouldFail: true,
1432 expectedError: ":HTTP_REQUEST:",
1433 },
1434 {
1435 testType: serverTest,
1436 name: "HttpCONNECT",
1437 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1438 shouldFail: true,
1439 expectedError: ":HTTPS_PROXY_REQUEST:",
1440 },
1441 {
1442 testType: serverTest,
1443 name: "Garbage",
1444 sendPrefix: "blah",
1445 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1446 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1447 },
1448 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1449 name: "RSAEphemeralKey",
1450 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1451 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1452 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1453 Bugs: ProtocolBugs{
1454 RSAEphemeralKey: true,
1455 },
1456 },
1457 shouldFail: true,
1458 expectedError: ":UNEXPECTED_MESSAGE:",
1459 },
1460 {
1461 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1462 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1463 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1464 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1465 },
1466 {
1467 protocol: dtls,
1468 name: "DisableEverything-DTLS",
1469 flags: []string{"-no-tls12", "-no-tls1"},
1470 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1471 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1472 },
1473 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1474 protocol: dtls,
1475 testType: serverTest,
1476 name: "MTU",
1477 config: Config{
1478 Bugs: ProtocolBugs{
1479 MaxPacketLength: 256,
1480 },
1481 },
1482 flags: []string{"-mtu", "256"},
1483 },
1484 {
1485 protocol: dtls,
1486 testType: serverTest,
1487 name: "MTUExceeded",
1488 config: Config{
1489 Bugs: ProtocolBugs{
1490 MaxPacketLength: 255,
1491 },
1492 },
1493 flags: []string{"-mtu", "256"},
1494 shouldFail: true,
1495 expectedLocalError: "dtls: exceeded maximum packet length",
1496 },
1497 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1498 name: "EmptyCertificateList",
1499 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1500 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1501 Bugs: ProtocolBugs{
1502 EmptyCertificateList: true,
1503 },
1504 },
1505 shouldFail: true,
1506 expectedError: ":DECODE_ERROR:",
1507 },
1508 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1509 name: "EmptyCertificateList-TLS13",
1510 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1511 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1512 Bugs: ProtocolBugs{
1513 EmptyCertificateList: true,
1514 },
1515 },
1516 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1517 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1518 },
1519 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1520 name: "TLSFatalBadPackets",
1521 damageFirstWrite: true,
1522 shouldFail: true,
1523 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1524 },
1525 {
1526 protocol: dtls,
1527 name: "DTLSIgnoreBadPackets",
1528 damageFirstWrite: true,
1529 },
1530 {
1531 protocol: dtls,
1532 name: "DTLSIgnoreBadPackets-Async",
1533 damageFirstWrite: true,
1534 flags: []string{"-async"},
1535 },
1536 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1537 name: "AppDataBeforeHandshake",
1538 config: Config{
1539 Bugs: ProtocolBugs{
1540 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1541 },
1542 },
1543 shouldFail: true,
1544 expectedError: ":UNEXPECTED_RECORD:",
1545 },
1546 {
1547 name: "AppDataBeforeHandshake-Empty",
1548 config: Config{
1549 Bugs: ProtocolBugs{
1550 AppDataBeforeHandshake: []byte{},
1551 },
1552 },
1553 shouldFail: true,
1554 expectedError: ":UNEXPECTED_RECORD:",
1555 },
1556 {
1557 protocol: dtls,
1558 name: "AppDataBeforeHandshake-DTLS",
1559 config: Config{
1560 Bugs: ProtocolBugs{
1561 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1562 },
1563 },
1564 shouldFail: true,
1565 expectedError: ":UNEXPECTED_RECORD:",
1566 },
1567 {
1568 protocol: dtls,
1569 name: "AppDataBeforeHandshake-DTLS-Empty",
1570 config: Config{
1571 Bugs: ProtocolBugs{
1572 AppDataBeforeHandshake: []byte{},
1573 },
1574 },
1575 shouldFail: true,
1576 expectedError: ":UNEXPECTED_RECORD:",
1577 },
1578 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 name: "AppDataAfterChangeCipherSpec",
1580 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1581 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1582 Bugs: ProtocolBugs{
1583 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1584 },
1585 },
1586 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1587 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1588 },
1589 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1590 name: "AppDataAfterChangeCipherSpec-Empty",
1591 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1592 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1593 Bugs: ProtocolBugs{
1594 AppDataAfterChangeCipherSpec: []byte{},
1595 },
1596 },
1597 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1598 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1599 },
1600 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1601 protocol: dtls,
1602 name: "AppDataAfterChangeCipherSpec-DTLS",
1603 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1604 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1605 Bugs: ProtocolBugs{
1606 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1607 },
1608 },
1609 // BoringSSL's DTLS implementation will drop the out-of-order
1610 // application data.
1611 },
1612 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1613 protocol: dtls,
1614 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1615 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1616 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1617 Bugs: ProtocolBugs{
1618 AppDataAfterChangeCipherSpec: []byte{},
1619 },
1620 },
1621 // BoringSSL's DTLS implementation will drop the out-of-order
1622 // application data.
1623 },
1624 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1625 name: "AlertAfterChangeCipherSpec",
1626 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1627 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1628 Bugs: ProtocolBugs{
1629 AlertAfterChangeCipherSpec: alertRecordOverflow,
1630 },
1631 },
1632 shouldFail: true,
1633 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1634 },
1635 {
1636 protocol: dtls,
1637 name: "AlertAfterChangeCipherSpec-DTLS",
1638 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1639 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1640 Bugs: ProtocolBugs{
1641 AlertAfterChangeCipherSpec: alertRecordOverflow,
1642 },
1643 },
1644 shouldFail: true,
1645 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1646 },
1647 {
1648 protocol: dtls,
1649 name: "ReorderHandshakeFragments-Small-DTLS",
1650 config: Config{
1651 Bugs: ProtocolBugs{
1652 ReorderHandshakeFragments: true,
1653 // Small enough that every handshake message is
1654 // fragmented.
1655 MaxHandshakeRecordLength: 2,
1656 },
1657 },
1658 },
1659 {
1660 protocol: dtls,
1661 name: "ReorderHandshakeFragments-Large-DTLS",
1662 config: Config{
1663 Bugs: ProtocolBugs{
1664 ReorderHandshakeFragments: true,
1665 // Large enough that no handshake message is
1666 // fragmented.
1667 MaxHandshakeRecordLength: 2048,
1668 },
1669 },
1670 },
1671 {
1672 protocol: dtls,
1673 name: "MixCompleteMessageWithFragments-DTLS",
1674 config: Config{
1675 Bugs: ProtocolBugs{
1676 ReorderHandshakeFragments: true,
1677 MixCompleteMessageWithFragments: true,
1678 MaxHandshakeRecordLength: 2,
1679 },
1680 },
1681 },
1682 {
1683 name: "SendInvalidRecordType",
1684 config: Config{
1685 Bugs: ProtocolBugs{
1686 SendInvalidRecordType: true,
1687 },
1688 },
1689 shouldFail: true,
1690 expectedError: ":UNEXPECTED_RECORD:",
1691 },
1692 {
1693 protocol: dtls,
1694 name: "SendInvalidRecordType-DTLS",
1695 config: Config{
1696 Bugs: ProtocolBugs{
1697 SendInvalidRecordType: true,
1698 },
1699 },
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 name: "FalseStart-SkipServerSecondLeg",
1705 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1706 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1708 NextProtos: []string{"foo"},
1709 Bugs: ProtocolBugs{
1710 SkipNewSessionTicket: true,
1711 SkipChangeCipherSpec: true,
1712 SkipFinished: true,
1713 ExpectFalseStart: true,
1714 },
1715 },
1716 flags: []string{
1717 "-false-start",
1718 "-handshake-never-done",
1719 "-advertise-alpn", "\x03foo",
1720 },
1721 shimWritesFirst: true,
1722 shouldFail: true,
1723 expectedError: ":UNEXPECTED_RECORD:",
1724 },
1725 {
1726 name: "FalseStart-SkipServerSecondLeg-Implicit",
1727 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1728 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1729 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1730 NextProtos: []string{"foo"},
1731 Bugs: ProtocolBugs{
1732 SkipNewSessionTicket: true,
1733 SkipChangeCipherSpec: true,
1734 SkipFinished: true,
1735 },
1736 },
1737 flags: []string{
1738 "-implicit-handshake",
1739 "-false-start",
1740 "-handshake-never-done",
1741 "-advertise-alpn", "\x03foo",
1742 },
1743 shouldFail: true,
1744 expectedError: ":UNEXPECTED_RECORD:",
1745 },
1746 {
1747 testType: serverTest,
1748 name: "FailEarlyCallback",
1749 flags: []string{"-fail-early-callback"},
1750 shouldFail: true,
1751 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1752 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1753 },
1754 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1755 name: "FailCertCallback-Client-TLS12",
1756 config: Config{
1757 MaxVersion: VersionTLS12,
1758 ClientAuth: RequestClientCert,
1759 },
1760 flags: []string{"-fail-cert-callback"},
1761 shouldFail: true,
1762 expectedError: ":CERT_CB_ERROR:",
1763 expectedLocalError: "remote error: internal error",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailCertCallback-Server-TLS12",
1768 config: Config{
1769 MaxVersion: VersionTLS12,
1770 },
1771 flags: []string{"-fail-cert-callback"},
1772 shouldFail: true,
1773 expectedError: ":CERT_CB_ERROR:",
1774 expectedLocalError: "remote error: internal error",
1775 },
1776 {
1777 name: "FailCertCallback-Client-TLS13",
1778 config: Config{
1779 MaxVersion: VersionTLS13,
1780 ClientAuth: RequestClientCert,
1781 },
1782 flags: []string{"-fail-cert-callback"},
1783 shouldFail: true,
1784 expectedError: ":CERT_CB_ERROR:",
1785 expectedLocalError: "remote error: internal error",
1786 },
1787 {
1788 testType: serverTest,
1789 name: "FailCertCallback-Server-TLS13",
1790 config: Config{
1791 MaxVersion: VersionTLS13,
1792 },
1793 flags: []string{"-fail-cert-callback"},
1794 shouldFail: true,
1795 expectedError: ":CERT_CB_ERROR:",
1796 expectedLocalError: "remote error: internal error",
1797 },
1798 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1799 protocol: dtls,
1800 name: "FragmentMessageTypeMismatch-DTLS",
1801 config: Config{
1802 Bugs: ProtocolBugs{
1803 MaxHandshakeRecordLength: 2,
1804 FragmentMessageTypeMismatch: true,
1805 },
1806 },
1807 shouldFail: true,
1808 expectedError: ":FRAGMENT_MISMATCH:",
1809 },
1810 {
1811 protocol: dtls,
1812 name: "FragmentMessageLengthMismatch-DTLS",
1813 config: Config{
1814 Bugs: ProtocolBugs{
1815 MaxHandshakeRecordLength: 2,
1816 FragmentMessageLengthMismatch: true,
1817 },
1818 },
1819 shouldFail: true,
1820 expectedError: ":FRAGMENT_MISMATCH:",
1821 },
1822 {
1823 protocol: dtls,
1824 name: "SplitFragments-Header-DTLS",
1825 config: Config{
1826 Bugs: ProtocolBugs{
1827 SplitFragments: 2,
1828 },
1829 },
1830 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1831 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1832 },
1833 {
1834 protocol: dtls,
1835 name: "SplitFragments-Boundary-DTLS",
1836 config: Config{
1837 Bugs: ProtocolBugs{
1838 SplitFragments: dtlsRecordHeaderLen,
1839 },
1840 },
1841 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1842 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1843 },
1844 {
1845 protocol: dtls,
1846 name: "SplitFragments-Body-DTLS",
1847 config: Config{
1848 Bugs: ProtocolBugs{
1849 SplitFragments: dtlsRecordHeaderLen + 1,
1850 },
1851 },
1852 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1853 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1854 },
1855 {
1856 protocol: dtls,
1857 name: "SendEmptyFragments-DTLS",
1858 config: Config{
1859 Bugs: ProtocolBugs{
1860 SendEmptyFragments: true,
1861 },
1862 },
1863 },
1864 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1865 name: "BadFinished-Client",
1866 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1867 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1868 Bugs: ProtocolBugs{
1869 BadFinished: true,
1870 },
1871 },
1872 shouldFail: true,
1873 expectedError: ":DIGEST_CHECK_FAILED:",
1874 },
1875 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1876 name: "BadFinished-Client-TLS13",
1877 config: Config{
1878 MaxVersion: VersionTLS13,
1879 Bugs: ProtocolBugs{
1880 BadFinished: true,
1881 },
1882 },
1883 shouldFail: true,
1884 expectedError: ":DIGEST_CHECK_FAILED:",
1885 },
1886 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1887 testType: serverTest,
1888 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1889 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1890 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1891 Bugs: ProtocolBugs{
1892 BadFinished: true,
1893 },
1894 },
1895 shouldFail: true,
1896 expectedError: ":DIGEST_CHECK_FAILED:",
1897 },
1898 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1899 testType: serverTest,
1900 name: "BadFinished-Server-TLS13",
1901 config: Config{
1902 MaxVersion: VersionTLS13,
1903 Bugs: ProtocolBugs{
1904 BadFinished: true,
1905 },
1906 },
1907 shouldFail: true,
1908 expectedError: ":DIGEST_CHECK_FAILED:",
1909 },
1910 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1911 name: "FalseStart-BadFinished",
1912 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1913 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1914 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1915 NextProtos: []string{"foo"},
1916 Bugs: ProtocolBugs{
1917 BadFinished: true,
1918 ExpectFalseStart: true,
1919 },
1920 },
1921 flags: []string{
1922 "-false-start",
1923 "-handshake-never-done",
1924 "-advertise-alpn", "\x03foo",
1925 },
1926 shimWritesFirst: true,
1927 shouldFail: true,
1928 expectedError: ":DIGEST_CHECK_FAILED:",
1929 },
1930 {
1931 name: "NoFalseStart-NoALPN",
1932 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1933 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1934 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1935 Bugs: ProtocolBugs{
1936 ExpectFalseStart: true,
1937 AlertBeforeFalseStartTest: alertAccessDenied,
1938 },
1939 },
1940 flags: []string{
1941 "-false-start",
1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1946 expectedLocalError: "tls: peer did not false start: EOF",
1947 },
1948 {
1949 name: "NoFalseStart-NoAEAD",
1950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1951 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1952 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1953 NextProtos: []string{"foo"},
1954 Bugs: ProtocolBugs{
1955 ExpectFalseStart: true,
1956 AlertBeforeFalseStartTest: alertAccessDenied,
1957 },
1958 },
1959 flags: []string{
1960 "-false-start",
1961 "-advertise-alpn", "\x03foo",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-RSA",
1970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1971 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1972 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1989 protocol: dtls,
1990 name: "SendSplitAlert-Sync",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 },
1997 {
1998 protocol: dtls,
1999 name: "SendSplitAlert-Async",
2000 config: Config{
2001 Bugs: ProtocolBugs{
2002 SendSplitAlert: true,
2003 },
2004 },
2005 flags: []string{"-async"},
2006 },
2007 {
2008 protocol: dtls,
2009 name: "PackDTLSHandshake",
2010 config: Config{
2011 Bugs: ProtocolBugs{
2012 MaxHandshakeRecordLength: 2,
2013 PackHandshakeFragments: 20,
2014 PackHandshakeRecords: 200,
2015 },
2016 },
2017 },
2018 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2019 name: "SendEmptyRecords-Pass",
2020 sendEmptyRecords: 32,
2021 },
2022 {
2023 name: "SendEmptyRecords",
2024 sendEmptyRecords: 33,
2025 shouldFail: true,
2026 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2027 },
2028 {
2029 name: "SendEmptyRecords-Async",
2030 sendEmptyRecords: 33,
2031 flags: []string{"-async"},
2032 shouldFail: true,
2033 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2034 },
2035 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2036 name: "SendWarningAlerts-Pass",
2037 config: Config{
2038 MaxVersion: VersionTLS12,
2039 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2040 sendWarningAlerts: 4,
2041 },
2042 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2043 protocol: dtls,
2044 name: "SendWarningAlerts-DTLS-Pass",
2045 config: Config{
2046 MaxVersion: VersionTLS12,
2047 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2048 sendWarningAlerts: 4,
2049 },
2050 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2051 name: "SendWarningAlerts-TLS13",
2052 config: Config{
2053 MaxVersion: VersionTLS13,
2054 },
2055 sendWarningAlerts: 4,
2056 shouldFail: true,
2057 expectedError: ":BAD_ALERT:",
2058 expectedLocalError: "remote error: error decoding message",
2059 },
2060 {
2061 name: "SendWarningAlerts",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 shouldFail: true,
2067 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2068 },
2069 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2070 name: "SendWarningAlerts-Async",
2071 config: Config{
2072 MaxVersion: VersionTLS12,
2073 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2074 sendWarningAlerts: 5,
2075 flags: []string{"-async"},
2076 shouldFail: true,
2077 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2078 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2079 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2080 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2081 config: Config{
2082 MaxVersion: VersionTLS13,
2083 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2084 sendKeyUpdates: 33,
2085 keyUpdateRequest: keyUpdateNotRequested,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2088 },
2089 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2090 name: "EmptySessionID",
2091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2092 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2093 SessionTicketsDisabled: true,
2094 },
2095 noSessionCache: true,
2096 flags: []string{"-expect-no-session"},
2097 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2098 {
2099 name: "Unclean-Shutdown",
2100 config: Config{
2101 Bugs: ProtocolBugs{
2102 NoCloseNotify: true,
2103 ExpectCloseNotify: true,
2104 },
2105 },
2106 shimShutsDown: true,
2107 flags: []string{"-check-close-notify"},
2108 shouldFail: true,
2109 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2110 },
2111 {
2112 name: "Unclean-Shutdown-Ignored",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 NoCloseNotify: true,
2116 },
2117 },
2118 shimShutsDown: true,
2119 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2120 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2121 name: "Unclean-Shutdown-Alert",
2122 config: Config{
2123 Bugs: ProtocolBugs{
2124 SendAlertOnShutdown: alertDecompressionFailure,
2125 ExpectCloseNotify: true,
2126 },
2127 },
2128 shimShutsDown: true,
2129 flags: []string{"-check-close-notify"},
2130 shouldFail: true,
2131 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2132 },
2133 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2134 name: "LargePlaintext",
2135 config: Config{
2136 Bugs: ProtocolBugs{
2137 SendLargeRecords: true,
2138 },
2139 },
2140 messageLen: maxPlaintext + 1,
2141 shouldFail: true,
2142 expectedError: ":DATA_LENGTH_TOO_LONG:",
2143 },
2144 {
2145 protocol: dtls,
2146 name: "LargePlaintext-DTLS",
2147 config: Config{
2148 Bugs: ProtocolBugs{
2149 SendLargeRecords: true,
2150 },
2151 },
2152 messageLen: maxPlaintext + 1,
2153 shouldFail: true,
2154 expectedError: ":DATA_LENGTH_TOO_LONG:",
2155 },
2156 {
2157 name: "LargeCiphertext",
2158 config: Config{
2159 Bugs: ProtocolBugs{
2160 SendLargeRecords: true,
2161 },
2162 },
2163 messageLen: maxPlaintext * 2,
2164 shouldFail: true,
2165 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2166 },
2167 {
2168 protocol: dtls,
2169 name: "LargeCiphertext-DTLS",
2170 config: Config{
2171 Bugs: ProtocolBugs{
2172 SendLargeRecords: true,
2173 },
2174 },
2175 messageLen: maxPlaintext * 2,
2176 // Unlike the other four cases, DTLS drops records which
2177 // are invalid before authentication, so the connection
2178 // does not fail.
2179 expectMessageDropped: true,
2180 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2181 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2182 name: "BadHelloRequest-1",
2183 renegotiate: 1,
2184 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2185 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2186 Bugs: ProtocolBugs{
2187 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2188 },
2189 },
2190 flags: []string{
2191 "-renegotiate-freely",
2192 "-expect-total-renegotiations", "1",
2193 },
2194 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2195 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2196 },
2197 {
2198 name: "BadHelloRequest-2",
2199 renegotiate: 1,
2200 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2201 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2202 Bugs: ProtocolBugs{
2203 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2204 },
2205 },
2206 flags: []string{
2207 "-renegotiate-freely",
2208 "-expect-total-renegotiations", "1",
2209 },
2210 shouldFail: true,
2211 expectedError: ":BAD_HELLO_REQUEST:",
2212 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2213 {
2214 testType: serverTest,
2215 name: "SupportTicketsWithSessionID",
2216 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2217 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2218 SessionTicketsDisabled: true,
2219 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2220 resumeConfig: &Config{
2221 MaxVersion: VersionTLS12,
2222 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2223 resumeSession: true,
2224 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2225 {
2226 protocol: dtls,
2227 name: "DTLS-SendExtraFinished",
2228 config: Config{
2229 Bugs: ProtocolBugs{
2230 SendExtraFinished: true,
2231 },
2232 },
2233 shouldFail: true,
2234 expectedError: ":UNEXPECTED_RECORD:",
2235 },
2236 {
2237 protocol: dtls,
2238 name: "DTLS-SendExtraFinished-Reordered",
2239 config: Config{
2240 Bugs: ProtocolBugs{
2241 MaxHandshakeRecordLength: 2,
2242 ReorderHandshakeFragments: true,
2243 SendExtraFinished: true,
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":UNEXPECTED_RECORD:",
2248 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 {
2250 testType: serverTest,
2251 name: "V2ClientHello-EmptyRecordPrefix",
2252 config: Config{
2253 // Choose a cipher suite that does not involve
2254 // elliptic curves, so no extensions are
2255 // involved.
2256 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2257 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2258 Bugs: ProtocolBugs{
2259 SendV2ClientHello: true,
2260 },
2261 },
2262 sendPrefix: string([]byte{
2263 byte(recordTypeHandshake),
2264 3, 1, // version
2265 0, 0, // length
2266 }),
2267 // A no-op empty record may not be sent before V2ClientHello.
2268 shouldFail: true,
2269 expectedError: ":WRONG_VERSION_NUMBER:",
2270 },
2271 {
2272 testType: serverTest,
2273 name: "V2ClientHello-WarningAlertPrefix",
2274 config: Config{
2275 // Choose a cipher suite that does not involve
2276 // elliptic curves, so no extensions are
2277 // involved.
2278 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2279 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2280 Bugs: ProtocolBugs{
2281 SendV2ClientHello: true,
2282 },
2283 },
2284 sendPrefix: string([]byte{
2285 byte(recordTypeAlert),
2286 3, 1, // version
2287 0, 2, // length
2288 alertLevelWarning, byte(alertDecompressionFailure),
2289 }),
2290 // A no-op warning alert may not be sent before V2ClientHello.
2291 shouldFail: true,
2292 expectedError: ":WRONG_VERSION_NUMBER:",
2293 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2295 name: "KeyUpdate-Client",
2296 config: Config{
2297 MaxVersion: VersionTLS13,
2298 },
2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 testType: serverTest,
2304 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2305 config: Config{
2306 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2307 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2308 sendKeyUpdates: 1,
2309 keyUpdateRequest: keyUpdateNotRequested,
2310 },
2311 {
2312 name: "KeyUpdate-InvalidRequestMode",
2313 config: Config{
2314 MaxVersion: VersionTLS13,
2315 },
2316 sendKeyUpdates: 1,
2317 keyUpdateRequest: 42,
2318 shouldFail: true,
2319 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2320 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2321 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2322 // Test that KeyUpdates are acknowledged properly.
2323 name: "KeyUpdate-RequestACK",
2324 config: Config{
2325 MaxVersion: VersionTLS13,
2326 Bugs: ProtocolBugs{
2327 RejectUnsolicitedKeyUpdate: true,
2328 },
2329 },
2330 // Test the shim receiving many KeyUpdates in a row.
2331 sendKeyUpdates: 5,
2332 messageCount: 5,
2333 keyUpdateRequest: keyUpdateRequested,
2334 },
2335 {
2336 // Test that KeyUpdates are acknowledged properly if the
2337 // peer's KeyUpdate is discovered while a write is
2338 // pending.
2339 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2340 config: Config{
2341 MaxVersion: VersionTLS13,
2342 Bugs: ProtocolBugs{
2343 RejectUnsolicitedKeyUpdate: true,
2344 },
2345 },
2346 // Test the shim receiving many KeyUpdates in a row.
2347 sendKeyUpdates: 5,
2348 messageCount: 5,
2349 keyUpdateRequest: keyUpdateRequested,
2350 readWithUnfinishedWrite: true,
2351 flags: []string{"-async"},
2352 },
2353 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2354 name: "SendSNIWarningAlert",
2355 config: Config{
2356 MaxVersion: VersionTLS12,
2357 Bugs: ProtocolBugs{
2358 SendSNIWarningAlert: true,
2359 },
2360 },
2361 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2362 {
2363 testType: serverTest,
2364 name: "ExtraCompressionMethods-TLS12",
2365 config: Config{
2366 MaxVersion: VersionTLS12,
2367 Bugs: ProtocolBugs{
2368 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2369 },
2370 },
2371 },
2372 {
2373 testType: serverTest,
2374 name: "ExtraCompressionMethods-TLS13",
2375 config: Config{
2376 MaxVersion: VersionTLS13,
2377 Bugs: ProtocolBugs{
2378 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2379 },
2380 },
2381 shouldFail: true,
2382 expectedError: ":INVALID_COMPRESSION_LIST:",
2383 expectedLocalError: "remote error: illegal parameter",
2384 },
2385 {
2386 testType: serverTest,
2387 name: "NoNullCompression-TLS12",
2388 config: Config{
2389 MaxVersion: VersionTLS12,
2390 Bugs: ProtocolBugs{
2391 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2392 },
2393 },
2394 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2395 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2396 expectedLocalError: "remote error: illegal parameter",
2397 },
2398 {
2399 testType: serverTest,
2400 name: "NoNullCompression-TLS13",
2401 config: Config{
2402 MaxVersion: VersionTLS13,
2403 Bugs: ProtocolBugs{
2404 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2405 },
2406 },
2407 shouldFail: true,
2408 expectedError: ":INVALID_COMPRESSION_LIST:",
2409 expectedLocalError: "remote error: illegal parameter",
2410 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2411 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2412 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2413 config: Config{
2414 MaxVersion: VersionTLS12,
2415 Bugs: ProtocolBugs{
2416 ExpectGREASE: true,
2417 },
2418 },
2419 flags: []string{"-enable-grease"},
2420 },
2421 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2422 name: "GREASE-Client-TLS13",
2423 config: Config{
2424 MaxVersion: VersionTLS13,
2425 Bugs: ProtocolBugs{
2426 ExpectGREASE: true,
2427 },
2428 },
2429 flags: []string{"-enable-grease"},
2430 },
2431 {
2432 testType: serverTest,
2433 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2434 config: Config{
2435 MaxVersion: VersionTLS13,
2436 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2437 // TLS 1.3 servers are expected to
2438 // always enable GREASE. TLS 1.3 is new,
2439 // so there is no existing ecosystem to
2440 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2441 ExpectGREASE: true,
2442 },
2443 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2444 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2445 {
2446 // Test the server so there is a large certificate as
2447 // well as application data.
2448 testType: serverTest,
2449 name: "MaxSendFragment",
2450 config: Config{
2451 Bugs: ProtocolBugs{
2452 MaxReceivePlaintext: 512,
2453 },
2454 },
2455 messageLen: 1024,
2456 flags: []string{
2457 "-max-send-fragment", "512",
2458 "-read-size", "1024",
2459 },
2460 },
2461 {
2462 // Test the server so there is a large certificate as
2463 // well as application data.
2464 testType: serverTest,
2465 name: "MaxSendFragment-TooLarge",
2466 config: Config{
2467 Bugs: ProtocolBugs{
2468 // Ensure that some of the records are
2469 // 512.
2470 MaxReceivePlaintext: 511,
2471 },
2472 },
2473 messageLen: 1024,
2474 flags: []string{
2475 "-max-send-fragment", "512",
2476 "-read-size", "1024",
2477 },
2478 shouldFail: true,
2479 expectedLocalError: "local error: record overflow",
2480 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2481 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2482 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2483
2484 // Test that very large messages can be received.
2485 cert := rsaCertificate
2486 for i := 0; i < 50; i++ {
2487 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2488 }
2489 testCases = append(testCases, testCase{
2490 name: "LargeMessage",
2491 config: Config{
2492 Certificates: []Certificate{cert},
2493 },
2494 })
2495 testCases = append(testCases, testCase{
2496 protocol: dtls,
2497 name: "LargeMessage-DTLS",
2498 config: Config{
2499 Certificates: []Certificate{cert},
2500 },
2501 })
2502
2503 // They are rejected if the maximum certificate chain length is capped.
2504 testCases = append(testCases, testCase{
2505 name: "LargeMessage-Reject",
2506 config: Config{
2507 Certificates: []Certificate{cert},
2508 },
2509 flags: []string{"-max-cert-list", "16384"},
2510 shouldFail: true,
2511 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2512 })
2513 testCases = append(testCases, testCase{
2514 protocol: dtls,
2515 name: "LargeMessage-Reject-DTLS",
2516 config: Config{
2517 Certificates: []Certificate{cert},
2518 },
2519 flags: []string{"-max-cert-list", "16384"},
2520 shouldFail: true,
2521 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2522 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2523}
2524
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2525func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2526 const psk = "12345"
2527 const pskIdentity = "luggage combo"
2528
2529 var prefix string
2530 if protocol == dtls {
2531 if !ver.hasDTLS {
2532 return
2533 }
2534 prefix = "D"
2535 }
2536
2537 var cert Certificate
2538 var certFile string
2539 var keyFile string
2540 if hasComponent(suite.name, "ECDSA") {
2541 cert = ecdsaP256Certificate
2542 certFile = ecdsaP256CertificateFile
2543 keyFile = ecdsaP256KeyFile
2544 } else {
2545 cert = rsaCertificate
2546 certFile = rsaCertificateFile
2547 keyFile = rsaKeyFile
2548 }
2549
2550 var flags []string
2551 if hasComponent(suite.name, "PSK") {
2552 flags = append(flags,
2553 "-psk", psk,
2554 "-psk-identity", pskIdentity)
2555 }
2556 if hasComponent(suite.name, "NULL") {
2557 // NULL ciphers must be explicitly enabled.
2558 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2559 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2560
2561 var shouldServerFail, shouldClientFail bool
2562 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2563 // BoringSSL clients accept ECDHE on SSLv3, but
2564 // a BoringSSL server will never select it
2565 // because the extension is missing.
2566 shouldServerFail = true
2567 }
2568 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2569 shouldClientFail = true
2570 shouldServerFail = true
2571 }
2572 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2573 shouldClientFail = true
2574 shouldServerFail = true
2575 }
2576 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2577 shouldClientFail = true
2578 shouldServerFail = true
2579 }
2580 if !isDTLSCipher(suite.name) && protocol == dtls {
2581 shouldClientFail = true
2582 shouldServerFail = true
2583 }
2584
2585 var sendCipherSuite uint16
2586 var expectedServerError, expectedClientError string
2587 serverCipherSuites := []uint16{suite.id}
2588 if shouldServerFail {
2589 expectedServerError = ":NO_SHARED_CIPHER:"
2590 }
2591 if shouldClientFail {
2592 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2593 // Configure the server to select ciphers as normal but
2594 // select an incompatible cipher in ServerHello.
2595 serverCipherSuites = nil
2596 sendCipherSuite = suite.id
2597 }
2598
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2599 // For cipher suites and versions where exporters are defined, verify
2600 // that they interoperate.
2601 var exportKeyingMaterial int
2602 if ver.version > VersionSSL30 {
2603 exportKeyingMaterial = 1024
2604 }
2605
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2606 testCases = append(testCases, testCase{
2607 testType: serverTest,
2608 protocol: protocol,
2609 name: prefix + ver.name + "-" + suite.name + "-server",
2610 config: Config{
2611 MinVersion: ver.version,
2612 MaxVersion: ver.version,
2613 CipherSuites: []uint16{suite.id},
2614 Certificates: []Certificate{cert},
2615 PreSharedKey: []byte(psk),
2616 PreSharedKeyIdentity: pskIdentity,
2617 Bugs: ProtocolBugs{
2618 AdvertiseAllConfiguredCiphers: true,
2619 },
2620 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2621 certFile: certFile,
2622 keyFile: keyFile,
2623 flags: flags,
2624 resumeSession: true,
2625 shouldFail: shouldServerFail,
2626 expectedError: expectedServerError,
2627 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2628 })
2629
2630 testCases = append(testCases, testCase{
2631 testType: clientTest,
2632 protocol: protocol,
2633 name: prefix + ver.name + "-" + suite.name + "-client",
2634 config: Config{
2635 MinVersion: ver.version,
2636 MaxVersion: ver.version,
2637 CipherSuites: serverCipherSuites,
2638 Certificates: []Certificate{cert},
2639 PreSharedKey: []byte(psk),
2640 PreSharedKeyIdentity: pskIdentity,
2641 Bugs: ProtocolBugs{
2642 IgnorePeerCipherPreferences: shouldClientFail,
2643 SendCipherSuite: sendCipherSuite,
2644 },
2645 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2646 flags: flags,
2647 resumeSession: true,
2648 shouldFail: shouldClientFail,
2649 expectedError: expectedClientError,
2650 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2651 })
2652
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2653 if shouldClientFail {
2654 return
2655 }
2656
2657 // Ensure the maximum record size is accepted.
2658 testCases = append(testCases, testCase{
2659 protocol: protocol,
2660 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2661 config: Config{
2662 MinVersion: ver.version,
2663 MaxVersion: ver.version,
2664 CipherSuites: []uint16{suite.id},
2665 Certificates: []Certificate{cert},
2666 PreSharedKey: []byte(psk),
2667 PreSharedKeyIdentity: pskIdentity,
2668 },
2669 flags: flags,
2670 messageLen: maxPlaintext,
2671 })
2672
2673 // Test bad records for all ciphers. Bad records are fatal in TLS
2674 // and ignored in DTLS.
2675 var shouldFail bool
2676 var expectedError string
2677 if protocol == tls {
2678 shouldFail = true
2679 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2680 }
2681
2682 testCases = append(testCases, testCase{
2683 protocol: protocol,
2684 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2685 config: Config{
2686 MinVersion: ver.version,
2687 MaxVersion: ver.version,
2688 CipherSuites: []uint16{suite.id},
2689 Certificates: []Certificate{cert},
2690 PreSharedKey: []byte(psk),
2691 PreSharedKeyIdentity: pskIdentity,
2692 },
2693 flags: flags,
2694 damageFirstWrite: true,
2695 messageLen: maxPlaintext,
2696 shouldFail: shouldFail,
2697 expectedError: expectedError,
2698 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2699}
2700
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2701func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2702 const bogusCipher = 0xfe00
2703
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2704 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2705 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2706 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2707 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2708 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2709 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2710 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2711
2712 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2713 name: "NoSharedCipher",
2714 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2715 MaxVersion: VersionTLS12,
2716 CipherSuites: []uint16{},
2717 },
2718 shouldFail: true,
2719 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2720 })
2721
2722 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2723 name: "NoSharedCipher-TLS13",
2724 config: Config{
2725 MaxVersion: VersionTLS13,
2726 CipherSuites: []uint16{},
2727 },
2728 shouldFail: true,
2729 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2730 })
2731
2732 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2733 name: "UnsupportedCipherSuite",
2734 config: Config{
2735 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2736 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2737 Bugs: ProtocolBugs{
2738 IgnorePeerCipherPreferences: true,
2739 },
2740 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2741 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2742 shouldFail: true,
2743 expectedError: ":WRONG_CIPHER_RETURNED:",
2744 })
2745
2746 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2747 name: "ServerHelloBogusCipher",
2748 config: Config{
2749 MaxVersion: VersionTLS12,
2750 Bugs: ProtocolBugs{
2751 SendCipherSuite: bogusCipher,
2752 },
2753 },
2754 shouldFail: true,
2755 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2756 })
2757 testCases = append(testCases, testCase{
2758 name: "ServerHelloBogusCipher-TLS13",
2759 config: Config{
2760 MaxVersion: VersionTLS13,
2761 Bugs: ProtocolBugs{
2762 SendCipherSuite: bogusCipher,
2763 },
2764 },
2765 shouldFail: true,
2766 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2767 })
2768
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2769 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2770 testCases = append(testCases, testCase{
2771 testType: serverTest,
2772 name: "UnknownCipher",
2773 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2774 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2775 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2776 Bugs: ProtocolBugs{
2777 AdvertiseAllConfiguredCiphers: true,
2778 },
2779 },
2780 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2781
2782 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2783 testCases = append(testCases, testCase{
2784 testType: serverTest,
2785 name: "UnknownCipher-TLS13",
2786 config: Config{
2787 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2788 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2789 Bugs: ProtocolBugs{
2790 AdvertiseAllConfiguredCiphers: true,
2791 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2792 },
2793 })
2794
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2795 // Test empty ECDHE_PSK identity hints work as expected.
2796 testCases = append(testCases, testCase{
2797 name: "EmptyECDHEPSKHint",
2798 config: Config{
2799 MaxVersion: VersionTLS12,
2800 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2801 PreSharedKey: []byte("secret"),
2802 },
2803 flags: []string{"-psk", "secret"},
2804 })
2805
2806 // Test empty PSK identity hints work as expected, even if an explicit
2807 // ServerKeyExchange is sent.
2808 testCases = append(testCases, testCase{
2809 name: "ExplicitEmptyPSKHint",
2810 config: Config{
2811 MaxVersion: VersionTLS12,
2812 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2813 PreSharedKey: []byte("secret"),
2814 Bugs: ProtocolBugs{
2815 AlwaysSendPreSharedKeyIdentityHint: true,
2816 },
2817 },
2818 flags: []string{"-psk", "secret"},
2819 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2820
2821 // Test that clients enforce that the server-sent certificate and cipher
2822 // suite match in TLS 1.2.
2823 testCases = append(testCases, testCase{
2824 name: "CertificateCipherMismatch-RSA",
2825 config: Config{
2826 MaxVersion: VersionTLS12,
2827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2828 Certificates: []Certificate{rsaCertificate},
2829 Bugs: ProtocolBugs{
2830 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2831 },
2832 },
2833 shouldFail: true,
2834 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2835 })
2836 testCases = append(testCases, testCase{
2837 name: "CertificateCipherMismatch-ECDSA",
2838 config: Config{
2839 MaxVersion: VersionTLS12,
2840 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2841 Certificates: []Certificate{ecdsaP256Certificate},
2842 Bugs: ProtocolBugs{
2843 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2844 },
2845 },
2846 shouldFail: true,
2847 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2848 })
2849 testCases = append(testCases, testCase{
2850 name: "CertificateCipherMismatch-Ed25519",
2851 config: Config{
2852 MaxVersion: VersionTLS12,
2853 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2854 Certificates: []Certificate{ed25519Certificate},
2855 Bugs: ProtocolBugs{
2856 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2857 },
2858 },
2859 shouldFail: true,
2860 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2861 })
2862
2863 // Test that servers decline to select a cipher suite which is
2864 // inconsistent with their configured certificate.
2865 testCases = append(testCases, testCase{
2866 testType: serverTest,
2867 name: "ServerCipherFilter-RSA",
2868 config: Config{
2869 MaxVersion: VersionTLS12,
2870 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2871 },
2872 flags: []string{
2873 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2874 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2875 },
2876 shouldFail: true,
2877 expectedError: ":NO_SHARED_CIPHER:",
2878 })
2879 testCases = append(testCases, testCase{
2880 testType: serverTest,
2881 name: "ServerCipherFilter-ECDSA",
2882 config: Config{
2883 MaxVersion: VersionTLS12,
2884 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2885 },
2886 flags: []string{
2887 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2888 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2889 },
2890 shouldFail: true,
2891 expectedError: ":NO_SHARED_CIPHER:",
2892 })
2893 testCases = append(testCases, testCase{
2894 testType: serverTest,
2895 name: "ServerCipherFilter-Ed25519",
2896 config: Config{
2897 MaxVersion: VersionTLS12,
2898 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2899 },
2900 flags: []string{
2901 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2902 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2903 },
2904 shouldFail: true,
2905 expectedError: ":NO_SHARED_CIPHER:",
2906 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2907}
2908
2909func addBadECDSASignatureTests() {
2910 for badR := BadValue(1); badR < NumBadValues; badR++ {
2911 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2912 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2913 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2914 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2915 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2916 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2917 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2918 Bugs: ProtocolBugs{
2919 BadECDSAR: badR,
2920 BadECDSAS: badS,
2921 },
2922 },
2923 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2924 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2925 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2926 testCases = append(testCases, testCase{
2927 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2928 config: Config{
2929 MaxVersion: VersionTLS13,
2930 Certificates: []Certificate{ecdsaP256Certificate},
2931 Bugs: ProtocolBugs{
2932 BadECDSAR: badR,
2933 BadECDSAS: badS,
2934 },
2935 },
2936 shouldFail: true,
2937 expectedError: ":BAD_SIGNATURE:",
2938 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2939 }
2940 }
2941}
2942
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2943func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2944 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2945 name: "MaxCBCPadding",
2946 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2947 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2948 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2949 Bugs: ProtocolBugs{
2950 MaxPadding: true,
2951 },
2952 },
2953 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2954 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2955 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2956 name: "BadCBCPadding",
2957 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2958 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2959 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2960 Bugs: ProtocolBugs{
2961 PaddingFirstByteBad: true,
2962 },
2963 },
2964 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2965 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2966 })
2967 // OpenSSL previously had an issue where the first byte of padding in
2968 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2969 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2970 name: "BadCBCPadding255",
2971 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2972 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2973 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2974 Bugs: ProtocolBugs{
2975 MaxPadding: true,
2976 PaddingFirstByteBadIf255: true,
2977 },
2978 },
2979 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2980 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2981 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2982 })
2983}
2984
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2985func addCBCSplittingTests() {
2986 testCases = append(testCases, testCase{
2987 name: "CBCRecordSplitting",
2988 config: Config{
2989 MaxVersion: VersionTLS10,
2990 MinVersion: VersionTLS10,
2991 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2992 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2993 messageLen: -1, // read until EOF
2994 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2995 flags: []string{
2996 "-async",
2997 "-write-different-record-sizes",
2998 "-cbc-record-splitting",
2999 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3000 })
3001 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3002 name: "CBCRecordSplittingPartialWrite",
3003 config: Config{
3004 MaxVersion: VersionTLS10,
3005 MinVersion: VersionTLS10,
3006 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3007 },
3008 messageLen: -1, // read until EOF
3009 flags: []string{
3010 "-async",
3011 "-write-different-record-sizes",
3012 "-cbc-record-splitting",
3013 "-partial-write",
3014 },
3015 })
3016}
3017
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3018func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3019 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3020 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3021 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3022 cert, err := x509.ParseCertificate(cert.Certificate[0])
3023 if err != nil {
3024 panic(err)
3025 }
3026 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3027 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3028 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3029
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3030 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3031 testCases = append(testCases, testCase{
3032 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3033 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3034 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3035 MinVersion: ver.version,
3036 MaxVersion: ver.version,
3037 ClientAuth: RequireAnyClientCert,
3038 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3039 },
3040 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3041 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3042 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3043 },
3044 })
3045 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3046 testType: serverTest,
3047 name: ver.name + "-Server-ClientAuth-RSA",
3048 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3049 MinVersion: ver.version,
3050 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3051 Certificates: []Certificate{rsaCertificate},
3052 },
3053 flags: []string{"-require-any-client-certificate"},
3054 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3055 if ver.version != VersionSSL30 {
3056 testCases = append(testCases, testCase{
3057 testType: serverTest,
3058 name: ver.name + "-Server-ClientAuth-ECDSA",
3059 config: Config{
3060 MinVersion: ver.version,
3061 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3062 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3063 },
3064 flags: []string{"-require-any-client-certificate"},
3065 })
3066 testCases = append(testCases, testCase{
3067 testType: clientTest,
3068 name: ver.name + "-Client-ClientAuth-ECDSA",
3069 config: Config{
3070 MinVersion: ver.version,
3071 MaxVersion: ver.version,
3072 ClientAuth: RequireAnyClientCert,
3073 ClientCAs: certPool,
3074 },
3075 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3076 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3077 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3078 },
3079 })
3080 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3081
3082 testCases = append(testCases, testCase{
3083 name: "NoClientCertificate-" + ver.name,
3084 config: Config{
3085 MinVersion: ver.version,
3086 MaxVersion: ver.version,
3087 ClientAuth: RequireAnyClientCert,
3088 },
3089 shouldFail: true,
3090 expectedLocalError: "client didn't provide a certificate",
3091 })
3092
3093 testCases = append(testCases, testCase{
3094 // Even if not configured to expect a certificate, OpenSSL will
3095 // return X509_V_OK as the verify_result.
3096 testType: serverTest,
3097 name: "NoClientCertificateRequested-Server-" + ver.name,
3098 config: Config{
3099 MinVersion: ver.version,
3100 MaxVersion: ver.version,
3101 },
3102 flags: []string{
3103 "-expect-verify-result",
3104 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3105 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3106 })
3107
3108 testCases = append(testCases, testCase{
3109 // If a client certificate is not provided, OpenSSL will still
3110 // return X509_V_OK as the verify_result.
3111 testType: serverTest,
3112 name: "NoClientCertificate-Server-" + ver.name,
3113 config: Config{
3114 MinVersion: ver.version,
3115 MaxVersion: ver.version,
3116 },
3117 flags: []string{
3118 "-expect-verify-result",
3119 "-verify-peer",
3120 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3121 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3122 })
3123
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3124 certificateRequired := "remote error: certificate required"
3125 if ver.version < VersionTLS13 {
3126 // Prior to TLS 1.3, the generic handshake_failure alert
3127 // was used.
3128 certificateRequired = "remote error: handshake failure"
3129 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3130 testCases = append(testCases, testCase{
3131 testType: serverTest,
3132 name: "RequireAnyClientCertificate-" + ver.name,
3133 config: Config{
3134 MinVersion: ver.version,
3135 MaxVersion: ver.version,
3136 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3137 flags: []string{"-require-any-client-certificate"},
3138 shouldFail: true,
3139 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3140 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3141 })
3142
3143 if ver.version != VersionSSL30 {
3144 testCases = append(testCases, testCase{
3145 testType: serverTest,
3146 name: "SkipClientCertificate-" + ver.name,
3147 config: Config{
3148 MinVersion: ver.version,
3149 MaxVersion: ver.version,
3150 Bugs: ProtocolBugs{
3151 SkipClientCertificate: true,
3152 },
3153 },
3154 // Setting SSL_VERIFY_PEER allows anonymous clients.
3155 flags: []string{"-verify-peer"},
3156 shouldFail: true,
3157 expectedError: ":UNEXPECTED_MESSAGE:",
3158 })
3159 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3160
3161 testCases = append(testCases, testCase{
3162 testType: serverTest,
3163 name: ver.name + "-Server-CertReq-CA-List",
3164 config: Config{
3165 MinVersion: ver.version,
3166 MaxVersion: ver.version,
3167 Certificates: []Certificate{rsaCertificate},
3168 Bugs: ProtocolBugs{
3169 ExpectCertificateReqNames: caNames,
3170 },
3171 },
3172 flags: []string{
3173 "-require-any-client-certificate",
3174 "-use-client-ca-list", encodeDERValues(caNames),
3175 },
3176 })
3177
3178 testCases = append(testCases, testCase{
3179 testType: clientTest,
3180 name: ver.name + "-Client-CertReq-CA-List",
3181 config: Config{
3182 MinVersion: ver.version,
3183 MaxVersion: ver.version,
3184 Certificates: []Certificate{rsaCertificate},
3185 ClientAuth: RequireAnyClientCert,
3186 ClientCAs: certPool,
3187 },
3188 flags: []string{
3189 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3190 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3191 "-expect-client-ca-list", encodeDERValues(caNames),
3192 },
3193 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3194 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3195
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3196 // Client auth is only legal in certificate-based ciphers.
3197 testCases = append(testCases, testCase{
3198 testType: clientTest,
3199 name: "ClientAuth-PSK",
3200 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3201 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3202 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3203 PreSharedKey: []byte("secret"),
3204 ClientAuth: RequireAnyClientCert,
3205 },
3206 flags: []string{
3207 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3208 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3209 "-psk", "secret",
3210 },
3211 shouldFail: true,
3212 expectedError: ":UNEXPECTED_MESSAGE:",
3213 })
3214 testCases = append(testCases, testCase{
3215 testType: clientTest,
3216 name: "ClientAuth-ECDHE_PSK",
3217 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3218 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3219 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3220 PreSharedKey: []byte("secret"),
3221 ClientAuth: RequireAnyClientCert,
3222 },
3223 flags: []string{
3224 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3225 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3226 "-psk", "secret",
3227 },
3228 shouldFail: true,
3229 expectedError: ":UNEXPECTED_MESSAGE:",
3230 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3231
3232 // Regression test for a bug where the client CA list, if explicitly
3233 // set to NULL, was mis-encoded.
3234 testCases = append(testCases, testCase{
3235 testType: serverTest,
3236 name: "Null-Client-CA-List",
3237 config: Config{
3238 MaxVersion: VersionTLS12,
3239 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3240 Bugs: ProtocolBugs{
3241 ExpectCertificateReqNames: [][]byte{},
3242 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3243 },
3244 flags: []string{
3245 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3246 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3247 },
3248 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3249}
3250
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3251func addExtendedMasterSecretTests() {
3252 const expectEMSFlag = "-expect-extended-master-secret"
3253
3254 for _, with := range []bool{false, true} {
3255 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3256 if with {
3257 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3258 }
3259
3260 for _, isClient := range []bool{false, true} {
3261 suffix := "-Server"
3262 testType := serverTest
3263 if isClient {
3264 suffix = "-Client"
3265 testType = clientTest
3266 }
3267
3268 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3269 // In TLS 1.3, the extension is irrelevant and
3270 // always reports as enabled.
3271 var flags []string
3272 if with || ver.version >= VersionTLS13 {
3273 flags = []string{expectEMSFlag}
3274 }
3275
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3276 test := testCase{
3277 testType: testType,
3278 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3279 config: Config{
3280 MinVersion: ver.version,
3281 MaxVersion: ver.version,
3282 Bugs: ProtocolBugs{
3283 NoExtendedMasterSecret: !with,
3284 RequireExtendedMasterSecret: with,
3285 },
3286 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3287 flags: flags,
3288 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3289 }
3290 if test.shouldFail {
3291 test.expectedLocalError = "extended master secret required but not supported by peer"
3292 }
3293 testCases = append(testCases, test)
3294 }
3295 }
3296 }
3297
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3298 for _, isClient := range []bool{false, true} {
3299 for _, supportedInFirstConnection := range []bool{false, true} {
3300 for _, supportedInResumeConnection := range []bool{false, true} {
3301 boolToWord := func(b bool) string {
3302 if b {
3303 return "Yes"
3304 }
3305 return "No"
3306 }
3307 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3308 if isClient {
3309 suffix += "Client"
3310 } else {
3311 suffix += "Server"
3312 }
3313
3314 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3315 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3316 Bugs: ProtocolBugs{
3317 RequireExtendedMasterSecret: true,
3318 },
3319 }
3320
3321 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3322 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3323 Bugs: ProtocolBugs{
3324 NoExtendedMasterSecret: true,
3325 },
3326 }
3327
3328 test := testCase{
3329 name: "ExtendedMasterSecret-" + suffix,
3330 resumeSession: true,
3331 }
3332
3333 if !isClient {
3334 test.testType = serverTest
3335 }
3336
3337 if supportedInFirstConnection {
3338 test.config = supportedConfig
3339 } else {
3340 test.config = noSupportConfig
3341 }
3342
3343 if supportedInResumeConnection {
3344 test.resumeConfig = &supportedConfig
3345 } else {
3346 test.resumeConfig = &noSupportConfig
3347 }
3348
3349 switch suffix {
3350 case "YesToYes-Client", "YesToYes-Server":
3351 // When a session is resumed, it should
3352 // still be aware that its master
3353 // secret was generated via EMS and
3354 // thus it's safe to use tls-unique.
3355 test.flags = []string{expectEMSFlag}
3356 case "NoToYes-Server":
3357 // If an original connection did not
3358 // contain EMS, but a resumption
3359 // handshake does, then a server should
3360 // not resume the session.
3361 test.expectResumeRejected = true
3362 case "YesToNo-Server":
3363 // Resuming an EMS session without the
3364 // EMS extension should cause the
3365 // server to abort the connection.
3366 test.shouldFail = true
3367 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3368 case "NoToYes-Client":
3369 // A client should abort a connection
3370 // where the server resumed a non-EMS
3371 // session but echoed the EMS
3372 // extension.
3373 test.shouldFail = true
3374 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3375 case "YesToNo-Client":
3376 // A client should abort a connection
3377 // where the server didn't echo EMS
3378 // when the session used it.
3379 test.shouldFail = true
3380 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3381 }
3382
3383 testCases = append(testCases, test)
3384 }
3385 }
3386 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3387
3388 // Switching EMS on renegotiation is forbidden.
3389 testCases = append(testCases, testCase{
3390 name: "ExtendedMasterSecret-Renego-NoEMS",
3391 config: Config{
3392 MaxVersion: VersionTLS12,
3393 Bugs: ProtocolBugs{
3394 NoExtendedMasterSecret: true,
3395 NoExtendedMasterSecretOnRenegotiation: true,
3396 },
3397 },
3398 renegotiate: 1,
3399 flags: []string{
3400 "-renegotiate-freely",
3401 "-expect-total-renegotiations", "1",
3402 },
3403 })
3404
3405 testCases = append(testCases, testCase{
3406 name: "ExtendedMasterSecret-Renego-Upgrade",
3407 config: Config{
3408 MaxVersion: VersionTLS12,
3409 Bugs: ProtocolBugs{
3410 NoExtendedMasterSecret: true,
3411 },
3412 },
3413 renegotiate: 1,
3414 flags: []string{
3415 "-renegotiate-freely",
3416 "-expect-total-renegotiations", "1",
3417 },
3418 shouldFail: true,
3419 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3420 })
3421
3422 testCases = append(testCases, testCase{
3423 name: "ExtendedMasterSecret-Renego-Downgrade",
3424 config: Config{
3425 MaxVersion: VersionTLS12,
3426 Bugs: ProtocolBugs{
3427 NoExtendedMasterSecretOnRenegotiation: true,
3428 },
3429 },
3430 renegotiate: 1,
3431 flags: []string{
3432 "-renegotiate-freely",
3433 "-expect-total-renegotiations", "1",
3434 },
3435 shouldFail: true,
3436 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3437 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3438}
3439
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3440type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3441 protocol protocol
3442 async bool
3443 splitHandshake bool
3444 packHandshakeFlight bool
3445 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3446}
3447
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3448// Adds tests that try to cover the range of the handshake state machine, under
3449// various conditions. Some of these are redundant with other tests, but they
3450// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3451func addAllStateMachineCoverageTests() {
3452 for _, async := range []bool{false, true} {
3453 for _, protocol := range []protocol{tls, dtls} {
3454 addStateMachineCoverageTests(stateMachineTestConfig{
3455 protocol: protocol,
3456 async: async,
3457 })
3458 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3459 protocol: protocol,
3460 async: async,
3461 implicitHandshake: true,
3462 })
3463 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3464 protocol: protocol,
3465 async: async,
3466 splitHandshake: true,
3467 })
3468 if protocol == tls {
3469 addStateMachineCoverageTests(stateMachineTestConfig{
3470 protocol: protocol,
3471 async: async,
3472 packHandshakeFlight: true,
3473 })
3474 }
3475 }
3476 }
3477}
3478
3479func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3480 var tests []testCase
3481
3482 // Basic handshake, with resumption. Client and server,
3483 // session ID and session ticket.
3484 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3485 name: "Basic-Client",
3486 config: Config{
3487 MaxVersion: VersionTLS12,
3488 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3489 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3490 // Ensure session tickets are used, not session IDs.
3491 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3492 })
3493 tests = append(tests, testCase{
3494 name: "Basic-Client-RenewTicket",
3495 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3496 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3497 Bugs: ProtocolBugs{
3498 RenewTicketOnResume: true,
3499 },
3500 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3501 flags: []string{"-expect-ticket-renewal"},
3502 resumeSession: true,
3503 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3504 })
3505 tests = append(tests, testCase{
3506 name: "Basic-Client-NoTicket",
3507 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3508 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3509 SessionTicketsDisabled: true,
3510 },
3511 resumeSession: true,
3512 })
3513 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3514 testType: serverTest,
3515 name: "Basic-Server",
3516 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3517 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3518 Bugs: ProtocolBugs{
3519 RequireSessionTickets: true,
3520 },
3521 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3522 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3523 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3524 })
3525 tests = append(tests, testCase{
3526 testType: serverTest,
3527 name: "Basic-Server-NoTickets",
3528 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3529 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3530 SessionTicketsDisabled: true,
3531 },
3532 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3533 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3534 })
3535 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3536 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3537 name: "Basic-Server-EarlyCallback",
3538 config: Config{
3539 MaxVersion: VersionTLS12,
3540 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3541 flags: []string{"-use-early-callback"},
3542 resumeSession: true,
3543 })
3544
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3545 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3546 if config.protocol == tls {
3547 tests = append(tests, testCase{
3548 name: "TLS13-1RTT-Client",
3549 config: Config{
3550 MaxVersion: VersionTLS13,
3551 MinVersion: VersionTLS13,
3552 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3553 resumeSession: true,
3554 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3555 })
3556
3557 tests = append(tests, testCase{
3558 testType: serverTest,
3559 name: "TLS13-1RTT-Server",
3560 config: Config{
3561 MaxVersion: VersionTLS13,
3562 MinVersion: VersionTLS13,
3563 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3564 resumeSession: true,
3565 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3566 // TLS 1.3 uses tickets, so the session should not be
3567 // cached statefully.
3568 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3569 })
3570
3571 tests = append(tests, testCase{
3572 name: "TLS13-HelloRetryRequest-Client",
3573 config: Config{
3574 MaxVersion: VersionTLS13,
3575 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3576 // P-384 requires a HelloRetryRequest against BoringSSL's default
3577 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3578 CurvePreferences: []CurveID{CurveP384},
3579 Bugs: ProtocolBugs{
3580 ExpectMissingKeyShare: true,
3581 },
3582 },
3583 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3584 resumeSession: true,
3585 })
3586
3587 tests = append(tests, testCase{
3588 testType: serverTest,
3589 name: "TLS13-HelloRetryRequest-Server",
3590 config: Config{
3591 MaxVersion: VersionTLS13,
3592 MinVersion: VersionTLS13,
3593 // Require a HelloRetryRequest for every curve.
3594 DefaultCurves: []CurveID{},
3595 },
3596 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3597 resumeSession: true,
3598 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3599
3600 // TODO(svaldez): Send data on early data once implemented.
3601 tests = append(tests, testCase{
3602 testType: clientTest,
3603 name: "TLS13-EarlyData-Client",
3604 config: Config{
3605 MaxVersion: VersionTLS13,
3606 MinVersion: VersionTLS13,
3607 MaxEarlyDataSize: 16384,
3608 },
3609 resumeSession: true,
3610 flags: []string{
3611 "-enable-early-data",
3612 "-expect-early-data-info",
3613 "-expect-accept-early-data",
3614 },
3615 })
3616
3617 tests = append(tests, testCase{
3618 testType: serverTest,
3619 name: "TLS13-EarlyData-Server",
3620 config: Config{
3621 MaxVersion: VersionTLS13,
3622 MinVersion: VersionTLS13,
3623 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3624 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3625 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3626 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3627 },
3628 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3629 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3630 resumeSession: true,
3631 flags: []string{
3632 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3633 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3634 },
3635 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3636 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3637
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3638 // TLS client auth.
3639 tests = append(tests, testCase{
3640 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3641 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3642 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3643 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3644 ClientAuth: RequestClientCert,
3645 },
3646 })
3647 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3648 testType: serverTest,
3649 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3650 config: Config{
3651 MaxVersion: VersionTLS12,
3652 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3653 // Setting SSL_VERIFY_PEER allows anonymous clients.
3654 flags: []string{"-verify-peer"},
3655 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3656 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3657 tests = append(tests, testCase{
3658 testType: clientTest,
3659 name: "ClientAuth-NoCertificate-Client-SSL3",
3660 config: Config{
3661 MaxVersion: VersionSSL30,
3662 ClientAuth: RequestClientCert,
3663 },
3664 })
3665 tests = append(tests, testCase{
3666 testType: serverTest,
3667 name: "ClientAuth-NoCertificate-Server-SSL3",
3668 config: Config{
3669 MaxVersion: VersionSSL30,
3670 },
3671 // Setting SSL_VERIFY_PEER allows anonymous clients.
3672 flags: []string{"-verify-peer"},
3673 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3674 tests = append(tests, testCase{
3675 testType: clientTest,
3676 name: "ClientAuth-NoCertificate-Client-TLS13",
3677 config: Config{
3678 MaxVersion: VersionTLS13,
3679 ClientAuth: RequestClientCert,
3680 },
3681 })
3682 tests = append(tests, testCase{
3683 testType: serverTest,
3684 name: "ClientAuth-NoCertificate-Server-TLS13",
3685 config: Config{
3686 MaxVersion: VersionTLS13,
3687 },
3688 // Setting SSL_VERIFY_PEER allows anonymous clients.
3689 flags: []string{"-verify-peer"},
3690 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3691 }
3692 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3693 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3694 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3695 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3696 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3697 ClientAuth: RequireAnyClientCert,
3698 },
3699 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3700 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3701 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3702 },
3703 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3704 tests = append(tests, testCase{
3705 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3706 name: "ClientAuth-RSA-Client-TLS13",
3707 config: Config{
3708 MaxVersion: VersionTLS13,
3709 ClientAuth: RequireAnyClientCert,
3710 },
3711 flags: []string{
3712 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3713 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3714 },
3715 })
3716 tests = append(tests, testCase{
3717 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3718 name: "ClientAuth-ECDSA-Client",
3719 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3720 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3721 ClientAuth: RequireAnyClientCert,
3722 },
3723 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3724 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3725 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3726 },
3727 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3728 tests = append(tests, testCase{
3729 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3730 name: "ClientAuth-ECDSA-Client-TLS13",
3731 config: Config{
3732 MaxVersion: VersionTLS13,
3733 ClientAuth: RequireAnyClientCert,
3734 },
3735 flags: []string{
3736 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3737 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3738 },
3739 })
3740 tests = append(tests, testCase{
3741 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3742 name: "ClientAuth-NoCertificate-OldCallback",
3743 config: Config{
3744 MaxVersion: VersionTLS12,
3745 ClientAuth: RequestClientCert,
3746 },
3747 flags: []string{"-use-old-client-cert-callback"},
3748 })
3749 tests = append(tests, testCase{
3750 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3751 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3752 config: Config{
3753 MaxVersion: VersionTLS13,
3754 ClientAuth: RequestClientCert,
3755 },
3756 flags: []string{"-use-old-client-cert-callback"},
3757 })
3758 tests = append(tests, testCase{
3759 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3760 name: "ClientAuth-OldCallback",
3761 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3762 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3763 ClientAuth: RequireAnyClientCert,
3764 },
3765 flags: []string{
3766 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3767 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3768 "-use-old-client-cert-callback",
3769 },
3770 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3771 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3772 testType: clientTest,
3773 name: "ClientAuth-OldCallback-TLS13",
3774 config: Config{
3775 MaxVersion: VersionTLS13,
3776 ClientAuth: RequireAnyClientCert,
3777 },
3778 flags: []string{
3779 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3780 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3781 "-use-old-client-cert-callback",
3782 },
3783 })
3784 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3785 testType: serverTest,
3786 name: "ClientAuth-Server",
3787 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3788 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3789 Certificates: []Certificate{rsaCertificate},
3790 },
3791 flags: []string{"-require-any-client-certificate"},
3792 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3793 tests = append(tests, testCase{
3794 testType: serverTest,
3795 name: "ClientAuth-Server-TLS13",
3796 config: Config{
3797 MaxVersion: VersionTLS13,
3798 Certificates: []Certificate{rsaCertificate},
3799 },
3800 flags: []string{"-require-any-client-certificate"},
3801 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3802
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3803 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3804 tests = append(tests, testCase{
3805 testType: serverTest,
3806 name: "Basic-Server-RSA",
3807 config: Config{
3808 MaxVersion: VersionTLS12,
3809 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3810 },
3811 flags: []string{
3812 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3813 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3814 },
3815 })
3816 tests = append(tests, testCase{
3817 testType: serverTest,
3818 name: "Basic-Server-ECDHE-RSA",
3819 config: Config{
3820 MaxVersion: VersionTLS12,
3821 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3822 },
3823 flags: []string{
3824 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3825 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3826 },
3827 })
3828 tests = append(tests, testCase{
3829 testType: serverTest,
3830 name: "Basic-Server-ECDHE-ECDSA",
3831 config: Config{
3832 MaxVersion: VersionTLS12,
3833 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3834 },
3835 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3836 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3837 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3838 },
3839 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3840 tests = append(tests, testCase{
3841 testType: serverTest,
3842 name: "Basic-Server-Ed25519",
3843 config: Config{
3844 MaxVersion: VersionTLS12,
3845 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3846 },
3847 flags: []string{
3848 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3849 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3850 "-enable-ed25519",
3851 },
3852 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3853
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3854 // No session ticket support; server doesn't send NewSessionTicket.
3855 tests = append(tests, testCase{
3856 name: "SessionTicketsDisabled-Client",
3857 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3858 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3859 SessionTicketsDisabled: true,
3860 },
3861 })
3862 tests = append(tests, testCase{
3863 testType: serverTest,
3864 name: "SessionTicketsDisabled-Server",
3865 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3866 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3867 SessionTicketsDisabled: true,
3868 },
3869 })
3870
3871 // Skip ServerKeyExchange in PSK key exchange if there's no
3872 // identity hint.
3873 tests = append(tests, testCase{
3874 name: "EmptyPSKHint-Client",
3875 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3876 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3877 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3878 PreSharedKey: []byte("secret"),
3879 },
3880 flags: []string{"-psk", "secret"},
3881 })
3882 tests = append(tests, testCase{
3883 testType: serverTest,
3884 name: "EmptyPSKHint-Server",
3885 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3886 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3887 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3888 PreSharedKey: []byte("secret"),
3889 },
3890 flags: []string{"-psk", "secret"},
3891 })
3892
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3893 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3894 tests = append(tests, testCase{
3895 testType: clientTest,
3896 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3897 config: Config{
3898 MaxVersion: VersionTLS12,
3899 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3900 flags: []string{
3901 "-enable-ocsp-stapling",
3902 "-expect-ocsp-response",
3903 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3904 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3905 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3906 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3907 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3908 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3909 testType: serverTest,
3910 name: "OCSPStapling-Server",
3911 config: Config{
3912 MaxVersion: VersionTLS12,
3913 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3914 expectedOCSPResponse: testOCSPResponse,
3915 flags: []string{
3916 "-ocsp-response",
3917 base64.StdEncoding.EncodeToString(testOCSPResponse),
3918 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3919 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3920 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3921 tests = append(tests, testCase{
3922 testType: clientTest,
3923 name: "OCSPStapling-Client-TLS13",
3924 config: Config{
3925 MaxVersion: VersionTLS13,
3926 },
3927 flags: []string{
3928 "-enable-ocsp-stapling",
3929 "-expect-ocsp-response",
3930 base64.StdEncoding.EncodeToString(testOCSPResponse),
3931 "-verify-peer",
3932 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3933 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3934 })
3935 tests = append(tests, testCase{
3936 testType: serverTest,
3937 name: "OCSPStapling-Server-TLS13",
3938 config: Config{
3939 MaxVersion: VersionTLS13,
3940 },
3941 expectedOCSPResponse: testOCSPResponse,
3942 flags: []string{
3943 "-ocsp-response",
3944 base64.StdEncoding.EncodeToString(testOCSPResponse),
3945 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3946 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3947 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3948
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3949 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3950 for _, vers := range tlsVersions {
3951 if config.protocol == dtls && !vers.hasDTLS {
3952 continue
3953 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3954 for _, testType := range []testType{clientTest, serverTest} {
3955 suffix := "-Client"
3956 if testType == serverTest {
3957 suffix = "-Server"
3958 }
3959 suffix += "-" + vers.name
3960
3961 flag := "-verify-peer"
3962 if testType == serverTest {
3963 flag = "-require-any-client-certificate"
3964 }
3965
3966 tests = append(tests, testCase{
3967 testType: testType,
3968 name: "CertificateVerificationSucceed" + suffix,
3969 config: Config{
3970 MaxVersion: vers.version,
3971 Certificates: []Certificate{rsaCertificate},
3972 },
3973 flags: []string{
3974 flag,
3975 "-expect-verify-result",
3976 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3977 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3978 })
3979 tests = append(tests, testCase{
3980 testType: testType,
3981 name: "CertificateVerificationFail" + suffix,
3982 config: Config{
3983 MaxVersion: vers.version,
3984 Certificates: []Certificate{rsaCertificate},
3985 },
3986 flags: []string{
3987 flag,
3988 "-verify-fail",
3989 },
3990 shouldFail: true,
3991 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3992 })
3993 }
3994
3995 // By default, the client is in a soft fail mode where the peer
3996 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3997 tests = append(tests, testCase{
3998 testType: clientTest,
3999 name: "CertificateVerificationSoftFail-" + vers.name,
4000 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4001 MaxVersion: vers.version,
4002 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4003 },
4004 flags: []string{
4005 "-verify-fail",
4006 "-expect-verify-result",
4007 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4008 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4009 })
4010 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4011
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4012 tests = append(tests, testCase{
4013 name: "ShimSendAlert",
4014 flags: []string{"-send-alert"},
4015 shimWritesFirst: true,
4016 shouldFail: true,
4017 expectedLocalError: "remote error: decompression failure",
4018 })
4019
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4020 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4021 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4022 name: "Renegotiate-Client",
4023 config: Config{
4024 MaxVersion: VersionTLS12,
4025 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4026 renegotiate: 1,
4027 flags: []string{
4028 "-renegotiate-freely",
4029 "-expect-total-renegotiations", "1",
4030 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4031 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4032
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4033 tests = append(tests, testCase{
4034 name: "SendHalfHelloRequest",
4035 config: Config{
4036 MaxVersion: VersionTLS12,
4037 Bugs: ProtocolBugs{
4038 PackHelloRequestWithFinished: config.packHandshakeFlight,
4039 },
4040 },
4041 sendHalfHelloRequest: true,
4042 flags: []string{"-renegotiate-ignore"},
4043 shouldFail: true,
4044 expectedError: ":UNEXPECTED_RECORD:",
4045 })
4046
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4047 // NPN on client and server; results in post-handshake message.
4048 tests = append(tests, testCase{
4049 name: "NPN-Client",
4050 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4051 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4052 NextProtos: []string{"foo"},
4053 },
4054 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4055 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4056 expectedNextProto: "foo",
4057 expectedNextProtoType: npn,
4058 })
4059 tests = append(tests, testCase{
4060 testType: serverTest,
4061 name: "NPN-Server",
4062 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4063 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4064 NextProtos: []string{"bar"},
4065 },
4066 flags: []string{
4067 "-advertise-npn", "\x03foo\x03bar\x03baz",
4068 "-expect-next-proto", "bar",
4069 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4070 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4071 expectedNextProto: "bar",
4072 expectedNextProtoType: npn,
4073 })
4074
4075 // TODO(davidben): Add tests for when False Start doesn't trigger.
4076
4077 // Client does False Start and negotiates NPN.
4078 tests = append(tests, testCase{
4079 name: "FalseStart",
4080 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4081 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4082 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4083 NextProtos: []string{"foo"},
4084 Bugs: ProtocolBugs{
4085 ExpectFalseStart: true,
4086 },
4087 },
4088 flags: []string{
4089 "-false-start",
4090 "-select-next-proto", "foo",
4091 },
4092 shimWritesFirst: true,
4093 resumeSession: true,
4094 })
4095
4096 // Client does False Start and negotiates ALPN.
4097 tests = append(tests, testCase{
4098 name: "FalseStart-ALPN",
4099 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4100 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4101 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4102 NextProtos: []string{"foo"},
4103 Bugs: ProtocolBugs{
4104 ExpectFalseStart: true,
4105 },
4106 },
4107 flags: []string{
4108 "-false-start",
4109 "-advertise-alpn", "\x03foo",
4110 },
4111 shimWritesFirst: true,
4112 resumeSession: true,
4113 })
4114
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4115 // False Start without session tickets.
4116 tests = append(tests, testCase{
4117 name: "FalseStart-SessionTicketsDisabled",
4118 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4119 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4121 NextProtos: []string{"foo"},
4122 SessionTicketsDisabled: true,
4123 Bugs: ProtocolBugs{
4124 ExpectFalseStart: true,
4125 },
4126 },
4127 flags: []string{
4128 "-false-start",
4129 "-select-next-proto", "foo",
4130 },
4131 shimWritesFirst: true,
4132 })
4133
4134 // Server parses a V2ClientHello.
4135 tests = append(tests, testCase{
4136 testType: serverTest,
4137 name: "SendV2ClientHello",
4138 config: Config{
4139 // Choose a cipher suite that does not involve
4140 // elliptic curves, so no extensions are
4141 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4142 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4143 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4144 Bugs: ProtocolBugs{
4145 SendV2ClientHello: true,
4146 },
4147 },
4148 })
4149
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4150 // Test Channel ID
4151 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4152 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4153 continue
4154 }
4155 // Client sends a Channel ID.
4156 tests = append(tests, testCase{
4157 name: "ChannelID-Client-" + ver.name,
4158 config: Config{
4159 MaxVersion: ver.version,
4160 RequestChannelID: true,
4161 },
4162 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4163 resumeSession: true,
4164 expectChannelID: true,
4165 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4166
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4167 // Server accepts a Channel ID.
4168 tests = append(tests, testCase{
4169 testType: serverTest,
4170 name: "ChannelID-Server-" + ver.name,
4171 config: Config{
4172 MaxVersion: ver.version,
4173 ChannelID: channelIDKey,
4174 },
4175 flags: []string{
4176 "-expect-channel-id",
4177 base64.StdEncoding.EncodeToString(channelIDBytes),
4178 },
4179 resumeSession: true,
4180 expectChannelID: true,
4181 })
4182
4183 tests = append(tests, testCase{
4184 testType: serverTest,
4185 name: "InvalidChannelIDSignature-" + ver.name,
4186 config: Config{
4187 MaxVersion: ver.version,
4188 ChannelID: channelIDKey,
4189 Bugs: ProtocolBugs{
4190 InvalidChannelIDSignature: true,
4191 },
4192 },
4193 flags: []string{"-enable-channel-id"},
4194 shouldFail: true,
4195 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4196 })
4197 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4198
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4199 // Channel ID and NPN at the same time, to ensure their relative
4200 // ordering is correct.
4201 tests = append(tests, testCase{
4202 name: "ChannelID-NPN-Client",
4203 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4204 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4205 RequestChannelID: true,
4206 NextProtos: []string{"foo"},
4207 },
4208 flags: []string{
4209 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4210 "-select-next-proto", "foo",
4211 },
4212 resumeSession: true,
4213 expectChannelID: true,
4214 expectedNextProto: "foo",
4215 expectedNextProtoType: npn,
4216 })
4217 tests = append(tests, testCase{
4218 testType: serverTest,
4219 name: "ChannelID-NPN-Server",
4220 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4221 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4222 ChannelID: channelIDKey,
4223 NextProtos: []string{"bar"},
4224 },
4225 flags: []string{
4226 "-expect-channel-id",
4227 base64.StdEncoding.EncodeToString(channelIDBytes),
4228 "-advertise-npn", "\x03foo\x03bar\x03baz",
4229 "-expect-next-proto", "bar",
4230 },
4231 resumeSession: true,
4232 expectChannelID: true,
4233 expectedNextProto: "bar",
4234 expectedNextProtoType: npn,
4235 })
4236
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4237 // Bidirectional shutdown with the runner initiating.
4238 tests = append(tests, testCase{
4239 name: "Shutdown-Runner",
4240 config: Config{
4241 Bugs: ProtocolBugs{
4242 ExpectCloseNotify: true,
4243 },
4244 },
4245 flags: []string{"-check-close-notify"},
4246 })
4247
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4248 if !config.implicitHandshake {
4249 // Bidirectional shutdown with the shim initiating. The runner,
4250 // in the meantime, sends garbage before the close_notify which
4251 // the shim must ignore. This test is disabled under implicit
4252 // handshake tests because the shim never reads or writes.
4253 tests = append(tests, testCase{
4254 name: "Shutdown-Shim",
4255 config: Config{
4256 MaxVersion: VersionTLS12,
4257 Bugs: ProtocolBugs{
4258 ExpectCloseNotify: true,
4259 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4260 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4261 shimShutsDown: true,
4262 sendEmptyRecords: 1,
4263 sendWarningAlerts: 1,
4264 flags: []string{"-check-close-notify"},
4265 })
4266 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4267 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4268 // TODO(davidben): DTLS 1.3 will want a similar thing for
4269 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4270 tests = append(tests, testCase{
4271 name: "SkipHelloVerifyRequest",
4272 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4273 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4274 Bugs: ProtocolBugs{
4275 SkipHelloVerifyRequest: true,
4276 },
4277 },
4278 })
4279 }
4280
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4281 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4282 test.protocol = config.protocol
4283 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4284 test.name += "-DTLS"
4285 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4286 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4287 test.name += "-Async"
4288 test.flags = append(test.flags, "-async")
4289 } else {
4290 test.name += "-Sync"
4291 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4292 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4293 test.name += "-SplitHandshakeRecords"
4294 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4295 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4296 test.config.Bugs.MaxPacketLength = 256
4297 test.flags = append(test.flags, "-mtu", "256")
4298 }
4299 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4300 if config.packHandshakeFlight {
4301 test.name += "-PackHandshakeFlight"
4302 test.config.Bugs.PackHandshakeFlight = true
4303 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4304 if config.implicitHandshake {
4305 test.name += "-ImplicitHandshake"
4306 test.flags = append(test.flags, "-implicit-handshake")
4307 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4308 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4309 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4310}
4311
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4312func addDDoSCallbackTests() {
4313 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4314 for _, resume := range []bool{false, true} {
4315 suffix := "Resume"
4316 if resume {
4317 suffix = "No" + suffix
4318 }
4319
4320 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4321 testType: serverTest,
4322 name: "Server-DDoS-OK-" + suffix,
4323 config: Config{
4324 MaxVersion: VersionTLS12,
4325 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4326 flags: []string{"-install-ddos-callback"},
4327 resumeSession: resume,
4328 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4329 testCases = append(testCases, testCase{
4330 testType: serverTest,
4331 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4332 config: Config{
4333 MaxVersion: VersionTLS13,
4334 },
4335 flags: []string{"-install-ddos-callback"},
4336 resumeSession: resume,
4337 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4338
4339 failFlag := "-fail-ddos-callback"
4340 if resume {
4341 failFlag = "-fail-second-ddos-callback"
4342 }
4343 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4344 testType: serverTest,
4345 name: "Server-DDoS-Reject-" + suffix,
4346 config: Config{
4347 MaxVersion: VersionTLS12,
4348 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4349 flags: []string{"-install-ddos-callback", failFlag},
4350 resumeSession: resume,
4351 shouldFail: true,
4352 expectedError: ":CONNECTION_REJECTED:",
4353 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4354 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4355 testCases = append(testCases, testCase{
4356 testType: serverTest,
4357 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4358 config: Config{
4359 MaxVersion: VersionTLS13,
4360 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4361 flags: []string{"-install-ddos-callback", failFlag},
4362 resumeSession: resume,
4363 shouldFail: true,
4364 expectedError: ":CONNECTION_REJECTED:",
4365 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4366 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4367 }
4368}
4369
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4370func addVersionNegotiationTests() {
4371 for i, shimVers := range tlsVersions {
4372 // Assemble flags to disable all newer versions on the shim.
4373 var flags []string
4374 for _, vers := range tlsVersions[i+1:] {
4375 flags = append(flags, vers.flag)
4376 }
4377
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4378 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4379 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4380 protocols := []protocol{tls}
4381 if runnerVers.hasDTLS && shimVers.hasDTLS {
4382 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4383 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4384 for _, protocol := range protocols {
4385 expectedVersion := shimVers.version
4386 if runnerVers.version < shimVers.version {
4387 expectedVersion = runnerVers.version
4388 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4389
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4390 suffix := shimVers.name + "-" + runnerVers.name
4391 if protocol == dtls {
4392 suffix += "-DTLS"
4393 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4394
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4395 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4396
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4397 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4398 clientVers := shimVers.version
4399 if clientVers > VersionTLS10 {
4400 clientVers = VersionTLS10
4401 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4402 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4403 serverVers := expectedVersion
4404 if expectedVersion >= VersionTLS13 {
4405 serverVers = VersionTLS10
4406 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4407 serverVers = versionToWire(serverVers, protocol == dtls)
4408
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4409 testCases = append(testCases, testCase{
4410 protocol: protocol,
4411 testType: clientTest,
4412 name: "VersionNegotiation-Client-" + suffix,
4413 config: Config{
4414 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4415 Bugs: ProtocolBugs{
4416 ExpectInitialRecordVersion: clientVers,
4417 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4418 },
4419 flags: flags,
4420 expectedVersion: expectedVersion,
4421 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4422 testCases = append(testCases, testCase{
4423 protocol: protocol,
4424 testType: clientTest,
4425 name: "VersionNegotiation-Client2-" + suffix,
4426 config: Config{
4427 MaxVersion: runnerVers.version,
4428 Bugs: ProtocolBugs{
4429 ExpectInitialRecordVersion: clientVers,
4430 },
4431 },
4432 flags: []string{"-max-version", shimVersFlag},
4433 expectedVersion: expectedVersion,
4434 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4435
4436 testCases = append(testCases, testCase{
4437 protocol: protocol,
4438 testType: serverTest,
4439 name: "VersionNegotiation-Server-" + suffix,
4440 config: Config{
4441 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4442 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4443 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4444 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4445 },
4446 flags: flags,
4447 expectedVersion: expectedVersion,
4448 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4449 testCases = append(testCases, testCase{
4450 protocol: protocol,
4451 testType: serverTest,
4452 name: "VersionNegotiation-Server2-" + suffix,
4453 config: Config{
4454 MaxVersion: runnerVers.version,
4455 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4456 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4457 },
4458 },
4459 flags: []string{"-max-version", shimVersFlag},
4460 expectedVersion: expectedVersion,
4461 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4462 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4463 }
4464 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4465
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4466 // Test the version extension at all versions.
4467 for _, vers := range tlsVersions {
4468 protocols := []protocol{tls}
4469 if vers.hasDTLS {
4470 protocols = append(protocols, dtls)
4471 }
4472 for _, protocol := range protocols {
4473 suffix := vers.name
4474 if protocol == dtls {
4475 suffix += "-DTLS"
4476 }
4477
4478 wireVersion := versionToWire(vers.version, protocol == dtls)
4479 testCases = append(testCases, testCase{
4480 protocol: protocol,
4481 testType: serverTest,
4482 name: "VersionNegotiationExtension-" + suffix,
4483 config: Config{
4484 Bugs: ProtocolBugs{
4485 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4486 },
4487 },
4488 expectedVersion: vers.version,
4489 })
4490 }
4491
4492 }
4493
4494 // If all versions are unknown, negotiation fails.
4495 testCases = append(testCases, testCase{
4496 testType: serverTest,
4497 name: "NoSupportedVersions",
4498 config: Config{
4499 Bugs: ProtocolBugs{
4500 SendSupportedVersions: []uint16{0x1111},
4501 },
4502 },
4503 shouldFail: true,
4504 expectedError: ":UNSUPPORTED_PROTOCOL:",
4505 })
4506 testCases = append(testCases, testCase{
4507 protocol: dtls,
4508 testType: serverTest,
4509 name: "NoSupportedVersions-DTLS",
4510 config: Config{
4511 Bugs: ProtocolBugs{
4512 SendSupportedVersions: []uint16{0x1111},
4513 },
4514 },
4515 shouldFail: true,
4516 expectedError: ":UNSUPPORTED_PROTOCOL:",
4517 })
4518
4519 testCases = append(testCases, testCase{
4520 testType: serverTest,
4521 name: "ClientHelloVersionTooHigh",
4522 config: Config{
4523 MaxVersion: VersionTLS13,
4524 Bugs: ProtocolBugs{
4525 SendClientVersion: 0x0304,
4526 OmitSupportedVersions: true,
4527 },
4528 },
4529 expectedVersion: VersionTLS12,
4530 })
4531
4532 testCases = append(testCases, testCase{
4533 testType: serverTest,
4534 name: "ConflictingVersionNegotiation",
4535 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4536 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4537 SendClientVersion: VersionTLS12,
4538 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4539 },
4540 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4541 // The extension takes precedence over the ClientHello version.
4542 expectedVersion: VersionTLS11,
4543 })
4544
4545 testCases = append(testCases, testCase{
4546 testType: serverTest,
4547 name: "ConflictingVersionNegotiation-2",
4548 config: Config{
4549 Bugs: ProtocolBugs{
4550 SendClientVersion: VersionTLS11,
4551 SendSupportedVersions: []uint16{VersionTLS12},
4552 },
4553 },
4554 // The extension takes precedence over the ClientHello version.
4555 expectedVersion: VersionTLS12,
4556 })
4557
4558 testCases = append(testCases, testCase{
4559 testType: serverTest,
4560 name: "RejectFinalTLS13",
4561 config: Config{
4562 Bugs: ProtocolBugs{
4563 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4564 },
4565 },
4566 // We currently implement a draft TLS 1.3 version. Ensure that
4567 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4568 expectedVersion: VersionTLS12,
4569 })
4570
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4571 // Test that the maximum version is selected regardless of the
4572 // client-sent order.
4573 testCases = append(testCases, testCase{
4574 testType: serverTest,
4575 name: "IgnoreClientVersionOrder",
4576 config: Config{
4577 Bugs: ProtocolBugs{
4578 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4579 },
4580 },
4581 expectedVersion: VersionTLS13,
4582 })
4583
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4584 // Test for version tolerance.
4585 testCases = append(testCases, testCase{
4586 testType: serverTest,
4587 name: "MinorVersionTolerance",
4588 config: Config{
4589 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4590 SendClientVersion: 0x03ff,
4591 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4592 },
4593 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4594 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4595 })
4596 testCases = append(testCases, testCase{
4597 testType: serverTest,
4598 name: "MajorVersionTolerance",
4599 config: Config{
4600 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4601 SendClientVersion: 0x0400,
4602 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4603 },
4604 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4605 // TLS 1.3 must be negotiated with the supported_versions
4606 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4607 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4608 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4609 testCases = append(testCases, testCase{
4610 testType: serverTest,
4611 name: "VersionTolerance-TLS13",
4612 config: Config{
4613 Bugs: ProtocolBugs{
4614 // Although TLS 1.3 does not use
4615 // ClientHello.version, it still tolerates high
4616 // values there.
4617 SendClientVersion: 0x0400,
4618 },
4619 },
4620 expectedVersion: VersionTLS13,
4621 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4622
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4623 testCases = append(testCases, testCase{
4624 protocol: dtls,
4625 testType: serverTest,
4626 name: "MinorVersionTolerance-DTLS",
4627 config: Config{
4628 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4629 SendClientVersion: 0xfe00,
4630 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4631 },
4632 },
4633 expectedVersion: VersionTLS12,
4634 })
4635 testCases = append(testCases, testCase{
4636 protocol: dtls,
4637 testType: serverTest,
4638 name: "MajorVersionTolerance-DTLS",
4639 config: Config{
4640 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4641 SendClientVersion: 0xfdff,
4642 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4643 },
4644 },
4645 expectedVersion: VersionTLS12,
4646 })
4647
4648 // Test that versions below 3.0 are rejected.
4649 testCases = append(testCases, testCase{
4650 testType: serverTest,
4651 name: "VersionTooLow",
4652 config: Config{
4653 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4654 SendClientVersion: 0x0200,
4655 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4656 },
4657 },
4658 shouldFail: true,
4659 expectedError: ":UNSUPPORTED_PROTOCOL:",
4660 })
4661 testCases = append(testCases, testCase{
4662 protocol: dtls,
4663 testType: serverTest,
4664 name: "VersionTooLow-DTLS",
4665 config: Config{
4666 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4667 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4668 },
4669 },
4670 shouldFail: true,
4671 expectedError: ":UNSUPPORTED_PROTOCOL:",
4672 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4673
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4674 testCases = append(testCases, testCase{
4675 name: "ServerBogusVersion",
4676 config: Config{
4677 Bugs: ProtocolBugs{
4678 SendServerHelloVersion: 0x1234,
4679 },
4680 },
4681 shouldFail: true,
4682 expectedError: ":UNSUPPORTED_PROTOCOL:",
4683 })
4684
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4685 // Test TLS 1.3's downgrade signal.
4686 testCases = append(testCases, testCase{
4687 name: "Downgrade-TLS12-Client",
4688 config: Config{
4689 Bugs: ProtocolBugs{
4690 NegotiateVersion: VersionTLS12,
4691 },
4692 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4693 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4694 // TODO(davidben): This test should fail once TLS 1.3 is final
4695 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4696 })
4697 testCases = append(testCases, testCase{
4698 testType: serverTest,
4699 name: "Downgrade-TLS12-Server",
4700 config: Config{
4701 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4702 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4703 },
4704 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4705 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4706 // TODO(davidben): This test should fail once TLS 1.3 is final
4707 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4708 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4709}
4710
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4711func addMinimumVersionTests() {
4712 for i, shimVers := range tlsVersions {
4713 // Assemble flags to disable all older versions on the shim.
4714 var flags []string
4715 for _, vers := range tlsVersions[:i] {
4716 flags = append(flags, vers.flag)
4717 }
4718
4719 for _, runnerVers := range tlsVersions {
4720 protocols := []protocol{tls}
4721 if runnerVers.hasDTLS && shimVers.hasDTLS {
4722 protocols = append(protocols, dtls)
4723 }
4724 for _, protocol := range protocols {
4725 suffix := shimVers.name + "-" + runnerVers.name
4726 if protocol == dtls {
4727 suffix += "-DTLS"
4728 }
4729 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4730
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4731 var expectedVersion uint16
4732 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4733 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4734 if runnerVers.version >= shimVers.version {
4735 expectedVersion = runnerVers.version
4736 } else {
4737 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4738 expectedError = ":UNSUPPORTED_PROTOCOL:"
4739 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4740 }
4741
4742 testCases = append(testCases, testCase{
4743 protocol: protocol,
4744 testType: clientTest,
4745 name: "MinimumVersion-Client-" + suffix,
4746 config: Config{
4747 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4748 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4749 // Ensure the server does not decline to
4750 // select a version (versions extension) or
4751 // cipher (some ciphers depend on versions).
4752 NegotiateVersion: runnerVers.version,
4753 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4754 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4755 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4756 flags: flags,
4757 expectedVersion: expectedVersion,
4758 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4759 expectedError: expectedError,
4760 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4761 })
4762 testCases = append(testCases, testCase{
4763 protocol: protocol,
4764 testType: clientTest,
4765 name: "MinimumVersion-Client2-" + suffix,
4766 config: Config{
4767 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4768 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4769 // Ensure the server does not decline to
4770 // select a version (versions extension) or
4771 // cipher (some ciphers depend on versions).
4772 NegotiateVersion: runnerVers.version,
4773 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4774 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4775 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4776 flags: []string{"-min-version", shimVersFlag},
4777 expectedVersion: expectedVersion,
4778 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4779 expectedError: expectedError,
4780 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4781 })
4782
4783 testCases = append(testCases, testCase{
4784 protocol: protocol,
4785 testType: serverTest,
4786 name: "MinimumVersion-Server-" + suffix,
4787 config: Config{
4788 MaxVersion: runnerVers.version,
4789 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4790 flags: flags,
4791 expectedVersion: expectedVersion,
4792 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4793 expectedError: expectedError,
4794 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4795 })
4796 testCases = append(testCases, testCase{
4797 protocol: protocol,
4798 testType: serverTest,
4799 name: "MinimumVersion-Server2-" + suffix,
4800 config: Config{
4801 MaxVersion: runnerVers.version,
4802 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4803 flags: []string{"-min-version", shimVersFlag},
4804 expectedVersion: expectedVersion,
4805 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4806 expectedError: expectedError,
4807 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4808 })
4809 }
4810 }
4811 }
4812}
4813
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4814func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4815 // TODO(davidben): Extensions, where applicable, all move their server
4816 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4817 // tests for both. Also test interaction with 0-RTT when implemented.
4818
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4819 // Repeat extensions tests all versions except SSL 3.0.
4820 for _, ver := range tlsVersions {
4821 if ver.version == VersionSSL30 {
4822 continue
4823 }
4824
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4825 // Test that duplicate extensions are rejected.
4826 testCases = append(testCases, testCase{
4827 testType: clientTest,
4828 name: "DuplicateExtensionClient-" + ver.name,
4829 config: Config{
4830 MaxVersion: ver.version,
4831 Bugs: ProtocolBugs{
4832 DuplicateExtension: true,
4833 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4834 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4835 shouldFail: true,
4836 expectedLocalError: "remote error: error decoding message",
4837 })
4838 testCases = append(testCases, testCase{
4839 testType: serverTest,
4840 name: "DuplicateExtensionServer-" + ver.name,
4841 config: Config{
4842 MaxVersion: ver.version,
4843 Bugs: ProtocolBugs{
4844 DuplicateExtension: true,
4845 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4846 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4847 shouldFail: true,
4848 expectedLocalError: "remote error: error decoding message",
4849 })
4850
4851 // Test SNI.
4852 testCases = append(testCases, testCase{
4853 testType: clientTest,
4854 name: "ServerNameExtensionClient-" + ver.name,
4855 config: Config{
4856 MaxVersion: ver.version,
4857 Bugs: ProtocolBugs{
4858 ExpectServerName: "example.com",
4859 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4860 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4861 flags: []string{"-host-name", "example.com"},
4862 })
4863 testCases = append(testCases, testCase{
4864 testType: clientTest,
4865 name: "ServerNameExtensionClientMismatch-" + ver.name,
4866 config: Config{
4867 MaxVersion: ver.version,
4868 Bugs: ProtocolBugs{
4869 ExpectServerName: "mismatch.com",
4870 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4871 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4872 flags: []string{"-host-name", "example.com"},
4873 shouldFail: true,
4874 expectedLocalError: "tls: unexpected server name",
4875 })
4876 testCases = append(testCases, testCase{
4877 testType: clientTest,
4878 name: "ServerNameExtensionClientMissing-" + ver.name,
4879 config: Config{
4880 MaxVersion: ver.version,
4881 Bugs: ProtocolBugs{
4882 ExpectServerName: "missing.com",
4883 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4884 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4885 shouldFail: true,
4886 expectedLocalError: "tls: unexpected server name",
4887 })
4888 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4889 testType: clientTest,
4890 name: "TolerateServerNameAck-" + ver.name,
4891 config: Config{
4892 MaxVersion: ver.version,
4893 Bugs: ProtocolBugs{
4894 SendServerNameAck: true,
4895 },
4896 },
4897 flags: []string{"-host-name", "example.com"},
4898 resumeSession: true,
4899 })
4900 testCases = append(testCases, testCase{
4901 testType: clientTest,
4902 name: "UnsolicitedServerNameAck-" + ver.name,
4903 config: Config{
4904 MaxVersion: ver.version,
4905 Bugs: ProtocolBugs{
4906 SendServerNameAck: true,
4907 },
4908 },
4909 shouldFail: true,
4910 expectedError: ":UNEXPECTED_EXTENSION:",
4911 expectedLocalError: "remote error: unsupported extension",
4912 })
4913 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4914 testType: serverTest,
4915 name: "ServerNameExtensionServer-" + ver.name,
4916 config: Config{
4917 MaxVersion: ver.version,
4918 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4919 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4920 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4921 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4922 })
4923
4924 // Test ALPN.
4925 testCases = append(testCases, testCase{
4926 testType: clientTest,
4927 name: "ALPNClient-" + ver.name,
4928 config: Config{
4929 MaxVersion: ver.version,
4930 NextProtos: []string{"foo"},
4931 },
4932 flags: []string{
4933 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4934 "-expect-alpn", "foo",
4935 },
4936 expectedNextProto: "foo",
4937 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4938 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4939 })
4940 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4941 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4942 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4943 config: Config{
4944 MaxVersion: ver.version,
4945 Bugs: ProtocolBugs{
4946 SendALPN: "baz",
4947 },
4948 },
4949 flags: []string{
4950 "-advertise-alpn", "\x03foo\x03bar",
4951 },
4952 shouldFail: true,
4953 expectedError: ":INVALID_ALPN_PROTOCOL:",
4954 expectedLocalError: "remote error: illegal parameter",
4955 })
4956 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4957 testType: clientTest,
4958 name: "ALPNClient-AllowUnknown-" + ver.name,
4959 config: Config{
4960 MaxVersion: ver.version,
4961 Bugs: ProtocolBugs{
4962 SendALPN: "baz",
4963 },
4964 },
4965 flags: []string{
4966 "-advertise-alpn", "\x03foo\x03bar",
4967 "-allow-unknown-alpn-protos",
4968 },
4969 })
4970 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4971 testType: serverTest,
4972 name: "ALPNServer-" + ver.name,
4973 config: Config{
4974 MaxVersion: ver.version,
4975 NextProtos: []string{"foo", "bar", "baz"},
4976 },
4977 flags: []string{
4978 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4979 "-select-alpn", "foo",
4980 },
4981 expectedNextProto: "foo",
4982 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4983 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4984 })
4985 testCases = append(testCases, testCase{
4986 testType: serverTest,
4987 name: "ALPNServer-Decline-" + ver.name,
4988 config: Config{
4989 MaxVersion: ver.version,
4990 NextProtos: []string{"foo", "bar", "baz"},
4991 },
4992 flags: []string{"-decline-alpn"},
4993 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4994 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4995 })
4996
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4997 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4998 // called once.
4999 testCases = append(testCases, testCase{
5000 testType: serverTest,
5001 name: "ALPNServer-Async-" + ver.name,
5002 config: Config{
5003 MaxVersion: ver.version,
5004 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5005 // Prior to TLS 1.3, exercise the asynchronous session callback.
5006 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5007 },
5008 flags: []string{
5009 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5010 "-select-alpn", "foo",
5011 "-async",
5012 },
5013 expectedNextProto: "foo",
5014 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5015 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5016 })
5017
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5018 var emptyString string
5019 testCases = append(testCases, testCase{
5020 testType: clientTest,
5021 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5022 config: Config{
5023 MaxVersion: ver.version,
5024 NextProtos: []string{""},
5025 Bugs: ProtocolBugs{
5026 // A server returning an empty ALPN protocol
5027 // should be rejected.
5028 ALPNProtocol: &emptyString,
5029 },
5030 },
5031 flags: []string{
5032 "-advertise-alpn", "\x03foo",
5033 },
5034 shouldFail: true,
5035 expectedError: ":PARSE_TLSEXT:",
5036 })
5037 testCases = append(testCases, testCase{
5038 testType: serverTest,
5039 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5040 config: Config{
5041 MaxVersion: ver.version,
5042 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5043 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5044 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5045 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5046 flags: []string{
5047 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5048 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5049 shouldFail: true,
5050 expectedError: ":PARSE_TLSEXT:",
5051 })
5052
5053 // Test NPN and the interaction with ALPN.
5054 if ver.version < VersionTLS13 {
5055 // Test that the server prefers ALPN over NPN.
5056 testCases = append(testCases, testCase{
5057 testType: serverTest,
5058 name: "ALPNServer-Preferred-" + ver.name,
5059 config: Config{
5060 MaxVersion: ver.version,
5061 NextProtos: []string{"foo", "bar", "baz"},
5062 },
5063 flags: []string{
5064 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5065 "-select-alpn", "foo",
5066 "-advertise-npn", "\x03foo\x03bar\x03baz",
5067 },
5068 expectedNextProto: "foo",
5069 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5070 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5071 })
5072 testCases = append(testCases, testCase{
5073 testType: serverTest,
5074 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5075 config: Config{
5076 MaxVersion: ver.version,
5077 NextProtos: []string{"foo", "bar", "baz"},
5078 Bugs: ProtocolBugs{
5079 SwapNPNAndALPN: true,
5080 },
5081 },
5082 flags: []string{
5083 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5084 "-select-alpn", "foo",
5085 "-advertise-npn", "\x03foo\x03bar\x03baz",
5086 },
5087 expectedNextProto: "foo",
5088 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5089 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5090 })
5091
5092 // Test that negotiating both NPN and ALPN is forbidden.
5093 testCases = append(testCases, testCase{
5094 name: "NegotiateALPNAndNPN-" + ver.name,
5095 config: Config{
5096 MaxVersion: ver.version,
5097 NextProtos: []string{"foo", "bar", "baz"},
5098 Bugs: ProtocolBugs{
5099 NegotiateALPNAndNPN: true,
5100 },
5101 },
5102 flags: []string{
5103 "-advertise-alpn", "\x03foo",
5104 "-select-next-proto", "foo",
5105 },
5106 shouldFail: true,
5107 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5108 })
5109 testCases = append(testCases, testCase{
5110 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5111 config: Config{
5112 MaxVersion: ver.version,
5113 NextProtos: []string{"foo", "bar", "baz"},
5114 Bugs: ProtocolBugs{
5115 NegotiateALPNAndNPN: true,
5116 SwapNPNAndALPN: true,
5117 },
5118 },
5119 flags: []string{
5120 "-advertise-alpn", "\x03foo",
5121 "-select-next-proto", "foo",
5122 },
5123 shouldFail: true,
5124 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5125 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5126 }
5127
5128 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5129
5130 // Resume with a corrupt ticket.
5131 testCases = append(testCases, testCase{
5132 testType: serverTest,
5133 name: "CorruptTicket-" + ver.name,
5134 config: Config{
5135 MaxVersion: ver.version,
5136 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5137 FilterTicket: func(in []byte) ([]byte, error) {
5138 in[len(in)-1] ^= 1
5139 return in, nil
5140 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5141 },
5142 },
5143 resumeSession: true,
5144 expectResumeRejected: true,
5145 })
5146 // Test the ticket callback, with and without renewal.
5147 testCases = append(testCases, testCase{
5148 testType: serverTest,
5149 name: "TicketCallback-" + ver.name,
5150 config: Config{
5151 MaxVersion: ver.version,
5152 },
5153 resumeSession: true,
5154 flags: []string{"-use-ticket-callback"},
5155 })
5156 testCases = append(testCases, testCase{
5157 testType: serverTest,
5158 name: "TicketCallback-Renew-" + ver.name,
5159 config: Config{
5160 MaxVersion: ver.version,
5161 Bugs: ProtocolBugs{
5162 ExpectNewTicket: true,
5163 },
5164 },
5165 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5166 resumeSession: true,
5167 })
5168
5169 // Test that the ticket callback is only called once when everything before
5170 // it in the ClientHello is asynchronous. This corrupts the ticket so
5171 // certificate selection callbacks run.
5172 testCases = append(testCases, testCase{
5173 testType: serverTest,
5174 name: "TicketCallback-SingleCall-" + ver.name,
5175 config: Config{
5176 MaxVersion: ver.version,
5177 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5178 FilterTicket: func(in []byte) ([]byte, error) {
5179 in[len(in)-1] ^= 1
5180 return in, nil
5181 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5182 },
5183 },
5184 resumeSession: true,
5185 expectResumeRejected: true,
5186 flags: []string{
5187 "-use-ticket-callback",
5188 "-async",
5189 },
5190 })
5191
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5192 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5193 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5194 testCases = append(testCases, testCase{
5195 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5196 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5197 config: Config{
5198 MaxVersion: ver.version,
5199 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5200 EmptyTicketSessionID: true,
5201 },
5202 },
5203 resumeSession: true,
5204 })
5205 testCases = append(testCases, testCase{
5206 testType: serverTest,
5207 name: "TicketSessionIDLength-16-" + ver.name,
5208 config: Config{
5209 MaxVersion: ver.version,
5210 Bugs: ProtocolBugs{
5211 TicketSessionIDLength: 16,
5212 },
5213 },
5214 resumeSession: true,
5215 })
5216 testCases = append(testCases, testCase{
5217 testType: serverTest,
5218 name: "TicketSessionIDLength-32-" + ver.name,
5219 config: Config{
5220 MaxVersion: ver.version,
5221 Bugs: ProtocolBugs{
5222 TicketSessionIDLength: 32,
5223 },
5224 },
5225 resumeSession: true,
5226 })
5227 testCases = append(testCases, testCase{
5228 testType: serverTest,
5229 name: "TicketSessionIDLength-33-" + ver.name,
5230 config: Config{
5231 MaxVersion: ver.version,
5232 Bugs: ProtocolBugs{
5233 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5234 },
5235 },
5236 resumeSession: true,
5237 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5238 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5239 expectedError: ":DECODE_ERROR:",
5240 })
5241 }
5242
5243 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5244 // are ignored.
5245 if ver.hasDTLS {
5246 testCases = append(testCases, testCase{
5247 protocol: dtls,
5248 name: "SRTP-Client-" + ver.name,
5249 config: Config{
5250 MaxVersion: ver.version,
5251 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5252 },
5253 flags: []string{
5254 "-srtp-profiles",
5255 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5256 },
5257 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5258 })
5259 testCases = append(testCases, testCase{
5260 protocol: dtls,
5261 testType: serverTest,
5262 name: "SRTP-Server-" + ver.name,
5263 config: Config{
5264 MaxVersion: ver.version,
5265 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5266 },
5267 flags: []string{
5268 "-srtp-profiles",
5269 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5270 },
5271 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5272 })
5273 // Test that the MKI is ignored.
5274 testCases = append(testCases, testCase{
5275 protocol: dtls,
5276 testType: serverTest,
5277 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5278 config: Config{
5279 MaxVersion: ver.version,
5280 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5281 Bugs: ProtocolBugs{
5282 SRTPMasterKeyIdentifer: "bogus",
5283 },
5284 },
5285 flags: []string{
5286 "-srtp-profiles",
5287 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5288 },
5289 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5290 })
5291 // Test that SRTP isn't negotiated on the server if there were
5292 // no matching profiles.
5293 testCases = append(testCases, testCase{
5294 protocol: dtls,
5295 testType: serverTest,
5296 name: "SRTP-Server-NoMatch-" + ver.name,
5297 config: Config{
5298 MaxVersion: ver.version,
5299 SRTPProtectionProfiles: []uint16{100, 101, 102},
5300 },
5301 flags: []string{
5302 "-srtp-profiles",
5303 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5304 },
5305 expectedSRTPProtectionProfile: 0,
5306 })
5307 // Test that the server returning an invalid SRTP profile is
5308 // flagged as an error by the client.
5309 testCases = append(testCases, testCase{
5310 protocol: dtls,
5311 name: "SRTP-Client-NoMatch-" + ver.name,
5312 config: Config{
5313 MaxVersion: ver.version,
5314 Bugs: ProtocolBugs{
5315 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5316 },
5317 },
5318 flags: []string{
5319 "-srtp-profiles",
5320 "SRTP_AES128_CM_SHA1_80",
5321 },
5322 shouldFail: true,
5323 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5324 })
5325 }
5326
5327 // Test SCT list.
5328 testCases = append(testCases, testCase{
5329 name: "SignedCertificateTimestampList-Client-" + ver.name,
5330 testType: clientTest,
5331 config: Config{
5332 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5333 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5334 flags: []string{
5335 "-enable-signed-cert-timestamps",
5336 "-expect-signed-cert-timestamps",
5337 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5338 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5339 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5340 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5341
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5342 var differentSCTList []byte
5343 differentSCTList = append(differentSCTList, testSCTList...)
5344 differentSCTList[len(differentSCTList)-1] ^= 1
5345
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5346 // The SCT extension did not specify that it must only be sent on resumption as it
5347 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5348 testCases = append(testCases, testCase{
5349 name: "SendSCTListOnResume-" + ver.name,
5350 config: Config{
5351 MaxVersion: ver.version,
5352 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5353 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5354 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5355 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5356 flags: []string{
5357 "-enable-signed-cert-timestamps",
5358 "-expect-signed-cert-timestamps",
5359 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5360 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5361 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5362 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5363
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5364 testCases = append(testCases, testCase{
5365 name: "SignedCertificateTimestampList-Server-" + ver.name,
5366 testType: serverTest,
5367 config: Config{
5368 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5369 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5370 flags: []string{
5371 "-signed-cert-timestamps",
5372 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5373 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5374 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5375 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5376 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5377
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5378 emptySCTListCert := *testCerts[0].cert
5379 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5380
5381 // Test empty SCT list.
5382 testCases = append(testCases, testCase{
5383 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5384 testType: clientTest,
5385 config: Config{
5386 MaxVersion: ver.version,
5387 Certificates: []Certificate{emptySCTListCert},
5388 },
5389 flags: []string{
5390 "-enable-signed-cert-timestamps",
5391 },
5392 shouldFail: true,
5393 expectedError: ":ERROR_PARSING_EXTENSION:",
5394 })
5395
5396 emptySCTCert := *testCerts[0].cert
5397 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5398
5399 // Test empty SCT in non-empty list.
5400 testCases = append(testCases, testCase{
5401 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5402 testType: clientTest,
5403 config: Config{
5404 MaxVersion: ver.version,
5405 Certificates: []Certificate{emptySCTCert},
5406 },
5407 flags: []string{
5408 "-enable-signed-cert-timestamps",
5409 },
5410 shouldFail: true,
5411 expectedError: ":ERROR_PARSING_EXTENSION:",
5412 })
5413
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5414 // Test that certificate-related extensions are not sent unsolicited.
5415 testCases = append(testCases, testCase{
5416 testType: serverTest,
5417 name: "UnsolicitedCertificateExtensions-" + ver.name,
5418 config: Config{
5419 MaxVersion: ver.version,
5420 Bugs: ProtocolBugs{
5421 NoOCSPStapling: true,
5422 NoSignedCertificateTimestamps: true,
5423 },
5424 },
5425 flags: []string{
5426 "-ocsp-response",
5427 base64.StdEncoding.EncodeToString(testOCSPResponse),
5428 "-signed-cert-timestamps",
5429 base64.StdEncoding.EncodeToString(testSCTList),
5430 },
5431 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5432 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5433
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5434 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5435 testType: clientTest,
5436 name: "ClientHelloPadding",
5437 config: Config{
5438 Bugs: ProtocolBugs{
5439 RequireClientHelloSize: 512,
5440 },
5441 },
5442 // This hostname just needs to be long enough to push the
5443 // ClientHello into F5's danger zone between 256 and 511 bytes
5444 // long.
5445 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5446 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5447
5448 // Extensions should not function in SSL 3.0.
5449 testCases = append(testCases, testCase{
5450 testType: serverTest,
5451 name: "SSLv3Extensions-NoALPN",
5452 config: Config{
5453 MaxVersion: VersionSSL30,
5454 NextProtos: []string{"foo", "bar", "baz"},
5455 },
5456 flags: []string{
5457 "-select-alpn", "foo",
5458 },
5459 expectNoNextProto: true,
5460 })
5461
5462 // Test session tickets separately as they follow a different codepath.
5463 testCases = append(testCases, testCase{
5464 testType: serverTest,
5465 name: "SSLv3Extensions-NoTickets",
5466 config: Config{
5467 MaxVersion: VersionSSL30,
5468 Bugs: ProtocolBugs{
5469 // Historically, session tickets in SSL 3.0
5470 // failed in different ways depending on whether
5471 // the client supported renegotiation_info.
5472 NoRenegotiationInfo: true,
5473 },
5474 },
5475 resumeSession: true,
5476 })
5477 testCases = append(testCases, testCase{
5478 testType: serverTest,
5479 name: "SSLv3Extensions-NoTickets2",
5480 config: Config{
5481 MaxVersion: VersionSSL30,
5482 },
5483 resumeSession: true,
5484 })
5485
5486 // But SSL 3.0 does send and process renegotiation_info.
5487 testCases = append(testCases, testCase{
5488 testType: serverTest,
5489 name: "SSLv3Extensions-RenegotiationInfo",
5490 config: Config{
5491 MaxVersion: VersionSSL30,
5492 Bugs: ProtocolBugs{
5493 RequireRenegotiationInfo: true,
5494 },
5495 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5496 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5497 })
5498 testCases = append(testCases, testCase{
5499 testType: serverTest,
5500 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5501 config: Config{
5502 MaxVersion: VersionSSL30,
5503 Bugs: ProtocolBugs{
5504 NoRenegotiationInfo: true,
5505 SendRenegotiationSCSV: true,
5506 RequireRenegotiationInfo: true,
5507 },
5508 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5509 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5510 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5511
5512 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5513 // in ServerHello.
5514 testCases = append(testCases, testCase{
5515 name: "NPN-Forbidden-TLS13",
5516 config: Config{
5517 MaxVersion: VersionTLS13,
5518 NextProtos: []string{"foo"},
5519 Bugs: ProtocolBugs{
5520 NegotiateNPNAtAllVersions: true,
5521 },
5522 },
5523 flags: []string{"-select-next-proto", "foo"},
5524 shouldFail: true,
5525 expectedError: ":ERROR_PARSING_EXTENSION:",
5526 })
5527 testCases = append(testCases, testCase{
5528 name: "EMS-Forbidden-TLS13",
5529 config: Config{
5530 MaxVersion: VersionTLS13,
5531 Bugs: ProtocolBugs{
5532 NegotiateEMSAtAllVersions: true,
5533 },
5534 },
5535 shouldFail: true,
5536 expectedError: ":ERROR_PARSING_EXTENSION:",
5537 })
5538 testCases = append(testCases, testCase{
5539 name: "RenegotiationInfo-Forbidden-TLS13",
5540 config: Config{
5541 MaxVersion: VersionTLS13,
5542 Bugs: ProtocolBugs{
5543 NegotiateRenegotiationInfoAtAllVersions: true,
5544 },
5545 },
5546 shouldFail: true,
5547 expectedError: ":ERROR_PARSING_EXTENSION:",
5548 })
5549 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5550 name: "Ticket-Forbidden-TLS13",
5551 config: Config{
5552 MaxVersion: VersionTLS12,
5553 },
5554 resumeConfig: &Config{
5555 MaxVersion: VersionTLS13,
5556 Bugs: ProtocolBugs{
5557 AdvertiseTicketExtension: true,
5558 },
5559 },
5560 resumeSession: true,
5561 shouldFail: true,
5562 expectedError: ":ERROR_PARSING_EXTENSION:",
5563 })
5564
5565 // Test that illegal extensions in TLS 1.3 are declined by the server if
5566 // offered in ClientHello. The runner's server will fail if this occurs,
5567 // so we exercise the offering path. (EMS and Renegotiation Info are
5568 // implicit in every test.)
5569 testCases = append(testCases, testCase{
5570 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5571 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5572 config: Config{
5573 MaxVersion: VersionTLS13,
5574 NextProtos: []string{"bar"},
5575 },
5576 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5577 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5578
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5579 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5580 // tolerated.
5581 testCases = append(testCases, testCase{
5582 name: "SendOCSPResponseOnResume-TLS12",
5583 config: Config{
5584 MaxVersion: VersionTLS12,
5585 Bugs: ProtocolBugs{
5586 SendOCSPResponseOnResume: []byte("bogus"),
5587 },
5588 },
5589 flags: []string{
5590 "-enable-ocsp-stapling",
5591 "-expect-ocsp-response",
5592 base64.StdEncoding.EncodeToString(testOCSPResponse),
5593 },
5594 resumeSession: true,
5595 })
5596
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5597 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5598 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5599 config: Config{
5600 MaxVersion: VersionTLS13,
5601 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5602 SendExtensionOnCertificate: testOCSPExtension,
5603 },
5604 },
5605 shouldFail: true,
5606 expectedError: ":UNEXPECTED_EXTENSION:",
5607 })
5608
5609 testCases = append(testCases, testCase{
5610 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5611 config: Config{
5612 MaxVersion: VersionTLS13,
5613 Bugs: ProtocolBugs{
5614 SendExtensionOnCertificate: testSCTExtension,
5615 },
5616 },
5617 shouldFail: true,
5618 expectedError: ":UNEXPECTED_EXTENSION:",
5619 })
5620
5621 // Test that extensions on client certificates are never accepted.
5622 testCases = append(testCases, testCase{
5623 name: "SendExtensionOnClientCertificate-TLS13",
5624 testType: serverTest,
5625 config: Config{
5626 MaxVersion: VersionTLS13,
5627 Certificates: []Certificate{rsaCertificate},
5628 Bugs: ProtocolBugs{
5629 SendExtensionOnCertificate: testOCSPExtension,
5630 },
5631 },
5632 flags: []string{
5633 "-enable-ocsp-stapling",
5634 "-require-any-client-certificate",
5635 },
5636 shouldFail: true,
5637 expectedError: ":UNEXPECTED_EXTENSION:",
5638 })
5639
5640 testCases = append(testCases, testCase{
5641 name: "SendUnknownExtensionOnCertificate-TLS13",
5642 config: Config{
5643 MaxVersion: VersionTLS13,
5644 Bugs: ProtocolBugs{
5645 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5646 },
5647 },
5648 shouldFail: true,
5649 expectedError: ":UNEXPECTED_EXTENSION:",
5650 })
5651
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5652 var differentSCTList []byte
5653 differentSCTList = append(differentSCTList, testSCTList...)
5654 differentSCTList[len(differentSCTList)-1] ^= 1
5655
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5656 // Test that extensions on intermediates are allowed but ignored.
5657 testCases = append(testCases, testCase{
5658 name: "IgnoreExtensionsOnIntermediates-TLS13",
5659 config: Config{
5660 MaxVersion: VersionTLS13,
5661 Certificates: []Certificate{rsaChainCertificate},
5662 Bugs: ProtocolBugs{
5663 // Send different values on the intermediate. This tests
5664 // the intermediate's extensions do not override the
5665 // leaf's.
5666 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5667 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5668 },
5669 },
5670 flags: []string{
5671 "-enable-ocsp-stapling",
5672 "-expect-ocsp-response",
5673 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5674 "-enable-signed-cert-timestamps",
5675 "-expect-signed-cert-timestamps",
5676 base64.StdEncoding.EncodeToString(testSCTList),
5677 },
5678 resumeSession: true,
5679 })
5680
5681 // Test that extensions are not sent on intermediates when configured
5682 // only for a leaf.
5683 testCases = append(testCases, testCase{
5684 testType: serverTest,
5685 name: "SendNoExtensionsOnIntermediate-TLS13",
5686 config: Config{
5687 MaxVersion: VersionTLS13,
5688 Bugs: ProtocolBugs{
5689 ExpectNoExtensionsOnIntermediate: true,
5690 },
5691 },
5692 flags: []string{
5693 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5694 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5695 "-ocsp-response",
5696 base64.StdEncoding.EncodeToString(testOCSPResponse),
5697 "-signed-cert-timestamps",
5698 base64.StdEncoding.EncodeToString(testSCTList),
5699 },
5700 })
5701
5702 // Test that extensions are not sent on client certificates.
5703 testCases = append(testCases, testCase{
5704 name: "SendNoClientCertificateExtensions-TLS13",
5705 config: Config{
5706 MaxVersion: VersionTLS13,
5707 ClientAuth: RequireAnyClientCert,
5708 },
5709 flags: []string{
5710 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5711 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5712 "-ocsp-response",
5713 base64.StdEncoding.EncodeToString(testOCSPResponse),
5714 "-signed-cert-timestamps",
5715 base64.StdEncoding.EncodeToString(testSCTList),
5716 },
5717 })
5718
5719 testCases = append(testCases, testCase{
5720 name: "SendDuplicateExtensionsOnCerts-TLS13",
5721 config: Config{
5722 MaxVersion: VersionTLS13,
5723 Bugs: ProtocolBugs{
5724 SendDuplicateCertExtensions: true,
5725 },
5726 },
5727 flags: []string{
5728 "-enable-ocsp-stapling",
5729 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5730 },
5731 resumeSession: true,
5732 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5733 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5734 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5735
5736 testCases = append(testCases, testCase{
5737 name: "SignedCertificateTimestampListInvalid-Server",
5738 testType: serverTest,
5739 flags: []string{
5740 "-signed-cert-timestamps",
5741 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5742 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5743 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5744 expectedError: ":INVALID_SCT_LIST:",
5745 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5746}
5747
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5748func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5749 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5750 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5751 // SSL 3.0 does not have tickets and TLS 1.3 does not
5752 // have session IDs, so skip their cross-resumption
5753 // tests.
5754 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5755 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5756 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5757 }
5758
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5759 protocols := []protocol{tls}
5760 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5761 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5762 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5763 for _, protocol := range protocols {
5764 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5765 if protocol == dtls {
5766 suffix += "-DTLS"
5767 }
5768
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5769 if sessionVers.version == resumeVers.version {
5770 testCases = append(testCases, testCase{
5771 protocol: protocol,
5772 name: "Resume-Client" + suffix,
5773 resumeSession: true,
5774 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5775 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5776 Bugs: ProtocolBugs{
5777 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5778 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5779 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5780 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5781 expectedVersion: sessionVers.version,
5782 expectedResumeVersion: resumeVers.version,
5783 })
5784 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5785 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5786
5787 // Offering a TLS 1.3 session sends an empty session ID, so
5788 // there is no way to convince a non-lookahead client the
5789 // session was resumed. It will appear to the client that a
5790 // stray ChangeCipherSpec was sent.
5791 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5792 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5793 }
5794
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5795 testCases = append(testCases, testCase{
5796 protocol: protocol,
5797 name: "Resume-Client-Mismatch" + suffix,
5798 resumeSession: true,
5799 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5800 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5801 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5802 expectedVersion: sessionVers.version,
5803 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5804 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5805 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5806 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5807 },
5808 },
5809 expectedResumeVersion: resumeVers.version,
5810 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5811 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5812 })
5813 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5814
5815 testCases = append(testCases, testCase{
5816 protocol: protocol,
5817 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5818 resumeSession: true,
5819 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5820 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5821 },
5822 expectedVersion: sessionVers.version,
5823 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5824 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5825 },
5826 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5827 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5828 expectedResumeVersion: resumeVers.version,
5829 })
5830
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5831 testCases = append(testCases, testCase{
5832 protocol: protocol,
5833 testType: serverTest,
5834 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5835 resumeSession: true,
5836 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5837 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5838 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5839 expectedVersion: sessionVers.version,
5840 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5841 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5842 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5843 Bugs: ProtocolBugs{
5844 SendBothTickets: true,
5845 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5846 },
5847 expectedResumeVersion: resumeVers.version,
5848 })
5849 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5850 }
5851 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5852
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5853 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5854 testCases = append(testCases, testCase{
5855 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5856 name: "ShimTicketRewritable",
5857 resumeSession: true,
5858 config: Config{
5859 MaxVersion: VersionTLS12,
5860 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5861 Bugs: ProtocolBugs{
5862 FilterTicket: func(in []byte) ([]byte, error) {
5863 in, err := SetShimTicketVersion(in, VersionTLS12)
5864 if err != nil {
5865 return nil, err
5866 }
5867 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5868 },
5869 },
5870 },
5871 flags: []string{
5872 "-ticket-key",
5873 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5874 },
5875 })
5876
5877 // Resumptions are declined if the version does not match.
5878 testCases = append(testCases, testCase{
5879 testType: serverTest,
5880 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5881 resumeSession: true,
5882 config: Config{
5883 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5884 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5885 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5886 FilterTicket: func(in []byte) ([]byte, error) {
5887 return SetShimTicketVersion(in, VersionTLS13)
5888 },
5889 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5890 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5891 flags: []string{
5892 "-ticket-key",
5893 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5894 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5895 expectResumeRejected: true,
5896 })
5897
5898 testCases = append(testCases, testCase{
5899 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5900 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5901 resumeSession: true,
5902 config: Config{
5903 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5904 Bugs: ProtocolBugs{
5905 FilterTicket: func(in []byte) ([]byte, error) {
5906 return SetShimTicketVersion(in, VersionTLS12)
5907 },
5908 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5909 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5910 flags: []string{
5911 "-ticket-key",
5912 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5913 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5914 expectResumeRejected: true,
5915 })
5916
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5917 // Resumptions are declined if the cipher is invalid or disabled.
5918 testCases = append(testCases, testCase{
5919 testType: serverTest,
5920 name: "Resume-Server-DeclineBadCipher",
5921 resumeSession: true,
5922 config: Config{
5923 MaxVersion: VersionTLS12,
5924 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5925 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5926 FilterTicket: func(in []byte) ([]byte, error) {
5927 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5928 },
5929 },
5930 },
5931 flags: []string{
5932 "-ticket-key",
5933 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5934 },
5935 expectResumeRejected: true,
5936 })
5937
5938 testCases = append(testCases, testCase{
5939 testType: serverTest,
5940 name: "Resume-Server-DeclineBadCipher-2",
5941 resumeSession: true,
5942 config: Config{
5943 MaxVersion: VersionTLS12,
5944 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5945 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5946 FilterTicket: func(in []byte) ([]byte, error) {
5947 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5948 },
5949 },
5950 },
5951 flags: []string{
5952 "-cipher", "AES128",
5953 "-ticket-key",
5954 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5955 },
5956 expectResumeRejected: true,
5957 })
5958
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5959 // Sessions are not resumed if they do not use the preferred cipher.
5960 testCases = append(testCases, testCase{
5961 testType: serverTest,
5962 name: "Resume-Server-CipherNotPreferred",
5963 resumeSession: true,
5964 config: Config{
5965 MaxVersion: VersionTLS12,
5966 Bugs: ProtocolBugs{
5967 ExpectNewTicket: true,
5968 FilterTicket: func(in []byte) ([]byte, error) {
5969 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5970 },
5971 },
5972 },
5973 flags: []string{
5974 "-ticket-key",
5975 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5976 },
5977 shouldFail: false,
5978 expectResumeRejected: true,
5979 })
5980
5981 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5982 // PRF hashes match, but BoringSSL will always decline such resumptions.
5983 testCases = append(testCases, testCase{
5984 testType: serverTest,
5985 name: "Resume-Server-CipherNotPreferred-TLS13",
5986 resumeSession: true,
5987 config: Config{
5988 MaxVersion: VersionTLS13,
5989 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5990 Bugs: ProtocolBugs{
5991 FilterTicket: func(in []byte) ([]byte, error) {
5992 // If the client (runner) offers ChaCha20-Poly1305 first, the
5993 // server (shim) always prefers it. Switch it to AES-GCM.
5994 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5995 },
5996 },
5997 },
5998 flags: []string{
5999 "-ticket-key",
6000 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6001 },
6002 shouldFail: false,
6003 expectResumeRejected: true,
6004 })
6005
6006 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6007 testCases = append(testCases, testCase{
6008 testType: serverTest,
6009 name: "Resume-Server-DeclineBadCipher-TLS13",
6010 resumeSession: true,
6011 config: Config{
6012 MaxVersion: VersionTLS13,
6013 Bugs: ProtocolBugs{
6014 FilterTicket: func(in []byte) ([]byte, error) {
6015 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6016 },
6017 },
6018 },
6019 flags: []string{
6020 "-ticket-key",
6021 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6022 },
6023 expectResumeRejected: true,
6024 })
6025
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6026 // If the client does not offer the cipher from the session, decline to
6027 // resume. Clients are forbidden from doing this, but BoringSSL selects
6028 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6029 testCases = append(testCases, testCase{
6030 testType: serverTest,
6031 name: "Resume-Server-UnofferedCipher",
6032 resumeSession: true,
6033 config: Config{
6034 MaxVersion: VersionTLS12,
6035 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6036 },
6037 resumeConfig: &Config{
6038 MaxVersion: VersionTLS12,
6039 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6040 Bugs: ProtocolBugs{
6041 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6042 },
6043 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6044 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6045 })
6046
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6047 // In TLS 1.3, clients may advertise a cipher list which does not
6048 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6049 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6050 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6051 testCases = append(testCases, testCase{
6052 testType: serverTest,
6053 name: "Resume-Server-UnofferedCipher-TLS13",
6054 resumeSession: true,
6055 config: Config{
6056 MaxVersion: VersionTLS13,
6057 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6058 },
6059 resumeConfig: &Config{
6060 MaxVersion: VersionTLS13,
6061 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6062 Bugs: ProtocolBugs{
6063 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6064 },
6065 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6066 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6067 })
6068
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6069 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6070 testCases = append(testCases, testCase{
6071 name: "Resume-Client-CipherMismatch",
6072 resumeSession: true,
6073 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6074 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6075 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6076 },
6077 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6078 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6079 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6080 Bugs: ProtocolBugs{
6081 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6082 },
6083 },
6084 shouldFail: true,
6085 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6086 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6087
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6088 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6089 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6090 testCases = append(testCases, testCase{
6091 name: "Resume-Client-CipherMismatch-TLS13",
6092 resumeSession: true,
6093 config: Config{
6094 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6095 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6096 },
6097 resumeConfig: &Config{
6098 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6099 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6100 },
6101 })
6102
6103 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6104 testCases = append(testCases, testCase{
6105 name: "Resume-Client-PRFMismatch-TLS13",
6106 resumeSession: true,
6107 config: Config{
6108 MaxVersion: VersionTLS13,
6109 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6110 },
6111 resumeConfig: &Config{
6112 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6113 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6114 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6115 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6116 },
6117 },
6118 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6119 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6120 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6121
6122 testCases = append(testCases, testCase{
6123 testType: serverTest,
6124 name: "Resume-Server-BinderWrongLength",
6125 resumeSession: true,
6126 config: Config{
6127 MaxVersion: VersionTLS13,
6128 Bugs: ProtocolBugs{
6129 SendShortPSKBinder: true,
6130 },
6131 },
6132 shouldFail: true,
6133 expectedLocalError: "remote error: error decrypting message",
6134 expectedError: ":DIGEST_CHECK_FAILED:",
6135 })
6136
6137 testCases = append(testCases, testCase{
6138 testType: serverTest,
6139 name: "Resume-Server-NoPSKBinder",
6140 resumeSession: true,
6141 config: Config{
6142 MaxVersion: VersionTLS13,
6143 Bugs: ProtocolBugs{
6144 SendNoPSKBinder: true,
6145 },
6146 },
6147 shouldFail: true,
6148 expectedLocalError: "remote error: error decoding message",
6149 expectedError: ":DECODE_ERROR:",
6150 })
6151
6152 testCases = append(testCases, testCase{
6153 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6154 name: "Resume-Server-ExtraPSKBinder",
6155 resumeSession: true,
6156 config: Config{
6157 MaxVersion: VersionTLS13,
6158 Bugs: ProtocolBugs{
6159 SendExtraPSKBinder: true,
6160 },
6161 },
6162 shouldFail: true,
6163 expectedLocalError: "remote error: illegal parameter",
6164 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6165 })
6166
6167 testCases = append(testCases, testCase{
6168 testType: serverTest,
6169 name: "Resume-Server-ExtraIdentityNoBinder",
6170 resumeSession: true,
6171 config: Config{
6172 MaxVersion: VersionTLS13,
6173 Bugs: ProtocolBugs{
6174 ExtraPSKIdentity: true,
6175 },
6176 },
6177 shouldFail: true,
6178 expectedLocalError: "remote error: illegal parameter",
6179 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6180 })
6181
6182 testCases = append(testCases, testCase{
6183 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6184 name: "Resume-Server-InvalidPSKBinder",
6185 resumeSession: true,
6186 config: Config{
6187 MaxVersion: VersionTLS13,
6188 Bugs: ProtocolBugs{
6189 SendInvalidPSKBinder: true,
6190 },
6191 },
6192 shouldFail: true,
6193 expectedLocalError: "remote error: error decrypting message",
6194 expectedError: ":DIGEST_CHECK_FAILED:",
6195 })
6196
6197 testCases = append(testCases, testCase{
6198 testType: serverTest,
6199 name: "Resume-Server-PSKBinderFirstExtension",
6200 resumeSession: true,
6201 config: Config{
6202 MaxVersion: VersionTLS13,
6203 Bugs: ProtocolBugs{
6204 PSKBinderFirst: true,
6205 },
6206 },
6207 shouldFail: true,
6208 expectedLocalError: "remote error: illegal parameter",
6209 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6210 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6211}
6212
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6213func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6214 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6215 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6216 testType: serverTest,
6217 name: "Renegotiate-Server-Forbidden",
6218 config: Config{
6219 MaxVersion: VersionTLS12,
6220 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6221 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6222 shouldFail: true,
6223 expectedError: ":NO_RENEGOTIATION:",
6224 expectedLocalError: "remote error: no renegotiation",
6225 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6226 // The server shouldn't echo the renegotiation extension unless
6227 // requested by the client.
6228 testCases = append(testCases, testCase{
6229 testType: serverTest,
6230 name: "Renegotiate-Server-NoExt",
6231 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6232 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6233 Bugs: ProtocolBugs{
6234 NoRenegotiationInfo: true,
6235 RequireRenegotiationInfo: true,
6236 },
6237 },
6238 shouldFail: true,
6239 expectedLocalError: "renegotiation extension missing",
6240 })
6241 // The renegotiation SCSV should be sufficient for the server to echo
6242 // the extension.
6243 testCases = append(testCases, testCase{
6244 testType: serverTest,
6245 name: "Renegotiate-Server-NoExt-SCSV",
6246 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6247 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6248 Bugs: ProtocolBugs{
6249 NoRenegotiationInfo: true,
6250 SendRenegotiationSCSV: true,
6251 RequireRenegotiationInfo: true,
6252 },
6253 },
6254 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6255 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6256 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6257 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6258 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6259 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6260 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6261 },
6262 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6263 renegotiate: 1,
6264 flags: []string{
6265 "-renegotiate-freely",
6266 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6267 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6268 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6269 })
6270 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6271 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6272 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6273 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6274 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6275 Bugs: ProtocolBugs{
6276 EmptyRenegotiationInfo: true,
6277 },
6278 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6279 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6280 shouldFail: true,
6281 expectedError: ":RENEGOTIATION_MISMATCH:",
6282 })
6283 testCases = append(testCases, testCase{
6284 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6285 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6286 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6287 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6288 Bugs: ProtocolBugs{
6289 BadRenegotiationInfo: true,
6290 },
6291 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6292 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6293 shouldFail: true,
6294 expectedError: ":RENEGOTIATION_MISMATCH:",
6295 })
6296 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6297 name: "Renegotiate-Client-Downgrade",
6298 renegotiate: 1,
6299 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6300 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6301 Bugs: ProtocolBugs{
6302 NoRenegotiationInfoAfterInitial: true,
6303 },
6304 },
6305 flags: []string{"-renegotiate-freely"},
6306 shouldFail: true,
6307 expectedError: ":RENEGOTIATION_MISMATCH:",
6308 })
6309 testCases = append(testCases, testCase{
6310 name: "Renegotiate-Client-Upgrade",
6311 renegotiate: 1,
6312 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6313 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6314 Bugs: ProtocolBugs{
6315 NoRenegotiationInfoInInitial: true,
6316 },
6317 },
6318 flags: []string{"-renegotiate-freely"},
6319 shouldFail: true,
6320 expectedError: ":RENEGOTIATION_MISMATCH:",
6321 })
6322 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6323 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6324 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6325 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6326 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6327 Bugs: ProtocolBugs{
6328 NoRenegotiationInfo: true,
6329 },
6330 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6331 flags: []string{
6332 "-renegotiate-freely",
6333 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6334 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6335 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6336 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6337
6338 // Test that the server may switch ciphers on renegotiation without
6339 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6340 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6341 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6342 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6343 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6344 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6345 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6346 },
6347 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6348 flags: []string{
6349 "-renegotiate-freely",
6350 "-expect-total-renegotiations", "1",
6351 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6352 })
6353 testCases = append(testCases, testCase{
6354 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6355 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6356 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6357 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6358 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6359 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6360 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6361 flags: []string{
6362 "-renegotiate-freely",
6363 "-expect-total-renegotiations", "1",
6364 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6365 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6366
6367 // Test that the server may not switch versions on renegotiation.
6368 testCases = append(testCases, testCase{
6369 name: "Renegotiate-Client-SwitchVersion",
6370 config: Config{
6371 MaxVersion: VersionTLS12,
6372 // Pick a cipher which exists at both versions.
6373 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6374 Bugs: ProtocolBugs{
6375 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6376 // Avoid failing early at the record layer.
6377 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6378 },
6379 },
6380 renegotiate: 1,
6381 flags: []string{
6382 "-renegotiate-freely",
6383 "-expect-total-renegotiations", "1",
6384 },
6385 shouldFail: true,
6386 expectedError: ":WRONG_SSL_VERSION:",
6387 })
6388
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6389 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6390 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6391 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6392 config: Config{
6393 MaxVersion: VersionTLS10,
6394 Bugs: ProtocolBugs{
6395 RequireSameRenegoClientVersion: true,
6396 },
6397 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6398 flags: []string{
6399 "-renegotiate-freely",
6400 "-expect-total-renegotiations", "1",
6401 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6402 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6403 testCases = append(testCases, testCase{
6404 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6405 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6406 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6407 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6408 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6409 NextProtos: []string{"foo"},
6410 },
6411 flags: []string{
6412 "-false-start",
6413 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6414 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6415 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6416 },
6417 shimWritesFirst: true,
6418 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6419
6420 // Client-side renegotiation controls.
6421 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6422 name: "Renegotiate-Client-Forbidden-1",
6423 config: Config{
6424 MaxVersion: VersionTLS12,
6425 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6426 renegotiate: 1,
6427 shouldFail: true,
6428 expectedError: ":NO_RENEGOTIATION:",
6429 expectedLocalError: "remote error: no renegotiation",
6430 })
6431 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6432 name: "Renegotiate-Client-Once-1",
6433 config: Config{
6434 MaxVersion: VersionTLS12,
6435 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6436 renegotiate: 1,
6437 flags: []string{
6438 "-renegotiate-once",
6439 "-expect-total-renegotiations", "1",
6440 },
6441 })
6442 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6443 name: "Renegotiate-Client-Freely-1",
6444 config: Config{
6445 MaxVersion: VersionTLS12,
6446 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6447 renegotiate: 1,
6448 flags: []string{
6449 "-renegotiate-freely",
6450 "-expect-total-renegotiations", "1",
6451 },
6452 })
6453 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6454 name: "Renegotiate-Client-Once-2",
6455 config: Config{
6456 MaxVersion: VersionTLS12,
6457 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6458 renegotiate: 2,
6459 flags: []string{"-renegotiate-once"},
6460 shouldFail: true,
6461 expectedError: ":NO_RENEGOTIATION:",
6462 expectedLocalError: "remote error: no renegotiation",
6463 })
6464 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6465 name: "Renegotiate-Client-Freely-2",
6466 config: Config{
6467 MaxVersion: VersionTLS12,
6468 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6469 renegotiate: 2,
6470 flags: []string{
6471 "-renegotiate-freely",
6472 "-expect-total-renegotiations", "2",
6473 },
6474 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6475 testCases = append(testCases, testCase{
6476 name: "Renegotiate-Client-NoIgnore",
6477 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6478 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6479 Bugs: ProtocolBugs{
6480 SendHelloRequestBeforeEveryAppDataRecord: true,
6481 },
6482 },
6483 shouldFail: true,
6484 expectedError: ":NO_RENEGOTIATION:",
6485 })
6486 testCases = append(testCases, testCase{
6487 name: "Renegotiate-Client-Ignore",
6488 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6489 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6490 Bugs: ProtocolBugs{
6491 SendHelloRequestBeforeEveryAppDataRecord: true,
6492 },
6493 },
6494 flags: []string{
6495 "-renegotiate-ignore",
6496 "-expect-total-renegotiations", "0",
6497 },
6498 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6499
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6500 // Renegotiation is not allowed at SSL 3.0.
6501 testCases = append(testCases, testCase{
6502 name: "Renegotiate-Client-SSL3",
6503 config: Config{
6504 MaxVersion: VersionSSL30,
6505 },
6506 renegotiate: 1,
6507 flags: []string{
6508 "-renegotiate-freely",
6509 "-expect-total-renegotiations", "1",
6510 },
6511 shouldFail: true,
6512 expectedError: ":NO_RENEGOTIATION:",
6513 expectedLocalError: "remote error: no renegotiation",
6514 })
6515
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6516 // Renegotiation is not allowed when there is an unfinished write.
6517 testCases = append(testCases, testCase{
6518 name: "Renegotiate-Client-UnfinishedWrite",
6519 config: Config{
6520 MaxVersion: VersionTLS12,
6521 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6522 renegotiate: 1,
6523 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6524 flags: []string{
6525 "-async",
6526 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6527 },
6528 shouldFail: true,
6529 expectedError: ":NO_RENEGOTIATION:",
6530 // We do not successfully send the no_renegotiation alert in
6531 // this case. https://crbug.com/boringssl/130
6532 })
6533
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6534 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6535 testCases = append(testCases, testCase{
6536 name: "StrayHelloRequest",
6537 config: Config{
6538 MaxVersion: VersionTLS12,
6539 Bugs: ProtocolBugs{
6540 SendHelloRequestBeforeEveryHandshakeMessage: true,
6541 },
6542 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6543 shouldFail: true,
6544 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6545 })
6546 testCases = append(testCases, testCase{
6547 name: "StrayHelloRequest-Packed",
6548 config: Config{
6549 MaxVersion: VersionTLS12,
6550 Bugs: ProtocolBugs{
6551 PackHandshakeFlight: true,
6552 SendHelloRequestBeforeEveryHandshakeMessage: true,
6553 },
6554 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6555 shouldFail: true,
6556 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6557 })
6558
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6559 // Test renegotiation works if HelloRequest and server Finished come in
6560 // the same record.
6561 testCases = append(testCases, testCase{
6562 name: "Renegotiate-Client-Packed",
6563 config: Config{
6564 MaxVersion: VersionTLS12,
6565 Bugs: ProtocolBugs{
6566 PackHandshakeFlight: true,
6567 PackHelloRequestWithFinished: true,
6568 },
6569 },
6570 renegotiate: 1,
6571 flags: []string{
6572 "-renegotiate-freely",
6573 "-expect-total-renegotiations", "1",
6574 },
6575 })
6576
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6577 // Renegotiation is forbidden in TLS 1.3.
6578 testCases = append(testCases, testCase{
6579 name: "Renegotiate-Client-TLS13",
6580 config: Config{
6581 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6582 Bugs: ProtocolBugs{
6583 SendHelloRequestBeforeEveryAppDataRecord: true,
6584 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6585 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6586 flags: []string{
6587 "-renegotiate-freely",
6588 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6589 shouldFail: true,
6590 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6591 })
6592
6593 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6594 testCases = append(testCases, testCase{
6595 name: "StrayHelloRequest-TLS13",
6596 config: Config{
6597 MaxVersion: VersionTLS13,
6598 Bugs: ProtocolBugs{
6599 SendHelloRequestBeforeEveryHandshakeMessage: true,
6600 },
6601 },
6602 shouldFail: true,
6603 expectedError: ":UNEXPECTED_MESSAGE:",
6604 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6605
6606 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6607 // always reads as supporting it, regardless of whether it was
6608 // negotiated.
6609 testCases = append(testCases, testCase{
6610 name: "AlwaysReportRenegotiationInfo-TLS13",
6611 config: Config{
6612 MaxVersion: VersionTLS13,
6613 Bugs: ProtocolBugs{
6614 NoRenegotiationInfo: true,
6615 },
6616 },
6617 flags: []string{
6618 "-expect-secure-renegotiation",
6619 },
6620 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6621
6622 // Certificates may not change on renegotiation.
6623 testCases = append(testCases, testCase{
6624 name: "Renegotiation-CertificateChange",
6625 config: Config{
6626 MaxVersion: VersionTLS12,
6627 Certificates: []Certificate{rsaCertificate},
6628 Bugs: ProtocolBugs{
6629 RenegotiationCertificate: &rsaChainCertificate,
6630 },
6631 },
6632 renegotiate: 1,
6633 flags: []string{"-renegotiate-freely"},
6634 shouldFail: true,
6635 expectedError: ":SERVER_CERT_CHANGED:",
6636 })
6637 testCases = append(testCases, testCase{
6638 name: "Renegotiation-CertificateChange-2",
6639 config: Config{
6640 MaxVersion: VersionTLS12,
6641 Certificates: []Certificate{rsaCertificate},
6642 Bugs: ProtocolBugs{
6643 RenegotiationCertificate: &rsa1024Certificate,
6644 },
6645 },
6646 renegotiate: 1,
6647 flags: []string{"-renegotiate-freely"},
6648 shouldFail: true,
6649 expectedError: ":SERVER_CERT_CHANGED:",
6650 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6651
6652 // We do not negotiate ALPN after the initial handshake. This is
6653 // error-prone and only risks bugs in consumers.
6654 testCases = append(testCases, testCase{
6655 testType: clientTest,
6656 name: "Renegotiation-ForbidALPN",
6657 config: Config{
6658 MaxVersion: VersionTLS12,
6659 Bugs: ProtocolBugs{
6660 // Forcibly negotiate ALPN on both initial and
6661 // renegotiation handshakes. The test stack will
6662 // internally check the client does not offer
6663 // it.
6664 SendALPN: "foo",
6665 },
6666 },
6667 flags: []string{
6668 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6669 "-expect-alpn", "foo",
6670 "-renegotiate-freely",
6671 },
6672 renegotiate: 1,
6673 shouldFail: true,
6674 expectedError: ":UNEXPECTED_EXTENSION:",
6675 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6676}
6677
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6678func addDTLSReplayTests() {
6679 // Test that sequence number replays are detected.
6680 testCases = append(testCases, testCase{
6681 protocol: dtls,
6682 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6683 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6684 replayWrites: true,
6685 })
6686
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6687 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6688 // than the retransmit window.
6689 testCases = append(testCases, testCase{
6690 protocol: dtls,
6691 name: "DTLS-Replay-LargeGaps",
6692 config: Config{
6693 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6694 SequenceNumberMapping: func(in uint64) uint64 {
6695 return in * 127
6696 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6697 },
6698 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6699 messageCount: 200,
6700 replayWrites: true,
6701 })
6702
6703 // Test the incoming sequence number changing non-monotonically.
6704 testCases = append(testCases, testCase{
6705 protocol: dtls,
6706 name: "DTLS-Replay-NonMonotonic",
6707 config: Config{
6708 Bugs: ProtocolBugs{
6709 SequenceNumberMapping: func(in uint64) uint64 {
6710 return in ^ 31
6711 },
6712 },
6713 },
6714 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6715 replayWrites: true,
6716 })
6717}
6718
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6719var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6720 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6721 id signatureAlgorithm
6722 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6723}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6724 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6725 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6726 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6727 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6728 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6729 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6730 // hash function doesn't have to match the curve and so the same
6731 // signature algorithm works with P-224.
6732 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6733 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6734 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6735 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6736 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6737 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6738 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6739 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6740 // Tests for key types prior to TLS 1.2.
6741 {"RSA", 0, testCertRSA},
6742 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6743}
6744
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6745const fakeSigAlg1 signatureAlgorithm = 0x2a01
6746const fakeSigAlg2 signatureAlgorithm = 0xff01
6747
6748func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6749 // Not all ciphers involve a signature. Advertise a list which gives all
6750 // versions a signing cipher.
6751 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6752 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6753 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6754 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6755 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6756 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6757 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6758
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6759 var allAlgorithms []signatureAlgorithm
6760 for _, alg := range testSignatureAlgorithms {
6761 if alg.id != 0 {
6762 allAlgorithms = append(allAlgorithms, alg.id)
6763 }
6764 }
6765
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6766 // Make sure each signature algorithm works. Include some fake values in
6767 // the list and ensure they're ignored.
6768 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6769 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6770 if (ver.version < VersionTLS12) != (alg.id == 0) {
6771 continue
6772 }
6773
6774 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6775 // or remove it in C.
6776 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6777 continue
6778 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6779
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6780 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6781 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6782 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6783 shouldSignFail = true
6784 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6785 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6786 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6787 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6788 shouldSignFail = true
6789 shouldVerifyFail = true
6790 }
6791 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6792 // the curve has to match the hash size.
6793 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6794 shouldSignFail = true
6795 shouldVerifyFail = true
6796 }
6797
6798 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6799 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6800 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6801 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6802
6803 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6804 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6805 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6806 }
6807 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6808 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6809 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6810
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6811 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6812
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6813 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6814 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6815 config: Config{
6816 MaxVersion: ver.version,
6817 ClientAuth: RequireAnyClientCert,
6818 VerifySignatureAlgorithms: []signatureAlgorithm{
6819 fakeSigAlg1,
6820 alg.id,
6821 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6822 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6823 },
6824 flags: []string{
6825 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6826 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6827 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6828 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6829 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6830 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6831 expectedError: signError,
6832 expectedPeerSignatureAlgorithm: alg.id,
6833 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6834
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6835 testCases = append(testCases, testCase{
6836 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6837 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6838 config: Config{
6839 MaxVersion: ver.version,
6840 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6841 SignSignatureAlgorithms: []signatureAlgorithm{
6842 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6843 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6844 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6845 SkipECDSACurveCheck: shouldVerifyFail,
6846 IgnoreSignatureVersionChecks: shouldVerifyFail,
6847 // Some signature algorithms may not be advertised.
6848 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6849 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6850 },
6851 flags: []string{
6852 "-require-any-client-certificate",
6853 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6854 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6855 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6856 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6857 // Resume the session to assert the peer signature
6858 // algorithm is reported on both handshakes.
6859 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6860 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6861 expectedError: verifyError,
6862 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6863
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6864 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame^]6865 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6866 testCases = append(testCases, testCase{
6867 testType: serverTest,
6868 name: "ServerAuth-Sign" + suffix,
6869 config: Config{
6870 MaxVersion: ver.version,
6871 CipherSuites: signingCiphers,
6872 VerifySignatureAlgorithms: []signatureAlgorithm{
6873 fakeSigAlg1,
6874 alg.id,
6875 fakeSigAlg2,
6876 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6877 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6878 flags: []string{
6879 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6880 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6881 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6882 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6883 },
6884 shouldFail: shouldSignFail,
6885 expectedError: signError,
6886 expectedPeerSignatureAlgorithm: alg.id,
6887 })
6888 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6889
6890 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6891 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6892 config: Config{
6893 MaxVersion: ver.version,
6894 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6895 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6896 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6897 alg.id,
6898 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6899 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6900 SkipECDSACurveCheck: shouldVerifyFail,
6901 IgnoreSignatureVersionChecks: shouldVerifyFail,
6902 // Some signature algorithms may not be advertised.
6903 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6904 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6905 },
6906 flags: []string{
6907 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6908 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6909 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6910 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6911 // Resume the session to assert the peer signature
6912 // algorithm is reported on both handshakes.
6913 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6914 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6915 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6916 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6917
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6918 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6919 testCases = append(testCases, testCase{
6920 testType: serverTest,
6921 name: "ClientAuth-InvalidSignature" + suffix,
6922 config: Config{
6923 MaxVersion: ver.version,
6924 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6925 SignSignatureAlgorithms: []signatureAlgorithm{
6926 alg.id,
6927 },
6928 Bugs: ProtocolBugs{
6929 InvalidSignature: true,
6930 },
6931 },
6932 flags: []string{
6933 "-require-any-client-certificate",
6934 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6935 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6936 },
6937 shouldFail: true,
6938 expectedError: ":BAD_SIGNATURE:",
6939 })
6940
6941 testCases = append(testCases, testCase{
6942 name: "ServerAuth-InvalidSignature" + suffix,
6943 config: Config{
6944 MaxVersion: ver.version,
6945 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6946 CipherSuites: signingCiphers,
6947 SignSignatureAlgorithms: []signatureAlgorithm{
6948 alg.id,
6949 },
6950 Bugs: ProtocolBugs{
6951 InvalidSignature: true,
6952 },
6953 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6954 flags: []string{
6955 "-enable-all-curves",
6956 "-enable-ed25519",
6957 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6958 shouldFail: true,
6959 expectedError: ":BAD_SIGNATURE:",
6960 })
6961 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6962
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6963 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6964 testCases = append(testCases, testCase{
6965 name: "ClientAuth-Sign-Negotiate" + suffix,
6966 config: Config{
6967 MaxVersion: ver.version,
6968 ClientAuth: RequireAnyClientCert,
6969 VerifySignatureAlgorithms: allAlgorithms,
6970 },
6971 flags: []string{
6972 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6973 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6974 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6975 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6976 "-signing-prefs", strconv.Itoa(int(alg.id)),
6977 },
6978 expectedPeerSignatureAlgorithm: alg.id,
6979 })
6980
6981 testCases = append(testCases, testCase{
6982 testType: serverTest,
6983 name: "ServerAuth-Sign-Negotiate" + suffix,
6984 config: Config{
6985 MaxVersion: ver.version,
6986 CipherSuites: signingCiphers,
6987 VerifySignatureAlgorithms: allAlgorithms,
6988 },
6989 flags: []string{
6990 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6991 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6992 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6993 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6994 "-signing-prefs", strconv.Itoa(int(alg.id)),
6995 },
6996 expectedPeerSignatureAlgorithm: alg.id,
6997 })
6998 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6999 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7000 }
7001
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7002 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7003 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7004 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7005 config: Config{
7006 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7007 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7008 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7009 signatureECDSAWithP521AndSHA512,
7010 signatureRSAPKCS1WithSHA384,
7011 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7012 },
7013 },
7014 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7015 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7016 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7017 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7018 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7019 })
7020
7021 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7022 name: "ClientAuth-SignatureType-TLS13",
7023 config: Config{
7024 ClientAuth: RequireAnyClientCert,
7025 MaxVersion: VersionTLS13,
7026 VerifySignatureAlgorithms: []signatureAlgorithm{
7027 signatureECDSAWithP521AndSHA512,
7028 signatureRSAPKCS1WithSHA384,
7029 signatureRSAPSSWithSHA384,
7030 signatureECDSAWithSHA1,
7031 },
7032 },
7033 flags: []string{
7034 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7035 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7036 },
7037 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7038 })
7039
7040 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7041 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7042 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7043 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7044 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7045 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7046 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7047 signatureECDSAWithP521AndSHA512,
7048 signatureRSAPKCS1WithSHA384,
7049 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7050 },
7051 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7052 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7053 })
7054
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7055 testCases = append(testCases, testCase{
7056 testType: serverTest,
7057 name: "ServerAuth-SignatureType-TLS13",
7058 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7059 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7060 VerifySignatureAlgorithms: []signatureAlgorithm{
7061 signatureECDSAWithP521AndSHA512,
7062 signatureRSAPKCS1WithSHA384,
7063 signatureRSAPSSWithSHA384,
7064 signatureECDSAWithSHA1,
7065 },
7066 },
7067 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7068 })
7069
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7070 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7071 testCases = append(testCases, testCase{
7072 testType: serverTest,
7073 name: "Verify-ClientAuth-SignatureType",
7074 config: Config{
7075 MaxVersion: VersionTLS12,
7076 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7077 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7078 signatureRSAPKCS1WithSHA256,
7079 },
7080 Bugs: ProtocolBugs{
7081 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7082 },
7083 },
7084 flags: []string{
7085 "-require-any-client-certificate",
7086 },
7087 shouldFail: true,
7088 expectedError: ":WRONG_SIGNATURE_TYPE:",
7089 })
7090
7091 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7092 testType: serverTest,
7093 name: "Verify-ClientAuth-SignatureType-TLS13",
7094 config: Config{
7095 MaxVersion: VersionTLS13,
7096 Certificates: []Certificate{rsaCertificate},
7097 SignSignatureAlgorithms: []signatureAlgorithm{
7098 signatureRSAPSSWithSHA256,
7099 },
7100 Bugs: ProtocolBugs{
7101 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7102 },
7103 },
7104 flags: []string{
7105 "-require-any-client-certificate",
7106 },
7107 shouldFail: true,
7108 expectedError: ":WRONG_SIGNATURE_TYPE:",
7109 })
7110
7111 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7112 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7113 config: Config{
7114 MaxVersion: VersionTLS12,
7115 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7116 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7117 signatureRSAPKCS1WithSHA256,
7118 },
7119 Bugs: ProtocolBugs{
7120 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7121 },
7122 },
7123 shouldFail: true,
7124 expectedError: ":WRONG_SIGNATURE_TYPE:",
7125 })
7126
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7127 testCases = append(testCases, testCase{
7128 name: "Verify-ServerAuth-SignatureType-TLS13",
7129 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7130 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7131 SignSignatureAlgorithms: []signatureAlgorithm{
7132 signatureRSAPSSWithSHA256,
7133 },
7134 Bugs: ProtocolBugs{
7135 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7136 },
7137 },
7138 shouldFail: true,
7139 expectedError: ":WRONG_SIGNATURE_TYPE:",
7140 })
7141
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7142 // Test that, if the list is missing, the peer falls back to SHA-1 in
7143 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7144 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7145 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7146 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7147 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7148 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7149 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7150 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7151 },
7152 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7153 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7154 },
7155 },
7156 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7157 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7158 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7159 },
7160 })
7161
7162 testCases = append(testCases, testCase{
7163 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7164 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7165 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7166 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7167 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7168 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7169 },
7170 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7171 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7172 },
7173 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7174 flags: []string{
7175 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7176 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7177 },
7178 })
7179
7180 testCases = append(testCases, testCase{
7181 name: "ClientAuth-SHA1-Fallback-ECDSA",
7182 config: Config{
7183 MaxVersion: VersionTLS12,
7184 ClientAuth: RequireAnyClientCert,
7185 VerifySignatureAlgorithms: []signatureAlgorithm{
7186 signatureECDSAWithSHA1,
7187 },
7188 Bugs: ProtocolBugs{
7189 NoSignatureAlgorithms: true,
7190 },
7191 },
7192 flags: []string{
7193 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7194 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7195 },
7196 })
7197
7198 testCases = append(testCases, testCase{
7199 testType: serverTest,
7200 name: "ServerAuth-SHA1-Fallback-ECDSA",
7201 config: Config{
7202 MaxVersion: VersionTLS12,
7203 VerifySignatureAlgorithms: []signatureAlgorithm{
7204 signatureECDSAWithSHA1,
7205 },
7206 Bugs: ProtocolBugs{
7207 NoSignatureAlgorithms: true,
7208 },
7209 },
7210 flags: []string{
7211 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7212 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7213 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7214 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7215
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7216 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7217 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7218 config: Config{
7219 MaxVersion: VersionTLS13,
7220 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7221 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7222 signatureRSAPKCS1WithSHA1,
7223 },
7224 Bugs: ProtocolBugs{
7225 NoSignatureAlgorithms: true,
7226 },
7227 },
7228 flags: []string{
7229 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7230 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7231 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7232 shouldFail: true,
7233 // An empty CertificateRequest signature algorithm list is a
7234 // syntax error in TLS 1.3.
7235 expectedError: ":DECODE_ERROR:",
7236 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7237 })
7238
7239 testCases = append(testCases, testCase{
7240 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7241 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7242 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7243 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7244 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7245 signatureRSAPKCS1WithSHA1,
7246 },
7247 Bugs: ProtocolBugs{
7248 NoSignatureAlgorithms: true,
7249 },
7250 },
7251 shouldFail: true,
7252 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7253 })
7254
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7255 // Test that hash preferences are enforced. BoringSSL does not implement
7256 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7257 testCases = append(testCases, testCase{
7258 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7259 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7260 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7261 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7262 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7263 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7264 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7265 },
7266 Bugs: ProtocolBugs{
7267 IgnorePeerSignatureAlgorithmPreferences: true,
7268 },
7269 },
7270 flags: []string{"-require-any-client-certificate"},
7271 shouldFail: true,
7272 expectedError: ":WRONG_SIGNATURE_TYPE:",
7273 })
7274
7275 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7276 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7277 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7278 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7279 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7280 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7281 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7282 },
7283 Bugs: ProtocolBugs{
7284 IgnorePeerSignatureAlgorithmPreferences: true,
7285 },
7286 },
7287 shouldFail: true,
7288 expectedError: ":WRONG_SIGNATURE_TYPE:",
7289 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7290 testCases = append(testCases, testCase{
7291 testType: serverTest,
7292 name: "ClientAuth-Enforced-TLS13",
7293 config: Config{
7294 MaxVersion: VersionTLS13,
7295 Certificates: []Certificate{rsaCertificate},
7296 SignSignatureAlgorithms: []signatureAlgorithm{
7297 signatureRSAPKCS1WithMD5,
7298 },
7299 Bugs: ProtocolBugs{
7300 IgnorePeerSignatureAlgorithmPreferences: true,
7301 IgnoreSignatureVersionChecks: true,
7302 },
7303 },
7304 flags: []string{"-require-any-client-certificate"},
7305 shouldFail: true,
7306 expectedError: ":WRONG_SIGNATURE_TYPE:",
7307 })
7308
7309 testCases = append(testCases, testCase{
7310 name: "ServerAuth-Enforced-TLS13",
7311 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7312 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7313 SignSignatureAlgorithms: []signatureAlgorithm{
7314 signatureRSAPKCS1WithMD5,
7315 },
7316 Bugs: ProtocolBugs{
7317 IgnorePeerSignatureAlgorithmPreferences: true,
7318 IgnoreSignatureVersionChecks: true,
7319 },
7320 },
7321 shouldFail: true,
7322 expectedError: ":WRONG_SIGNATURE_TYPE:",
7323 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7324
7325 // Test that the agreed upon digest respects the client preferences and
7326 // the server digests.
7327 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7328 name: "NoCommonAlgorithms-Digests",
7329 config: Config{
7330 MaxVersion: VersionTLS12,
7331 ClientAuth: RequireAnyClientCert,
7332 VerifySignatureAlgorithms: []signatureAlgorithm{
7333 signatureRSAPKCS1WithSHA512,
7334 signatureRSAPKCS1WithSHA1,
7335 },
7336 },
7337 flags: []string{
7338 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7339 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7340 "-digest-prefs", "SHA256",
7341 },
7342 shouldFail: true,
7343 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7344 })
7345 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7346 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7347 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7348 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7349 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7350 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7351 signatureRSAPKCS1WithSHA512,
7352 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7353 },
7354 },
7355 flags: []string{
7356 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7357 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7358 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7359 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7360 shouldFail: true,
7361 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7362 })
7363 testCases = append(testCases, testCase{
7364 name: "NoCommonAlgorithms-TLS13",
7365 config: Config{
7366 MaxVersion: VersionTLS13,
7367 ClientAuth: RequireAnyClientCert,
7368 VerifySignatureAlgorithms: []signatureAlgorithm{
7369 signatureRSAPSSWithSHA512,
7370 signatureRSAPSSWithSHA384,
7371 },
7372 },
7373 flags: []string{
7374 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7375 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7376 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7377 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7378 shouldFail: true,
7379 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7380 })
7381 testCases = append(testCases, testCase{
7382 name: "Agree-Digest-SHA256",
7383 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7384 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7385 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7386 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7387 signatureRSAPKCS1WithSHA1,
7388 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7389 },
7390 },
7391 flags: []string{
7392 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7393 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7394 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7395 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7396 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7397 })
7398 testCases = append(testCases, testCase{
7399 name: "Agree-Digest-SHA1",
7400 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7401 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7402 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7403 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7404 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7405 },
7406 },
7407 flags: []string{
7408 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7409 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7410 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7411 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7412 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7413 })
7414 testCases = append(testCases, testCase{
7415 name: "Agree-Digest-Default",
7416 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7417 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7418 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7419 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7420 signatureRSAPKCS1WithSHA256,
7421 signatureECDSAWithP256AndSHA256,
7422 signatureRSAPKCS1WithSHA1,
7423 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7424 },
7425 },
7426 flags: []string{
7427 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7428 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7429 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7430 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7431 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7432
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7433 // Test that the signing preference list may include extra algorithms
7434 // without negotiation problems.
7435 testCases = append(testCases, testCase{
7436 testType: serverTest,
7437 name: "FilterExtraAlgorithms",
7438 config: Config{
7439 MaxVersion: VersionTLS12,
7440 VerifySignatureAlgorithms: []signatureAlgorithm{
7441 signatureRSAPKCS1WithSHA256,
7442 },
7443 },
7444 flags: []string{
7445 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7446 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7447 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7448 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7449 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7450 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7451 },
7452 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7453 })
7454
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7455 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7456 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7457 testCases = append(testCases, testCase{
7458 name: "CheckLeafCurve",
7459 config: Config{
7460 MaxVersion: VersionTLS12,
7461 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7462 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7463 },
7464 flags: []string{"-p384-only"},
7465 shouldFail: true,
7466 expectedError: ":BAD_ECC_CERT:",
7467 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7468
7469 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7470 testCases = append(testCases, testCase{
7471 name: "CheckLeafCurve-TLS13",
7472 config: Config{
7473 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7474 Certificates: []Certificate{ecdsaP256Certificate},
7475 },
7476 flags: []string{"-p384-only"},
7477 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7478
7479 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7480 testCases = append(testCases, testCase{
7481 name: "ECDSACurveMismatch-Verify-TLS12",
7482 config: Config{
7483 MaxVersion: VersionTLS12,
7484 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7485 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7486 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7487 signatureECDSAWithP384AndSHA384,
7488 },
7489 },
7490 })
7491
7492 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7493 testCases = append(testCases, testCase{
7494 name: "ECDSACurveMismatch-Verify-TLS13",
7495 config: Config{
7496 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7497 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7498 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7499 signatureECDSAWithP384AndSHA384,
7500 },
7501 Bugs: ProtocolBugs{
7502 SkipECDSACurveCheck: true,
7503 },
7504 },
7505 shouldFail: true,
7506 expectedError: ":WRONG_SIGNATURE_TYPE:",
7507 })
7508
7509 // Signature algorithm selection in TLS 1.3 should take the curve into
7510 // account.
7511 testCases = append(testCases, testCase{
7512 testType: serverTest,
7513 name: "ECDSACurveMismatch-Sign-TLS13",
7514 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7515 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7516 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7517 signatureECDSAWithP384AndSHA384,
7518 signatureECDSAWithP256AndSHA256,
7519 },
7520 },
7521 flags: []string{
7522 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7523 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7524 },
7525 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7526 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7527
7528 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7529 // server does not attempt to sign in that case.
7530 testCases = append(testCases, testCase{
7531 testType: serverTest,
7532 name: "RSA-PSS-Large",
7533 config: Config{
7534 MaxVersion: VersionTLS13,
7535 VerifySignatureAlgorithms: []signatureAlgorithm{
7536 signatureRSAPSSWithSHA512,
7537 },
7538 },
7539 flags: []string{
7540 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7541 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7542 },
7543 shouldFail: true,
7544 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7545 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7546
7547 // Test that RSA-PSS is enabled by default for TLS 1.2.
7548 testCases = append(testCases, testCase{
7549 testType: clientTest,
7550 name: "RSA-PSS-Default-Verify",
7551 config: Config{
7552 MaxVersion: VersionTLS12,
7553 SignSignatureAlgorithms: []signatureAlgorithm{
7554 signatureRSAPSSWithSHA256,
7555 },
7556 },
7557 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7558 })
7559
7560 testCases = append(testCases, testCase{
7561 testType: serverTest,
7562 name: "RSA-PSS-Default-Sign",
7563 config: Config{
7564 MaxVersion: VersionTLS12,
7565 VerifySignatureAlgorithms: []signatureAlgorithm{
7566 signatureRSAPSSWithSHA256,
7567 },
7568 },
7569 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7570 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7571
7572 // TLS 1.1 and below has no way to advertise support for or negotiate
7573 // Ed25519's signature algorithm.
7574 testCases = append(testCases, testCase{
7575 testType: clientTest,
7576 name: "NoEd25519-TLS11-ServerAuth-Verify",
7577 config: Config{
7578 MaxVersion: VersionTLS11,
7579 Certificates: []Certificate{ed25519Certificate},
7580 Bugs: ProtocolBugs{
7581 // Sign with Ed25519 even though it is TLS 1.1.
7582 UseLegacySigningAlgorithm: signatureEd25519,
7583 },
7584 },
7585 flags: []string{"-enable-ed25519"},
7586 shouldFail: true,
7587 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7588 })
7589 testCases = append(testCases, testCase{
7590 testType: serverTest,
7591 name: "NoEd25519-TLS11-ServerAuth-Sign",
7592 config: Config{
7593 MaxVersion: VersionTLS11,
7594 },
7595 flags: []string{
7596 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7597 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7598 },
7599 shouldFail: true,
7600 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7601 })
7602 testCases = append(testCases, testCase{
7603 testType: serverTest,
7604 name: "NoEd25519-TLS11-ClientAuth-Verify",
7605 config: Config{
7606 MaxVersion: VersionTLS11,
7607 Certificates: []Certificate{ed25519Certificate},
7608 Bugs: ProtocolBugs{
7609 // Sign with Ed25519 even though it is TLS 1.1.
7610 UseLegacySigningAlgorithm: signatureEd25519,
7611 },
7612 },
7613 flags: []string{
7614 "-enable-ed25519",
7615 "-require-any-client-certificate",
7616 },
7617 shouldFail: true,
7618 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7619 })
7620 testCases = append(testCases, testCase{
7621 testType: clientTest,
7622 name: "NoEd25519-TLS11-ClientAuth-Sign",
7623 config: Config{
7624 MaxVersion: VersionTLS11,
7625 ClientAuth: RequireAnyClientCert,
7626 },
7627 flags: []string{
7628 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7629 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7630 },
7631 shouldFail: true,
7632 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7633 })
7634
7635 // Test Ed25519 is not advertised by default.
7636 testCases = append(testCases, testCase{
7637 testType: clientTest,
7638 name: "Ed25519DefaultDisable-NoAdvertise",
7639 config: Config{
7640 Certificates: []Certificate{ed25519Certificate},
7641 },
7642 shouldFail: true,
7643 expectedLocalError: "tls: no common signature algorithms",
7644 })
7645
7646 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7647 // preferences.
7648 testCases = append(testCases, testCase{
7649 testType: clientTest,
7650 name: "Ed25519DefaultDisable-NoAccept",
7651 config: Config{
7652 Certificates: []Certificate{ed25519Certificate},
7653 Bugs: ProtocolBugs{
7654 IgnorePeerSignatureAlgorithmPreferences: true,
7655 },
7656 },
7657 shouldFail: true,
7658 expectedLocalError: "remote error: illegal parameter",
7659 expectedError: ":WRONG_SIGNATURE_TYPE:",
7660 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7661}
7662
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7663// timeouts is the retransmit schedule for BoringSSL. It doubles and
7664// caps at 60 seconds. On the 13th timeout, it gives up.
7665var timeouts = []time.Duration{
7666 1 * time.Second,
7667 2 * time.Second,
7668 4 * time.Second,
7669 8 * time.Second,
7670 16 * time.Second,
7671 32 * time.Second,
7672 60 * time.Second,
7673 60 * time.Second,
7674 60 * time.Second,
7675 60 * time.Second,
7676 60 * time.Second,
7677 60 * time.Second,
7678 60 * time.Second,
7679}
7680
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7681// shortTimeouts is an alternate set of timeouts which would occur if the
7682// initial timeout duration was set to 250ms.
7683var shortTimeouts = []time.Duration{
7684 250 * time.Millisecond,
7685 500 * time.Millisecond,
7686 1 * time.Second,
7687 2 * time.Second,
7688 4 * time.Second,
7689 8 * time.Second,
7690 16 * time.Second,
7691 32 * time.Second,
7692 60 * time.Second,
7693 60 * time.Second,
7694 60 * time.Second,
7695 60 * time.Second,
7696 60 * time.Second,
7697}
7698
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7699func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7700 // These tests work by coordinating some behavior on both the shim and
7701 // the runner.
7702 //
7703 // TimeoutSchedule configures the runner to send a series of timeout
7704 // opcodes to the shim (see packetAdaptor) immediately before reading
7705 // each peer handshake flight N. The timeout opcode both simulates a
7706 // timeout in the shim and acts as a synchronization point to help the
7707 // runner bracket each handshake flight.
7708 //
7709 // We assume the shim does not read from the channel eagerly. It must
7710 // first wait until it has sent flight N and is ready to receive
7711 // handshake flight N+1. At this point, it will process the timeout
7712 // opcode. It must then immediately respond with a timeout ACK and act
7713 // as if the shim was idle for the specified amount of time.
7714 //
7715 // The runner then drops all packets received before the ACK and
7716 // continues waiting for flight N. This ordering results in one attempt
7717 // at sending flight N to be dropped. For the test to complete, the
7718 // shim must send flight N again, testing that the shim implements DTLS
7719 // retransmit on a timeout.
7720
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7721 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7722 // likely be more epochs to cross and the final message's retransmit may
7723 // be more complex.
7724
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7725 // Test that this is indeed the timeout schedule. Stress all
7726 // four patterns of handshake.
7727 for i := 1; i < len(timeouts); i++ {
7728 number := strconv.Itoa(i)
7729 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7730 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7731 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7732 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7733 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7734 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7735 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7736 },
7737 },
7738 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7739 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7740 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7741 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7742 protocol: dtls,
7743 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7744 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7745 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7746 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7747 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7748 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7749 },
7750 },
7751 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7752 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7753 })
7754 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7755
7756 // Test that exceeding the timeout schedule hits a read
7757 // timeout.
7758 testCases = append(testCases, testCase{
7759 protocol: dtls,
7760 name: "DTLS-Retransmit-Timeout",
7761 config: Config{
7762 MaxVersion: VersionTLS12,
7763 Bugs: ProtocolBugs{
7764 TimeoutSchedule: timeouts,
7765 },
7766 },
7767 resumeSession: true,
7768 flags: []string{"-async"},
7769 shouldFail: true,
7770 expectedError: ":READ_TIMEOUT_EXPIRED:",
7771 })
7772
7773 // Test that timeout handling has a fudge factor, due to API
7774 // problems.
7775 testCases = append(testCases, testCase{
7776 protocol: dtls,
7777 name: "DTLS-Retransmit-Fudge",
7778 config: Config{
7779 MaxVersion: VersionTLS12,
7780 Bugs: ProtocolBugs{
7781 TimeoutSchedule: []time.Duration{
7782 timeouts[0] - 10*time.Millisecond,
7783 },
7784 },
7785 },
7786 resumeSession: true,
7787 flags: []string{"-async"},
7788 })
7789
7790 // Test that the final Finished retransmitting isn't
7791 // duplicated if the peer badly fragments everything.
7792 testCases = append(testCases, testCase{
7793 testType: serverTest,
7794 protocol: dtls,
7795 name: "DTLS-Retransmit-Fragmented",
7796 config: Config{
7797 MaxVersion: VersionTLS12,
7798 Bugs: ProtocolBugs{
7799 TimeoutSchedule: []time.Duration{timeouts[0]},
7800 MaxHandshakeRecordLength: 2,
7801 },
7802 },
7803 flags: []string{"-async"},
7804 })
7805
7806 // Test the timeout schedule when a shorter initial timeout duration is set.
7807 testCases = append(testCases, testCase{
7808 protocol: dtls,
7809 name: "DTLS-Retransmit-Short-Client",
7810 config: Config{
7811 MaxVersion: VersionTLS12,
7812 Bugs: ProtocolBugs{
7813 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7814 },
7815 },
7816 resumeSession: true,
7817 flags: []string{
7818 "-async",
7819 "-initial-timeout-duration-ms", "250",
7820 },
7821 })
7822 testCases = append(testCases, testCase{
7823 protocol: dtls,
7824 testType: serverTest,
7825 name: "DTLS-Retransmit-Short-Server",
7826 config: Config{
7827 MaxVersion: VersionTLS12,
7828 Bugs: ProtocolBugs{
7829 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7830 },
7831 },
7832 resumeSession: true,
7833 flags: []string{
7834 "-async",
7835 "-initial-timeout-duration-ms", "250",
7836 },
7837 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7838}
7839
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7840func addExportKeyingMaterialTests() {
7841 for _, vers := range tlsVersions {
7842 if vers.version == VersionSSL30 {
7843 continue
7844 }
7845 testCases = append(testCases, testCase{
7846 name: "ExportKeyingMaterial-" + vers.name,
7847 config: Config{
7848 MaxVersion: vers.version,
7849 },
7850 exportKeyingMaterial: 1024,
7851 exportLabel: "label",
7852 exportContext: "context",
7853 useExportContext: true,
7854 })
7855 testCases = append(testCases, testCase{
7856 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7857 config: Config{
7858 MaxVersion: vers.version,
7859 },
7860 exportKeyingMaterial: 1024,
7861 })
7862 testCases = append(testCases, testCase{
7863 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7864 config: Config{
7865 MaxVersion: vers.version,
7866 },
7867 exportKeyingMaterial: 1024,
7868 useExportContext: true,
7869 })
7870 testCases = append(testCases, testCase{
7871 name: "ExportKeyingMaterial-Small-" + vers.name,
7872 config: Config{
7873 MaxVersion: vers.version,
7874 },
7875 exportKeyingMaterial: 1,
7876 exportLabel: "label",
7877 exportContext: "context",
7878 useExportContext: true,
7879 })
7880 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7881
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7882 testCases = append(testCases, testCase{
7883 name: "ExportKeyingMaterial-SSL3",
7884 config: Config{
7885 MaxVersion: VersionSSL30,
7886 },
7887 exportKeyingMaterial: 1024,
7888 exportLabel: "label",
7889 exportContext: "context",
7890 useExportContext: true,
7891 shouldFail: true,
7892 expectedError: "failed to export keying material",
7893 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7894
7895 // Exporters work during a False Start.
7896 testCases = append(testCases, testCase{
7897 name: "ExportKeyingMaterial-FalseStart",
7898 config: Config{
7899 MaxVersion: VersionTLS12,
7900 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7901 NextProtos: []string{"foo"},
7902 Bugs: ProtocolBugs{
7903 ExpectFalseStart: true,
7904 },
7905 },
7906 flags: []string{
7907 "-false-start",
7908 "-advertise-alpn", "\x03foo",
7909 },
7910 shimWritesFirst: true,
7911 exportKeyingMaterial: 1024,
7912 exportLabel: "label",
7913 exportContext: "context",
7914 useExportContext: true,
7915 })
7916
7917 // Exporters do not work in the middle of a renegotiation. Test this by
7918 // triggering the exporter after every SSL_read call and configuring the
7919 // shim to run asynchronously.
7920 testCases = append(testCases, testCase{
7921 name: "ExportKeyingMaterial-Renegotiate",
7922 config: Config{
7923 MaxVersion: VersionTLS12,
7924 },
7925 renegotiate: 1,
7926 flags: []string{
7927 "-async",
7928 "-use-exporter-between-reads",
7929 "-renegotiate-freely",
7930 "-expect-total-renegotiations", "1",
7931 },
7932 shouldFail: true,
7933 expectedError: "failed to export keying material",
7934 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7935}
7936
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7937func addTLSUniqueTests() {
7938 for _, isClient := range []bool{false, true} {
7939 for _, isResumption := range []bool{false, true} {
7940 for _, hasEMS := range []bool{false, true} {
7941 var suffix string
7942 if isResumption {
7943 suffix = "Resume-"
7944 } else {
7945 suffix = "Full-"
7946 }
7947
7948 if hasEMS {
7949 suffix += "EMS-"
7950 } else {
7951 suffix += "NoEMS-"
7952 }
7953
7954 if isClient {
7955 suffix += "Client"
7956 } else {
7957 suffix += "Server"
7958 }
7959
7960 test := testCase{
7961 name: "TLSUnique-" + suffix,
7962 testTLSUnique: true,
7963 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7964 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7965 Bugs: ProtocolBugs{
7966 NoExtendedMasterSecret: !hasEMS,
7967 },
7968 },
7969 }
7970
7971 if isResumption {
7972 test.resumeSession = true
7973 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7974 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7975 Bugs: ProtocolBugs{
7976 NoExtendedMasterSecret: !hasEMS,
7977 },
7978 }
7979 }
7980
7981 if isResumption && !hasEMS {
7982 test.shouldFail = true
7983 test.expectedError = "failed to get tls-unique"
7984 }
7985
7986 testCases = append(testCases, test)
7987 }
7988 }
7989 }
7990}
7991
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7992func addCustomExtensionTests() {
7993 expectedContents := "custom extension"
7994 emptyString := ""
7995
7996 for _, isClient := range []bool{false, true} {
7997 suffix := "Server"
7998 flag := "-enable-server-custom-extension"
7999 testType := serverTest
8000 if isClient {
8001 suffix = "Client"
8002 flag = "-enable-client-custom-extension"
8003 testType = clientTest
8004 }
8005
8006 testCases = append(testCases, testCase{
8007 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8008 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8009 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8010 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8011 Bugs: ProtocolBugs{
8012 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8013 ExpectedCustomExtension: &expectedContents,
8014 },
8015 },
8016 flags: []string{flag},
8017 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8018 testCases = append(testCases, testCase{
8019 testType: testType,
8020 name: "CustomExtensions-" + suffix + "-TLS13",
8021 config: Config{
8022 MaxVersion: VersionTLS13,
8023 Bugs: ProtocolBugs{
8024 CustomExtension: expectedContents,
8025 ExpectedCustomExtension: &expectedContents,
8026 },
8027 },
8028 flags: []string{flag},
8029 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8030
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8031 // 0-RTT is not currently supported with Custom Extensions.
8032 testCases = append(testCases, testCase{
8033 testType: testType,
8034 name: "CustomExtensions-" + suffix + "-EarlyData",
8035 config: Config{
8036 MaxVersion: VersionTLS13,
8037 Bugs: ProtocolBugs{
8038 CustomExtension: expectedContents,
8039 ExpectedCustomExtension: &expectedContents,
8040 },
8041 },
8042 shouldFail: true,
8043 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8044 flags: []string{flag, "-enable-early-data"},
8045 })
8046
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8047 // If the parse callback fails, the handshake should also fail.
8048 testCases = append(testCases, testCase{
8049 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8050 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8051 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8052 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8053 Bugs: ProtocolBugs{
8054 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8055 ExpectedCustomExtension: &expectedContents,
8056 },
8057 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8058 flags: []string{flag},
8059 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8060 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8061 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8062 testCases = append(testCases, testCase{
8063 testType: testType,
8064 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8065 config: Config{
8066 MaxVersion: VersionTLS13,
8067 Bugs: ProtocolBugs{
8068 CustomExtension: expectedContents + "foo",
8069 ExpectedCustomExtension: &expectedContents,
8070 },
8071 },
8072 flags: []string{flag},
8073 shouldFail: true,
8074 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8075 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8076
8077 // If the add callback fails, the handshake should also fail.
8078 testCases = append(testCases, testCase{
8079 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8080 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8081 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8082 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8083 Bugs: ProtocolBugs{
8084 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8085 ExpectedCustomExtension: &expectedContents,
8086 },
8087 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8088 flags: []string{flag, "-custom-extension-fail-add"},
8089 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8090 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8091 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8092 testCases = append(testCases, testCase{
8093 testType: testType,
8094 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8095 config: Config{
8096 MaxVersion: VersionTLS13,
8097 Bugs: ProtocolBugs{
8098 CustomExtension: expectedContents,
8099 ExpectedCustomExtension: &expectedContents,
8100 },
8101 },
8102 flags: []string{flag, "-custom-extension-fail-add"},
8103 shouldFail: true,
8104 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8105 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8106
8107 // If the add callback returns zero, no extension should be
8108 // added.
8109 skipCustomExtension := expectedContents
8110 if isClient {
8111 // For the case where the client skips sending the
8112 // custom extension, the server must not “echo” it.
8113 skipCustomExtension = ""
8114 }
8115 testCases = append(testCases, testCase{
8116 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8117 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8118 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8119 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8120 Bugs: ProtocolBugs{
8121 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8122 ExpectedCustomExtension: &emptyString,
8123 },
8124 },
8125 flags: []string{flag, "-custom-extension-skip"},
8126 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8127 testCases = append(testCases, testCase{
8128 testType: testType,
8129 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8130 config: Config{
8131 MaxVersion: VersionTLS13,
8132 Bugs: ProtocolBugs{
8133 CustomExtension: skipCustomExtension,
8134 ExpectedCustomExtension: &emptyString,
8135 },
8136 },
8137 flags: []string{flag, "-custom-extension-skip"},
8138 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8139 }
8140
8141 // The custom extension add callback should not be called if the client
8142 // doesn't send the extension.
8143 testCases = append(testCases, testCase{
8144 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8145 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8146 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8147 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8148 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8149 ExpectedCustomExtension: &emptyString,
8150 },
8151 },
8152 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8153 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8154
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8155 testCases = append(testCases, testCase{
8156 testType: serverTest,
8157 name: "CustomExtensions-NotCalled-Server-TLS13",
8158 config: Config{
8159 MaxVersion: VersionTLS13,
8160 Bugs: ProtocolBugs{
8161 ExpectedCustomExtension: &emptyString,
8162 },
8163 },
8164 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8165 })
8166
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8167 // Test an unknown extension from the server.
8168 testCases = append(testCases, testCase{
8169 testType: clientTest,
8170 name: "UnknownExtension-Client",
8171 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8172 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8173 Bugs: ProtocolBugs{
8174 CustomExtension: expectedContents,
8175 },
8176 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8177 shouldFail: true,
8178 expectedError: ":UNEXPECTED_EXTENSION:",
8179 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8180 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8181 testCases = append(testCases, testCase{
8182 testType: clientTest,
8183 name: "UnknownExtension-Client-TLS13",
8184 config: Config{
8185 MaxVersion: VersionTLS13,
8186 Bugs: ProtocolBugs{
8187 CustomExtension: expectedContents,
8188 },
8189 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8190 shouldFail: true,
8191 expectedError: ":UNEXPECTED_EXTENSION:",
8192 expectedLocalError: "remote error: unsupported extension",
8193 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8194 testCases = append(testCases, testCase{
8195 testType: clientTest,
8196 name: "UnknownUnencryptedExtension-Client-TLS13",
8197 config: Config{
8198 MaxVersion: VersionTLS13,
8199 Bugs: ProtocolBugs{
8200 CustomUnencryptedExtension: expectedContents,
8201 },
8202 },
8203 shouldFail: true,
8204 expectedError: ":UNEXPECTED_EXTENSION:",
8205 // The shim must send an alert, but alerts at this point do not
8206 // get successfully decrypted by the runner.
8207 expectedLocalError: "local error: bad record MAC",
8208 })
8209 testCases = append(testCases, testCase{
8210 testType: clientTest,
8211 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8212 config: Config{
8213 MaxVersion: VersionTLS13,
8214 Bugs: ProtocolBugs{
8215 SendUnencryptedALPN: "foo",
8216 },
8217 },
8218 flags: []string{
8219 "-advertise-alpn", "\x03foo\x03bar",
8220 },
8221 shouldFail: true,
8222 expectedError: ":UNEXPECTED_EXTENSION:",
8223 // The shim must send an alert, but alerts at this point do not
8224 // get successfully decrypted by the runner.
8225 expectedLocalError: "local error: bad record MAC",
8226 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8227
8228 // Test a known but unoffered extension from the server.
8229 testCases = append(testCases, testCase{
8230 testType: clientTest,
8231 name: "UnofferedExtension-Client",
8232 config: Config{
8233 MaxVersion: VersionTLS12,
8234 Bugs: ProtocolBugs{
8235 SendALPN: "alpn",
8236 },
8237 },
8238 shouldFail: true,
8239 expectedError: ":UNEXPECTED_EXTENSION:",
8240 expectedLocalError: "remote error: unsupported extension",
8241 })
8242 testCases = append(testCases, testCase{
8243 testType: clientTest,
8244 name: "UnofferedExtension-Client-TLS13",
8245 config: Config{
8246 MaxVersion: VersionTLS13,
8247 Bugs: ProtocolBugs{
8248 SendALPN: "alpn",
8249 },
8250 },
8251 shouldFail: true,
8252 expectedError: ":UNEXPECTED_EXTENSION:",
8253 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8254 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8255}
8256
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8257func addRSAClientKeyExchangeTests() {
8258 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8259 testCases = append(testCases, testCase{
8260 testType: serverTest,
8261 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8262 config: Config{
8263 // Ensure the ClientHello version and final
8264 // version are different, to detect if the
8265 // server uses the wrong one.
8266 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8267 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8268 Bugs: ProtocolBugs{
8269 BadRSAClientKeyExchange: bad,
8270 },
8271 },
8272 shouldFail: true,
8273 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8274 })
8275 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8276
8277 // The server must compare whatever was in ClientHello.version for the
8278 // RSA premaster.
8279 testCases = append(testCases, testCase{
8280 testType: serverTest,
8281 name: "SendClientVersion-RSA",
8282 config: Config{
8283 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8284 Bugs: ProtocolBugs{
8285 SendClientVersion: 0x1234,
8286 },
8287 },
8288 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8289 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8290}
8291
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8292var testCurves = []struct {
8293 name string
8294 id CurveID
8295}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8296 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8297 {"P-256", CurveP256},
8298 {"P-384", CurveP384},
8299 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8300 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8301}
8302
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8303const bogusCurve = 0x1234
8304
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8305func addCurveTests() {
8306 for _, curve := range testCurves {
8307 testCases = append(testCases, testCase{
8308 name: "CurveTest-Client-" + curve.name,
8309 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8310 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8311 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8312 CurvePreferences: []CurveID{curve.id},
8313 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8314 flags: []string{
8315 "-enable-all-curves",
8316 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8317 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8318 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8319 })
8320 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8321 name: "CurveTest-Client-" + curve.name + "-TLS13",
8322 config: Config{
8323 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8324 CurvePreferences: []CurveID{curve.id},
8325 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8326 flags: []string{
8327 "-enable-all-curves",
8328 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8329 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8330 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8331 })
8332 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8333 testType: serverTest,
8334 name: "CurveTest-Server-" + curve.name,
8335 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8336 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8337 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8338 CurvePreferences: []CurveID{curve.id},
8339 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8340 flags: []string{
8341 "-enable-all-curves",
8342 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8343 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8344 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8345 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8346 testCases = append(testCases, testCase{
8347 testType: serverTest,
8348 name: "CurveTest-Server-" + curve.name + "-TLS13",
8349 config: Config{
8350 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8351 CurvePreferences: []CurveID{curve.id},
8352 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8353 flags: []string{
8354 "-enable-all-curves",
8355 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8356 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8357 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8358 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8359 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8360
8361 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8362 testCases = append(testCases, testCase{
8363 testType: serverTest,
8364 name: "UnknownCurve",
8365 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8366 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8367 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8368 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8369 },
8370 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8371
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8372 // The server must be tolerant to bogus curves.
8373 testCases = append(testCases, testCase{
8374 testType: serverTest,
8375 name: "UnknownCurve-TLS13",
8376 config: Config{
8377 MaxVersion: VersionTLS13,
8378 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8379 },
8380 })
8381
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8382 // The server must not consider ECDHE ciphers when there are no
8383 // supported curves.
8384 testCases = append(testCases, testCase{
8385 testType: serverTest,
8386 name: "NoSupportedCurves",
8387 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8388 MaxVersion: VersionTLS12,
8389 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8390 Bugs: ProtocolBugs{
8391 NoSupportedCurves: true,
8392 },
8393 },
8394 shouldFail: true,
8395 expectedError: ":NO_SHARED_CIPHER:",
8396 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8397 testCases = append(testCases, testCase{
8398 testType: serverTest,
8399 name: "NoSupportedCurves-TLS13",
8400 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8401 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8402 Bugs: ProtocolBugs{
8403 NoSupportedCurves: true,
8404 },
8405 },
8406 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8407 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8408 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8409
8410 // The server must fall back to another cipher when there are no
8411 // supported curves.
8412 testCases = append(testCases, testCase{
8413 testType: serverTest,
8414 name: "NoCommonCurves",
8415 config: Config{
8416 MaxVersion: VersionTLS12,
8417 CipherSuites: []uint16{
8418 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8419 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8420 },
8421 CurvePreferences: []CurveID{CurveP224},
8422 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8423 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8424 })
8425
8426 // The client must reject bogus curves and disabled curves.
8427 testCases = append(testCases, testCase{
8428 name: "BadECDHECurve",
8429 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8430 MaxVersion: VersionTLS12,
8431 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8432 Bugs: ProtocolBugs{
8433 SendCurve: bogusCurve,
8434 },
8435 },
8436 shouldFail: true,
8437 expectedError: ":WRONG_CURVE:",
8438 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8439 testCases = append(testCases, testCase{
8440 name: "BadECDHECurve-TLS13",
8441 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8442 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8443 Bugs: ProtocolBugs{
8444 SendCurve: bogusCurve,
8445 },
8446 },
8447 shouldFail: true,
8448 expectedError: ":WRONG_CURVE:",
8449 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8450
8451 testCases = append(testCases, testCase{
8452 name: "UnsupportedCurve",
8453 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8454 MaxVersion: VersionTLS12,
8455 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8456 CurvePreferences: []CurveID{CurveP256},
8457 Bugs: ProtocolBugs{
8458 IgnorePeerCurvePreferences: true,
8459 },
8460 },
8461 flags: []string{"-p384-only"},
8462 shouldFail: true,
8463 expectedError: ":WRONG_CURVE:",
8464 })
8465
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8466 testCases = append(testCases, testCase{
8467 // TODO(davidben): Add a TLS 1.3 version where
8468 // HelloRetryRequest requests an unsupported curve.
8469 name: "UnsupportedCurve-ServerHello-TLS13",
8470 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8471 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8472 CurvePreferences: []CurveID{CurveP384},
8473 Bugs: ProtocolBugs{
8474 SendCurve: CurveP256,
8475 },
8476 },
8477 flags: []string{"-p384-only"},
8478 shouldFail: true,
8479 expectedError: ":WRONG_CURVE:",
8480 })
8481
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8482 // Test invalid curve points.
8483 testCases = append(testCases, testCase{
8484 name: "InvalidECDHPoint-Client",
8485 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8486 MaxVersion: VersionTLS12,
8487 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8488 CurvePreferences: []CurveID{CurveP256},
8489 Bugs: ProtocolBugs{
8490 InvalidECDHPoint: true,
8491 },
8492 },
8493 shouldFail: true,
8494 expectedError: ":INVALID_ENCODING:",
8495 })
8496 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8497 name: "InvalidECDHPoint-Client-TLS13",
8498 config: Config{
8499 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8500 CurvePreferences: []CurveID{CurveP256},
8501 Bugs: ProtocolBugs{
8502 InvalidECDHPoint: true,
8503 },
8504 },
8505 shouldFail: true,
8506 expectedError: ":INVALID_ENCODING:",
8507 })
8508 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8509 testType: serverTest,
8510 name: "InvalidECDHPoint-Server",
8511 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8512 MaxVersion: VersionTLS12,
8513 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8514 CurvePreferences: []CurveID{CurveP256},
8515 Bugs: ProtocolBugs{
8516 InvalidECDHPoint: true,
8517 },
8518 },
8519 shouldFail: true,
8520 expectedError: ":INVALID_ENCODING:",
8521 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8522 testCases = append(testCases, testCase{
8523 testType: serverTest,
8524 name: "InvalidECDHPoint-Server-TLS13",
8525 config: Config{
8526 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8527 CurvePreferences: []CurveID{CurveP256},
8528 Bugs: ProtocolBugs{
8529 InvalidECDHPoint: true,
8530 },
8531 },
8532 shouldFail: true,
8533 expectedError: ":INVALID_ENCODING:",
8534 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8535
8536 // The previous curve ID should be reported on TLS 1.2 resumption.
8537 testCases = append(testCases, testCase{
8538 name: "CurveID-Resume-Client",
8539 config: Config{
8540 MaxVersion: VersionTLS12,
8541 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8542 CurvePreferences: []CurveID{CurveX25519},
8543 },
8544 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8545 resumeSession: true,
8546 })
8547 testCases = append(testCases, testCase{
8548 testType: serverTest,
8549 name: "CurveID-Resume-Server",
8550 config: Config{
8551 MaxVersion: VersionTLS12,
8552 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8553 CurvePreferences: []CurveID{CurveX25519},
8554 },
8555 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8556 resumeSession: true,
8557 })
8558
8559 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8560 // one should be reported.
8561 testCases = append(testCases, testCase{
8562 name: "CurveID-Resume-Client-TLS13",
8563 config: Config{
8564 MaxVersion: VersionTLS13,
8565 CurvePreferences: []CurveID{CurveX25519},
8566 },
8567 resumeConfig: &Config{
8568 MaxVersion: VersionTLS13,
8569 CurvePreferences: []CurveID{CurveP256},
8570 },
8571 flags: []string{
8572 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8573 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8574 },
8575 resumeSession: true,
8576 })
8577 testCases = append(testCases, testCase{
8578 testType: serverTest,
8579 name: "CurveID-Resume-Server-TLS13",
8580 config: Config{
8581 MaxVersion: VersionTLS13,
8582 CurvePreferences: []CurveID{CurveX25519},
8583 },
8584 resumeConfig: &Config{
8585 MaxVersion: VersionTLS13,
8586 CurvePreferences: []CurveID{CurveP256},
8587 },
8588 flags: []string{
8589 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8590 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8591 },
8592 resumeSession: true,
8593 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8594
8595 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8596 testCases = append(testCases, testCase{
8597 name: "PointFormat-ServerHello-TLS12",
8598 config: Config{
8599 MaxVersion: VersionTLS12,
8600 Bugs: ProtocolBugs{
8601 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8602 },
8603 },
8604 })
8605 testCases = append(testCases, testCase{
8606 name: "PointFormat-EncryptedExtensions-TLS13",
8607 config: Config{
8608 MaxVersion: VersionTLS13,
8609 Bugs: ProtocolBugs{
8610 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8611 },
8612 },
8613 shouldFail: true,
8614 expectedError: ":ERROR_PARSING_EXTENSION:",
8615 })
8616
8617 // Test that we tolerate unknown point formats, as long as
8618 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8619 // check they are still functional.
8620 testCases = append(testCases, testCase{
8621 name: "PointFormat-Client-Tolerance",
8622 config: Config{
8623 MaxVersion: VersionTLS12,
8624 Bugs: ProtocolBugs{
8625 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8626 },
8627 },
8628 })
8629 testCases = append(testCases, testCase{
8630 testType: serverTest,
8631 name: "PointFormat-Server-Tolerance",
8632 config: Config{
8633 MaxVersion: VersionTLS12,
8634 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8635 Bugs: ProtocolBugs{
8636 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8637 },
8638 },
8639 })
8640
8641 // Test TLS 1.2 does not require the point format extension to be
8642 // present.
8643 testCases = append(testCases, testCase{
8644 name: "PointFormat-Client-Missing",
8645 config: Config{
8646 MaxVersion: VersionTLS12,
8647 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8648 Bugs: ProtocolBugs{
8649 SendSupportedPointFormats: []byte{},
8650 },
8651 },
8652 })
8653 testCases = append(testCases, testCase{
8654 testType: serverTest,
8655 name: "PointFormat-Server-Missing",
8656 config: Config{
8657 MaxVersion: VersionTLS12,
8658 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8659 Bugs: ProtocolBugs{
8660 SendSupportedPointFormats: []byte{},
8661 },
8662 },
8663 })
8664
8665 // If the point format extension is present, uncompressed points must be
8666 // offered. BoringSSL requires this whether or not ECDHE is used.
8667 testCases = append(testCases, testCase{
8668 name: "PointFormat-Client-MissingUncompressed",
8669 config: Config{
8670 MaxVersion: VersionTLS12,
8671 Bugs: ProtocolBugs{
8672 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8673 },
8674 },
8675 shouldFail: true,
8676 expectedError: ":ERROR_PARSING_EXTENSION:",
8677 })
8678 testCases = append(testCases, testCase{
8679 testType: serverTest,
8680 name: "PointFormat-Server-MissingUncompressed",
8681 config: Config{
8682 MaxVersion: VersionTLS12,
8683 Bugs: ProtocolBugs{
8684 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8685 },
8686 },
8687 shouldFail: true,
8688 expectedError: ":ERROR_PARSING_EXTENSION:",
8689 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8690}
8691
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8692func addTLS13RecordTests() {
8693 testCases = append(testCases, testCase{
8694 name: "TLS13-RecordPadding",
8695 config: Config{
8696 MaxVersion: VersionTLS13,
8697 MinVersion: VersionTLS13,
8698 Bugs: ProtocolBugs{
8699 RecordPadding: 10,
8700 },
8701 },
8702 })
8703
8704 testCases = append(testCases, testCase{
8705 name: "TLS13-EmptyRecords",
8706 config: Config{
8707 MaxVersion: VersionTLS13,
8708 MinVersion: VersionTLS13,
8709 Bugs: ProtocolBugs{
8710 OmitRecordContents: true,
8711 },
8712 },
8713 shouldFail: true,
8714 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8715 })
8716
8717 testCases = append(testCases, testCase{
8718 name: "TLS13-OnlyPadding",
8719 config: Config{
8720 MaxVersion: VersionTLS13,
8721 MinVersion: VersionTLS13,
8722 Bugs: ProtocolBugs{
8723 OmitRecordContents: true,
8724 RecordPadding: 10,
8725 },
8726 },
8727 shouldFail: true,
8728 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8729 })
8730
8731 testCases = append(testCases, testCase{
8732 name: "TLS13-WrongOuterRecord",
8733 config: Config{
8734 MaxVersion: VersionTLS13,
8735 MinVersion: VersionTLS13,
8736 Bugs: ProtocolBugs{
8737 OuterRecordType: recordTypeHandshake,
8738 },
8739 },
8740 shouldFail: true,
8741 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8742 })
8743}
8744
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8745func addSessionTicketTests() {
8746 testCases = append(testCases, testCase{
8747 // In TLS 1.2 and below, empty NewSessionTicket messages
8748 // mean the server changed its mind on sending a ticket.
8749 name: "SendEmptySessionTicket",
8750 config: Config{
8751 MaxVersion: VersionTLS12,
8752 Bugs: ProtocolBugs{
8753 SendEmptySessionTicket: true,
8754 },
8755 },
8756 flags: []string{"-expect-no-session"},
8757 })
8758
8759 // Test that the server ignores unknown PSK modes.
8760 testCases = append(testCases, testCase{
8761 testType: serverTest,
8762 name: "TLS13-SendUnknownModeSessionTicket-Server",
8763 config: Config{
8764 MaxVersion: VersionTLS13,
8765 Bugs: ProtocolBugs{
8766 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8767 },
8768 },
8769 resumeSession: true,
8770 expectedResumeVersion: VersionTLS13,
8771 })
8772
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8773 // Test that the server does not send session tickets with no matching key exchange mode.
8774 testCases = append(testCases, testCase{
8775 testType: serverTest,
8776 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8777 config: Config{
8778 MaxVersion: VersionTLS13,
8779 Bugs: ProtocolBugs{
8780 SendPSKKeyExchangeModes: []byte{0x1a},
8781 ExpectNoNewSessionTicket: true,
8782 },
8783 },
8784 })
8785
8786 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8787 testCases = append(testCases, testCase{
8788 testType: serverTest,
8789 name: "TLS13-SendBadKEModeSessionTicket-Server",
8790 config: Config{
8791 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8792 },
8793 resumeConfig: &Config{
8794 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8795 Bugs: ProtocolBugs{
8796 SendPSKKeyExchangeModes: []byte{0x1a},
8797 },
8798 },
8799 resumeSession: true,
8800 expectResumeRejected: true,
8801 })
8802
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8803 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8804 testCases = append(testCases, testCase{
8805 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8806 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8807 config: Config{
8808 MaxVersion: VersionTLS13,
8809 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8810 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8811 },
8812 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8813 resumeSession: true,
8814 flags: []string{
8815 "-resumption-delay", "10",
8816 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8817 })
8818
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8819 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8820 testCases = append(testCases, testCase{
8821 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8822 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8823 config: Config{
8824 MaxVersion: VersionTLS13,
8825 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8826 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8827 },
8828 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8829 resumeSession: true,
8830 shouldFail: true,
8831 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8832 })
8833
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8834 // Test that the server's ticket age skew reporting works.
8835 testCases = append(testCases, testCase{
8836 testType: serverTest,
8837 name: "TLS13-TicketAgeSkew-Forward",
8838 config: Config{
8839 MaxVersion: VersionTLS13,
8840 Bugs: ProtocolBugs{
8841 SendTicketAge: 15 * time.Second,
8842 },
8843 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8844 resumeSession: true,
8845 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8846 flags: []string{
8847 "-resumption-delay", "10",
8848 "-expect-ticket-age-skew", "5",
8849 },
8850 })
8851 testCases = append(testCases, testCase{
8852 testType: serverTest,
8853 name: "TLS13-TicketAgeSkew-Backward",
8854 config: Config{
8855 MaxVersion: VersionTLS13,
8856 Bugs: ProtocolBugs{
8857 SendTicketAge: 5 * time.Second,
8858 },
8859 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8860 resumeSession: true,
8861 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8862 flags: []string{
8863 "-resumption-delay", "10",
8864 "-expect-ticket-age-skew", "-5",
8865 },
8866 })
8867
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8868 testCases = append(testCases, testCase{
8869 testType: clientTest,
8870 name: "TLS13-SendTicketEarlyDataInfo",
8871 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8872 MaxVersion: VersionTLS13,
8873 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8874 },
8875 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8876 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8877 "-expect-early-data-info",
8878 },
8879 })
8880
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8881 // Test that 0-RTT tickets are ignored in clients unless opted in.
8882 testCases = append(testCases, testCase{
8883 testType: clientTest,
8884 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8885 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8886 MaxVersion: VersionTLS13,
8887 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8888 },
8889 })
8890
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8891 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8892 testType: clientTest,
8893 name: "TLS13-DuplicateTicketEarlyDataInfo",
8894 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8895 MaxVersion: VersionTLS13,
8896 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8897 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8898 DuplicateTicketEarlyDataInfo: true,
8899 },
8900 },
8901 shouldFail: true,
8902 expectedError: ":DUPLICATE_EXTENSION:",
8903 expectedLocalError: "remote error: illegal parameter",
8904 })
8905
8906 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8907 testType: serverTest,
8908 name: "TLS13-ExpectTicketEarlyDataInfo",
8909 config: Config{
8910 MaxVersion: VersionTLS13,
8911 Bugs: ProtocolBugs{
8912 ExpectTicketEarlyDataInfo: true,
8913 },
8914 },
8915 flags: []string{
8916 "-enable-early-data",
8917 },
8918 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8919
8920 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8921 // is honored.
8922 testCases = append(testCases, testCase{
8923 testType: clientTest,
8924 name: "TLS13-HonorServerSessionTicketLifetime",
8925 config: Config{
8926 MaxVersion: VersionTLS13,
8927 Bugs: ProtocolBugs{
8928 SendTicketLifetime: 20 * time.Second,
8929 },
8930 },
8931 flags: []string{
8932 "-resumption-delay", "19",
8933 },
8934 resumeSession: true,
8935 })
8936 testCases = append(testCases, testCase{
8937 testType: clientTest,
8938 name: "TLS13-HonorServerSessionTicketLifetime-2",
8939 config: Config{
8940 MaxVersion: VersionTLS13,
8941 Bugs: ProtocolBugs{
8942 SendTicketLifetime: 20 * time.Second,
8943 // The client should not offer the expired session.
8944 ExpectNoTLS13PSK: true,
8945 },
8946 },
8947 flags: []string{
8948 "-resumption-delay", "21",
8949 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]8950 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8951 expectResumeRejected: true,
8952 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8953}
8954
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8955func addChangeCipherSpecTests() {
8956 // Test missing ChangeCipherSpecs.
8957 testCases = append(testCases, testCase{
8958 name: "SkipChangeCipherSpec-Client",
8959 config: Config{
8960 MaxVersion: VersionTLS12,
8961 Bugs: ProtocolBugs{
8962 SkipChangeCipherSpec: true,
8963 },
8964 },
8965 shouldFail: true,
8966 expectedError: ":UNEXPECTED_RECORD:",
8967 })
8968 testCases = append(testCases, testCase{
8969 testType: serverTest,
8970 name: "SkipChangeCipherSpec-Server",
8971 config: Config{
8972 MaxVersion: VersionTLS12,
8973 Bugs: ProtocolBugs{
8974 SkipChangeCipherSpec: true,
8975 },
8976 },
8977 shouldFail: true,
8978 expectedError: ":UNEXPECTED_RECORD:",
8979 })
8980 testCases = append(testCases, testCase{
8981 testType: serverTest,
8982 name: "SkipChangeCipherSpec-Server-NPN",
8983 config: Config{
8984 MaxVersion: VersionTLS12,
8985 NextProtos: []string{"bar"},
8986 Bugs: ProtocolBugs{
8987 SkipChangeCipherSpec: true,
8988 },
8989 },
8990 flags: []string{
8991 "-advertise-npn", "\x03foo\x03bar\x03baz",
8992 },
8993 shouldFail: true,
8994 expectedError: ":UNEXPECTED_RECORD:",
8995 })
8996
8997 // Test synchronization between the handshake and ChangeCipherSpec.
8998 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8999 // rejected. Test both with and without handshake packing to handle both
9000 // when the partial post-CCS message is in its own record and when it is
9001 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9002 for _, packed := range []bool{false, true} {
9003 var suffix string
9004 if packed {
9005 suffix = "-Packed"
9006 }
9007
9008 testCases = append(testCases, testCase{
9009 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9010 config: Config{
9011 MaxVersion: VersionTLS12,
9012 Bugs: ProtocolBugs{
9013 FragmentAcrossChangeCipherSpec: true,
9014 PackHandshakeFlight: packed,
9015 },
9016 },
9017 shouldFail: true,
9018 expectedError: ":UNEXPECTED_RECORD:",
9019 })
9020 testCases = append(testCases, testCase{
9021 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9022 config: Config{
9023 MaxVersion: VersionTLS12,
9024 },
9025 resumeSession: true,
9026 resumeConfig: &Config{
9027 MaxVersion: VersionTLS12,
9028 Bugs: ProtocolBugs{
9029 FragmentAcrossChangeCipherSpec: true,
9030 PackHandshakeFlight: packed,
9031 },
9032 },
9033 shouldFail: true,
9034 expectedError: ":UNEXPECTED_RECORD:",
9035 })
9036 testCases = append(testCases, testCase{
9037 testType: serverTest,
9038 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9039 config: Config{
9040 MaxVersion: VersionTLS12,
9041 Bugs: ProtocolBugs{
9042 FragmentAcrossChangeCipherSpec: true,
9043 PackHandshakeFlight: packed,
9044 },
9045 },
9046 shouldFail: true,
9047 expectedError: ":UNEXPECTED_RECORD:",
9048 })
9049 testCases = append(testCases, testCase{
9050 testType: serverTest,
9051 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9052 config: Config{
9053 MaxVersion: VersionTLS12,
9054 },
9055 resumeSession: true,
9056 resumeConfig: &Config{
9057 MaxVersion: VersionTLS12,
9058 Bugs: ProtocolBugs{
9059 FragmentAcrossChangeCipherSpec: true,
9060 PackHandshakeFlight: packed,
9061 },
9062 },
9063 shouldFail: true,
9064 expectedError: ":UNEXPECTED_RECORD:",
9065 })
9066 testCases = append(testCases, testCase{
9067 testType: serverTest,
9068 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9069 config: Config{
9070 MaxVersion: VersionTLS12,
9071 NextProtos: []string{"bar"},
9072 Bugs: ProtocolBugs{
9073 FragmentAcrossChangeCipherSpec: true,
9074 PackHandshakeFlight: packed,
9075 },
9076 },
9077 flags: []string{
9078 "-advertise-npn", "\x03foo\x03bar\x03baz",
9079 },
9080 shouldFail: true,
9081 expectedError: ":UNEXPECTED_RECORD:",
9082 })
9083 }
9084
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9085 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9086 // messages in the handshake queue. Do this by testing the server
9087 // reading the client Finished, reversing the flight so Finished comes
9088 // first.
9089 testCases = append(testCases, testCase{
9090 protocol: dtls,
9091 testType: serverTest,
9092 name: "SendUnencryptedFinished-DTLS",
9093 config: Config{
9094 MaxVersion: VersionTLS12,
9095 Bugs: ProtocolBugs{
9096 SendUnencryptedFinished: true,
9097 ReverseHandshakeFragments: true,
9098 },
9099 },
9100 shouldFail: true,
9101 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9102 })
9103
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9104 // Test synchronization between encryption changes and the handshake in
9105 // TLS 1.3, where ChangeCipherSpec is implicit.
9106 testCases = append(testCases, testCase{
9107 name: "PartialEncryptedExtensionsWithServerHello",
9108 config: Config{
9109 MaxVersion: VersionTLS13,
9110 Bugs: ProtocolBugs{
9111 PartialEncryptedExtensionsWithServerHello: true,
9112 },
9113 },
9114 shouldFail: true,
9115 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9116 })
9117 testCases = append(testCases, testCase{
9118 testType: serverTest,
9119 name: "PartialClientFinishedWithClientHello",
9120 config: Config{
9121 MaxVersion: VersionTLS13,
9122 Bugs: ProtocolBugs{
9123 PartialClientFinishedWithClientHello: true,
9124 },
9125 },
9126 shouldFail: true,
9127 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9128 })
9129
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9130 // Test that early ChangeCipherSpecs are handled correctly.
9131 testCases = append(testCases, testCase{
9132 testType: serverTest,
9133 name: "EarlyChangeCipherSpec-server-1",
9134 config: Config{
9135 MaxVersion: VersionTLS12,
9136 Bugs: ProtocolBugs{
9137 EarlyChangeCipherSpec: 1,
9138 },
9139 },
9140 shouldFail: true,
9141 expectedError: ":UNEXPECTED_RECORD:",
9142 })
9143 testCases = append(testCases, testCase{
9144 testType: serverTest,
9145 name: "EarlyChangeCipherSpec-server-2",
9146 config: Config{
9147 MaxVersion: VersionTLS12,
9148 Bugs: ProtocolBugs{
9149 EarlyChangeCipherSpec: 2,
9150 },
9151 },
9152 shouldFail: true,
9153 expectedError: ":UNEXPECTED_RECORD:",
9154 })
9155 testCases = append(testCases, testCase{
9156 protocol: dtls,
9157 name: "StrayChangeCipherSpec",
9158 config: Config{
9159 // TODO(davidben): Once DTLS 1.3 exists, test
9160 // that stray ChangeCipherSpec messages are
9161 // rejected.
9162 MaxVersion: VersionTLS12,
9163 Bugs: ProtocolBugs{
9164 StrayChangeCipherSpec: true,
9165 },
9166 },
9167 })
9168
9169 // Test that the contents of ChangeCipherSpec are checked.
9170 testCases = append(testCases, testCase{
9171 name: "BadChangeCipherSpec-1",
9172 config: Config{
9173 MaxVersion: VersionTLS12,
9174 Bugs: ProtocolBugs{
9175 BadChangeCipherSpec: []byte{2},
9176 },
9177 },
9178 shouldFail: true,
9179 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9180 })
9181 testCases = append(testCases, testCase{
9182 name: "BadChangeCipherSpec-2",
9183 config: Config{
9184 MaxVersion: VersionTLS12,
9185 Bugs: ProtocolBugs{
9186 BadChangeCipherSpec: []byte{1, 1},
9187 },
9188 },
9189 shouldFail: true,
9190 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9191 })
9192 testCases = append(testCases, testCase{
9193 protocol: dtls,
9194 name: "BadChangeCipherSpec-DTLS-1",
9195 config: Config{
9196 MaxVersion: VersionTLS12,
9197 Bugs: ProtocolBugs{
9198 BadChangeCipherSpec: []byte{2},
9199 },
9200 },
9201 shouldFail: true,
9202 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9203 })
9204 testCases = append(testCases, testCase{
9205 protocol: dtls,
9206 name: "BadChangeCipherSpec-DTLS-2",
9207 config: Config{
9208 MaxVersion: VersionTLS12,
9209 Bugs: ProtocolBugs{
9210 BadChangeCipherSpec: []byte{1, 1},
9211 },
9212 },
9213 shouldFail: true,
9214 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9215 })
9216}
9217
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9218type perMessageTest struct {
9219 messageType uint8
9220 test testCase
9221}
9222
9223// makePerMessageTests returns a series of test templates which cover each
9224// message in the TLS handshake. These may be used with bugs like
9225// WrongMessageType to fully test a per-message bug.
9226func makePerMessageTests() []perMessageTest {
9227 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9228 for _, protocol := range []protocol{tls, dtls} {
9229 var suffix string
9230 if protocol == dtls {
9231 suffix = "-DTLS"
9232 }
9233
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9234 ret = append(ret, perMessageTest{
9235 messageType: typeClientHello,
9236 test: testCase{
9237 protocol: protocol,
9238 testType: serverTest,
9239 name: "ClientHello" + suffix,
9240 config: Config{
9241 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9242 },
9243 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9244 })
9245
9246 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9247 ret = append(ret, perMessageTest{
9248 messageType: typeHelloVerifyRequest,
9249 test: testCase{
9250 protocol: protocol,
9251 name: "HelloVerifyRequest" + suffix,
9252 config: Config{
9253 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9254 },
9255 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9256 })
9257 }
9258
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9259 ret = append(ret, perMessageTest{
9260 messageType: typeServerHello,
9261 test: testCase{
9262 protocol: protocol,
9263 name: "ServerHello" + suffix,
9264 config: Config{
9265 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9266 },
9267 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9268 })
9269
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9270 ret = append(ret, perMessageTest{
9271 messageType: typeCertificate,
9272 test: testCase{
9273 protocol: protocol,
9274 name: "ServerCertificate" + suffix,
9275 config: Config{
9276 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9277 },
9278 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9279 })
9280
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9281 ret = append(ret, perMessageTest{
9282 messageType: typeCertificateStatus,
9283 test: testCase{
9284 protocol: protocol,
9285 name: "CertificateStatus" + suffix,
9286 config: Config{
9287 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9288 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9289 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9290 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9291 })
9292
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9293 ret = append(ret, perMessageTest{
9294 messageType: typeServerKeyExchange,
9295 test: testCase{
9296 protocol: protocol,
9297 name: "ServerKeyExchange" + suffix,
9298 config: Config{
9299 MaxVersion: VersionTLS12,
9300 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9301 },
9302 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9303 })
9304
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9305 ret = append(ret, perMessageTest{
9306 messageType: typeCertificateRequest,
9307 test: testCase{
9308 protocol: protocol,
9309 name: "CertificateRequest" + suffix,
9310 config: Config{
9311 MaxVersion: VersionTLS12,
9312 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9313 },
9314 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9315 })
9316
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9317 ret = append(ret, perMessageTest{
9318 messageType: typeServerHelloDone,
9319 test: testCase{
9320 protocol: protocol,
9321 name: "ServerHelloDone" + suffix,
9322 config: Config{
9323 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9324 },
9325 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9326 })
9327
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9328 ret = append(ret, perMessageTest{
9329 messageType: typeCertificate,
9330 test: testCase{
9331 testType: serverTest,
9332 protocol: protocol,
9333 name: "ClientCertificate" + suffix,
9334 config: Config{
9335 Certificates: []Certificate{rsaCertificate},
9336 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9337 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9338 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9339 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9340 })
9341
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9342 ret = append(ret, perMessageTest{
9343 messageType: typeCertificateVerify,
9344 test: testCase{
9345 testType: serverTest,
9346 protocol: protocol,
9347 name: "CertificateVerify" + suffix,
9348 config: Config{
9349 Certificates: []Certificate{rsaCertificate},
9350 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9351 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9352 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9353 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9354 })
9355
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9356 ret = append(ret, perMessageTest{
9357 messageType: typeClientKeyExchange,
9358 test: testCase{
9359 testType: serverTest,
9360 protocol: protocol,
9361 name: "ClientKeyExchange" + suffix,
9362 config: Config{
9363 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9364 },
9365 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9366 })
9367
9368 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9369 ret = append(ret, perMessageTest{
9370 messageType: typeNextProtocol,
9371 test: testCase{
9372 testType: serverTest,
9373 protocol: protocol,
9374 name: "NextProtocol" + suffix,
9375 config: Config{
9376 MaxVersion: VersionTLS12,
9377 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9378 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9379 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9380 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9381 })
9382
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9383 ret = append(ret, perMessageTest{
9384 messageType: typeChannelID,
9385 test: testCase{
9386 testType: serverTest,
9387 protocol: protocol,
9388 name: "ChannelID" + suffix,
9389 config: Config{
9390 MaxVersion: VersionTLS12,
9391 ChannelID: channelIDKey,
9392 },
9393 flags: []string{
9394 "-expect-channel-id",
9395 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9396 },
9397 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9398 })
9399 }
9400
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9401 ret = append(ret, perMessageTest{
9402 messageType: typeFinished,
9403 test: testCase{
9404 testType: serverTest,
9405 protocol: protocol,
9406 name: "ClientFinished" + suffix,
9407 config: Config{
9408 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9409 },
9410 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9411 })
9412
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9413 ret = append(ret, perMessageTest{
9414 messageType: typeNewSessionTicket,
9415 test: testCase{
9416 protocol: protocol,
9417 name: "NewSessionTicket" + suffix,
9418 config: Config{
9419 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9420 },
9421 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9422 })
9423
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9424 ret = append(ret, perMessageTest{
9425 messageType: typeFinished,
9426 test: testCase{
9427 protocol: protocol,
9428 name: "ServerFinished" + suffix,
9429 config: Config{
9430 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9431 },
9432 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9433 })
9434
9435 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9436
9437 ret = append(ret, perMessageTest{
9438 messageType: typeClientHello,
9439 test: testCase{
9440 testType: serverTest,
9441 name: "TLS13-ClientHello",
9442 config: Config{
9443 MaxVersion: VersionTLS13,
9444 },
9445 },
9446 })
9447
9448 ret = append(ret, perMessageTest{
9449 messageType: typeServerHello,
9450 test: testCase{
9451 name: "TLS13-ServerHello",
9452 config: Config{
9453 MaxVersion: VersionTLS13,
9454 },
9455 },
9456 })
9457
9458 ret = append(ret, perMessageTest{
9459 messageType: typeEncryptedExtensions,
9460 test: testCase{
9461 name: "TLS13-EncryptedExtensions",
9462 config: Config{
9463 MaxVersion: VersionTLS13,
9464 },
9465 },
9466 })
9467
9468 ret = append(ret, perMessageTest{
9469 messageType: typeCertificateRequest,
9470 test: testCase{
9471 name: "TLS13-CertificateRequest",
9472 config: Config{
9473 MaxVersion: VersionTLS13,
9474 ClientAuth: RequireAnyClientCert,
9475 },
9476 },
9477 })
9478
9479 ret = append(ret, perMessageTest{
9480 messageType: typeCertificate,
9481 test: testCase{
9482 name: "TLS13-ServerCertificate",
9483 config: Config{
9484 MaxVersion: VersionTLS13,
9485 },
9486 },
9487 })
9488
9489 ret = append(ret, perMessageTest{
9490 messageType: typeCertificateVerify,
9491 test: testCase{
9492 name: "TLS13-ServerCertificateVerify",
9493 config: Config{
9494 MaxVersion: VersionTLS13,
9495 },
9496 },
9497 })
9498
9499 ret = append(ret, perMessageTest{
9500 messageType: typeFinished,
9501 test: testCase{
9502 name: "TLS13-ServerFinished",
9503 config: Config{
9504 MaxVersion: VersionTLS13,
9505 },
9506 },
9507 })
9508
9509 ret = append(ret, perMessageTest{
9510 messageType: typeCertificate,
9511 test: testCase{
9512 testType: serverTest,
9513 name: "TLS13-ClientCertificate",
9514 config: Config{
9515 Certificates: []Certificate{rsaCertificate},
9516 MaxVersion: VersionTLS13,
9517 },
9518 flags: []string{"-require-any-client-certificate"},
9519 },
9520 })
9521
9522 ret = append(ret, perMessageTest{
9523 messageType: typeCertificateVerify,
9524 test: testCase{
9525 testType: serverTest,
9526 name: "TLS13-ClientCertificateVerify",
9527 config: Config{
9528 Certificates: []Certificate{rsaCertificate},
9529 MaxVersion: VersionTLS13,
9530 },
9531 flags: []string{"-require-any-client-certificate"},
9532 },
9533 })
9534
9535 ret = append(ret, perMessageTest{
9536 messageType: typeFinished,
9537 test: testCase{
9538 testType: serverTest,
9539 name: "TLS13-ClientFinished",
9540 config: Config{
9541 MaxVersion: VersionTLS13,
9542 },
9543 },
9544 })
9545
9546 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9547}
9548
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9549func addWrongMessageTypeTests() {
9550 for _, t := range makePerMessageTests() {
9551 t.test.name = "WrongMessageType-" + t.test.name
9552 t.test.config.Bugs.SendWrongMessageType = t.messageType
9553 t.test.shouldFail = true
9554 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9555 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9556
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9557 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9558 // In TLS 1.3, a bad ServerHello means the client sends
9559 // an unencrypted alert while the server expects
9560 // encryption, so the alert is not readable by runner.
9561 t.test.expectedLocalError = "local error: bad record MAC"
9562 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9563
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9564 testCases = append(testCases, t.test)
9565 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9566
9567 // The processing order for TLS 1.3 version negotiation is such that one
9568 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9569 // TLS 1.2. Test that we do not do this.
9570 testCases = append(testCases, testCase{
9571 name: "SendServerHelloAsHelloRetryRequest",
9572 config: Config{
9573 MaxVersion: VersionTLS12,
9574 Bugs: ProtocolBugs{
9575 SendServerHelloAsHelloRetryRequest: true,
9576 },
9577 },
9578 shouldFail: true,
9579 expectedError: ":UNEXPECTED_MESSAGE:",
9580 expectedLocalError: "remote error: unexpected message",
9581 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9582}
9583
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9584func addTrailingMessageDataTests() {
9585 for _, t := range makePerMessageTests() {
9586 t.test.name = "TrailingMessageData-" + t.test.name
9587 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9588 t.test.shouldFail = true
9589 t.test.expectedError = ":DECODE_ERROR:"
9590 t.test.expectedLocalError = "remote error: error decoding message"
9591
9592 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9593 // In TLS 1.3, a bad ServerHello means the client sends
9594 // an unencrypted alert while the server expects
9595 // encryption, so the alert is not readable by runner.
9596 t.test.expectedLocalError = "local error: bad record MAC"
9597 }
9598
9599 if t.messageType == typeFinished {
9600 // Bad Finished messages read as the verify data having
9601 // the wrong length.
9602 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9603 t.test.expectedLocalError = "remote error: error decrypting message"
9604 }
9605
9606 testCases = append(testCases, t.test)
9607 }
9608}
9609
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9610func addTLS13HandshakeTests() {
9611 testCases = append(testCases, testCase{
9612 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9613 name: "NegotiatePSKResumption-TLS13",
9614 config: Config{
9615 MaxVersion: VersionTLS13,
9616 Bugs: ProtocolBugs{
9617 NegotiatePSKResumption: true,
9618 },
9619 },
9620 resumeSession: true,
9621 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9622 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9623 })
9624
9625 testCases = append(testCases, testCase{
9626 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9627 name: "MissingKeyShare-Client",
9628 config: Config{
9629 MaxVersion: VersionTLS13,
9630 Bugs: ProtocolBugs{
9631 MissingKeyShare: true,
9632 },
9633 },
9634 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9635 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9636 })
9637
9638 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9639 testType: serverTest,
9640 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9641 config: Config{
9642 MaxVersion: VersionTLS13,
9643 Bugs: ProtocolBugs{
9644 MissingKeyShare: true,
9645 },
9646 },
9647 shouldFail: true,
9648 expectedError: ":MISSING_KEY_SHARE:",
9649 })
9650
9651 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9652 testType: serverTest,
9653 name: "DuplicateKeyShares",
9654 config: Config{
9655 MaxVersion: VersionTLS13,
9656 Bugs: ProtocolBugs{
9657 DuplicateKeyShares: true,
9658 },
9659 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9660 shouldFail: true,
9661 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9662 })
9663
9664 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9665 testType: serverTest,
9666 name: "SkipEarlyData",
9667 config: Config{
9668 MaxVersion: VersionTLS13,
9669 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9670 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9671 },
9672 },
9673 })
9674
9675 testCases = append(testCases, testCase{
9676 testType: serverTest,
9677 name: "SkipEarlyData-OmitEarlyDataExtension",
9678 config: Config{
9679 MaxVersion: VersionTLS13,
9680 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9681 SendFakeEarlyDataLength: 4,
9682 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9683 },
9684 },
9685 shouldFail: true,
9686 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9687 })
9688
9689 testCases = append(testCases, testCase{
9690 testType: serverTest,
9691 name: "SkipEarlyData-TooMuchData",
9692 config: Config{
9693 MaxVersion: VersionTLS13,
9694 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9695 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9696 },
9697 },
9698 shouldFail: true,
9699 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9700 })
9701
9702 testCases = append(testCases, testCase{
9703 testType: serverTest,
9704 name: "SkipEarlyData-Interleaved",
9705 config: Config{
9706 MaxVersion: VersionTLS13,
9707 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9708 SendFakeEarlyDataLength: 4,
9709 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9710 },
9711 },
9712 shouldFail: true,
9713 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9714 })
9715
9716 testCases = append(testCases, testCase{
9717 testType: serverTest,
9718 name: "SkipEarlyData-EarlyDataInTLS12",
9719 config: Config{
9720 MaxVersion: VersionTLS13,
9721 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9722 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9723 },
9724 },
9725 shouldFail: true,
9726 expectedError: ":UNEXPECTED_RECORD:",
9727 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9728 })
9729
9730 testCases = append(testCases, testCase{
9731 testType: serverTest,
9732 name: "SkipEarlyData-HRR",
9733 config: Config{
9734 MaxVersion: VersionTLS13,
9735 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9736 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9737 },
9738 DefaultCurves: []CurveID{},
9739 },
9740 })
9741
9742 testCases = append(testCases, testCase{
9743 testType: serverTest,
9744 name: "SkipEarlyData-HRR-Interleaved",
9745 config: Config{
9746 MaxVersion: VersionTLS13,
9747 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9748 SendFakeEarlyDataLength: 4,
9749 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9750 },
9751 DefaultCurves: []CurveID{},
9752 },
9753 shouldFail: true,
9754 expectedError: ":UNEXPECTED_RECORD:",
9755 })
9756
9757 testCases = append(testCases, testCase{
9758 testType: serverTest,
9759 name: "SkipEarlyData-HRR-TooMuchData",
9760 config: Config{
9761 MaxVersion: VersionTLS13,
9762 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9763 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9764 },
9765 DefaultCurves: []CurveID{},
9766 },
9767 shouldFail: true,
9768 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9769 })
9770
9771 // Test that skipping early data looking for cleartext correctly
9772 // processes an alert record.
9773 testCases = append(testCases, testCase{
9774 testType: serverTest,
9775 name: "SkipEarlyData-HRR-FatalAlert",
9776 config: Config{
9777 MaxVersion: VersionTLS13,
9778 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9779 SendEarlyAlert: true,
9780 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9781 },
9782 DefaultCurves: []CurveID{},
9783 },
9784 shouldFail: true,
9785 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9786 })
9787
9788 testCases = append(testCases, testCase{
9789 testType: serverTest,
9790 name: "SkipEarlyData-SecondClientHelloEarlyData",
9791 config: Config{
9792 MaxVersion: VersionTLS13,
9793 Bugs: ProtocolBugs{
9794 SendEarlyDataOnSecondClientHello: true,
9795 },
9796 DefaultCurves: []CurveID{},
9797 },
9798 shouldFail: true,
9799 expectedLocalError: "remote error: bad record MAC",
9800 })
9801
9802 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9803 testType: clientTest,
9804 name: "EmptyEncryptedExtensions",
9805 config: Config{
9806 MaxVersion: VersionTLS13,
9807 Bugs: ProtocolBugs{
9808 EmptyEncryptedExtensions: true,
9809 },
9810 },
9811 shouldFail: true,
9812 expectedLocalError: "remote error: error decoding message",
9813 })
9814
9815 testCases = append(testCases, testCase{
9816 testType: clientTest,
9817 name: "EncryptedExtensionsWithKeyShare",
9818 config: Config{
9819 MaxVersion: VersionTLS13,
9820 Bugs: ProtocolBugs{
9821 EncryptedExtensionsWithKeyShare: true,
9822 },
9823 },
9824 shouldFail: true,
9825 expectedLocalError: "remote error: unsupported extension",
9826 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9827
9828 testCases = append(testCases, testCase{
9829 testType: serverTest,
9830 name: "SendHelloRetryRequest",
9831 config: Config{
9832 MaxVersion: VersionTLS13,
9833 // Require a HelloRetryRequest for every curve.
9834 DefaultCurves: []CurveID{},
9835 },
9836 expectedCurveID: CurveX25519,
9837 })
9838
9839 testCases = append(testCases, testCase{
9840 testType: serverTest,
9841 name: "SendHelloRetryRequest-2",
9842 config: Config{
9843 MaxVersion: VersionTLS13,
9844 DefaultCurves: []CurveID{CurveP384},
9845 },
9846 // Although the ClientHello did not predict our preferred curve,
9847 // we always select it whether it is predicted or not.
9848 expectedCurveID: CurveX25519,
9849 })
9850
9851 testCases = append(testCases, testCase{
9852 name: "UnknownCurve-HelloRetryRequest",
9853 config: Config{
9854 MaxVersion: VersionTLS13,
9855 // P-384 requires HelloRetryRequest in BoringSSL.
9856 CurvePreferences: []CurveID{CurveP384},
9857 Bugs: ProtocolBugs{
9858 SendHelloRetryRequestCurve: bogusCurve,
9859 },
9860 },
9861 shouldFail: true,
9862 expectedError: ":WRONG_CURVE:",
9863 })
9864
9865 testCases = append(testCases, testCase{
9866 name: "DisabledCurve-HelloRetryRequest",
9867 config: Config{
9868 MaxVersion: VersionTLS13,
9869 CurvePreferences: []CurveID{CurveP256},
9870 Bugs: ProtocolBugs{
9871 IgnorePeerCurvePreferences: true,
9872 },
9873 },
9874 flags: []string{"-p384-only"},
9875 shouldFail: true,
9876 expectedError: ":WRONG_CURVE:",
9877 })
9878
9879 testCases = append(testCases, testCase{
9880 name: "UnnecessaryHelloRetryRequest",
9881 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9882 MaxVersion: VersionTLS13,
9883 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9884 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9885 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9886 },
9887 },
9888 shouldFail: true,
9889 expectedError: ":WRONG_CURVE:",
9890 })
9891
9892 testCases = append(testCases, testCase{
9893 name: "SecondHelloRetryRequest",
9894 config: Config{
9895 MaxVersion: VersionTLS13,
9896 // P-384 requires HelloRetryRequest in BoringSSL.
9897 CurvePreferences: []CurveID{CurveP384},
9898 Bugs: ProtocolBugs{
9899 SecondHelloRetryRequest: true,
9900 },
9901 },
9902 shouldFail: true,
9903 expectedError: ":UNEXPECTED_MESSAGE:",
9904 })
9905
9906 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9907 name: "HelloRetryRequest-Empty",
9908 config: Config{
9909 MaxVersion: VersionTLS13,
9910 Bugs: ProtocolBugs{
9911 AlwaysSendHelloRetryRequest: true,
9912 },
9913 },
9914 shouldFail: true,
9915 expectedError: ":DECODE_ERROR:",
9916 })
9917
9918 testCases = append(testCases, testCase{
9919 name: "HelloRetryRequest-DuplicateCurve",
9920 config: Config{
9921 MaxVersion: VersionTLS13,
9922 // P-384 requires a HelloRetryRequest against BoringSSL's default
9923 // configuration. Assert this ExpectMissingKeyShare.
9924 CurvePreferences: []CurveID{CurveP384},
9925 Bugs: ProtocolBugs{
9926 ExpectMissingKeyShare: true,
9927 DuplicateHelloRetryRequestExtensions: true,
9928 },
9929 },
9930 shouldFail: true,
9931 expectedError: ":DUPLICATE_EXTENSION:",
9932 expectedLocalError: "remote error: illegal parameter",
9933 })
9934
9935 testCases = append(testCases, testCase{
9936 name: "HelloRetryRequest-Cookie",
9937 config: Config{
9938 MaxVersion: VersionTLS13,
9939 Bugs: ProtocolBugs{
9940 SendHelloRetryRequestCookie: []byte("cookie"),
9941 },
9942 },
9943 })
9944
9945 testCases = append(testCases, testCase{
9946 name: "HelloRetryRequest-DuplicateCookie",
9947 config: Config{
9948 MaxVersion: VersionTLS13,
9949 Bugs: ProtocolBugs{
9950 SendHelloRetryRequestCookie: []byte("cookie"),
9951 DuplicateHelloRetryRequestExtensions: true,
9952 },
9953 },
9954 shouldFail: true,
9955 expectedError: ":DUPLICATE_EXTENSION:",
9956 expectedLocalError: "remote error: illegal parameter",
9957 })
9958
9959 testCases = append(testCases, testCase{
9960 name: "HelloRetryRequest-EmptyCookie",
9961 config: Config{
9962 MaxVersion: VersionTLS13,
9963 Bugs: ProtocolBugs{
9964 SendHelloRetryRequestCookie: []byte{},
9965 },
9966 },
9967 shouldFail: true,
9968 expectedError: ":DECODE_ERROR:",
9969 })
9970
9971 testCases = append(testCases, testCase{
9972 name: "HelloRetryRequest-Cookie-Curve",
9973 config: Config{
9974 MaxVersion: VersionTLS13,
9975 // P-384 requires HelloRetryRequest in BoringSSL.
9976 CurvePreferences: []CurveID{CurveP384},
9977 Bugs: ProtocolBugs{
9978 SendHelloRetryRequestCookie: []byte("cookie"),
9979 ExpectMissingKeyShare: true,
9980 },
9981 },
9982 })
9983
9984 testCases = append(testCases, testCase{
9985 name: "HelloRetryRequest-Unknown",
9986 config: Config{
9987 MaxVersion: VersionTLS13,
9988 Bugs: ProtocolBugs{
9989 CustomHelloRetryRequestExtension: "extension",
9990 },
9991 },
9992 shouldFail: true,
9993 expectedError: ":UNEXPECTED_EXTENSION:",
9994 expectedLocalError: "remote error: unsupported extension",
9995 })
9996
9997 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9998 testType: serverTest,
9999 name: "SecondClientHelloMissingKeyShare",
10000 config: Config{
10001 MaxVersion: VersionTLS13,
10002 DefaultCurves: []CurveID{},
10003 Bugs: ProtocolBugs{
10004 SecondClientHelloMissingKeyShare: true,
10005 },
10006 },
10007 shouldFail: true,
10008 expectedError: ":MISSING_KEY_SHARE:",
10009 })
10010
10011 testCases = append(testCases, testCase{
10012 testType: serverTest,
10013 name: "SecondClientHelloWrongCurve",
10014 config: Config{
10015 MaxVersion: VersionTLS13,
10016 DefaultCurves: []CurveID{},
10017 Bugs: ProtocolBugs{
10018 MisinterpretHelloRetryRequestCurve: CurveP521,
10019 },
10020 },
10021 shouldFail: true,
10022 expectedError: ":WRONG_CURVE:",
10023 })
10024
10025 testCases = append(testCases, testCase{
10026 name: "HelloRetryRequestVersionMismatch",
10027 config: Config{
10028 MaxVersion: VersionTLS13,
10029 // P-384 requires HelloRetryRequest in BoringSSL.
10030 CurvePreferences: []CurveID{CurveP384},
10031 Bugs: ProtocolBugs{
10032 SendServerHelloVersion: 0x0305,
10033 },
10034 },
10035 shouldFail: true,
10036 expectedError: ":WRONG_VERSION_NUMBER:",
10037 })
10038
10039 testCases = append(testCases, testCase{
10040 name: "HelloRetryRequestCurveMismatch",
10041 config: Config{
10042 MaxVersion: VersionTLS13,
10043 // P-384 requires HelloRetryRequest in BoringSSL.
10044 CurvePreferences: []CurveID{CurveP384},
10045 Bugs: ProtocolBugs{
10046 // Send P-384 (correct) in the HelloRetryRequest.
10047 SendHelloRetryRequestCurve: CurveP384,
10048 // But send P-256 in the ServerHello.
10049 SendCurve: CurveP256,
10050 },
10051 },
10052 shouldFail: true,
10053 expectedError: ":WRONG_CURVE:",
10054 })
10055
10056 // Test the server selecting a curve that requires a HelloRetryRequest
10057 // without sending it.
10058 testCases = append(testCases, testCase{
10059 name: "SkipHelloRetryRequest",
10060 config: Config{
10061 MaxVersion: VersionTLS13,
10062 // P-384 requires HelloRetryRequest in BoringSSL.
10063 CurvePreferences: []CurveID{CurveP384},
10064 Bugs: ProtocolBugs{
10065 SkipHelloRetryRequest: true,
10066 },
10067 },
10068 shouldFail: true,
10069 expectedError: ":WRONG_CURVE:",
10070 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10071
10072 testCases = append(testCases, testCase{
10073 name: "TLS13-RequestContextInHandshake",
10074 config: Config{
10075 MaxVersion: VersionTLS13,
10076 MinVersion: VersionTLS13,
10077 ClientAuth: RequireAnyClientCert,
10078 Bugs: ProtocolBugs{
10079 SendRequestContext: []byte("request context"),
10080 },
10081 },
10082 flags: []string{
10083 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10084 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10085 },
10086 shouldFail: true,
10087 expectedError: ":DECODE_ERROR:",
10088 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10089
10090 testCases = append(testCases, testCase{
10091 testType: serverTest,
10092 name: "TLS13-TrailingKeyShareData",
10093 config: Config{
10094 MaxVersion: VersionTLS13,
10095 Bugs: ProtocolBugs{
10096 TrailingKeyShareData: true,
10097 },
10098 },
10099 shouldFail: true,
10100 expectedError: ":DECODE_ERROR:",
10101 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10102
10103 testCases = append(testCases, testCase{
10104 name: "TLS13-AlwaysSelectPSKIdentity",
10105 config: Config{
10106 MaxVersion: VersionTLS13,
10107 Bugs: ProtocolBugs{
10108 AlwaysSelectPSKIdentity: true,
10109 },
10110 },
10111 shouldFail: true,
10112 expectedError: ":UNEXPECTED_EXTENSION:",
10113 })
10114
10115 testCases = append(testCases, testCase{
10116 name: "TLS13-InvalidPSKIdentity",
10117 config: Config{
10118 MaxVersion: VersionTLS13,
10119 Bugs: ProtocolBugs{
10120 SelectPSKIdentityOnResume: 1,
10121 },
10122 },
10123 resumeSession: true,
10124 shouldFail: true,
10125 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10126 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10127
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10128 testCases = append(testCases, testCase{
10129 testType: serverTest,
10130 name: "TLS13-ExtraPSKIdentity",
10131 config: Config{
10132 MaxVersion: VersionTLS13,
10133 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10134 ExtraPSKIdentity: true,
10135 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10136 },
10137 },
10138 resumeSession: true,
10139 })
10140
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10141 // Test that unknown NewSessionTicket extensions are tolerated.
10142 testCases = append(testCases, testCase{
10143 name: "TLS13-CustomTicketExtension",
10144 config: Config{
10145 MaxVersion: VersionTLS13,
10146 Bugs: ProtocolBugs{
10147 CustomTicketExtension: "1234",
10148 },
10149 },
10150 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10151
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10152 testCases = append(testCases, testCase{
10153 testType: clientTest,
10154 name: "TLS13-DataLessEarlyData-Reject-Client",
10155 config: Config{
10156 MaxVersion: VersionTLS13,
10157 MaxEarlyDataSize: 16384,
10158 },
10159 resumeConfig: &Config{
10160 MaxVersion: VersionTLS13,
10161 MaxEarlyDataSize: 16384,
10162 Bugs: ProtocolBugs{
10163 AlwaysRejectEarlyData: true,
10164 },
10165 },
10166 resumeSession: true,
10167 flags: []string{
10168 "-enable-early-data",
10169 "-expect-early-data-info",
10170 "-expect-reject-early-data",
10171 },
10172 })
10173
10174 testCases = append(testCases, testCase{
10175 testType: clientTest,
10176 name: "TLS13-DataLessEarlyData-HRR-Client",
10177 config: Config{
10178 MaxVersion: VersionTLS13,
10179 MaxEarlyDataSize: 16384,
10180 },
10181 resumeConfig: &Config{
10182 MaxVersion: VersionTLS13,
10183 MaxEarlyDataSize: 16384,
10184 Bugs: ProtocolBugs{
10185 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10186 },
10187 },
10188 resumeSession: true,
10189 flags: []string{
10190 "-enable-early-data",
10191 "-expect-early-data-info",
10192 "-expect-reject-early-data",
10193 },
10194 })
10195
10196 // The client must check the server does not send the early_data
10197 // extension while rejecting the session.
10198 testCases = append(testCases, testCase{
10199 testType: clientTest,
10200 name: "TLS13-EarlyDataWithoutResume-Client",
10201 config: Config{
10202 MaxVersion: VersionTLS13,
10203 MaxEarlyDataSize: 16384,
10204 },
10205 resumeConfig: &Config{
10206 MaxVersion: VersionTLS13,
10207 SessionTicketsDisabled: true,
10208 Bugs: ProtocolBugs{
10209 SendEarlyDataExtension: true,
10210 },
10211 },
10212 resumeSession: true,
10213 flags: []string{
10214 "-enable-early-data",
10215 "-expect-early-data-info",
10216 },
10217 shouldFail: true,
10218 expectedError: ":UNEXPECTED_EXTENSION:",
10219 })
10220
10221 // The client must fail with a dedicated error code if the server
10222 // responds with TLS 1.2 when offering 0-RTT.
10223 testCases = append(testCases, testCase{
10224 testType: clientTest,
10225 name: "TLS13-EarlyDataVersionDowngrade-Client",
10226 config: Config{
10227 MaxVersion: VersionTLS13,
10228 MaxEarlyDataSize: 16384,
10229 },
10230 resumeConfig: &Config{
10231 MaxVersion: VersionTLS12,
10232 },
10233 resumeSession: true,
10234 flags: []string{
10235 "-enable-early-data",
10236 "-expect-early-data-info",
10237 },
10238 shouldFail: true,
10239 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10240 })
10241
10242 // Test that the client rejects an (unsolicited) early_data extension if
10243 // the server sent an HRR.
10244 testCases = append(testCases, testCase{
10245 testType: clientTest,
10246 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10247 config: Config{
10248 MaxVersion: VersionTLS13,
10249 MaxEarlyDataSize: 16384,
10250 },
10251 resumeConfig: &Config{
10252 MaxVersion: VersionTLS13,
10253 MaxEarlyDataSize: 16384,
10254 Bugs: ProtocolBugs{
10255 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10256 SendEarlyDataExtension: true,
10257 },
10258 },
10259 resumeSession: true,
10260 flags: []string{
10261 "-enable-early-data",
10262 "-expect-early-data-info",
10263 },
10264 shouldFail: true,
10265 expectedError: ":UNEXPECTED_EXTENSION:",
10266 })
10267
10268 fooString := "foo"
10269 barString := "bar"
10270
10271 // Test that the client reports the correct ALPN after a 0-RTT reject
10272 // that changed it.
10273 testCases = append(testCases, testCase{
10274 testType: clientTest,
10275 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10276 config: Config{
10277 MaxVersion: VersionTLS13,
10278 MaxEarlyDataSize: 16384,
10279 Bugs: ProtocolBugs{
10280 ALPNProtocol: &fooString,
10281 },
10282 },
10283 resumeConfig: &Config{
10284 MaxVersion: VersionTLS13,
10285 MaxEarlyDataSize: 16384,
10286 Bugs: ProtocolBugs{
10287 ALPNProtocol: &barString,
10288 },
10289 },
10290 resumeSession: true,
10291 flags: []string{
10292 "-advertise-alpn", "\x03foo\x03bar",
10293 "-enable-early-data",
10294 "-expect-early-data-info",
10295 "-expect-reject-early-data",
10296 "-expect-alpn", "foo",
10297 "-expect-resume-alpn", "bar",
10298 },
10299 })
10300
10301 // Test that the client reports the correct ALPN after a 0-RTT reject if
10302 // ALPN was omitted from the first connection.
10303 testCases = append(testCases, testCase{
10304 testType: clientTest,
10305 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10306 config: Config{
10307 MaxVersion: VersionTLS13,
10308 MaxEarlyDataSize: 16384,
10309 },
10310 resumeConfig: &Config{
10311 MaxVersion: VersionTLS13,
10312 MaxEarlyDataSize: 16384,
10313 NextProtos: []string{"foo"},
10314 },
10315 resumeSession: true,
10316 flags: []string{
10317 "-advertise-alpn", "\x03foo\x03bar",
10318 "-enable-early-data",
10319 "-expect-early-data-info",
10320 "-expect-reject-early-data",
10321 "-expect-no-alpn",
10322 "-expect-resume-alpn", "foo",
10323 },
10324 })
10325
10326 // Test that the client reports the correct ALPN after a 0-RTT reject if
10327 // ALPN was omitted from the second connection.
10328 testCases = append(testCases, testCase{
10329 testType: clientTest,
10330 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10331 config: Config{
10332 MaxVersion: VersionTLS13,
10333 MaxEarlyDataSize: 16384,
10334 NextProtos: []string{"foo"},
10335 },
10336 resumeConfig: &Config{
10337 MaxVersion: VersionTLS13,
10338 MaxEarlyDataSize: 16384,
10339 },
10340 resumeSession: true,
10341 flags: []string{
10342 "-advertise-alpn", "\x03foo\x03bar",
10343 "-enable-early-data",
10344 "-expect-early-data-info",
10345 "-expect-reject-early-data",
10346 "-expect-alpn", "foo",
10347 "-expect-no-resume-alpn",
10348 },
10349 })
10350
10351 // Test that the client enforces ALPN match on 0-RTT accept.
10352 testCases = append(testCases, testCase{
10353 testType: clientTest,
10354 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10355 config: Config{
10356 MaxVersion: VersionTLS13,
10357 MaxEarlyDataSize: 16384,
10358 Bugs: ProtocolBugs{
10359 ALPNProtocol: &fooString,
10360 },
10361 },
10362 resumeConfig: &Config{
10363 MaxVersion: VersionTLS13,
10364 MaxEarlyDataSize: 16384,
10365 Bugs: ProtocolBugs{
10366 AlwaysAcceptEarlyData: true,
10367 ALPNProtocol: &barString,
10368 },
10369 },
10370 resumeSession: true,
10371 flags: []string{
10372 "-advertise-alpn", "\x03foo\x03bar",
10373 "-enable-early-data",
10374 "-expect-early-data-info",
10375 },
10376 shouldFail: true,
10377 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10378 })
10379
10380 // Test that the server correctly rejects 0-RTT when the previous
10381 // session did not allow early data on resumption.
10382 testCases = append(testCases, testCase{
10383 testType: serverTest,
10384 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10385 config: Config{
10386 MaxVersion: VersionTLS13,
10387 },
10388 resumeConfig: &Config{
10389 MaxVersion: VersionTLS13,
10390 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10391 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10392 ExpectEarlyDataAccepted: false,
10393 },
10394 },
10395 resumeSession: true,
10396 flags: []string{
10397 "-enable-resume-early-data",
10398 "-expect-reject-early-data",
10399 },
10400 })
10401
10402 // Test that we reject early data where ALPN is omitted from the first
10403 // connection.
10404 testCases = append(testCases, testCase{
10405 testType: serverTest,
10406 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10407 config: Config{
10408 MaxVersion: VersionTLS13,
10409 NextProtos: []string{},
10410 },
10411 resumeConfig: &Config{
10412 MaxVersion: VersionTLS13,
10413 NextProtos: []string{"foo"},
10414 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10415 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10416 ExpectEarlyDataAccepted: false,
10417 },
10418 },
10419 resumeSession: true,
10420 flags: []string{
10421 "-enable-early-data",
10422 "-select-alpn", "",
10423 "-select-resume-alpn", "foo",
10424 },
10425 })
10426
10427 // Test that we reject early data where ALPN is omitted from the second
10428 // connection.
10429 testCases = append(testCases, testCase{
10430 testType: serverTest,
10431 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10432 config: Config{
10433 MaxVersion: VersionTLS13,
10434 NextProtos: []string{"foo"},
10435 },
10436 resumeConfig: &Config{
10437 MaxVersion: VersionTLS13,
10438 NextProtos: []string{},
10439 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10440 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10441 ExpectEarlyDataAccepted: false,
10442 },
10443 },
10444 resumeSession: true,
10445 flags: []string{
10446 "-enable-early-data",
10447 "-select-alpn", "foo",
10448 "-select-resume-alpn", "",
10449 },
10450 })
10451
10452 // Test that we reject early data with mismatched ALPN.
10453 testCases = append(testCases, testCase{
10454 testType: serverTest,
10455 name: "TLS13-EarlyData-ALPNMismatch-Server",
10456 config: Config{
10457 MaxVersion: VersionTLS13,
10458 NextProtos: []string{"foo"},
10459 },
10460 resumeConfig: &Config{
10461 MaxVersion: VersionTLS13,
10462 NextProtos: []string{"bar"},
10463 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10464 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10465 ExpectEarlyDataAccepted: false,
10466 },
10467 },
10468 resumeSession: true,
10469 flags: []string{
10470 "-enable-early-data",
10471 "-select-alpn", "foo",
10472 "-select-resume-alpn", "bar",
10473 },
10474 })
10475
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10476 // Test that the client offering 0-RTT and Channel ID forbids the server
10477 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10478 testCases = append(testCases, testCase{
10479 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10480 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10481 config: Config{
10482 MaxVersion: VersionTLS13,
10483 MaxEarlyDataSize: 16384,
10484 RequestChannelID: true,
10485 },
10486 resumeSession: true,
10487 expectChannelID: true,
10488 shouldFail: true,
10489 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10490 flags: []string{
10491 "-enable-early-data",
10492 "-expect-early-data-info",
10493 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10494 },
10495 })
10496
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10497 // Test that the client offering Channel ID and 0-RTT allows the server
10498 // to decline 0-RTT.
10499 testCases = append(testCases, testCase{
10500 testType: clientTest,
10501 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10502 config: Config{
10503 MaxVersion: VersionTLS13,
10504 MaxEarlyDataSize: 16384,
10505 RequestChannelID: true,
10506 Bugs: ProtocolBugs{
10507 AlwaysRejectEarlyData: true,
10508 },
10509 },
10510 resumeSession: true,
10511 expectChannelID: true,
10512 flags: []string{
10513 "-enable-early-data",
10514 "-expect-early-data-info",
10515 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10516 "-expect-reject-early-data",
10517 },
10518 })
10519
10520 // Test that the client offering Channel ID and 0-RTT allows the server
10521 // to decline Channel ID.
10522 testCases = append(testCases, testCase{
10523 testType: clientTest,
10524 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10525 config: Config{
10526 MaxVersion: VersionTLS13,
10527 MaxEarlyDataSize: 16384,
10528 },
10529 resumeSession: true,
10530 flags: []string{
10531 "-enable-early-data",
10532 "-expect-early-data-info",
10533 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10534 "-expect-accept-early-data",
10535 },
10536 })
10537
10538 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10539 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10540 testCases = append(testCases, testCase{
10541 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10542 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10543 config: Config{
10544 MaxVersion: VersionTLS13,
10545 ChannelID: channelIDKey,
10546 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10547 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10548 ExpectEarlyDataAccepted: false,
10549 },
10550 },
10551 resumeSession: true,
10552 expectChannelID: true,
10553 flags: []string{
10554 "-enable-early-data",
10555 "-expect-reject-early-data",
10556 "-expect-channel-id",
10557 base64.StdEncoding.EncodeToString(channelIDBytes),
10558 },
10559 })
10560
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10561 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10562 // if not offered Channel ID.
10563 testCases = append(testCases, testCase{
10564 testType: serverTest,
10565 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10566 config: Config{
10567 MaxVersion: VersionTLS13,
10568 Bugs: ProtocolBugs{
10569 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10570 ExpectEarlyDataAccepted: true,
10571 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10572 },
10573 },
10574 resumeSession: true,
10575 expectChannelID: false,
10576 flags: []string{
10577 "-enable-early-data",
10578 "-expect-accept-early-data",
10579 "-enable-channel-id",
10580 },
10581 })
10582
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10583 // Test that the server rejects 0-RTT streams without end_of_early_data.
10584 // The subsequent records should fail to decrypt.
10585 testCases = append(testCases, testCase{
10586 testType: serverTest,
10587 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10588 config: Config{
10589 MaxVersion: VersionTLS13,
10590 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10591 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10592 ExpectEarlyDataAccepted: true,
10593 SkipEndOfEarlyData: true,
10594 },
10595 },
10596 resumeSession: true,
10597 flags: []string{"-enable-early-data"},
10598 shouldFail: true,
10599 expectedLocalError: "remote error: bad record MAC",
10600 expectedError: ":BAD_DECRYPT:",
10601 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10602
10603 testCases = append(testCases, testCase{
10604 testType: serverTest,
10605 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10606 config: Config{
10607 MaxVersion: VersionTLS13,
10608 },
10609 resumeConfig: &Config{
10610 MaxVersion: VersionTLS13,
10611 Bugs: ProtocolBugs{
10612 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10613 SendStrayEarlyHandshake: true,
10614 ExpectEarlyDataAccepted: true},
10615 },
10616 resumeSession: true,
10617 shouldFail: true,
10618 expectedError: ":UNEXPECTED_RECORD:",
10619 expectedLocalError: "remote error: unexpected message",
10620 flags: []string{
10621 "-enable-early-data",
10622 },
10623 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10624}
10625
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10626func addTLS13CipherPreferenceTests() {
10627 // Test that client preference is honored if the shim has AES hardware
10628 // and ChaCha20-Poly1305 is preferred otherwise.
10629 testCases = append(testCases, testCase{
10630 testType: serverTest,
10631 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10632 config: Config{
10633 MaxVersion: VersionTLS13,
10634 CipherSuites: []uint16{
10635 TLS_CHACHA20_POLY1305_SHA256,
10636 TLS_AES_128_GCM_SHA256,
10637 },
10638 },
10639 flags: []string{
10640 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10641 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10642 },
10643 })
10644
10645 testCases = append(testCases, testCase{
10646 testType: serverTest,
10647 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10648 config: Config{
10649 MaxVersion: VersionTLS13,
10650 CipherSuites: []uint16{
10651 TLS_AES_128_GCM_SHA256,
10652 TLS_CHACHA20_POLY1305_SHA256,
10653 },
10654 },
10655 flags: []string{
10656 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10657 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10658 },
10659 })
10660
10661 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10662 // whether it has AES hardware.
10663 testCases = append(testCases, testCase{
10664 name: "TLS13-CipherPreference-Client",
10665 config: Config{
10666 MaxVersion: VersionTLS13,
10667 // Use the client cipher order. (This is the default but
10668 // is listed to be explicit.)
10669 PreferServerCipherSuites: false,
10670 },
10671 flags: []string{
10672 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10673 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10674 },
10675 })
10676}
10677
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10678func addPeekTests() {
10679 // Test SSL_peek works, including on empty records.
10680 testCases = append(testCases, testCase{
10681 name: "Peek-Basic",
10682 sendEmptyRecords: 1,
10683 flags: []string{"-peek-then-read"},
10684 })
10685
10686 // Test SSL_peek can drive the initial handshake.
10687 testCases = append(testCases, testCase{
10688 name: "Peek-ImplicitHandshake",
10689 flags: []string{
10690 "-peek-then-read",
10691 "-implicit-handshake",
10692 },
10693 })
10694
10695 // Test SSL_peek can discover and drive a renegotiation.
10696 testCases = append(testCases, testCase{
10697 name: "Peek-Renegotiate",
10698 config: Config{
10699 MaxVersion: VersionTLS12,
10700 },
10701 renegotiate: 1,
10702 flags: []string{
10703 "-peek-then-read",
10704 "-renegotiate-freely",
10705 "-expect-total-renegotiations", "1",
10706 },
10707 })
10708
10709 // Test SSL_peek can discover a close_notify.
10710 testCases = append(testCases, testCase{
10711 name: "Peek-Shutdown",
10712 config: Config{
10713 Bugs: ProtocolBugs{
10714 ExpectCloseNotify: true,
10715 },
10716 },
10717 flags: []string{
10718 "-peek-then-read",
10719 "-check-close-notify",
10720 },
10721 })
10722
10723 // Test SSL_peek can discover an alert.
10724 testCases = append(testCases, testCase{
10725 name: "Peek-Alert",
10726 config: Config{
10727 Bugs: ProtocolBugs{
10728 SendSpuriousAlert: alertRecordOverflow,
10729 },
10730 },
10731 flags: []string{"-peek-then-read"},
10732 shouldFail: true,
10733 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10734 })
10735
10736 // Test SSL_peek can handle KeyUpdate.
10737 testCases = append(testCases, testCase{
10738 name: "Peek-KeyUpdate",
10739 config: Config{
10740 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10741 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10742 sendKeyUpdates: 1,
10743 keyUpdateRequest: keyUpdateNotRequested,
10744 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10745 })
10746}
10747
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10748func addRecordVersionTests() {
10749 for _, ver := range tlsVersions {
10750 // Test that the record version is enforced.
10751 testCases = append(testCases, testCase{
10752 name: "CheckRecordVersion-" + ver.name,
10753 config: Config{
10754 MinVersion: ver.version,
10755 MaxVersion: ver.version,
10756 Bugs: ProtocolBugs{
10757 SendRecordVersion: 0x03ff,
10758 },
10759 },
10760 shouldFail: true,
10761 expectedError: ":WRONG_VERSION_NUMBER:",
10762 })
10763
10764 // Test that the ClientHello may use any record version, for
10765 // compatibility reasons.
10766 testCases = append(testCases, testCase{
10767 testType: serverTest,
10768 name: "LooseInitialRecordVersion-" + ver.name,
10769 config: Config{
10770 MinVersion: ver.version,
10771 MaxVersion: ver.version,
10772 Bugs: ProtocolBugs{
10773 SendInitialRecordVersion: 0x03ff,
10774 },
10775 },
10776 })
10777
10778 // Test that garbage ClientHello record versions are rejected.
10779 testCases = append(testCases, testCase{
10780 testType: serverTest,
10781 name: "GarbageInitialRecordVersion-" + ver.name,
10782 config: Config{
10783 MinVersion: ver.version,
10784 MaxVersion: ver.version,
10785 Bugs: ProtocolBugs{
10786 SendInitialRecordVersion: 0xffff,
10787 },
10788 },
10789 shouldFail: true,
10790 expectedError: ":WRONG_VERSION_NUMBER:",
10791 })
10792 }
10793}
10794
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10795func addCertificateTests() {
10796 // Test that a certificate chain with intermediate may be sent and
10797 // received as both client and server.
10798 for _, ver := range tlsVersions {
10799 testCases = append(testCases, testCase{
10800 testType: clientTest,
10801 name: "SendReceiveIntermediate-Client-" + ver.name,
10802 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10803 MinVersion: ver.version,
10804 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10805 Certificates: []Certificate{rsaChainCertificate},
10806 ClientAuth: RequireAnyClientCert,
10807 },
10808 expectPeerCertificate: &rsaChainCertificate,
10809 flags: []string{
10810 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10811 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10812 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10813 },
10814 })
10815
10816 testCases = append(testCases, testCase{
10817 testType: serverTest,
10818 name: "SendReceiveIntermediate-Server-" + ver.name,
10819 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10820 MinVersion: ver.version,
10821 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10822 Certificates: []Certificate{rsaChainCertificate},
10823 },
10824 expectPeerCertificate: &rsaChainCertificate,
10825 flags: []string{
10826 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10827 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10828 "-require-any-client-certificate",
10829 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10830 },
10831 })
10832 }
10833}
10834
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10835func addRetainOnlySHA256ClientCertTests() {
10836 for _, ver := range tlsVersions {
10837 // Test that enabling
10838 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10839 // actually requesting a client certificate is a no-op.
10840 testCases = append(testCases, testCase{
10841 testType: serverTest,
10842 name: "RetainOnlySHA256-NoCert-" + ver.name,
10843 config: Config{
10844 MinVersion: ver.version,
10845 MaxVersion: ver.version,
10846 },
10847 flags: []string{
10848 "-retain-only-sha256-client-cert-initial",
10849 "-retain-only-sha256-client-cert-resume",
10850 },
10851 resumeSession: true,
10852 })
10853
10854 // Test that when retaining only a SHA-256 certificate is
10855 // enabled, the hash appears as expected.
10856 testCases = append(testCases, testCase{
10857 testType: serverTest,
10858 name: "RetainOnlySHA256-Cert-" + ver.name,
10859 config: Config{
10860 MinVersion: ver.version,
10861 MaxVersion: ver.version,
10862 Certificates: []Certificate{rsaCertificate},
10863 },
10864 flags: []string{
10865 "-verify-peer",
10866 "-retain-only-sha256-client-cert-initial",
10867 "-retain-only-sha256-client-cert-resume",
10868 "-expect-sha256-client-cert-initial",
10869 "-expect-sha256-client-cert-resume",
10870 },
10871 resumeSession: true,
10872 })
10873
10874 // Test that when the config changes from on to off, a
10875 // resumption is rejected because the server now wants the full
10876 // certificate chain.
10877 testCases = append(testCases, testCase{
10878 testType: serverTest,
10879 name: "RetainOnlySHA256-OnOff-" + ver.name,
10880 config: Config{
10881 MinVersion: ver.version,
10882 MaxVersion: ver.version,
10883 Certificates: []Certificate{rsaCertificate},
10884 },
10885 flags: []string{
10886 "-verify-peer",
10887 "-retain-only-sha256-client-cert-initial",
10888 "-expect-sha256-client-cert-initial",
10889 },
10890 resumeSession: true,
10891 expectResumeRejected: true,
10892 })
10893
10894 // Test that when the config changes from off to on, a
10895 // resumption is rejected because the server now wants just the
10896 // hash.
10897 testCases = append(testCases, testCase{
10898 testType: serverTest,
10899 name: "RetainOnlySHA256-OffOn-" + ver.name,
10900 config: Config{
10901 MinVersion: ver.version,
10902 MaxVersion: ver.version,
10903 Certificates: []Certificate{rsaCertificate},
10904 },
10905 flags: []string{
10906 "-verify-peer",
10907 "-retain-only-sha256-client-cert-resume",
10908 "-expect-sha256-client-cert-resume",
10909 },
10910 resumeSession: true,
10911 expectResumeRejected: true,
10912 })
10913 }
10914}
10915
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10916func addECDSAKeyUsageTests() {
10917 p256 := elliptic.P256()
10918 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10919 if err != nil {
10920 panic(err)
10921 }
10922
10923 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10924 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10925 if err != nil {
10926 panic(err)
10927 }
10928
10929 template := x509.Certificate{
10930 SerialNumber: serialNumber,
10931 Subject: pkix.Name{
10932 Organization: []string{"Acme Co"},
10933 },
10934 NotBefore: time.Now(),
10935 NotAfter: time.Now(),
10936
10937 // An ECC certificate with only the keyAgreement key usgae may
10938 // be used with ECDH, but not ECDSA.
10939 KeyUsage: x509.KeyUsageKeyAgreement,
10940 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
10941 BasicConstraintsValid: true,
10942 }
10943
10944 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
10945 if err != nil {
10946 panic(err)
10947 }
10948
10949 cert := Certificate{
10950 Certificate: [][]byte{derBytes},
10951 PrivateKey: priv,
10952 }
10953
10954 for _, ver := range tlsVersions {
10955 if ver.version < VersionTLS12 {
10956 continue
10957 }
10958
10959 testCases = append(testCases, testCase{
10960 testType: clientTest,
10961 name: "ECDSAKeyUsage-" + ver.name,
10962 config: Config{
10963 MinVersion: ver.version,
10964 MaxVersion: ver.version,
10965 Certificates: []Certificate{cert},
10966 },
10967 shouldFail: true,
10968 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10969 })
10970 }
10971}
10972
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]10973func addExtraHandshakeTests() {
10974 // An extra SSL_do_handshake is normally a no-op. These tests use -async
10975 // to ensure there is no transport I/O.
10976 testCases = append(testCases, testCase{
10977 testType: clientTest,
10978 name: "ExtraHandshake-Client-TLS12",
10979 config: Config{
10980 MinVersion: VersionTLS12,
10981 MaxVersion: VersionTLS12,
10982 },
10983 flags: []string{
10984 "-async",
10985 "-no-op-extra-handshake",
10986 },
10987 })
10988 testCases = append(testCases, testCase{
10989 testType: serverTest,
10990 name: "ExtraHandshake-Server-TLS12",
10991 config: Config{
10992 MinVersion: VersionTLS12,
10993 MaxVersion: VersionTLS12,
10994 },
10995 flags: []string{
10996 "-async",
10997 "-no-op-extra-handshake",
10998 },
10999 })
11000 testCases = append(testCases, testCase{
11001 testType: clientTest,
11002 name: "ExtraHandshake-Client-TLS13",
11003 config: Config{
11004 MinVersion: VersionTLS13,
11005 MaxVersion: VersionTLS13,
11006 },
11007 flags: []string{
11008 "-async",
11009 "-no-op-extra-handshake",
11010 },
11011 })
11012 testCases = append(testCases, testCase{
11013 testType: serverTest,
11014 name: "ExtraHandshake-Server-TLS13",
11015 config: Config{
11016 MinVersion: VersionTLS13,
11017 MaxVersion: VersionTLS13,
11018 },
11019 flags: []string{
11020 "-async",
11021 "-no-op-extra-handshake",
11022 },
11023 })
11024
11025 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11026 testCases = append(testCases, testCase{
11027 testType: serverTest,
11028 name: "ExtraHandshake-Server-EarlyData-TLS13",
11029 config: Config{
11030 MaxVersion: VersionTLS13,
11031 MinVersion: VersionTLS13,
11032 Bugs: ProtocolBugs{
11033 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11034 ExpectEarlyDataAccepted: true,
11035 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11036 },
11037 },
11038 messageCount: 2,
11039 resumeSession: true,
11040 flags: []string{
11041 "-async",
11042 "-enable-early-data",
11043 "-expect-accept-early-data",
11044 "-no-op-extra-handshake",
11045 },
11046 })
11047
11048 // An extra SSL_do_handshake drives the handshake to completion in False
11049 // Start. We test this by handshaking twice and asserting the False
11050 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11051 // how the test works.
11052 testCases = append(testCases, testCase{
11053 testType: clientTest,
11054 name: "ExtraHandshake-FalseStart",
11055 config: Config{
11056 MaxVersion: VersionTLS12,
11057 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11058 NextProtos: []string{"foo"},
11059 Bugs: ProtocolBugs{
11060 ExpectFalseStart: true,
11061 AlertBeforeFalseStartTest: alertAccessDenied,
11062 },
11063 },
11064 flags: []string{
11065 "-handshake-twice",
11066 "-false-start",
11067 "-advertise-alpn", "\x03foo",
11068 },
11069 shimWritesFirst: true,
11070 shouldFail: true,
11071 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11072 expectedLocalError: "tls: peer did not false start: EOF",
11073 })
11074}
11075
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11076func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11077 defer wg.Done()
11078
11079 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11080 var err error
11081
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11082 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11083 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11084 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11085 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11086 if err != nil {
11087 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11088 }
11089 break
11090 }
11091 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11092 } else if *repeatUntilFailure {
11093 for err == nil {
11094 statusChan <- statusMsg{test: test, started: true}
11095 err = runTest(test, shimPath, -1)
11096 }
11097 } else {
11098 statusChan <- statusMsg{test: test, started: true}
11099 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11100 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11101 statusChan <- statusMsg{test: test, err: err}
11102 }
11103}
11104
11105type statusMsg struct {
11106 test *testCase
11107 started bool
11108 err error
11109}
11110
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11111func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11112 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11113
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11114 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11115 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11116 if !*pipe {
11117 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11118 var erase string
11119 for i := 0; i < lineLen; i++ {
11120 erase += "\b \b"
11121 }
11122 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11123 }
11124
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11125 if msg.started {
11126 started++
11127 } else {
11128 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11129
11130 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11131 if msg.err == errUnimplemented {
11132 if *pipe {
11133 // Print each test instead of a status line.
11134 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11135 }
11136 unimplemented++
11137 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11138 } else {
11139 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11140 failed++
11141 testOutput.addResult(msg.test.name, "FAIL")
11142 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11143 } else {
11144 if *pipe {
11145 // Print each test instead of a status line.
11146 fmt.Printf("PASSED (%s)\n", msg.test.name)
11147 }
11148 testOutput.addResult(msg.test.name, "PASS")
11149 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11150 }
11151
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11152 if !*pipe {
11153 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11154 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11155 lineLen = len(line)
11156 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11157 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11158 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11159
11160 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11161}
11162
11163func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11164 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11165 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11166 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11167
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11168 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11169 addCipherSuiteTests()
11170 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11171 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11172 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11173 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11174 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11175 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11176 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11177 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11178 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11179 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11180 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11181 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11182 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11183 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11184 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11185 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11186 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11187 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11188 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11189 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11190 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11191 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11192 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11193 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11194 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11195 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11196 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11197 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11198 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11199 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11200 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11201 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11202 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11203
11204 var wg sync.WaitGroup
11205
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11206 statusChan := make(chan statusMsg, *numWorkers)
11207 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11208 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11209
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11210 if len(*shimConfigFile) != 0 {
11211 encoded, err := ioutil.ReadFile(*shimConfigFile)
11212 if err != nil {
11213 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11214 os.Exit(1)
11215 }
11216
11217 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11218 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11219 os.Exit(1)
11220 }
11221 }
11222
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11223 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11224
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11225 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11226 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11227 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11228 }
11229
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11230 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11231 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11232 matched := true
11233 if len(*testToRun) != 0 {
11234 var err error
11235 matched, err = filepath.Match(*testToRun, testCases[i].name)
11236 if err != nil {
11237 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11238 os.Exit(1)
11239 }
11240 }
11241
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11242 if !*includeDisabled {
11243 for pattern := range shimConfig.DisabledTests {
11244 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11245 if err != nil {
11246 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11247 os.Exit(1)
11248 }
11249
11250 if isDisabled {
11251 matched = false
11252 break
11253 }
11254 }
11255 }
11256
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11257 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11258 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11259 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11260
11261 // Only run one test if repeating until failure.
11262 if *repeatUntilFailure {
11263 break
11264 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11265 }
11266 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11267
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11268 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11269 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11270 os.Exit(1)
11271 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11272
11273 close(testChan)
11274 wg.Wait()
11275 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11276 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11277
11278 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11279
11280 if *jsonOutput != "" {
11281 if err := testOutput.writeTo(*jsonOutput); err != nil {
11282 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11283 }
11284 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11285
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11286 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11287 os.Exit(1)
11288 }
11289
11290 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11291 os.Exit(1)
11292 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11293}