Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 71c21b43000d9ca97ac65be5c8ee79c42b55bf3c / . / ssl / test / runner / runner.go
blob: b795d0a15b1596c1c7a5a5c7ab6d6fbad8da623f [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]69)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]70
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]89}
90
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]95
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]96type testCert int
97
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]98const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]99 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]100 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]101 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]102 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]106 testCertEd25519
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]118)
119
120const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]121 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]130)
131
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]135 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]140 ed25519Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]141)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]196}
197
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]201var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]203
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]217
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]246}
247
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]264}
265
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]293const (
294 alpn = 1
295 npn = 2
296)
297
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]298type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]299 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]300 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 name string
302 config Config
303 shouldFail bool
304 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]351 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]353 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]366 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431}
432
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]433var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]508
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]510
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]511 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]514 }
515
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]520 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]534 }()
535 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]544 }
545
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]546 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]556 }
557
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]558 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]559 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]565 } else {
566 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]572 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]573 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]574
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]578
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]589 }
590
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]597
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]598 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]599 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]634 }
635
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]642 }
643
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
646 }
647
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]689 if test.renegotiate > 0 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]723 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]738 }
739
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]740 for j := 0; j < messageCount; j++ {
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]743 }
744
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]773 // The shim will not respond.
774 continue
775 }
776
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
808 }
809
810 return nil
811}
812
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]821 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822}
823
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]829 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]830}
831
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]844
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
847func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
854 conn, err := listener.Accept()
855 connChan <- connOrError{conn, err}
856 close(connChan)
857 }()
858 select {
859 case result := <-connChan:
860 return result.conn, result.err
861 case childErr := <-waitChan:
862 waitChan <- childErr
863 return nil, fmt.Errorf("child exited early: %s", childErr)
864 }
865}
866
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]867func translateExpectedError(errorStr string) string {
868 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
869 return translated
870 }
871
872 if *looseErrors {
873 return ""
874 }
875
876 return errorStr
877}
878
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]879func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]880 // Help debugging panics on the Go side.
881 defer func() {
882 if r := recover(); r != nil {
883 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
884 panic(r)
885 }
886 }()
887
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]888 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
889 panic("Error expected without shouldFail in " + test.name)
890 }
891
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]892 if test.expectResumeRejected && !test.resumeSession {
893 panic("expectResumeRejected without resumeSession in " + test.name)
894 }
895
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]896 for _, ver := range tlsVersions {
897 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
898 continue
899 }
900
901 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
902 continue
903 }
904
905 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
906 }
907
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]908 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
909 if err != nil {
910 panic(err)
911 }
912 defer func() {
913 if listener != nil {
914 listener.Close()
915 }
916 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]917
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]918 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]919 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]920 flags = append(flags, "-server")
921
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]922 flags = append(flags, "-key-file")
923 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]924 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]925 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]926 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 }
928
929 flags = append(flags, "-cert-file")
930 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]932 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]934 }
935 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]936
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]937 if test.protocol == dtls {
938 flags = append(flags, "-dtls")
939 }
940
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]941 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]942 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]943 resumeCount++
944 if test.resumeRenewedSession {
945 resumeCount++
946 }
947 }
948
949 if resumeCount > 0 {
950 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]951 }
952
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]953 if test.shimWritesFirst {
954 flags = append(flags, "-shim-writes-first")
955 }
956
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]957 if test.readWithUnfinishedWrite {
958 flags = append(flags, "-read-with-unfinished-write")
959 }
960
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]961 if test.shimShutsDown {
962 flags = append(flags, "-shim-shuts-down")
963 }
964
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]965 if test.exportKeyingMaterial > 0 {
966 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
967 flags = append(flags, "-export-label", test.exportLabel)
968 flags = append(flags, "-export-context", test.exportContext)
969 if test.useExportContext {
970 flags = append(flags, "-use-export-context")
971 }
972 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]973 if test.expectResumeRejected {
974 flags = append(flags, "-expect-session-miss")
975 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]976
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]977 if test.testTLSUnique {
978 flags = append(flags, "-tls-unique")
979 }
980
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]981 flags = append(flags, test.flags...)
982
983 var shim *exec.Cmd
984 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]985 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]986 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]987 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]988 } else if *useLLDB {
989 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]990 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]991 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]992 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]993 shim.Stdin = os.Stdin
994 var stdoutBuf, stderrBuf bytes.Buffer
995 shim.Stdout = &stdoutBuf
996 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]997 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]998 shim.Env = os.Environ()
999 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1000 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]1001 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1002 }
1003 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1004 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]1005
1006 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1007 panic(err)
1008 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1009 waitChan := make(chan error, 1)
1010 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1011
1012 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1013
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]1014 if *deterministic {
1015 config.Rand = &deterministicRand{}
1016 }
1017
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1018 conn, err := acceptOrWait(listener, waitChan)
1019 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1020 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1021 conn.Close()
1022 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]1023
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]1024 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1025 var resumeConfig Config
1026 if test.resumeConfig != nil {
1027 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1028 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1029 resumeConfig.SessionTicketKey = config.SessionTicketKey
1030 resumeConfig.ClientSessionCache = config.ClientSessionCache
1031 resumeConfig.ServerSessionCache = config.ServerSessionCache
1032 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1033 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1034 } else {
1035 resumeConfig = config
1036 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1037 var connResume net.Conn
1038 connResume, err = acceptOrWait(listener, waitChan)
1039 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1040 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1041 connResume.Close()
1042 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1043 }
1044
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1045 // Close the listener now. This is to avoid hangs should the shim try to
1046 // open more connections than expected.
1047 listener.Close()
1048 listener = nil
1049
1050 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1051 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1052 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1053 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1054 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1055 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1056 case 89:
1057 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 case 99:
1059 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1060 }
1061 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1063 // Account for Windows line endings.
1064 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1065 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1066
1067 // Separate the errors from the shim and those from tools like
1068 // AddressSanitizer.
1069 var extraStderr string
1070 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1071 stderr = stderrParts[0]
1072 extraStderr = stderrParts[1]
1073 }
1074
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1075 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1076 expectedError := translateExpectedError(test.expectedError)
1077 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1078
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1079 localError := "none"
1080 if err != nil {
1081 localError = err.Error()
1082 }
1083 if len(test.expectedLocalError) != 0 {
1084 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1085 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086
1087 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1089 if childErr != nil {
1090 childError = childErr.Error()
1091 }
1092
1093 var msg string
1094 switch {
1095 case failed && !test.shouldFail:
1096 msg = "unexpected failure"
1097 case !failed && test.shouldFail:
1098 msg = "unexpected success"
1099 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1100 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101 default:
1102 panic("internal error")
1103 }
1104
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1105 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 }
1107
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1108 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1109 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 }
1111
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1112 if *useValgrind && isValgrindError {
1113 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1114 }
1115
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 return nil
1117}
1118
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1119type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 name string
1121 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1122 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1123 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1124}
1125
1126var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1127 {"SSL3", VersionSSL30, "-no-ssl3", false},
1128 {"TLS1", VersionTLS10, "-no-tls1", true},
1129 {"TLS11", VersionTLS11, "-no-tls11", false},
1130 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1131 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1132}
1133
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1134type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 name string
1136 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1137}
1138
1139var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1140 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1141 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1143 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1144 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1145 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1146 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1148 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1149 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1150 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1151 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1152 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1153 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1154 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1155 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1156 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1157 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1158 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1159 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1160 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1161 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1162 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1163 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1164 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1165 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1166 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1167 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1168 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1169 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170}
1171
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1172func hasComponent(suiteName, component string) bool {
1173 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1174}
1175
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1176func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1177 return hasComponent(suiteName, "GCM") ||
1178 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1179 hasComponent(suiteName, "SHA384") ||
1180 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1181}
1182
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1183func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1184 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1185}
1186
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1187func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1188 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1189}
1190
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1191func bigFromHex(hex string) *big.Int {
1192 ret, ok := new(big.Int).SetString(hex, 16)
1193 if !ok {
1194 panic("failed to parse hex number 0x" + hex)
1195 }
1196 return ret
1197}
1198
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1199func addBasicTests() {
1200 basicTests := []testCase{
1201 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1202 name: "NoFallbackSCSV",
1203 config: Config{
1204 Bugs: ProtocolBugs{
1205 FailIfNotFallbackSCSV: true,
1206 },
1207 },
1208 shouldFail: true,
1209 expectedLocalError: "no fallback SCSV found",
1210 },
1211 {
1212 name: "SendFallbackSCSV",
1213 config: Config{
1214 Bugs: ProtocolBugs{
1215 FailIfNotFallbackSCSV: true,
1216 },
1217 },
1218 flags: []string{"-fallback-scsv"},
1219 },
1220 {
1221 name: "ClientCertificateTypes",
1222 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1223 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1224 ClientAuth: RequestClientCert,
1225 ClientCertificateTypes: []byte{
1226 CertTypeDSSSign,
1227 CertTypeRSASign,
1228 CertTypeECDSASign,
1229 },
1230 },
1231 flags: []string{
1232 "-expect-certificate-types",
1233 base64.StdEncoding.EncodeToString([]byte{
1234 CertTypeDSSSign,
1235 CertTypeRSASign,
1236 CertTypeECDSASign,
1237 }),
1238 },
1239 },
1240 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1241 name: "UnauthenticatedECDH",
1242 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1243 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1244 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1245 Bugs: ProtocolBugs{
1246 UnauthenticatedECDH: true,
1247 },
1248 },
1249 shouldFail: true,
1250 expectedError: ":UNEXPECTED_MESSAGE:",
1251 },
1252 {
1253 name: "SkipCertificateStatus",
1254 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1255 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1256 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1257 Bugs: ProtocolBugs{
1258 SkipCertificateStatus: true,
1259 },
1260 },
1261 flags: []string{
1262 "-enable-ocsp-stapling",
1263 },
1264 },
1265 {
1266 name: "SkipServerKeyExchange",
1267 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1268 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1269 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1270 Bugs: ProtocolBugs{
1271 SkipServerKeyExchange: true,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":UNEXPECTED_MESSAGE:",
1276 },
1277 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1278 testType: serverTest,
1279 name: "Alert",
1280 config: Config{
1281 Bugs: ProtocolBugs{
1282 SendSpuriousAlert: alertRecordOverflow,
1283 },
1284 },
1285 shouldFail: true,
1286 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1287 },
1288 {
1289 protocol: dtls,
1290 testType: serverTest,
1291 name: "Alert-DTLS",
1292 config: Config{
1293 Bugs: ProtocolBugs{
1294 SendSpuriousAlert: alertRecordOverflow,
1295 },
1296 },
1297 shouldFail: true,
1298 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1299 },
1300 {
1301 testType: serverTest,
1302 name: "FragmentAlert",
1303 config: Config{
1304 Bugs: ProtocolBugs{
1305 FragmentAlert: true,
1306 SendSpuriousAlert: alertRecordOverflow,
1307 },
1308 },
1309 shouldFail: true,
1310 expectedError: ":BAD_ALERT:",
1311 },
1312 {
1313 protocol: dtls,
1314 testType: serverTest,
1315 name: "FragmentAlert-DTLS",
1316 config: Config{
1317 Bugs: ProtocolBugs{
1318 FragmentAlert: true,
1319 SendSpuriousAlert: alertRecordOverflow,
1320 },
1321 },
1322 shouldFail: true,
1323 expectedError: ":BAD_ALERT:",
1324 },
1325 {
1326 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1327 name: "DoubleAlert",
1328 config: Config{
1329 Bugs: ProtocolBugs{
1330 DoubleAlert: true,
1331 SendSpuriousAlert: alertRecordOverflow,
1332 },
1333 },
1334 shouldFail: true,
1335 expectedError: ":BAD_ALERT:",
1336 },
1337 {
1338 protocol: dtls,
1339 testType: serverTest,
1340 name: "DoubleAlert-DTLS",
1341 config: Config{
1342 Bugs: ProtocolBugs{
1343 DoubleAlert: true,
1344 SendSpuriousAlert: alertRecordOverflow,
1345 },
1346 },
1347 shouldFail: true,
1348 expectedError: ":BAD_ALERT:",
1349 },
1350 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1351 name: "SkipNewSessionTicket",
1352 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1353 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1354 Bugs: ProtocolBugs{
1355 SkipNewSessionTicket: true,
1356 },
1357 },
1358 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1359 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1360 },
1361 {
1362 testType: serverTest,
1363 name: "FallbackSCSV",
1364 config: Config{
1365 MaxVersion: VersionTLS11,
1366 Bugs: ProtocolBugs{
1367 SendFallbackSCSV: true,
1368 },
1369 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1370 shouldFail: true,
1371 expectedError: ":INAPPROPRIATE_FALLBACK:",
1372 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1373 },
1374 {
1375 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1376 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1377 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1378 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1379 Bugs: ProtocolBugs{
1380 SendFallbackSCSV: true,
1381 },
1382 },
1383 },
1384 {
1385 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1386 name: "FallbackSCSV-VersionMatch-TLS12",
1387 config: Config{
1388 MaxVersion: VersionTLS12,
1389 Bugs: ProtocolBugs{
1390 SendFallbackSCSV: true,
1391 },
1392 },
1393 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1394 },
1395 {
1396 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1397 name: "FragmentedClientVersion",
1398 config: Config{
1399 Bugs: ProtocolBugs{
1400 MaxHandshakeRecordLength: 1,
1401 FragmentClientVersion: true,
1402 },
1403 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1404 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1405 },
1406 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1407 testType: serverTest,
1408 name: "HttpGET",
1409 sendPrefix: "GET / HTTP/1.0\n",
1410 shouldFail: true,
1411 expectedError: ":HTTP_REQUEST:",
1412 },
1413 {
1414 testType: serverTest,
1415 name: "HttpPOST",
1416 sendPrefix: "POST / HTTP/1.0\n",
1417 shouldFail: true,
1418 expectedError: ":HTTP_REQUEST:",
1419 },
1420 {
1421 testType: serverTest,
1422 name: "HttpHEAD",
1423 sendPrefix: "HEAD / HTTP/1.0\n",
1424 shouldFail: true,
1425 expectedError: ":HTTP_REQUEST:",
1426 },
1427 {
1428 testType: serverTest,
1429 name: "HttpPUT",
1430 sendPrefix: "PUT / HTTP/1.0\n",
1431 shouldFail: true,
1432 expectedError: ":HTTP_REQUEST:",
1433 },
1434 {
1435 testType: serverTest,
1436 name: "HttpCONNECT",
1437 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1438 shouldFail: true,
1439 expectedError: ":HTTPS_PROXY_REQUEST:",
1440 },
1441 {
1442 testType: serverTest,
1443 name: "Garbage",
1444 sendPrefix: "blah",
1445 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1446 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1447 },
1448 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1449 name: "RSAEphemeralKey",
1450 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1451 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1452 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1453 Bugs: ProtocolBugs{
1454 RSAEphemeralKey: true,
1455 },
1456 },
1457 shouldFail: true,
1458 expectedError: ":UNEXPECTED_MESSAGE:",
1459 },
1460 {
1461 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1462 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1463 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1464 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1465 },
1466 {
1467 protocol: dtls,
1468 name: "DisableEverything-DTLS",
1469 flags: []string{"-no-tls12", "-no-tls1"},
1470 shouldFail: true,
David Benjamin3cfeb952017-03-01 16:48:38 -0500[diff] [blame]1471 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1472 },
1473 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1474 protocol: dtls,
1475 testType: serverTest,
1476 name: "MTU",
1477 config: Config{
1478 Bugs: ProtocolBugs{
1479 MaxPacketLength: 256,
1480 },
1481 },
1482 flags: []string{"-mtu", "256"},
1483 },
1484 {
1485 protocol: dtls,
1486 testType: serverTest,
1487 name: "MTUExceeded",
1488 config: Config{
1489 Bugs: ProtocolBugs{
1490 MaxPacketLength: 255,
1491 },
1492 },
1493 flags: []string{"-mtu", "256"},
1494 shouldFail: true,
1495 expectedLocalError: "dtls: exceeded maximum packet length",
1496 },
1497 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1498 name: "EmptyCertificateList",
1499 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1500 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1501 Bugs: ProtocolBugs{
1502 EmptyCertificateList: true,
1503 },
1504 },
1505 shouldFail: true,
1506 expectedError: ":DECODE_ERROR:",
1507 },
1508 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1509 name: "EmptyCertificateList-TLS13",
1510 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1511 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1512 Bugs: ProtocolBugs{
1513 EmptyCertificateList: true,
1514 },
1515 },
1516 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1517 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1518 },
1519 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1520 name: "TLSFatalBadPackets",
1521 damageFirstWrite: true,
1522 shouldFail: true,
1523 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1524 },
1525 {
1526 protocol: dtls,
1527 name: "DTLSIgnoreBadPackets",
1528 damageFirstWrite: true,
1529 },
1530 {
1531 protocol: dtls,
1532 name: "DTLSIgnoreBadPackets-Async",
1533 damageFirstWrite: true,
1534 flags: []string{"-async"},
1535 },
1536 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1537 name: "AppDataBeforeHandshake",
1538 config: Config{
1539 Bugs: ProtocolBugs{
1540 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1541 },
1542 },
1543 shouldFail: true,
1544 expectedError: ":UNEXPECTED_RECORD:",
1545 },
1546 {
1547 name: "AppDataBeforeHandshake-Empty",
1548 config: Config{
1549 Bugs: ProtocolBugs{
1550 AppDataBeforeHandshake: []byte{},
1551 },
1552 },
1553 shouldFail: true,
1554 expectedError: ":UNEXPECTED_RECORD:",
1555 },
1556 {
1557 protocol: dtls,
1558 name: "AppDataBeforeHandshake-DTLS",
1559 config: Config{
1560 Bugs: ProtocolBugs{
1561 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1562 },
1563 },
1564 shouldFail: true,
1565 expectedError: ":UNEXPECTED_RECORD:",
1566 },
1567 {
1568 protocol: dtls,
1569 name: "AppDataBeforeHandshake-DTLS-Empty",
1570 config: Config{
1571 Bugs: ProtocolBugs{
1572 AppDataBeforeHandshake: []byte{},
1573 },
1574 },
1575 shouldFail: true,
1576 expectedError: ":UNEXPECTED_RECORD:",
1577 },
1578 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 name: "AppDataAfterChangeCipherSpec",
1580 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1581 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1582 Bugs: ProtocolBugs{
1583 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1584 },
1585 },
1586 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1587 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1588 },
1589 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1590 name: "AppDataAfterChangeCipherSpec-Empty",
1591 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1592 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1593 Bugs: ProtocolBugs{
1594 AppDataAfterChangeCipherSpec: []byte{},
1595 },
1596 },
1597 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1598 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1599 },
1600 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1601 protocol: dtls,
1602 name: "AppDataAfterChangeCipherSpec-DTLS",
1603 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1604 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1605 Bugs: ProtocolBugs{
1606 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1607 },
1608 },
1609 // BoringSSL's DTLS implementation will drop the out-of-order
1610 // application data.
1611 },
1612 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1613 protocol: dtls,
1614 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1615 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1616 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1617 Bugs: ProtocolBugs{
1618 AppDataAfterChangeCipherSpec: []byte{},
1619 },
1620 },
1621 // BoringSSL's DTLS implementation will drop the out-of-order
1622 // application data.
1623 },
1624 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1625 name: "AlertAfterChangeCipherSpec",
1626 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1627 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1628 Bugs: ProtocolBugs{
1629 AlertAfterChangeCipherSpec: alertRecordOverflow,
1630 },
1631 },
1632 shouldFail: true,
1633 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1634 },
1635 {
1636 protocol: dtls,
1637 name: "AlertAfterChangeCipherSpec-DTLS",
1638 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1639 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1640 Bugs: ProtocolBugs{
1641 AlertAfterChangeCipherSpec: alertRecordOverflow,
1642 },
1643 },
1644 shouldFail: true,
1645 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1646 },
1647 {
1648 protocol: dtls,
1649 name: "ReorderHandshakeFragments-Small-DTLS",
1650 config: Config{
1651 Bugs: ProtocolBugs{
1652 ReorderHandshakeFragments: true,
1653 // Small enough that every handshake message is
1654 // fragmented.
1655 MaxHandshakeRecordLength: 2,
1656 },
1657 },
1658 },
1659 {
1660 protocol: dtls,
1661 name: "ReorderHandshakeFragments-Large-DTLS",
1662 config: Config{
1663 Bugs: ProtocolBugs{
1664 ReorderHandshakeFragments: true,
1665 // Large enough that no handshake message is
1666 // fragmented.
1667 MaxHandshakeRecordLength: 2048,
1668 },
1669 },
1670 },
1671 {
1672 protocol: dtls,
1673 name: "MixCompleteMessageWithFragments-DTLS",
1674 config: Config{
1675 Bugs: ProtocolBugs{
1676 ReorderHandshakeFragments: true,
1677 MixCompleteMessageWithFragments: true,
1678 MaxHandshakeRecordLength: 2,
1679 },
1680 },
1681 },
1682 {
1683 name: "SendInvalidRecordType",
1684 config: Config{
1685 Bugs: ProtocolBugs{
1686 SendInvalidRecordType: true,
1687 },
1688 },
1689 shouldFail: true,
1690 expectedError: ":UNEXPECTED_RECORD:",
1691 },
1692 {
1693 protocol: dtls,
1694 name: "SendInvalidRecordType-DTLS",
1695 config: Config{
1696 Bugs: ProtocolBugs{
1697 SendInvalidRecordType: true,
1698 },
1699 },
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 name: "FalseStart-SkipServerSecondLeg",
1705 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1706 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1708 NextProtos: []string{"foo"},
1709 Bugs: ProtocolBugs{
1710 SkipNewSessionTicket: true,
1711 SkipChangeCipherSpec: true,
1712 SkipFinished: true,
1713 ExpectFalseStart: true,
1714 },
1715 },
1716 flags: []string{
1717 "-false-start",
1718 "-handshake-never-done",
1719 "-advertise-alpn", "\x03foo",
1720 },
1721 shimWritesFirst: true,
1722 shouldFail: true,
1723 expectedError: ":UNEXPECTED_RECORD:",
1724 },
1725 {
1726 name: "FalseStart-SkipServerSecondLeg-Implicit",
1727 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1728 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1729 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1730 NextProtos: []string{"foo"},
1731 Bugs: ProtocolBugs{
1732 SkipNewSessionTicket: true,
1733 SkipChangeCipherSpec: true,
1734 SkipFinished: true,
1735 },
1736 },
1737 flags: []string{
1738 "-implicit-handshake",
1739 "-false-start",
1740 "-handshake-never-done",
1741 "-advertise-alpn", "\x03foo",
1742 },
1743 shouldFail: true,
1744 expectedError: ":UNEXPECTED_RECORD:",
1745 },
1746 {
1747 testType: serverTest,
1748 name: "FailEarlyCallback",
1749 flags: []string{"-fail-early-callback"},
1750 shouldFail: true,
1751 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1752 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1753 },
1754 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1755 name: "FailCertCallback-Client-TLS12",
1756 config: Config{
1757 MaxVersion: VersionTLS12,
1758 ClientAuth: RequestClientCert,
1759 },
1760 flags: []string{"-fail-cert-callback"},
1761 shouldFail: true,
1762 expectedError: ":CERT_CB_ERROR:",
1763 expectedLocalError: "remote error: internal error",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailCertCallback-Server-TLS12",
1768 config: Config{
1769 MaxVersion: VersionTLS12,
1770 },
1771 flags: []string{"-fail-cert-callback"},
1772 shouldFail: true,
1773 expectedError: ":CERT_CB_ERROR:",
1774 expectedLocalError: "remote error: internal error",
1775 },
1776 {
1777 name: "FailCertCallback-Client-TLS13",
1778 config: Config{
1779 MaxVersion: VersionTLS13,
1780 ClientAuth: RequestClientCert,
1781 },
1782 flags: []string{"-fail-cert-callback"},
1783 shouldFail: true,
1784 expectedError: ":CERT_CB_ERROR:",
1785 expectedLocalError: "remote error: internal error",
1786 },
1787 {
1788 testType: serverTest,
1789 name: "FailCertCallback-Server-TLS13",
1790 config: Config{
1791 MaxVersion: VersionTLS13,
1792 },
1793 flags: []string{"-fail-cert-callback"},
1794 shouldFail: true,
1795 expectedError: ":CERT_CB_ERROR:",
1796 expectedLocalError: "remote error: internal error",
1797 },
1798 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1799 protocol: dtls,
1800 name: "FragmentMessageTypeMismatch-DTLS",
1801 config: Config{
1802 Bugs: ProtocolBugs{
1803 MaxHandshakeRecordLength: 2,
1804 FragmentMessageTypeMismatch: true,
1805 },
1806 },
1807 shouldFail: true,
1808 expectedError: ":FRAGMENT_MISMATCH:",
1809 },
1810 {
1811 protocol: dtls,
1812 name: "FragmentMessageLengthMismatch-DTLS",
1813 config: Config{
1814 Bugs: ProtocolBugs{
1815 MaxHandshakeRecordLength: 2,
1816 FragmentMessageLengthMismatch: true,
1817 },
1818 },
1819 shouldFail: true,
1820 expectedError: ":FRAGMENT_MISMATCH:",
1821 },
1822 {
1823 protocol: dtls,
1824 name: "SplitFragments-Header-DTLS",
1825 config: Config{
1826 Bugs: ProtocolBugs{
1827 SplitFragments: 2,
1828 },
1829 },
1830 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1831 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1832 },
1833 {
1834 protocol: dtls,
1835 name: "SplitFragments-Boundary-DTLS",
1836 config: Config{
1837 Bugs: ProtocolBugs{
1838 SplitFragments: dtlsRecordHeaderLen,
1839 },
1840 },
1841 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1842 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1843 },
1844 {
1845 protocol: dtls,
1846 name: "SplitFragments-Body-DTLS",
1847 config: Config{
1848 Bugs: ProtocolBugs{
1849 SplitFragments: dtlsRecordHeaderLen + 1,
1850 },
1851 },
1852 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1853 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1854 },
1855 {
1856 protocol: dtls,
1857 name: "SendEmptyFragments-DTLS",
1858 config: Config{
1859 Bugs: ProtocolBugs{
1860 SendEmptyFragments: true,
1861 },
1862 },
1863 },
1864 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1865 name: "BadFinished-Client",
1866 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1867 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1868 Bugs: ProtocolBugs{
1869 BadFinished: true,
1870 },
1871 },
1872 shouldFail: true,
1873 expectedError: ":DIGEST_CHECK_FAILED:",
1874 },
1875 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1876 name: "BadFinished-Client-TLS13",
1877 config: Config{
1878 MaxVersion: VersionTLS13,
1879 Bugs: ProtocolBugs{
1880 BadFinished: true,
1881 },
1882 },
1883 shouldFail: true,
1884 expectedError: ":DIGEST_CHECK_FAILED:",
1885 },
1886 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1887 testType: serverTest,
1888 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1889 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1890 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1891 Bugs: ProtocolBugs{
1892 BadFinished: true,
1893 },
1894 },
1895 shouldFail: true,
1896 expectedError: ":DIGEST_CHECK_FAILED:",
1897 },
1898 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1899 testType: serverTest,
1900 name: "BadFinished-Server-TLS13",
1901 config: Config{
1902 MaxVersion: VersionTLS13,
1903 Bugs: ProtocolBugs{
1904 BadFinished: true,
1905 },
1906 },
1907 shouldFail: true,
1908 expectedError: ":DIGEST_CHECK_FAILED:",
1909 },
1910 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1911 name: "FalseStart-BadFinished",
1912 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1913 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1914 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1915 NextProtos: []string{"foo"},
1916 Bugs: ProtocolBugs{
1917 BadFinished: true,
1918 ExpectFalseStart: true,
1919 },
1920 },
1921 flags: []string{
1922 "-false-start",
1923 "-handshake-never-done",
1924 "-advertise-alpn", "\x03foo",
1925 },
1926 shimWritesFirst: true,
1927 shouldFail: true,
1928 expectedError: ":DIGEST_CHECK_FAILED:",
1929 },
1930 {
1931 name: "NoFalseStart-NoALPN",
1932 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1933 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1934 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1935 Bugs: ProtocolBugs{
1936 ExpectFalseStart: true,
1937 AlertBeforeFalseStartTest: alertAccessDenied,
1938 },
1939 },
1940 flags: []string{
1941 "-false-start",
1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1946 expectedLocalError: "tls: peer did not false start: EOF",
1947 },
1948 {
1949 name: "NoFalseStart-NoAEAD",
1950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1951 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1952 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1953 NextProtos: []string{"foo"},
1954 Bugs: ProtocolBugs{
1955 ExpectFalseStart: true,
1956 AlertBeforeFalseStartTest: alertAccessDenied,
1957 },
1958 },
1959 flags: []string{
1960 "-false-start",
1961 "-advertise-alpn", "\x03foo",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-RSA",
1970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1971 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1972 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1989 protocol: dtls,
1990 name: "SendSplitAlert-Sync",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 },
1997 {
1998 protocol: dtls,
1999 name: "SendSplitAlert-Async",
2000 config: Config{
2001 Bugs: ProtocolBugs{
2002 SendSplitAlert: true,
2003 },
2004 },
2005 flags: []string{"-async"},
2006 },
2007 {
2008 protocol: dtls,
2009 name: "PackDTLSHandshake",
2010 config: Config{
2011 Bugs: ProtocolBugs{
2012 MaxHandshakeRecordLength: 2,
2013 PackHandshakeFragments: 20,
2014 PackHandshakeRecords: 200,
2015 },
2016 },
2017 },
2018 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2019 name: "SendEmptyRecords-Pass",
2020 sendEmptyRecords: 32,
2021 },
2022 {
2023 name: "SendEmptyRecords",
2024 sendEmptyRecords: 33,
2025 shouldFail: true,
2026 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2027 },
2028 {
2029 name: "SendEmptyRecords-Async",
2030 sendEmptyRecords: 33,
2031 flags: []string{"-async"},
2032 shouldFail: true,
2033 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2034 },
2035 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2036 name: "SendWarningAlerts-Pass",
2037 config: Config{
2038 MaxVersion: VersionTLS12,
2039 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2040 sendWarningAlerts: 4,
2041 },
2042 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2043 protocol: dtls,
2044 name: "SendWarningAlerts-DTLS-Pass",
2045 config: Config{
2046 MaxVersion: VersionTLS12,
2047 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2048 sendWarningAlerts: 4,
2049 },
2050 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2051 name: "SendWarningAlerts-TLS13",
2052 config: Config{
2053 MaxVersion: VersionTLS13,
2054 },
2055 sendWarningAlerts: 4,
2056 shouldFail: true,
2057 expectedError: ":BAD_ALERT:",
2058 expectedLocalError: "remote error: error decoding message",
2059 },
2060 {
2061 name: "SendWarningAlerts",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 shouldFail: true,
2067 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2068 },
2069 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2070 name: "SendWarningAlerts-Async",
2071 config: Config{
2072 MaxVersion: VersionTLS12,
2073 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2074 sendWarningAlerts: 5,
2075 flags: []string{"-async"},
2076 shouldFail: true,
2077 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2078 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2079 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2080 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2081 config: Config{
2082 MaxVersion: VersionTLS13,
2083 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2084 sendKeyUpdates: 33,
2085 keyUpdateRequest: keyUpdateNotRequested,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2088 },
2089 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2090 name: "EmptySessionID",
2091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2092 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2093 SessionTicketsDisabled: true,
2094 },
2095 noSessionCache: true,
2096 flags: []string{"-expect-no-session"},
2097 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2098 {
2099 name: "Unclean-Shutdown",
2100 config: Config{
2101 Bugs: ProtocolBugs{
2102 NoCloseNotify: true,
2103 ExpectCloseNotify: true,
2104 },
2105 },
2106 shimShutsDown: true,
2107 flags: []string{"-check-close-notify"},
2108 shouldFail: true,
2109 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2110 },
2111 {
2112 name: "Unclean-Shutdown-Ignored",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 NoCloseNotify: true,
2116 },
2117 },
2118 shimShutsDown: true,
2119 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2120 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2121 name: "Unclean-Shutdown-Alert",
2122 config: Config{
2123 Bugs: ProtocolBugs{
2124 SendAlertOnShutdown: alertDecompressionFailure,
2125 ExpectCloseNotify: true,
2126 },
2127 },
2128 shimShutsDown: true,
2129 flags: []string{"-check-close-notify"},
2130 shouldFail: true,
2131 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2132 },
2133 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2134 name: "LargePlaintext",
2135 config: Config{
2136 Bugs: ProtocolBugs{
2137 SendLargeRecords: true,
2138 },
2139 },
2140 messageLen: maxPlaintext + 1,
2141 shouldFail: true,
2142 expectedError: ":DATA_LENGTH_TOO_LONG:",
2143 },
2144 {
2145 protocol: dtls,
2146 name: "LargePlaintext-DTLS",
2147 config: Config{
2148 Bugs: ProtocolBugs{
2149 SendLargeRecords: true,
2150 },
2151 },
2152 messageLen: maxPlaintext + 1,
2153 shouldFail: true,
2154 expectedError: ":DATA_LENGTH_TOO_LONG:",
2155 },
2156 {
2157 name: "LargeCiphertext",
2158 config: Config{
2159 Bugs: ProtocolBugs{
2160 SendLargeRecords: true,
2161 },
2162 },
2163 messageLen: maxPlaintext * 2,
2164 shouldFail: true,
2165 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2166 },
2167 {
2168 protocol: dtls,
2169 name: "LargeCiphertext-DTLS",
2170 config: Config{
2171 Bugs: ProtocolBugs{
2172 SendLargeRecords: true,
2173 },
2174 },
2175 messageLen: maxPlaintext * 2,
2176 // Unlike the other four cases, DTLS drops records which
2177 // are invalid before authentication, so the connection
2178 // does not fail.
2179 expectMessageDropped: true,
2180 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2181 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2182 name: "BadHelloRequest-1",
2183 renegotiate: 1,
2184 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2185 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2186 Bugs: ProtocolBugs{
2187 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2188 },
2189 },
2190 flags: []string{
2191 "-renegotiate-freely",
2192 "-expect-total-renegotiations", "1",
2193 },
2194 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2195 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2196 },
2197 {
2198 name: "BadHelloRequest-2",
2199 renegotiate: 1,
2200 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2201 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2202 Bugs: ProtocolBugs{
2203 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2204 },
2205 },
2206 flags: []string{
2207 "-renegotiate-freely",
2208 "-expect-total-renegotiations", "1",
2209 },
2210 shouldFail: true,
2211 expectedError: ":BAD_HELLO_REQUEST:",
2212 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2213 {
2214 testType: serverTest,
2215 name: "SupportTicketsWithSessionID",
2216 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2217 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2218 SessionTicketsDisabled: true,
2219 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2220 resumeConfig: &Config{
2221 MaxVersion: VersionTLS12,
2222 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2223 resumeSession: true,
2224 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2225 {
2226 protocol: dtls,
2227 name: "DTLS-SendExtraFinished",
2228 config: Config{
2229 Bugs: ProtocolBugs{
2230 SendExtraFinished: true,
2231 },
2232 },
2233 shouldFail: true,
2234 expectedError: ":UNEXPECTED_RECORD:",
2235 },
2236 {
2237 protocol: dtls,
2238 name: "DTLS-SendExtraFinished-Reordered",
2239 config: Config{
2240 Bugs: ProtocolBugs{
2241 MaxHandshakeRecordLength: 2,
2242 ReorderHandshakeFragments: true,
2243 SendExtraFinished: true,
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":UNEXPECTED_RECORD:",
2248 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 {
2250 testType: serverTest,
2251 name: "V2ClientHello-EmptyRecordPrefix",
2252 config: Config{
2253 // Choose a cipher suite that does not involve
2254 // elliptic curves, so no extensions are
2255 // involved.
2256 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2257 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2258 Bugs: ProtocolBugs{
2259 SendV2ClientHello: true,
2260 },
2261 },
2262 sendPrefix: string([]byte{
2263 byte(recordTypeHandshake),
2264 3, 1, // version
2265 0, 0, // length
2266 }),
2267 // A no-op empty record may not be sent before V2ClientHello.
2268 shouldFail: true,
2269 expectedError: ":WRONG_VERSION_NUMBER:",
2270 },
2271 {
2272 testType: serverTest,
2273 name: "V2ClientHello-WarningAlertPrefix",
2274 config: Config{
2275 // Choose a cipher suite that does not involve
2276 // elliptic curves, so no extensions are
2277 // involved.
2278 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2279 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2280 Bugs: ProtocolBugs{
2281 SendV2ClientHello: true,
2282 },
2283 },
2284 sendPrefix: string([]byte{
2285 byte(recordTypeAlert),
2286 3, 1, // version
2287 0, 2, // length
2288 alertLevelWarning, byte(alertDecompressionFailure),
2289 }),
2290 // A no-op warning alert may not be sent before V2ClientHello.
2291 shouldFail: true,
2292 expectedError: ":WRONG_VERSION_NUMBER:",
2293 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2295 name: "KeyUpdate-Client",
2296 config: Config{
2297 MaxVersion: VersionTLS13,
2298 },
2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 testType: serverTest,
2304 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2305 config: Config{
2306 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2307 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2308 sendKeyUpdates: 1,
2309 keyUpdateRequest: keyUpdateNotRequested,
2310 },
2311 {
2312 name: "KeyUpdate-InvalidRequestMode",
2313 config: Config{
2314 MaxVersion: VersionTLS13,
2315 },
2316 sendKeyUpdates: 1,
2317 keyUpdateRequest: 42,
2318 shouldFail: true,
2319 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2320 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2321 {
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]2322 // Test that KeyUpdates are acknowledged properly.
2323 name: "KeyUpdate-RequestACK",
2324 config: Config{
2325 MaxVersion: VersionTLS13,
2326 Bugs: ProtocolBugs{
2327 RejectUnsolicitedKeyUpdate: true,
2328 },
2329 },
2330 // Test the shim receiving many KeyUpdates in a row.
2331 sendKeyUpdates: 5,
2332 messageCount: 5,
2333 keyUpdateRequest: keyUpdateRequested,
2334 },
2335 {
2336 // Test that KeyUpdates are acknowledged properly if the
2337 // peer's KeyUpdate is discovered while a write is
2338 // pending.
2339 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2340 config: Config{
2341 MaxVersion: VersionTLS13,
2342 Bugs: ProtocolBugs{
2343 RejectUnsolicitedKeyUpdate: true,
2344 },
2345 },
2346 // Test the shim receiving many KeyUpdates in a row.
2347 sendKeyUpdates: 5,
2348 messageCount: 5,
2349 keyUpdateRequest: keyUpdateRequested,
2350 readWithUnfinishedWrite: true,
2351 flags: []string{"-async"},
2352 },
2353 {
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2354 name: "SendSNIWarningAlert",
2355 config: Config{
2356 MaxVersion: VersionTLS12,
2357 Bugs: ProtocolBugs{
2358 SendSNIWarningAlert: true,
2359 },
2360 },
2361 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2362 {
2363 testType: serverTest,
2364 name: "ExtraCompressionMethods-TLS12",
2365 config: Config{
2366 MaxVersion: VersionTLS12,
2367 Bugs: ProtocolBugs{
2368 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2369 },
2370 },
2371 },
2372 {
2373 testType: serverTest,
2374 name: "ExtraCompressionMethods-TLS13",
2375 config: Config{
2376 MaxVersion: VersionTLS13,
2377 Bugs: ProtocolBugs{
2378 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2379 },
2380 },
2381 shouldFail: true,
2382 expectedError: ":INVALID_COMPRESSION_LIST:",
2383 expectedLocalError: "remote error: illegal parameter",
2384 },
2385 {
2386 testType: serverTest,
2387 name: "NoNullCompression-TLS12",
2388 config: Config{
2389 MaxVersion: VersionTLS12,
2390 Bugs: ProtocolBugs{
2391 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2392 },
2393 },
2394 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2395 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2396 expectedLocalError: "remote error: illegal parameter",
2397 },
2398 {
2399 testType: serverTest,
2400 name: "NoNullCompression-TLS13",
2401 config: Config{
2402 MaxVersion: VersionTLS13,
2403 Bugs: ProtocolBugs{
2404 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2405 },
2406 },
2407 shouldFail: true,
2408 expectedError: ":INVALID_COMPRESSION_LIST:",
2409 expectedLocalError: "remote error: illegal parameter",
2410 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2411 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2412 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2413 config: Config{
2414 MaxVersion: VersionTLS12,
2415 Bugs: ProtocolBugs{
2416 ExpectGREASE: true,
2417 },
2418 },
2419 flags: []string{"-enable-grease"},
2420 },
2421 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2422 name: "GREASE-Client-TLS13",
2423 config: Config{
2424 MaxVersion: VersionTLS13,
2425 Bugs: ProtocolBugs{
2426 ExpectGREASE: true,
2427 },
2428 },
2429 flags: []string{"-enable-grease"},
2430 },
2431 {
2432 testType: serverTest,
2433 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2434 config: Config{
2435 MaxVersion: VersionTLS13,
2436 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2437 // TLS 1.3 servers are expected to
2438 // always enable GREASE. TLS 1.3 is new,
2439 // so there is no existing ecosystem to
2440 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2441 ExpectGREASE: true,
2442 },
2443 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2444 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2445 {
2446 // Test the server so there is a large certificate as
2447 // well as application data.
2448 testType: serverTest,
2449 name: "MaxSendFragment",
2450 config: Config{
2451 Bugs: ProtocolBugs{
2452 MaxReceivePlaintext: 512,
2453 },
2454 },
2455 messageLen: 1024,
2456 flags: []string{
2457 "-max-send-fragment", "512",
2458 "-read-size", "1024",
2459 },
2460 },
2461 {
2462 // Test the server so there is a large certificate as
2463 // well as application data.
2464 testType: serverTest,
2465 name: "MaxSendFragment-TooLarge",
2466 config: Config{
2467 Bugs: ProtocolBugs{
2468 // Ensure that some of the records are
2469 // 512.
2470 MaxReceivePlaintext: 511,
2471 },
2472 },
2473 messageLen: 1024,
2474 flags: []string{
2475 "-max-send-fragment", "512",
2476 "-read-size", "1024",
2477 },
2478 shouldFail: true,
2479 expectedLocalError: "local error: record overflow",
2480 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2481 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2482 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2483
2484 // Test that very large messages can be received.
2485 cert := rsaCertificate
2486 for i := 0; i < 50; i++ {
2487 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2488 }
2489 testCases = append(testCases, testCase{
2490 name: "LargeMessage",
2491 config: Config{
2492 Certificates: []Certificate{cert},
2493 },
2494 })
2495 testCases = append(testCases, testCase{
2496 protocol: dtls,
2497 name: "LargeMessage-DTLS",
2498 config: Config{
2499 Certificates: []Certificate{cert},
2500 },
2501 })
2502
2503 // They are rejected if the maximum certificate chain length is capped.
2504 testCases = append(testCases, testCase{
2505 name: "LargeMessage-Reject",
2506 config: Config{
2507 Certificates: []Certificate{cert},
2508 },
2509 flags: []string{"-max-cert-list", "16384"},
2510 shouldFail: true,
2511 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2512 })
2513 testCases = append(testCases, testCase{
2514 protocol: dtls,
2515 name: "LargeMessage-Reject-DTLS",
2516 config: Config{
2517 Certificates: []Certificate{cert},
2518 },
2519 flags: []string{"-max-cert-list", "16384"},
2520 shouldFail: true,
2521 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2522 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2523}
2524
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2525func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2526 const psk = "12345"
2527 const pskIdentity = "luggage combo"
2528
2529 var prefix string
2530 if protocol == dtls {
2531 if !ver.hasDTLS {
2532 return
2533 }
2534 prefix = "D"
2535 }
2536
2537 var cert Certificate
2538 var certFile string
2539 var keyFile string
2540 if hasComponent(suite.name, "ECDSA") {
2541 cert = ecdsaP256Certificate
2542 certFile = ecdsaP256CertificateFile
2543 keyFile = ecdsaP256KeyFile
2544 } else {
2545 cert = rsaCertificate
2546 certFile = rsaCertificateFile
2547 keyFile = rsaKeyFile
2548 }
2549
2550 var flags []string
2551 if hasComponent(suite.name, "PSK") {
2552 flags = append(flags,
2553 "-psk", psk,
2554 "-psk-identity", pskIdentity)
2555 }
2556 if hasComponent(suite.name, "NULL") {
2557 // NULL ciphers must be explicitly enabled.
2558 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2559 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2560
2561 var shouldServerFail, shouldClientFail bool
2562 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2563 // BoringSSL clients accept ECDHE on SSLv3, but
2564 // a BoringSSL server will never select it
2565 // because the extension is missing.
2566 shouldServerFail = true
2567 }
2568 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2569 shouldClientFail = true
2570 shouldServerFail = true
2571 }
2572 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2573 shouldClientFail = true
2574 shouldServerFail = true
2575 }
2576 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2577 shouldClientFail = true
2578 shouldServerFail = true
2579 }
2580 if !isDTLSCipher(suite.name) && protocol == dtls {
2581 shouldClientFail = true
2582 shouldServerFail = true
2583 }
2584
2585 var sendCipherSuite uint16
2586 var expectedServerError, expectedClientError string
2587 serverCipherSuites := []uint16{suite.id}
2588 if shouldServerFail {
2589 expectedServerError = ":NO_SHARED_CIPHER:"
2590 }
2591 if shouldClientFail {
2592 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2593 // Configure the server to select ciphers as normal but
2594 // select an incompatible cipher in ServerHello.
2595 serverCipherSuites = nil
2596 sendCipherSuite = suite.id
2597 }
2598
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2599 // For cipher suites and versions where exporters are defined, verify
2600 // that they interoperate.
2601 var exportKeyingMaterial int
2602 if ver.version > VersionSSL30 {
2603 exportKeyingMaterial = 1024
2604 }
2605
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2606 testCases = append(testCases, testCase{
2607 testType: serverTest,
2608 protocol: protocol,
2609 name: prefix + ver.name + "-" + suite.name + "-server",
2610 config: Config{
2611 MinVersion: ver.version,
2612 MaxVersion: ver.version,
2613 CipherSuites: []uint16{suite.id},
2614 Certificates: []Certificate{cert},
2615 PreSharedKey: []byte(psk),
2616 PreSharedKeyIdentity: pskIdentity,
2617 Bugs: ProtocolBugs{
2618 AdvertiseAllConfiguredCiphers: true,
2619 },
2620 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2621 certFile: certFile,
2622 keyFile: keyFile,
2623 flags: flags,
2624 resumeSession: true,
2625 shouldFail: shouldServerFail,
2626 expectedError: expectedServerError,
2627 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2628 })
2629
2630 testCases = append(testCases, testCase{
2631 testType: clientTest,
2632 protocol: protocol,
2633 name: prefix + ver.name + "-" + suite.name + "-client",
2634 config: Config{
2635 MinVersion: ver.version,
2636 MaxVersion: ver.version,
2637 CipherSuites: serverCipherSuites,
2638 Certificates: []Certificate{cert},
2639 PreSharedKey: []byte(psk),
2640 PreSharedKeyIdentity: pskIdentity,
2641 Bugs: ProtocolBugs{
2642 IgnorePeerCipherPreferences: shouldClientFail,
2643 SendCipherSuite: sendCipherSuite,
2644 },
2645 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2646 flags: flags,
2647 resumeSession: true,
2648 shouldFail: shouldClientFail,
2649 expectedError: expectedClientError,
2650 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2651 })
2652
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2653 if shouldClientFail {
2654 return
2655 }
2656
2657 // Ensure the maximum record size is accepted.
2658 testCases = append(testCases, testCase{
2659 protocol: protocol,
2660 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2661 config: Config{
2662 MinVersion: ver.version,
2663 MaxVersion: ver.version,
2664 CipherSuites: []uint16{suite.id},
2665 Certificates: []Certificate{cert},
2666 PreSharedKey: []byte(psk),
2667 PreSharedKeyIdentity: pskIdentity,
2668 },
2669 flags: flags,
2670 messageLen: maxPlaintext,
2671 })
2672
2673 // Test bad records for all ciphers. Bad records are fatal in TLS
2674 // and ignored in DTLS.
2675 var shouldFail bool
2676 var expectedError string
2677 if protocol == tls {
2678 shouldFail = true
2679 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2680 }
2681
2682 testCases = append(testCases, testCase{
2683 protocol: protocol,
2684 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2685 config: Config{
2686 MinVersion: ver.version,
2687 MaxVersion: ver.version,
2688 CipherSuites: []uint16{suite.id},
2689 Certificates: []Certificate{cert},
2690 PreSharedKey: []byte(psk),
2691 PreSharedKeyIdentity: pskIdentity,
2692 },
2693 flags: flags,
2694 damageFirstWrite: true,
2695 messageLen: maxPlaintext,
2696 shouldFail: shouldFail,
2697 expectedError: expectedError,
2698 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2699}
2700
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2701func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2702 const bogusCipher = 0xfe00
2703
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2704 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2705 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2706 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2707 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2708 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2709 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2710 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2711
2712 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2713 name: "NoSharedCipher",
2714 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2715 MaxVersion: VersionTLS12,
2716 CipherSuites: []uint16{},
2717 },
2718 shouldFail: true,
2719 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2720 })
2721
2722 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2723 name: "NoSharedCipher-TLS13",
2724 config: Config{
2725 MaxVersion: VersionTLS13,
2726 CipherSuites: []uint16{},
2727 },
2728 shouldFail: true,
2729 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2730 })
2731
2732 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2733 name: "UnsupportedCipherSuite",
2734 config: Config{
2735 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2736 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2737 Bugs: ProtocolBugs{
2738 IgnorePeerCipherPreferences: true,
2739 },
2740 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2741 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2742 shouldFail: true,
2743 expectedError: ":WRONG_CIPHER_RETURNED:",
2744 })
2745
2746 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2747 name: "ServerHelloBogusCipher",
2748 config: Config{
2749 MaxVersion: VersionTLS12,
2750 Bugs: ProtocolBugs{
2751 SendCipherSuite: bogusCipher,
2752 },
2753 },
2754 shouldFail: true,
2755 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2756 })
2757 testCases = append(testCases, testCase{
2758 name: "ServerHelloBogusCipher-TLS13",
2759 config: Config{
2760 MaxVersion: VersionTLS13,
2761 Bugs: ProtocolBugs{
2762 SendCipherSuite: bogusCipher,
2763 },
2764 },
2765 shouldFail: true,
2766 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2767 })
2768
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2769 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2770 testCases = append(testCases, testCase{
2771 testType: serverTest,
2772 name: "UnknownCipher",
2773 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2774 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2775 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2776 Bugs: ProtocolBugs{
2777 AdvertiseAllConfiguredCiphers: true,
2778 },
2779 },
2780 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2781
2782 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2783 testCases = append(testCases, testCase{
2784 testType: serverTest,
2785 name: "UnknownCipher-TLS13",
2786 config: Config{
2787 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2788 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2789 Bugs: ProtocolBugs{
2790 AdvertiseAllConfiguredCiphers: true,
2791 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2792 },
2793 })
2794
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2795 // Test empty ECDHE_PSK identity hints work as expected.
2796 testCases = append(testCases, testCase{
2797 name: "EmptyECDHEPSKHint",
2798 config: Config{
2799 MaxVersion: VersionTLS12,
2800 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2801 PreSharedKey: []byte("secret"),
2802 },
2803 flags: []string{"-psk", "secret"},
2804 })
2805
2806 // Test empty PSK identity hints work as expected, even if an explicit
2807 // ServerKeyExchange is sent.
2808 testCases = append(testCases, testCase{
2809 name: "ExplicitEmptyPSKHint",
2810 config: Config{
2811 MaxVersion: VersionTLS12,
2812 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2813 PreSharedKey: []byte("secret"),
2814 Bugs: ProtocolBugs{
2815 AlwaysSendPreSharedKeyIdentityHint: true,
2816 },
2817 },
2818 flags: []string{"-psk", "secret"},
2819 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]2820
2821 // Test that clients enforce that the server-sent certificate and cipher
2822 // suite match in TLS 1.2.
2823 testCases = append(testCases, testCase{
2824 name: "CertificateCipherMismatch-RSA",
2825 config: Config{
2826 MaxVersion: VersionTLS12,
2827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2828 Certificates: []Certificate{rsaCertificate},
2829 Bugs: ProtocolBugs{
2830 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2831 },
2832 },
2833 shouldFail: true,
2834 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2835 })
2836 testCases = append(testCases, testCase{
2837 name: "CertificateCipherMismatch-ECDSA",
2838 config: Config{
2839 MaxVersion: VersionTLS12,
2840 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2841 Certificates: []Certificate{ecdsaP256Certificate},
2842 Bugs: ProtocolBugs{
2843 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2844 },
2845 },
2846 shouldFail: true,
2847 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2848 })
2849 testCases = append(testCases, testCase{
2850 name: "CertificateCipherMismatch-Ed25519",
2851 config: Config{
2852 MaxVersion: VersionTLS12,
2853 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2854 Certificates: []Certificate{ed25519Certificate},
2855 Bugs: ProtocolBugs{
2856 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2857 },
2858 },
2859 shouldFail: true,
2860 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2861 })
2862
2863 // Test that servers decline to select a cipher suite which is
2864 // inconsistent with their configured certificate.
2865 testCases = append(testCases, testCase{
2866 testType: serverTest,
2867 name: "ServerCipherFilter-RSA",
2868 config: Config{
2869 MaxVersion: VersionTLS12,
2870 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2871 },
2872 flags: []string{
2873 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2874 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2875 },
2876 shouldFail: true,
2877 expectedError: ":NO_SHARED_CIPHER:",
2878 })
2879 testCases = append(testCases, testCase{
2880 testType: serverTest,
2881 name: "ServerCipherFilter-ECDSA",
2882 config: Config{
2883 MaxVersion: VersionTLS12,
2884 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2885 },
2886 flags: []string{
2887 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2888 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2889 },
2890 shouldFail: true,
2891 expectedError: ":NO_SHARED_CIPHER:",
2892 })
2893 testCases = append(testCases, testCase{
2894 testType: serverTest,
2895 name: "ServerCipherFilter-Ed25519",
2896 config: Config{
2897 MaxVersion: VersionTLS12,
2898 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2899 },
2900 flags: []string{
2901 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2902 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2903 },
2904 shouldFail: true,
2905 expectedError: ":NO_SHARED_CIPHER:",
2906 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2907}
2908
2909func addBadECDSASignatureTests() {
2910 for badR := BadValue(1); badR < NumBadValues; badR++ {
2911 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2912 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2913 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2914 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2915 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2916 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2917 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2918 Bugs: ProtocolBugs{
2919 BadECDSAR: badR,
2920 BadECDSAS: badS,
2921 },
2922 },
2923 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2924 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2925 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2926 testCases = append(testCases, testCase{
2927 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2928 config: Config{
2929 MaxVersion: VersionTLS13,
2930 Certificates: []Certificate{ecdsaP256Certificate},
2931 Bugs: ProtocolBugs{
2932 BadECDSAR: badR,
2933 BadECDSAS: badS,
2934 },
2935 },
2936 shouldFail: true,
2937 expectedError: ":BAD_SIGNATURE:",
2938 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2939 }
2940 }
2941}
2942
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2943func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2944 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2945 name: "MaxCBCPadding",
2946 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2947 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2948 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2949 Bugs: ProtocolBugs{
2950 MaxPadding: true,
2951 },
2952 },
2953 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2954 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2955 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2956 name: "BadCBCPadding",
2957 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2958 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2959 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2960 Bugs: ProtocolBugs{
2961 PaddingFirstByteBad: true,
2962 },
2963 },
2964 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2965 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2966 })
2967 // OpenSSL previously had an issue where the first byte of padding in
2968 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2969 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2970 name: "BadCBCPadding255",
2971 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2972 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2973 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2974 Bugs: ProtocolBugs{
2975 MaxPadding: true,
2976 PaddingFirstByteBadIf255: true,
2977 },
2978 },
2979 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2980 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2981 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2982 })
2983}
2984
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2985func addCBCSplittingTests() {
2986 testCases = append(testCases, testCase{
2987 name: "CBCRecordSplitting",
2988 config: Config{
2989 MaxVersion: VersionTLS10,
2990 MinVersion: VersionTLS10,
2991 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2992 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2993 messageLen: -1, // read until EOF
2994 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2995 flags: []string{
2996 "-async",
2997 "-write-different-record-sizes",
2998 "-cbc-record-splitting",
2999 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]3000 })
3001 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]3002 name: "CBCRecordSplittingPartialWrite",
3003 config: Config{
3004 MaxVersion: VersionTLS10,
3005 MinVersion: VersionTLS10,
3006 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3007 },
3008 messageLen: -1, // read until EOF
3009 flags: []string{
3010 "-async",
3011 "-write-different-record-sizes",
3012 "-cbc-record-splitting",
3013 "-partial-write",
3014 },
3015 })
3016}
3017
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3018func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3019 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3020 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3021 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3022 cert, err := x509.ParseCertificate(cert.Certificate[0])
3023 if err != nil {
3024 panic(err)
3025 }
3026 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3027 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3028 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]3029
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3030 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3031 testCases = append(testCases, testCase{
3032 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3033 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3034 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3035 MinVersion: ver.version,
3036 MaxVersion: ver.version,
3037 ClientAuth: RequireAnyClientCert,
3038 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3039 },
3040 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3041 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3042 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3043 },
3044 })
3045 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3046 testType: serverTest,
3047 name: ver.name + "-Server-ClientAuth-RSA",
3048 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3049 MinVersion: ver.version,
3050 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3051 Certificates: []Certificate{rsaCertificate},
3052 },
3053 flags: []string{"-require-any-client-certificate"},
3054 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3055 if ver.version != VersionSSL30 {
3056 testCases = append(testCases, testCase{
3057 testType: serverTest,
3058 name: ver.name + "-Server-ClientAuth-ECDSA",
3059 config: Config{
3060 MinVersion: ver.version,
3061 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3062 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3063 },
3064 flags: []string{"-require-any-client-certificate"},
3065 })
3066 testCases = append(testCases, testCase{
3067 testType: clientTest,
3068 name: ver.name + "-Client-ClientAuth-ECDSA",
3069 config: Config{
3070 MinVersion: ver.version,
3071 MaxVersion: ver.version,
3072 ClientAuth: RequireAnyClientCert,
3073 ClientCAs: certPool,
3074 },
3075 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3076 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3077 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3078 },
3079 })
3080 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3081
3082 testCases = append(testCases, testCase{
3083 name: "NoClientCertificate-" + ver.name,
3084 config: Config{
3085 MinVersion: ver.version,
3086 MaxVersion: ver.version,
3087 ClientAuth: RequireAnyClientCert,
3088 },
3089 shouldFail: true,
3090 expectedLocalError: "client didn't provide a certificate",
3091 })
3092
3093 testCases = append(testCases, testCase{
3094 // Even if not configured to expect a certificate, OpenSSL will
3095 // return X509_V_OK as the verify_result.
3096 testType: serverTest,
3097 name: "NoClientCertificateRequested-Server-" + ver.name,
3098 config: Config{
3099 MinVersion: ver.version,
3100 MaxVersion: ver.version,
3101 },
3102 flags: []string{
3103 "-expect-verify-result",
3104 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3105 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3106 })
3107
3108 testCases = append(testCases, testCase{
3109 // If a client certificate is not provided, OpenSSL will still
3110 // return X509_V_OK as the verify_result.
3111 testType: serverTest,
3112 name: "NoClientCertificate-Server-" + ver.name,
3113 config: Config{
3114 MinVersion: ver.version,
3115 MaxVersion: ver.version,
3116 },
3117 flags: []string{
3118 "-expect-verify-result",
3119 "-verify-peer",
3120 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3121 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3122 })
3123
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3124 certificateRequired := "remote error: certificate required"
3125 if ver.version < VersionTLS13 {
3126 // Prior to TLS 1.3, the generic handshake_failure alert
3127 // was used.
3128 certificateRequired = "remote error: handshake failure"
3129 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3130 testCases = append(testCases, testCase{
3131 testType: serverTest,
3132 name: "RequireAnyClientCertificate-" + ver.name,
3133 config: Config{
3134 MinVersion: ver.version,
3135 MaxVersion: ver.version,
3136 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3137 flags: []string{"-require-any-client-certificate"},
3138 shouldFail: true,
3139 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3140 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3141 })
3142
3143 if ver.version != VersionSSL30 {
3144 testCases = append(testCases, testCase{
3145 testType: serverTest,
3146 name: "SkipClientCertificate-" + ver.name,
3147 config: Config{
3148 MinVersion: ver.version,
3149 MaxVersion: ver.version,
3150 Bugs: ProtocolBugs{
3151 SkipClientCertificate: true,
3152 },
3153 },
3154 // Setting SSL_VERIFY_PEER allows anonymous clients.
3155 flags: []string{"-verify-peer"},
3156 shouldFail: true,
3157 expectedError: ":UNEXPECTED_MESSAGE:",
3158 })
3159 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3160
3161 testCases = append(testCases, testCase{
3162 testType: serverTest,
3163 name: ver.name + "-Server-CertReq-CA-List",
3164 config: Config{
3165 MinVersion: ver.version,
3166 MaxVersion: ver.version,
3167 Certificates: []Certificate{rsaCertificate},
3168 Bugs: ProtocolBugs{
3169 ExpectCertificateReqNames: caNames,
3170 },
3171 },
3172 flags: []string{
3173 "-require-any-client-certificate",
3174 "-use-client-ca-list", encodeDERValues(caNames),
3175 },
3176 })
3177
3178 testCases = append(testCases, testCase{
3179 testType: clientTest,
3180 name: ver.name + "-Client-CertReq-CA-List",
3181 config: Config{
3182 MinVersion: ver.version,
3183 MaxVersion: ver.version,
3184 Certificates: []Certificate{rsaCertificate},
3185 ClientAuth: RequireAnyClientCert,
3186 ClientCAs: certPool,
3187 },
3188 flags: []string{
3189 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3190 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3191 "-expect-client-ca-list", encodeDERValues(caNames),
3192 },
3193 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3194 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3195
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3196 // Client auth is only legal in certificate-based ciphers.
3197 testCases = append(testCases, testCase{
3198 testType: clientTest,
3199 name: "ClientAuth-PSK",
3200 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3201 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3202 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3203 PreSharedKey: []byte("secret"),
3204 ClientAuth: RequireAnyClientCert,
3205 },
3206 flags: []string{
3207 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3208 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3209 "-psk", "secret",
3210 },
3211 shouldFail: true,
3212 expectedError: ":UNEXPECTED_MESSAGE:",
3213 })
3214 testCases = append(testCases, testCase{
3215 testType: clientTest,
3216 name: "ClientAuth-ECDHE_PSK",
3217 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3218 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3219 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3220 PreSharedKey: []byte("secret"),
3221 ClientAuth: RequireAnyClientCert,
3222 },
3223 flags: []string{
3224 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3225 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3226 "-psk", "secret",
3227 },
3228 shouldFail: true,
3229 expectedError: ":UNEXPECTED_MESSAGE:",
3230 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3231
3232 // Regression test for a bug where the client CA list, if explicitly
3233 // set to NULL, was mis-encoded.
3234 testCases = append(testCases, testCase{
3235 testType: serverTest,
3236 name: "Null-Client-CA-List",
3237 config: Config{
3238 MaxVersion: VersionTLS12,
3239 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3240 Bugs: ProtocolBugs{
3241 ExpectCertificateReqNames: [][]byte{},
3242 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3243 },
3244 flags: []string{
3245 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3246 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3247 },
3248 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3249}
3250
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3251func addExtendedMasterSecretTests() {
3252 const expectEMSFlag = "-expect-extended-master-secret"
3253
3254 for _, with := range []bool{false, true} {
3255 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3256 if with {
3257 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3258 }
3259
3260 for _, isClient := range []bool{false, true} {
3261 suffix := "-Server"
3262 testType := serverTest
3263 if isClient {
3264 suffix = "-Client"
3265 testType = clientTest
3266 }
3267
3268 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3269 // In TLS 1.3, the extension is irrelevant and
3270 // always reports as enabled.
3271 var flags []string
3272 if with || ver.version >= VersionTLS13 {
3273 flags = []string{expectEMSFlag}
3274 }
3275
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3276 test := testCase{
3277 testType: testType,
3278 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3279 config: Config{
3280 MinVersion: ver.version,
3281 MaxVersion: ver.version,
3282 Bugs: ProtocolBugs{
3283 NoExtendedMasterSecret: !with,
3284 RequireExtendedMasterSecret: with,
3285 },
3286 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3287 flags: flags,
3288 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3289 }
3290 if test.shouldFail {
3291 test.expectedLocalError = "extended master secret required but not supported by peer"
3292 }
3293 testCases = append(testCases, test)
3294 }
3295 }
3296 }
3297
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3298 for _, isClient := range []bool{false, true} {
3299 for _, supportedInFirstConnection := range []bool{false, true} {
3300 for _, supportedInResumeConnection := range []bool{false, true} {
3301 boolToWord := func(b bool) string {
3302 if b {
3303 return "Yes"
3304 }
3305 return "No"
3306 }
3307 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3308 if isClient {
3309 suffix += "Client"
3310 } else {
3311 suffix += "Server"
3312 }
3313
3314 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3315 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3316 Bugs: ProtocolBugs{
3317 RequireExtendedMasterSecret: true,
3318 },
3319 }
3320
3321 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3322 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3323 Bugs: ProtocolBugs{
3324 NoExtendedMasterSecret: true,
3325 },
3326 }
3327
3328 test := testCase{
3329 name: "ExtendedMasterSecret-" + suffix,
3330 resumeSession: true,
3331 }
3332
3333 if !isClient {
3334 test.testType = serverTest
3335 }
3336
3337 if supportedInFirstConnection {
3338 test.config = supportedConfig
3339 } else {
3340 test.config = noSupportConfig
3341 }
3342
3343 if supportedInResumeConnection {
3344 test.resumeConfig = &supportedConfig
3345 } else {
3346 test.resumeConfig = &noSupportConfig
3347 }
3348
3349 switch suffix {
3350 case "YesToYes-Client", "YesToYes-Server":
3351 // When a session is resumed, it should
3352 // still be aware that its master
3353 // secret was generated via EMS and
3354 // thus it's safe to use tls-unique.
3355 test.flags = []string{expectEMSFlag}
3356 case "NoToYes-Server":
3357 // If an original connection did not
3358 // contain EMS, but a resumption
3359 // handshake does, then a server should
3360 // not resume the session.
3361 test.expectResumeRejected = true
3362 case "YesToNo-Server":
3363 // Resuming an EMS session without the
3364 // EMS extension should cause the
3365 // server to abort the connection.
3366 test.shouldFail = true
3367 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3368 case "NoToYes-Client":
3369 // A client should abort a connection
3370 // where the server resumed a non-EMS
3371 // session but echoed the EMS
3372 // extension.
3373 test.shouldFail = true
3374 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3375 case "YesToNo-Client":
3376 // A client should abort a connection
3377 // where the server didn't echo EMS
3378 // when the session used it.
3379 test.shouldFail = true
3380 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3381 }
3382
3383 testCases = append(testCases, test)
3384 }
3385 }
3386 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3387
3388 // Switching EMS on renegotiation is forbidden.
3389 testCases = append(testCases, testCase{
3390 name: "ExtendedMasterSecret-Renego-NoEMS",
3391 config: Config{
3392 MaxVersion: VersionTLS12,
3393 Bugs: ProtocolBugs{
3394 NoExtendedMasterSecret: true,
3395 NoExtendedMasterSecretOnRenegotiation: true,
3396 },
3397 },
3398 renegotiate: 1,
3399 flags: []string{
3400 "-renegotiate-freely",
3401 "-expect-total-renegotiations", "1",
3402 },
3403 })
3404
3405 testCases = append(testCases, testCase{
3406 name: "ExtendedMasterSecret-Renego-Upgrade",
3407 config: Config{
3408 MaxVersion: VersionTLS12,
3409 Bugs: ProtocolBugs{
3410 NoExtendedMasterSecret: true,
3411 },
3412 },
3413 renegotiate: 1,
3414 flags: []string{
3415 "-renegotiate-freely",
3416 "-expect-total-renegotiations", "1",
3417 },
3418 shouldFail: true,
3419 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3420 })
3421
3422 testCases = append(testCases, testCase{
3423 name: "ExtendedMasterSecret-Renego-Downgrade",
3424 config: Config{
3425 MaxVersion: VersionTLS12,
3426 Bugs: ProtocolBugs{
3427 NoExtendedMasterSecretOnRenegotiation: true,
3428 },
3429 },
3430 renegotiate: 1,
3431 flags: []string{
3432 "-renegotiate-freely",
3433 "-expect-total-renegotiations", "1",
3434 },
3435 shouldFail: true,
3436 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3437 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3438}
3439
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3440type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3441 protocol protocol
3442 async bool
3443 splitHandshake bool
3444 packHandshakeFlight bool
3445 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3446}
3447
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3448// Adds tests that try to cover the range of the handshake state machine, under
3449// various conditions. Some of these are redundant with other tests, but they
3450// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3451func addAllStateMachineCoverageTests() {
3452 for _, async := range []bool{false, true} {
3453 for _, protocol := range []protocol{tls, dtls} {
3454 addStateMachineCoverageTests(stateMachineTestConfig{
3455 protocol: protocol,
3456 async: async,
3457 })
3458 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3459 protocol: protocol,
3460 async: async,
3461 implicitHandshake: true,
3462 })
3463 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3464 protocol: protocol,
3465 async: async,
3466 splitHandshake: true,
3467 })
3468 if protocol == tls {
3469 addStateMachineCoverageTests(stateMachineTestConfig{
3470 protocol: protocol,
3471 async: async,
3472 packHandshakeFlight: true,
3473 })
3474 }
3475 }
3476 }
3477}
3478
3479func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3480 var tests []testCase
3481
3482 // Basic handshake, with resumption. Client and server,
3483 // session ID and session ticket.
3484 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3485 name: "Basic-Client",
3486 config: Config{
3487 MaxVersion: VersionTLS12,
3488 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3489 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3490 // Ensure session tickets are used, not session IDs.
3491 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3492 })
3493 tests = append(tests, testCase{
3494 name: "Basic-Client-RenewTicket",
3495 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3496 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3497 Bugs: ProtocolBugs{
3498 RenewTicketOnResume: true,
3499 },
3500 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3501 flags: []string{"-expect-ticket-renewal"},
3502 resumeSession: true,
3503 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3504 })
3505 tests = append(tests, testCase{
3506 name: "Basic-Client-NoTicket",
3507 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3508 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3509 SessionTicketsDisabled: true,
3510 },
3511 resumeSession: true,
3512 })
3513 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3514 testType: serverTest,
3515 name: "Basic-Server",
3516 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3517 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3518 Bugs: ProtocolBugs{
3519 RequireSessionTickets: true,
3520 },
3521 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3522 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3523 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3524 })
3525 tests = append(tests, testCase{
3526 testType: serverTest,
3527 name: "Basic-Server-NoTickets",
3528 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3529 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3530 SessionTicketsDisabled: true,
3531 },
3532 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3533 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3534 })
3535 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3536 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3537 name: "Basic-Server-EarlyCallback",
3538 config: Config{
3539 MaxVersion: VersionTLS12,
3540 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3541 flags: []string{"-use-early-callback"},
3542 resumeSession: true,
3543 })
3544
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3545 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3546 if config.protocol == tls {
3547 tests = append(tests, testCase{
3548 name: "TLS13-1RTT-Client",
3549 config: Config{
3550 MaxVersion: VersionTLS13,
3551 MinVersion: VersionTLS13,
3552 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3553 resumeSession: true,
3554 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3555 })
3556
3557 tests = append(tests, testCase{
3558 testType: serverTest,
3559 name: "TLS13-1RTT-Server",
3560 config: Config{
3561 MaxVersion: VersionTLS13,
3562 MinVersion: VersionTLS13,
3563 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3564 resumeSession: true,
3565 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3566 // TLS 1.3 uses tickets, so the session should not be
3567 // cached statefully.
3568 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3569 })
3570
3571 tests = append(tests, testCase{
3572 name: "TLS13-HelloRetryRequest-Client",
3573 config: Config{
3574 MaxVersion: VersionTLS13,
3575 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3576 // P-384 requires a HelloRetryRequest against BoringSSL's default
3577 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3578 CurvePreferences: []CurveID{CurveP384},
3579 Bugs: ProtocolBugs{
3580 ExpectMissingKeyShare: true,
3581 },
3582 },
3583 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3584 resumeSession: true,
3585 })
3586
3587 tests = append(tests, testCase{
3588 testType: serverTest,
3589 name: "TLS13-HelloRetryRequest-Server",
3590 config: Config{
3591 MaxVersion: VersionTLS13,
3592 MinVersion: VersionTLS13,
3593 // Require a HelloRetryRequest for every curve.
3594 DefaultCurves: []CurveID{},
3595 },
3596 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3597 resumeSession: true,
3598 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3599
3600 // TODO(svaldez): Send data on early data once implemented.
3601 tests = append(tests, testCase{
3602 testType: clientTest,
3603 name: "TLS13-EarlyData-Client",
3604 config: Config{
3605 MaxVersion: VersionTLS13,
3606 MinVersion: VersionTLS13,
3607 MaxEarlyDataSize: 16384,
3608 },
3609 resumeSession: true,
3610 flags: []string{
3611 "-enable-early-data",
3612 "-expect-early-data-info",
3613 "-expect-accept-early-data",
3614 },
3615 })
3616
3617 tests = append(tests, testCase{
3618 testType: serverTest,
3619 name: "TLS13-EarlyData-Server",
3620 config: Config{
3621 MaxVersion: VersionTLS13,
3622 MinVersion: VersionTLS13,
3623 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3624 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3625 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3626 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3627 },
3628 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3629 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3630 resumeSession: true,
3631 flags: []string{
3632 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3633 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3634 },
3635 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3636 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3637
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3638 // TLS client auth.
3639 tests = append(tests, testCase{
3640 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3641 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3642 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3643 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3644 ClientAuth: RequestClientCert,
3645 },
3646 })
3647 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3648 testType: serverTest,
3649 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3650 config: Config{
3651 MaxVersion: VersionTLS12,
3652 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3653 // Setting SSL_VERIFY_PEER allows anonymous clients.
3654 flags: []string{"-verify-peer"},
3655 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3656 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3657 tests = append(tests, testCase{
3658 testType: clientTest,
3659 name: "ClientAuth-NoCertificate-Client-SSL3",
3660 config: Config{
3661 MaxVersion: VersionSSL30,
3662 ClientAuth: RequestClientCert,
3663 },
3664 })
3665 tests = append(tests, testCase{
3666 testType: serverTest,
3667 name: "ClientAuth-NoCertificate-Server-SSL3",
3668 config: Config{
3669 MaxVersion: VersionSSL30,
3670 },
3671 // Setting SSL_VERIFY_PEER allows anonymous clients.
3672 flags: []string{"-verify-peer"},
3673 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3674 tests = append(tests, testCase{
3675 testType: clientTest,
3676 name: "ClientAuth-NoCertificate-Client-TLS13",
3677 config: Config{
3678 MaxVersion: VersionTLS13,
3679 ClientAuth: RequestClientCert,
3680 },
3681 })
3682 tests = append(tests, testCase{
3683 testType: serverTest,
3684 name: "ClientAuth-NoCertificate-Server-TLS13",
3685 config: Config{
3686 MaxVersion: VersionTLS13,
3687 },
3688 // Setting SSL_VERIFY_PEER allows anonymous clients.
3689 flags: []string{"-verify-peer"},
3690 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3691 }
3692 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3693 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3694 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3695 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3696 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3697 ClientAuth: RequireAnyClientCert,
3698 },
3699 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3700 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3701 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3702 },
3703 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3704 tests = append(tests, testCase{
3705 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3706 name: "ClientAuth-RSA-Client-TLS13",
3707 config: Config{
3708 MaxVersion: VersionTLS13,
3709 ClientAuth: RequireAnyClientCert,
3710 },
3711 flags: []string{
3712 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3713 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3714 },
3715 })
3716 tests = append(tests, testCase{
3717 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3718 name: "ClientAuth-ECDSA-Client",
3719 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3720 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3721 ClientAuth: RequireAnyClientCert,
3722 },
3723 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3724 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3725 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3726 },
3727 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3728 tests = append(tests, testCase{
3729 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3730 name: "ClientAuth-ECDSA-Client-TLS13",
3731 config: Config{
3732 MaxVersion: VersionTLS13,
3733 ClientAuth: RequireAnyClientCert,
3734 },
3735 flags: []string{
3736 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3737 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3738 },
3739 })
3740 tests = append(tests, testCase{
3741 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3742 name: "ClientAuth-NoCertificate-OldCallback",
3743 config: Config{
3744 MaxVersion: VersionTLS12,
3745 ClientAuth: RequestClientCert,
3746 },
3747 flags: []string{"-use-old-client-cert-callback"},
3748 })
3749 tests = append(tests, testCase{
3750 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3751 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3752 config: Config{
3753 MaxVersion: VersionTLS13,
3754 ClientAuth: RequestClientCert,
3755 },
3756 flags: []string{"-use-old-client-cert-callback"},
3757 })
3758 tests = append(tests, testCase{
3759 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3760 name: "ClientAuth-OldCallback",
3761 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3762 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3763 ClientAuth: RequireAnyClientCert,
3764 },
3765 flags: []string{
3766 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3767 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3768 "-use-old-client-cert-callback",
3769 },
3770 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3771 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3772 testType: clientTest,
3773 name: "ClientAuth-OldCallback-TLS13",
3774 config: Config{
3775 MaxVersion: VersionTLS13,
3776 ClientAuth: RequireAnyClientCert,
3777 },
3778 flags: []string{
3779 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3780 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3781 "-use-old-client-cert-callback",
3782 },
3783 })
3784 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3785 testType: serverTest,
3786 name: "ClientAuth-Server",
3787 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3788 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3789 Certificates: []Certificate{rsaCertificate},
3790 },
3791 flags: []string{"-require-any-client-certificate"},
3792 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3793 tests = append(tests, testCase{
3794 testType: serverTest,
3795 name: "ClientAuth-Server-TLS13",
3796 config: Config{
3797 MaxVersion: VersionTLS13,
3798 Certificates: []Certificate{rsaCertificate},
3799 },
3800 flags: []string{"-require-any-client-certificate"},
3801 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3802
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3803 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3804 tests = append(tests, testCase{
3805 testType: serverTest,
3806 name: "Basic-Server-RSA",
3807 config: Config{
3808 MaxVersion: VersionTLS12,
3809 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3810 },
3811 flags: []string{
3812 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3813 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3814 },
3815 })
3816 tests = append(tests, testCase{
3817 testType: serverTest,
3818 name: "Basic-Server-ECDHE-RSA",
3819 config: Config{
3820 MaxVersion: VersionTLS12,
3821 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3822 },
3823 flags: []string{
3824 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3825 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3826 },
3827 })
3828 tests = append(tests, testCase{
3829 testType: serverTest,
3830 name: "Basic-Server-ECDHE-ECDSA",
3831 config: Config{
3832 MaxVersion: VersionTLS12,
3833 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3834 },
3835 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3836 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3837 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3838 },
3839 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]3840 tests = append(tests, testCase{
3841 testType: serverTest,
3842 name: "Basic-Server-Ed25519",
3843 config: Config{
3844 MaxVersion: VersionTLS12,
3845 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3846 },
3847 flags: []string{
3848 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3849 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3850 "-enable-ed25519",
3851 },
3852 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3853
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3854 // No session ticket support; server doesn't send NewSessionTicket.
3855 tests = append(tests, testCase{
3856 name: "SessionTicketsDisabled-Client",
3857 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3858 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3859 SessionTicketsDisabled: true,
3860 },
3861 })
3862 tests = append(tests, testCase{
3863 testType: serverTest,
3864 name: "SessionTicketsDisabled-Server",
3865 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3866 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3867 SessionTicketsDisabled: true,
3868 },
3869 })
3870
3871 // Skip ServerKeyExchange in PSK key exchange if there's no
3872 // identity hint.
3873 tests = append(tests, testCase{
3874 name: "EmptyPSKHint-Client",
3875 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3876 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3877 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3878 PreSharedKey: []byte("secret"),
3879 },
3880 flags: []string{"-psk", "secret"},
3881 })
3882 tests = append(tests, testCase{
3883 testType: serverTest,
3884 name: "EmptyPSKHint-Server",
3885 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3886 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3887 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3888 PreSharedKey: []byte("secret"),
3889 },
3890 flags: []string{"-psk", "secret"},
3891 })
3892
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3893 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3894 tests = append(tests, testCase{
3895 testType: clientTest,
3896 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3897 config: Config{
3898 MaxVersion: VersionTLS12,
3899 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3900 flags: []string{
3901 "-enable-ocsp-stapling",
3902 "-expect-ocsp-response",
3903 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3904 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3905 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3906 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3907 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3908 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3909 testType: serverTest,
3910 name: "OCSPStapling-Server",
3911 config: Config{
3912 MaxVersion: VersionTLS12,
3913 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3914 expectedOCSPResponse: testOCSPResponse,
3915 flags: []string{
3916 "-ocsp-response",
3917 base64.StdEncoding.EncodeToString(testOCSPResponse),
3918 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3919 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3920 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3921 tests = append(tests, testCase{
3922 testType: clientTest,
3923 name: "OCSPStapling-Client-TLS13",
3924 config: Config{
3925 MaxVersion: VersionTLS13,
3926 },
3927 flags: []string{
3928 "-enable-ocsp-stapling",
3929 "-expect-ocsp-response",
3930 base64.StdEncoding.EncodeToString(testOCSPResponse),
3931 "-verify-peer",
3932 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3933 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3934 })
3935 tests = append(tests, testCase{
3936 testType: serverTest,
3937 name: "OCSPStapling-Server-TLS13",
3938 config: Config{
3939 MaxVersion: VersionTLS13,
3940 },
3941 expectedOCSPResponse: testOCSPResponse,
3942 flags: []string{
3943 "-ocsp-response",
3944 base64.StdEncoding.EncodeToString(testOCSPResponse),
3945 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3946 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3947 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3948
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3949 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3950 for _, vers := range tlsVersions {
3951 if config.protocol == dtls && !vers.hasDTLS {
3952 continue
3953 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3954 for _, testType := range []testType{clientTest, serverTest} {
3955 suffix := "-Client"
3956 if testType == serverTest {
3957 suffix = "-Server"
3958 }
3959 suffix += "-" + vers.name
3960
3961 flag := "-verify-peer"
3962 if testType == serverTest {
3963 flag = "-require-any-client-certificate"
3964 }
3965
3966 tests = append(tests, testCase{
3967 testType: testType,
3968 name: "CertificateVerificationSucceed" + suffix,
3969 config: Config{
3970 MaxVersion: vers.version,
3971 Certificates: []Certificate{rsaCertificate},
3972 },
3973 flags: []string{
3974 flag,
3975 "-expect-verify-result",
3976 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3977 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3978 })
3979 tests = append(tests, testCase{
3980 testType: testType,
3981 name: "CertificateVerificationFail" + suffix,
3982 config: Config{
3983 MaxVersion: vers.version,
3984 Certificates: []Certificate{rsaCertificate},
3985 },
3986 flags: []string{
3987 flag,
3988 "-verify-fail",
3989 },
3990 shouldFail: true,
3991 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3992 })
3993 }
3994
3995 // By default, the client is in a soft fail mode where the peer
3996 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3997 tests = append(tests, testCase{
3998 testType: clientTest,
3999 name: "CertificateVerificationSoftFail-" + vers.name,
4000 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]4001 MaxVersion: vers.version,
4002 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4003 },
4004 flags: []string{
4005 "-verify-fail",
4006 "-expect-verify-result",
4007 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4008 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]4009 })
4010 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]4011
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]4012 tests = append(tests, testCase{
4013 name: "ShimSendAlert",
4014 flags: []string{"-send-alert"},
4015 shimWritesFirst: true,
4016 shouldFail: true,
4017 expectedLocalError: "remote error: decompression failure",
4018 })
4019
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4020 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4021 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4022 name: "Renegotiate-Client",
4023 config: Config{
4024 MaxVersion: VersionTLS12,
4025 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]4026 renegotiate: 1,
4027 flags: []string{
4028 "-renegotiate-freely",
4029 "-expect-total-renegotiations", "1",
4030 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4031 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4032
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]4033 tests = append(tests, testCase{
4034 name: "SendHalfHelloRequest",
4035 config: Config{
4036 MaxVersion: VersionTLS12,
4037 Bugs: ProtocolBugs{
4038 PackHelloRequestWithFinished: config.packHandshakeFlight,
4039 },
4040 },
4041 sendHalfHelloRequest: true,
4042 flags: []string{"-renegotiate-ignore"},
4043 shouldFail: true,
4044 expectedError: ":UNEXPECTED_RECORD:",
4045 })
4046
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4047 // NPN on client and server; results in post-handshake message.
4048 tests = append(tests, testCase{
4049 name: "NPN-Client",
4050 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4051 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4052 NextProtos: []string{"foo"},
4053 },
4054 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4055 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4056 expectedNextProto: "foo",
4057 expectedNextProtoType: npn,
4058 })
4059 tests = append(tests, testCase{
4060 testType: serverTest,
4061 name: "NPN-Server",
4062 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4063 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4064 NextProtos: []string{"bar"},
4065 },
4066 flags: []string{
4067 "-advertise-npn", "\x03foo\x03bar\x03baz",
4068 "-expect-next-proto", "bar",
4069 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4070 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4071 expectedNextProto: "bar",
4072 expectedNextProtoType: npn,
4073 })
4074
4075 // TODO(davidben): Add tests for when False Start doesn't trigger.
4076
4077 // Client does False Start and negotiates NPN.
4078 tests = append(tests, testCase{
4079 name: "FalseStart",
4080 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4081 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4082 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4083 NextProtos: []string{"foo"},
4084 Bugs: ProtocolBugs{
4085 ExpectFalseStart: true,
4086 },
4087 },
4088 flags: []string{
4089 "-false-start",
4090 "-select-next-proto", "foo",
4091 },
4092 shimWritesFirst: true,
4093 resumeSession: true,
4094 })
4095
4096 // Client does False Start and negotiates ALPN.
4097 tests = append(tests, testCase{
4098 name: "FalseStart-ALPN",
4099 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4100 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4101 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4102 NextProtos: []string{"foo"},
4103 Bugs: ProtocolBugs{
4104 ExpectFalseStart: true,
4105 },
4106 },
4107 flags: []string{
4108 "-false-start",
4109 "-advertise-alpn", "\x03foo",
4110 },
4111 shimWritesFirst: true,
4112 resumeSession: true,
4113 })
4114
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4115 // False Start without session tickets.
4116 tests = append(tests, testCase{
4117 name: "FalseStart-SessionTicketsDisabled",
4118 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4119 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4121 NextProtos: []string{"foo"},
4122 SessionTicketsDisabled: true,
4123 Bugs: ProtocolBugs{
4124 ExpectFalseStart: true,
4125 },
4126 },
4127 flags: []string{
4128 "-false-start",
4129 "-select-next-proto", "foo",
4130 },
4131 shimWritesFirst: true,
4132 })
4133
4134 // Server parses a V2ClientHello.
4135 tests = append(tests, testCase{
4136 testType: serverTest,
4137 name: "SendV2ClientHello",
4138 config: Config{
4139 // Choose a cipher suite that does not involve
4140 // elliptic curves, so no extensions are
4141 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4142 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4143 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4144 Bugs: ProtocolBugs{
4145 SendV2ClientHello: true,
4146 },
4147 },
4148 })
4149
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4150 // Test Channel ID
4151 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4152 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4153 continue
4154 }
4155 // Client sends a Channel ID.
4156 tests = append(tests, testCase{
4157 name: "ChannelID-Client-" + ver.name,
4158 config: Config{
4159 MaxVersion: ver.version,
4160 RequestChannelID: true,
4161 },
4162 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4163 resumeSession: true,
4164 expectChannelID: true,
4165 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4166
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4167 // Server accepts a Channel ID.
4168 tests = append(tests, testCase{
4169 testType: serverTest,
4170 name: "ChannelID-Server-" + ver.name,
4171 config: Config{
4172 MaxVersion: ver.version,
4173 ChannelID: channelIDKey,
4174 },
4175 flags: []string{
4176 "-expect-channel-id",
4177 base64.StdEncoding.EncodeToString(channelIDBytes),
4178 },
4179 resumeSession: true,
4180 expectChannelID: true,
4181 })
4182
4183 tests = append(tests, testCase{
4184 testType: serverTest,
4185 name: "InvalidChannelIDSignature-" + ver.name,
4186 config: Config{
4187 MaxVersion: ver.version,
4188 ChannelID: channelIDKey,
4189 Bugs: ProtocolBugs{
4190 InvalidChannelIDSignature: true,
4191 },
4192 },
4193 flags: []string{"-enable-channel-id"},
4194 shouldFail: true,
4195 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4196 })
4197 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4198
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4199 // Channel ID and NPN at the same time, to ensure their relative
4200 // ordering is correct.
4201 tests = append(tests, testCase{
4202 name: "ChannelID-NPN-Client",
4203 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4204 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4205 RequestChannelID: true,
4206 NextProtos: []string{"foo"},
4207 },
4208 flags: []string{
4209 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4210 "-select-next-proto", "foo",
4211 },
4212 resumeSession: true,
4213 expectChannelID: true,
4214 expectedNextProto: "foo",
4215 expectedNextProtoType: npn,
4216 })
4217 tests = append(tests, testCase{
4218 testType: serverTest,
4219 name: "ChannelID-NPN-Server",
4220 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4221 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4222 ChannelID: channelIDKey,
4223 NextProtos: []string{"bar"},
4224 },
4225 flags: []string{
4226 "-expect-channel-id",
4227 base64.StdEncoding.EncodeToString(channelIDBytes),
4228 "-advertise-npn", "\x03foo\x03bar\x03baz",
4229 "-expect-next-proto", "bar",
4230 },
4231 resumeSession: true,
4232 expectChannelID: true,
4233 expectedNextProto: "bar",
4234 expectedNextProtoType: npn,
4235 })
4236
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4237 // Bidirectional shutdown with the runner initiating.
4238 tests = append(tests, testCase{
4239 name: "Shutdown-Runner",
4240 config: Config{
4241 Bugs: ProtocolBugs{
4242 ExpectCloseNotify: true,
4243 },
4244 },
4245 flags: []string{"-check-close-notify"},
4246 })
4247
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4248 if !config.implicitHandshake {
4249 // Bidirectional shutdown with the shim initiating. The runner,
4250 // in the meantime, sends garbage before the close_notify which
4251 // the shim must ignore. This test is disabled under implicit
4252 // handshake tests because the shim never reads or writes.
4253 tests = append(tests, testCase{
4254 name: "Shutdown-Shim",
4255 config: Config{
4256 MaxVersion: VersionTLS12,
4257 Bugs: ProtocolBugs{
4258 ExpectCloseNotify: true,
4259 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4260 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4261 shimShutsDown: true,
4262 sendEmptyRecords: 1,
4263 sendWarningAlerts: 1,
4264 flags: []string{"-check-close-notify"},
4265 })
4266 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4267 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4268 // TODO(davidben): DTLS 1.3 will want a similar thing for
4269 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4270 tests = append(tests, testCase{
4271 name: "SkipHelloVerifyRequest",
4272 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4273 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4274 Bugs: ProtocolBugs{
4275 SkipHelloVerifyRequest: true,
4276 },
4277 },
4278 })
4279 }
4280
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4281 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4282 test.protocol = config.protocol
4283 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4284 test.name += "-DTLS"
4285 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4286 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4287 test.name += "-Async"
4288 test.flags = append(test.flags, "-async")
4289 } else {
4290 test.name += "-Sync"
4291 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4292 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4293 test.name += "-SplitHandshakeRecords"
4294 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4295 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4296 test.config.Bugs.MaxPacketLength = 256
4297 test.flags = append(test.flags, "-mtu", "256")
4298 }
4299 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4300 if config.packHandshakeFlight {
4301 test.name += "-PackHandshakeFlight"
4302 test.config.Bugs.PackHandshakeFlight = true
4303 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4304 if config.implicitHandshake {
4305 test.name += "-ImplicitHandshake"
4306 test.flags = append(test.flags, "-implicit-handshake")
4307 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4308 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4309 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4310}
4311
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4312func addDDoSCallbackTests() {
4313 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4314 for _, resume := range []bool{false, true} {
4315 suffix := "Resume"
4316 if resume {
4317 suffix = "No" + suffix
4318 }
4319
4320 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4321 testType: serverTest,
4322 name: "Server-DDoS-OK-" + suffix,
4323 config: Config{
4324 MaxVersion: VersionTLS12,
4325 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4326 flags: []string{"-install-ddos-callback"},
4327 resumeSession: resume,
4328 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4329 testCases = append(testCases, testCase{
4330 testType: serverTest,
4331 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4332 config: Config{
4333 MaxVersion: VersionTLS13,
4334 },
4335 flags: []string{"-install-ddos-callback"},
4336 resumeSession: resume,
4337 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4338
4339 failFlag := "-fail-ddos-callback"
4340 if resume {
4341 failFlag = "-fail-second-ddos-callback"
4342 }
4343 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4344 testType: serverTest,
4345 name: "Server-DDoS-Reject-" + suffix,
4346 config: Config{
4347 MaxVersion: VersionTLS12,
4348 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4349 flags: []string{"-install-ddos-callback", failFlag},
4350 resumeSession: resume,
4351 shouldFail: true,
4352 expectedError: ":CONNECTION_REJECTED:",
4353 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4354 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4355 testCases = append(testCases, testCase{
4356 testType: serverTest,
4357 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4358 config: Config{
4359 MaxVersion: VersionTLS13,
4360 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4361 flags: []string{"-install-ddos-callback", failFlag},
4362 resumeSession: resume,
4363 shouldFail: true,
4364 expectedError: ":CONNECTION_REJECTED:",
4365 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4366 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4367 }
4368}
4369
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4370func addVersionNegotiationTests() {
4371 for i, shimVers := range tlsVersions {
4372 // Assemble flags to disable all newer versions on the shim.
4373 var flags []string
4374 for _, vers := range tlsVersions[i+1:] {
4375 flags = append(flags, vers.flag)
4376 }
4377
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4378 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4379 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4380 protocols := []protocol{tls}
4381 if runnerVers.hasDTLS && shimVers.hasDTLS {
4382 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4383 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4384 for _, protocol := range protocols {
4385 expectedVersion := shimVers.version
4386 if runnerVers.version < shimVers.version {
4387 expectedVersion = runnerVers.version
4388 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4389
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4390 suffix := shimVers.name + "-" + runnerVers.name
4391 if protocol == dtls {
4392 suffix += "-DTLS"
4393 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4394
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4395 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4396
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4397 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4398 clientVers := shimVers.version
4399 if clientVers > VersionTLS10 {
4400 clientVers = VersionTLS10
4401 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4402 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4403 serverVers := expectedVersion
4404 if expectedVersion >= VersionTLS13 {
4405 serverVers = VersionTLS10
4406 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4407 serverVers = versionToWire(serverVers, protocol == dtls)
4408
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4409 testCases = append(testCases, testCase{
4410 protocol: protocol,
4411 testType: clientTest,
4412 name: "VersionNegotiation-Client-" + suffix,
4413 config: Config{
4414 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4415 Bugs: ProtocolBugs{
4416 ExpectInitialRecordVersion: clientVers,
4417 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4418 },
4419 flags: flags,
4420 expectedVersion: expectedVersion,
4421 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4422 testCases = append(testCases, testCase{
4423 protocol: protocol,
4424 testType: clientTest,
4425 name: "VersionNegotiation-Client2-" + suffix,
4426 config: Config{
4427 MaxVersion: runnerVers.version,
4428 Bugs: ProtocolBugs{
4429 ExpectInitialRecordVersion: clientVers,
4430 },
4431 },
4432 flags: []string{"-max-version", shimVersFlag},
4433 expectedVersion: expectedVersion,
4434 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4435
4436 testCases = append(testCases, testCase{
4437 protocol: protocol,
4438 testType: serverTest,
4439 name: "VersionNegotiation-Server-" + suffix,
4440 config: Config{
4441 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4442 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4443 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4444 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4445 },
4446 flags: flags,
4447 expectedVersion: expectedVersion,
4448 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4449 testCases = append(testCases, testCase{
4450 protocol: protocol,
4451 testType: serverTest,
4452 name: "VersionNegotiation-Server2-" + suffix,
4453 config: Config{
4454 MaxVersion: runnerVers.version,
4455 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4456 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4457 },
4458 },
4459 flags: []string{"-max-version", shimVersFlag},
4460 expectedVersion: expectedVersion,
4461 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4462 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4463 }
4464 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4465
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4466 // Test the version extension at all versions.
4467 for _, vers := range tlsVersions {
4468 protocols := []protocol{tls}
4469 if vers.hasDTLS {
4470 protocols = append(protocols, dtls)
4471 }
4472 for _, protocol := range protocols {
4473 suffix := vers.name
4474 if protocol == dtls {
4475 suffix += "-DTLS"
4476 }
4477
4478 wireVersion := versionToWire(vers.version, protocol == dtls)
4479 testCases = append(testCases, testCase{
4480 protocol: protocol,
4481 testType: serverTest,
4482 name: "VersionNegotiationExtension-" + suffix,
4483 config: Config{
4484 Bugs: ProtocolBugs{
4485 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4486 },
4487 },
4488 expectedVersion: vers.version,
4489 })
4490 }
4491
4492 }
4493
4494 // If all versions are unknown, negotiation fails.
4495 testCases = append(testCases, testCase{
4496 testType: serverTest,
4497 name: "NoSupportedVersions",
4498 config: Config{
4499 Bugs: ProtocolBugs{
4500 SendSupportedVersions: []uint16{0x1111},
4501 },
4502 },
4503 shouldFail: true,
4504 expectedError: ":UNSUPPORTED_PROTOCOL:",
4505 })
4506 testCases = append(testCases, testCase{
4507 protocol: dtls,
4508 testType: serverTest,
4509 name: "NoSupportedVersions-DTLS",
4510 config: Config{
4511 Bugs: ProtocolBugs{
4512 SendSupportedVersions: []uint16{0x1111},
4513 },
4514 },
4515 shouldFail: true,
4516 expectedError: ":UNSUPPORTED_PROTOCOL:",
4517 })
4518
4519 testCases = append(testCases, testCase{
4520 testType: serverTest,
4521 name: "ClientHelloVersionTooHigh",
4522 config: Config{
4523 MaxVersion: VersionTLS13,
4524 Bugs: ProtocolBugs{
4525 SendClientVersion: 0x0304,
4526 OmitSupportedVersions: true,
4527 },
4528 },
4529 expectedVersion: VersionTLS12,
4530 })
4531
4532 testCases = append(testCases, testCase{
4533 testType: serverTest,
4534 name: "ConflictingVersionNegotiation",
4535 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4536 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4537 SendClientVersion: VersionTLS12,
4538 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4539 },
4540 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4541 // The extension takes precedence over the ClientHello version.
4542 expectedVersion: VersionTLS11,
4543 })
4544
4545 testCases = append(testCases, testCase{
4546 testType: serverTest,
4547 name: "ConflictingVersionNegotiation-2",
4548 config: Config{
4549 Bugs: ProtocolBugs{
4550 SendClientVersion: VersionTLS11,
4551 SendSupportedVersions: []uint16{VersionTLS12},
4552 },
4553 },
4554 // The extension takes precedence over the ClientHello version.
4555 expectedVersion: VersionTLS12,
4556 })
4557
4558 testCases = append(testCases, testCase{
4559 testType: serverTest,
4560 name: "RejectFinalTLS13",
4561 config: Config{
4562 Bugs: ProtocolBugs{
4563 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4564 },
4565 },
4566 // We currently implement a draft TLS 1.3 version. Ensure that
4567 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4568 expectedVersion: VersionTLS12,
4569 })
4570
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4571 // Test that the maximum version is selected regardless of the
4572 // client-sent order.
4573 testCases = append(testCases, testCase{
4574 testType: serverTest,
4575 name: "IgnoreClientVersionOrder",
4576 config: Config{
4577 Bugs: ProtocolBugs{
4578 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4579 },
4580 },
4581 expectedVersion: VersionTLS13,
4582 })
4583
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4584 // Test for version tolerance.
4585 testCases = append(testCases, testCase{
4586 testType: serverTest,
4587 name: "MinorVersionTolerance",
4588 config: Config{
4589 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4590 SendClientVersion: 0x03ff,
4591 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4592 },
4593 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4594 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4595 })
4596 testCases = append(testCases, testCase{
4597 testType: serverTest,
4598 name: "MajorVersionTolerance",
4599 config: Config{
4600 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4601 SendClientVersion: 0x0400,
4602 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4603 },
4604 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4605 // TLS 1.3 must be negotiated with the supported_versions
4606 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4607 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4608 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4609 testCases = append(testCases, testCase{
4610 testType: serverTest,
4611 name: "VersionTolerance-TLS13",
4612 config: Config{
4613 Bugs: ProtocolBugs{
4614 // Although TLS 1.3 does not use
4615 // ClientHello.version, it still tolerates high
4616 // values there.
4617 SendClientVersion: 0x0400,
4618 },
4619 },
4620 expectedVersion: VersionTLS13,
4621 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4622
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4623 testCases = append(testCases, testCase{
4624 protocol: dtls,
4625 testType: serverTest,
4626 name: "MinorVersionTolerance-DTLS",
4627 config: Config{
4628 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4629 SendClientVersion: 0xfe00,
4630 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4631 },
4632 },
4633 expectedVersion: VersionTLS12,
4634 })
4635 testCases = append(testCases, testCase{
4636 protocol: dtls,
4637 testType: serverTest,
4638 name: "MajorVersionTolerance-DTLS",
4639 config: Config{
4640 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4641 SendClientVersion: 0xfdff,
4642 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4643 },
4644 },
4645 expectedVersion: VersionTLS12,
4646 })
4647
4648 // Test that versions below 3.0 are rejected.
4649 testCases = append(testCases, testCase{
4650 testType: serverTest,
4651 name: "VersionTooLow",
4652 config: Config{
4653 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4654 SendClientVersion: 0x0200,
4655 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4656 },
4657 },
4658 shouldFail: true,
4659 expectedError: ":UNSUPPORTED_PROTOCOL:",
4660 })
4661 testCases = append(testCases, testCase{
4662 protocol: dtls,
4663 testType: serverTest,
4664 name: "VersionTooLow-DTLS",
4665 config: Config{
4666 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4667 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4668 },
4669 },
4670 shouldFail: true,
4671 expectedError: ":UNSUPPORTED_PROTOCOL:",
4672 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4673
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4674 testCases = append(testCases, testCase{
4675 name: "ServerBogusVersion",
4676 config: Config{
4677 Bugs: ProtocolBugs{
4678 SendServerHelloVersion: 0x1234,
4679 },
4680 },
4681 shouldFail: true,
4682 expectedError: ":UNSUPPORTED_PROTOCOL:",
4683 })
4684
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4685 // Test TLS 1.3's downgrade signal.
4686 testCases = append(testCases, testCase{
4687 name: "Downgrade-TLS12-Client",
4688 config: Config{
4689 Bugs: ProtocolBugs{
4690 NegotiateVersion: VersionTLS12,
4691 },
4692 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4693 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4694 // TODO(davidben): This test should fail once TLS 1.3 is final
4695 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4696 })
4697 testCases = append(testCases, testCase{
4698 testType: serverTest,
4699 name: "Downgrade-TLS12-Server",
4700 config: Config{
4701 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4702 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4703 },
4704 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4705 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4706 // TODO(davidben): This test should fail once TLS 1.3 is final
4707 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4708 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4709}
4710
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4711func addMinimumVersionTests() {
4712 for i, shimVers := range tlsVersions {
4713 // Assemble flags to disable all older versions on the shim.
4714 var flags []string
4715 for _, vers := range tlsVersions[:i] {
4716 flags = append(flags, vers.flag)
4717 }
4718
4719 for _, runnerVers := range tlsVersions {
4720 protocols := []protocol{tls}
4721 if runnerVers.hasDTLS && shimVers.hasDTLS {
4722 protocols = append(protocols, dtls)
4723 }
4724 for _, protocol := range protocols {
4725 suffix := shimVers.name + "-" + runnerVers.name
4726 if protocol == dtls {
4727 suffix += "-DTLS"
4728 }
4729 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4730
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4731 var expectedVersion uint16
4732 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4733 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4734 if runnerVers.version >= shimVers.version {
4735 expectedVersion = runnerVers.version
4736 } else {
4737 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4738 expectedError = ":UNSUPPORTED_PROTOCOL:"
4739 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4740 }
4741
4742 testCases = append(testCases, testCase{
4743 protocol: protocol,
4744 testType: clientTest,
4745 name: "MinimumVersion-Client-" + suffix,
4746 config: Config{
4747 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4748 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4749 // Ensure the server does not decline to
4750 // select a version (versions extension) or
4751 // cipher (some ciphers depend on versions).
4752 NegotiateVersion: runnerVers.version,
4753 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4754 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4755 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4756 flags: flags,
4757 expectedVersion: expectedVersion,
4758 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4759 expectedError: expectedError,
4760 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4761 })
4762 testCases = append(testCases, testCase{
4763 protocol: protocol,
4764 testType: clientTest,
4765 name: "MinimumVersion-Client2-" + suffix,
4766 config: Config{
4767 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4768 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4769 // Ensure the server does not decline to
4770 // select a version (versions extension) or
4771 // cipher (some ciphers depend on versions).
4772 NegotiateVersion: runnerVers.version,
4773 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4774 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4775 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4776 flags: []string{"-min-version", shimVersFlag},
4777 expectedVersion: expectedVersion,
4778 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4779 expectedError: expectedError,
4780 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4781 })
4782
4783 testCases = append(testCases, testCase{
4784 protocol: protocol,
4785 testType: serverTest,
4786 name: "MinimumVersion-Server-" + suffix,
4787 config: Config{
4788 MaxVersion: runnerVers.version,
4789 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4790 flags: flags,
4791 expectedVersion: expectedVersion,
4792 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4793 expectedError: expectedError,
4794 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4795 })
4796 testCases = append(testCases, testCase{
4797 protocol: protocol,
4798 testType: serverTest,
4799 name: "MinimumVersion-Server2-" + suffix,
4800 config: Config{
4801 MaxVersion: runnerVers.version,
4802 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4803 flags: []string{"-min-version", shimVersFlag},
4804 expectedVersion: expectedVersion,
4805 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4806 expectedError: expectedError,
4807 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4808 })
4809 }
4810 }
4811 }
4812}
4813
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4814func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4815 // TODO(davidben): Extensions, where applicable, all move their server
4816 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4817 // tests for both. Also test interaction with 0-RTT when implemented.
4818
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4819 // Repeat extensions tests all versions except SSL 3.0.
4820 for _, ver := range tlsVersions {
4821 if ver.version == VersionSSL30 {
4822 continue
4823 }
4824
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4825 // Test that duplicate extensions are rejected.
4826 testCases = append(testCases, testCase{
4827 testType: clientTest,
4828 name: "DuplicateExtensionClient-" + ver.name,
4829 config: Config{
4830 MaxVersion: ver.version,
4831 Bugs: ProtocolBugs{
4832 DuplicateExtension: true,
4833 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4834 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4835 shouldFail: true,
4836 expectedLocalError: "remote error: error decoding message",
4837 })
4838 testCases = append(testCases, testCase{
4839 testType: serverTest,
4840 name: "DuplicateExtensionServer-" + ver.name,
4841 config: Config{
4842 MaxVersion: ver.version,
4843 Bugs: ProtocolBugs{
4844 DuplicateExtension: true,
4845 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4846 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4847 shouldFail: true,
4848 expectedLocalError: "remote error: error decoding message",
4849 })
4850
4851 // Test SNI.
4852 testCases = append(testCases, testCase{
4853 testType: clientTest,
4854 name: "ServerNameExtensionClient-" + ver.name,
4855 config: Config{
4856 MaxVersion: ver.version,
4857 Bugs: ProtocolBugs{
4858 ExpectServerName: "example.com",
4859 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4860 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4861 flags: []string{"-host-name", "example.com"},
4862 })
4863 testCases = append(testCases, testCase{
4864 testType: clientTest,
4865 name: "ServerNameExtensionClientMismatch-" + ver.name,
4866 config: Config{
4867 MaxVersion: ver.version,
4868 Bugs: ProtocolBugs{
4869 ExpectServerName: "mismatch.com",
4870 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4871 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4872 flags: []string{"-host-name", "example.com"},
4873 shouldFail: true,
4874 expectedLocalError: "tls: unexpected server name",
4875 })
4876 testCases = append(testCases, testCase{
4877 testType: clientTest,
4878 name: "ServerNameExtensionClientMissing-" + ver.name,
4879 config: Config{
4880 MaxVersion: ver.version,
4881 Bugs: ProtocolBugs{
4882 ExpectServerName: "missing.com",
4883 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4884 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4885 shouldFail: true,
4886 expectedLocalError: "tls: unexpected server name",
4887 })
4888 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4889 testType: clientTest,
4890 name: "TolerateServerNameAck-" + ver.name,
4891 config: Config{
4892 MaxVersion: ver.version,
4893 Bugs: ProtocolBugs{
4894 SendServerNameAck: true,
4895 },
4896 },
4897 flags: []string{"-host-name", "example.com"},
4898 resumeSession: true,
4899 })
4900 testCases = append(testCases, testCase{
4901 testType: clientTest,
4902 name: "UnsolicitedServerNameAck-" + ver.name,
4903 config: Config{
4904 MaxVersion: ver.version,
4905 Bugs: ProtocolBugs{
4906 SendServerNameAck: true,
4907 },
4908 },
4909 shouldFail: true,
4910 expectedError: ":UNEXPECTED_EXTENSION:",
4911 expectedLocalError: "remote error: unsupported extension",
4912 })
4913 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4914 testType: serverTest,
4915 name: "ServerNameExtensionServer-" + ver.name,
4916 config: Config{
4917 MaxVersion: ver.version,
4918 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4919 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4920 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4921 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4922 })
4923
4924 // Test ALPN.
4925 testCases = append(testCases, testCase{
4926 testType: clientTest,
4927 name: "ALPNClient-" + ver.name,
4928 config: Config{
4929 MaxVersion: ver.version,
4930 NextProtos: []string{"foo"},
4931 },
4932 flags: []string{
4933 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4934 "-expect-alpn", "foo",
4935 },
4936 expectedNextProto: "foo",
4937 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4938 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4939 })
4940 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4941 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4942 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4943 config: Config{
4944 MaxVersion: ver.version,
4945 Bugs: ProtocolBugs{
4946 SendALPN: "baz",
4947 },
4948 },
4949 flags: []string{
4950 "-advertise-alpn", "\x03foo\x03bar",
4951 },
4952 shouldFail: true,
4953 expectedError: ":INVALID_ALPN_PROTOCOL:",
4954 expectedLocalError: "remote error: illegal parameter",
4955 })
4956 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame]4957 testType: clientTest,
4958 name: "ALPNClient-AllowUnknown-" + ver.name,
4959 config: Config{
4960 MaxVersion: ver.version,
4961 Bugs: ProtocolBugs{
4962 SendALPN: "baz",
4963 },
4964 },
4965 flags: []string{
4966 "-advertise-alpn", "\x03foo\x03bar",
4967 "-allow-unknown-alpn-protos",
4968 },
4969 })
4970 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4971 testType: serverTest,
4972 name: "ALPNServer-" + ver.name,
4973 config: Config{
4974 MaxVersion: ver.version,
4975 NextProtos: []string{"foo", "bar", "baz"},
4976 },
4977 flags: []string{
4978 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4979 "-select-alpn", "foo",
4980 },
4981 expectedNextProto: "foo",
4982 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4983 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4984 })
4985 testCases = append(testCases, testCase{
4986 testType: serverTest,
4987 name: "ALPNServer-Decline-" + ver.name,
4988 config: Config{
4989 MaxVersion: ver.version,
4990 NextProtos: []string{"foo", "bar", "baz"},
4991 },
4992 flags: []string{"-decline-alpn"},
4993 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4994 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4995 })
4996
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4997 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4998 // called once.
4999 testCases = append(testCases, testCase{
5000 testType: serverTest,
5001 name: "ALPNServer-Async-" + ver.name,
5002 config: Config{
5003 MaxVersion: ver.version,
5004 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]5005 // Prior to TLS 1.3, exercise the asynchronous session callback.
5006 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5007 },
5008 flags: []string{
5009 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5010 "-select-alpn", "foo",
5011 "-async",
5012 },
5013 expectedNextProto: "foo",
5014 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5015 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]5016 })
5017
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5018 var emptyString string
5019 testCases = append(testCases, testCase{
5020 testType: clientTest,
5021 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5022 config: Config{
5023 MaxVersion: ver.version,
5024 NextProtos: []string{""},
5025 Bugs: ProtocolBugs{
5026 // A server returning an empty ALPN protocol
5027 // should be rejected.
5028 ALPNProtocol: &emptyString,
5029 },
5030 },
5031 flags: []string{
5032 "-advertise-alpn", "\x03foo",
5033 },
5034 shouldFail: true,
5035 expectedError: ":PARSE_TLSEXT:",
5036 })
5037 testCases = append(testCases, testCase{
5038 testType: serverTest,
5039 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5040 config: Config{
5041 MaxVersion: ver.version,
5042 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5043 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5044 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]5045 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5046 flags: []string{
5047 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5048 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5049 shouldFail: true,
5050 expectedError: ":PARSE_TLSEXT:",
5051 })
5052
5053 // Test NPN and the interaction with ALPN.
5054 if ver.version < VersionTLS13 {
5055 // Test that the server prefers ALPN over NPN.
5056 testCases = append(testCases, testCase{
5057 testType: serverTest,
5058 name: "ALPNServer-Preferred-" + ver.name,
5059 config: Config{
5060 MaxVersion: ver.version,
5061 NextProtos: []string{"foo", "bar", "baz"},
5062 },
5063 flags: []string{
5064 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5065 "-select-alpn", "foo",
5066 "-advertise-npn", "\x03foo\x03bar\x03baz",
5067 },
5068 expectedNextProto: "foo",
5069 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5070 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5071 })
5072 testCases = append(testCases, testCase{
5073 testType: serverTest,
5074 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5075 config: Config{
5076 MaxVersion: ver.version,
5077 NextProtos: []string{"foo", "bar", "baz"},
5078 Bugs: ProtocolBugs{
5079 SwapNPNAndALPN: true,
5080 },
5081 },
5082 flags: []string{
5083 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5084 "-select-alpn", "foo",
5085 "-advertise-npn", "\x03foo\x03bar\x03baz",
5086 },
5087 expectedNextProto: "foo",
5088 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5089 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5090 })
5091
5092 // Test that negotiating both NPN and ALPN is forbidden.
5093 testCases = append(testCases, testCase{
5094 name: "NegotiateALPNAndNPN-" + ver.name,
5095 config: Config{
5096 MaxVersion: ver.version,
5097 NextProtos: []string{"foo", "bar", "baz"},
5098 Bugs: ProtocolBugs{
5099 NegotiateALPNAndNPN: true,
5100 },
5101 },
5102 flags: []string{
5103 "-advertise-alpn", "\x03foo",
5104 "-select-next-proto", "foo",
5105 },
5106 shouldFail: true,
5107 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5108 })
5109 testCases = append(testCases, testCase{
5110 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5111 config: Config{
5112 MaxVersion: ver.version,
5113 NextProtos: []string{"foo", "bar", "baz"},
5114 Bugs: ProtocolBugs{
5115 NegotiateALPNAndNPN: true,
5116 SwapNPNAndALPN: true,
5117 },
5118 },
5119 flags: []string{
5120 "-advertise-alpn", "\x03foo",
5121 "-select-next-proto", "foo",
5122 },
5123 shouldFail: true,
5124 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5125 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5126 }
5127
5128 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5129
5130 // Resume with a corrupt ticket.
5131 testCases = append(testCases, testCase{
5132 testType: serverTest,
5133 name: "CorruptTicket-" + ver.name,
5134 config: Config{
5135 MaxVersion: ver.version,
5136 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5137 FilterTicket: func(in []byte) ([]byte, error) {
5138 in[len(in)-1] ^= 1
5139 return in, nil
5140 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5141 },
5142 },
5143 resumeSession: true,
5144 expectResumeRejected: true,
5145 })
5146 // Test the ticket callback, with and without renewal.
5147 testCases = append(testCases, testCase{
5148 testType: serverTest,
5149 name: "TicketCallback-" + ver.name,
5150 config: Config{
5151 MaxVersion: ver.version,
5152 },
5153 resumeSession: true,
5154 flags: []string{"-use-ticket-callback"},
5155 })
5156 testCases = append(testCases, testCase{
5157 testType: serverTest,
5158 name: "TicketCallback-Renew-" + ver.name,
5159 config: Config{
5160 MaxVersion: ver.version,
5161 Bugs: ProtocolBugs{
5162 ExpectNewTicket: true,
5163 },
5164 },
5165 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5166 resumeSession: true,
5167 })
5168
5169 // Test that the ticket callback is only called once when everything before
5170 // it in the ClientHello is asynchronous. This corrupts the ticket so
5171 // certificate selection callbacks run.
5172 testCases = append(testCases, testCase{
5173 testType: serverTest,
5174 name: "TicketCallback-SingleCall-" + ver.name,
5175 config: Config{
5176 MaxVersion: ver.version,
5177 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5178 FilterTicket: func(in []byte) ([]byte, error) {
5179 in[len(in)-1] ^= 1
5180 return in, nil
5181 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5182 },
5183 },
5184 resumeSession: true,
5185 expectResumeRejected: true,
5186 flags: []string{
5187 "-use-ticket-callback",
5188 "-async",
5189 },
5190 })
5191
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5192 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5193 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5194 testCases = append(testCases, testCase{
5195 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5196 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5197 config: Config{
5198 MaxVersion: ver.version,
5199 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5200 EmptyTicketSessionID: true,
5201 },
5202 },
5203 resumeSession: true,
5204 })
5205 testCases = append(testCases, testCase{
5206 testType: serverTest,
5207 name: "TicketSessionIDLength-16-" + ver.name,
5208 config: Config{
5209 MaxVersion: ver.version,
5210 Bugs: ProtocolBugs{
5211 TicketSessionIDLength: 16,
5212 },
5213 },
5214 resumeSession: true,
5215 })
5216 testCases = append(testCases, testCase{
5217 testType: serverTest,
5218 name: "TicketSessionIDLength-32-" + ver.name,
5219 config: Config{
5220 MaxVersion: ver.version,
5221 Bugs: ProtocolBugs{
5222 TicketSessionIDLength: 32,
5223 },
5224 },
5225 resumeSession: true,
5226 })
5227 testCases = append(testCases, testCase{
5228 testType: serverTest,
5229 name: "TicketSessionIDLength-33-" + ver.name,
5230 config: Config{
5231 MaxVersion: ver.version,
5232 Bugs: ProtocolBugs{
5233 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5234 },
5235 },
5236 resumeSession: true,
5237 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5238 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5239 expectedError: ":DECODE_ERROR:",
5240 })
5241 }
5242
5243 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5244 // are ignored.
5245 if ver.hasDTLS {
5246 testCases = append(testCases, testCase{
5247 protocol: dtls,
5248 name: "SRTP-Client-" + ver.name,
5249 config: Config{
5250 MaxVersion: ver.version,
5251 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5252 },
5253 flags: []string{
5254 "-srtp-profiles",
5255 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5256 },
5257 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5258 })
5259 testCases = append(testCases, testCase{
5260 protocol: dtls,
5261 testType: serverTest,
5262 name: "SRTP-Server-" + ver.name,
5263 config: Config{
5264 MaxVersion: ver.version,
5265 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5266 },
5267 flags: []string{
5268 "-srtp-profiles",
5269 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5270 },
5271 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5272 })
5273 // Test that the MKI is ignored.
5274 testCases = append(testCases, testCase{
5275 protocol: dtls,
5276 testType: serverTest,
5277 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5278 config: Config{
5279 MaxVersion: ver.version,
5280 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5281 Bugs: ProtocolBugs{
5282 SRTPMasterKeyIdentifer: "bogus",
5283 },
5284 },
5285 flags: []string{
5286 "-srtp-profiles",
5287 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5288 },
5289 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5290 })
5291 // Test that SRTP isn't negotiated on the server if there were
5292 // no matching profiles.
5293 testCases = append(testCases, testCase{
5294 protocol: dtls,
5295 testType: serverTest,
5296 name: "SRTP-Server-NoMatch-" + ver.name,
5297 config: Config{
5298 MaxVersion: ver.version,
5299 SRTPProtectionProfiles: []uint16{100, 101, 102},
5300 },
5301 flags: []string{
5302 "-srtp-profiles",
5303 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5304 },
5305 expectedSRTPProtectionProfile: 0,
5306 })
5307 // Test that the server returning an invalid SRTP profile is
5308 // flagged as an error by the client.
5309 testCases = append(testCases, testCase{
5310 protocol: dtls,
5311 name: "SRTP-Client-NoMatch-" + ver.name,
5312 config: Config{
5313 MaxVersion: ver.version,
5314 Bugs: ProtocolBugs{
5315 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5316 },
5317 },
5318 flags: []string{
5319 "-srtp-profiles",
5320 "SRTP_AES128_CM_SHA1_80",
5321 },
5322 shouldFail: true,
5323 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5324 })
5325 }
5326
5327 // Test SCT list.
5328 testCases = append(testCases, testCase{
5329 name: "SignedCertificateTimestampList-Client-" + ver.name,
5330 testType: clientTest,
5331 config: Config{
5332 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5333 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5334 flags: []string{
5335 "-enable-signed-cert-timestamps",
5336 "-expect-signed-cert-timestamps",
5337 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5338 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5339 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5340 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5341
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5342 var differentSCTList []byte
5343 differentSCTList = append(differentSCTList, testSCTList...)
5344 differentSCTList[len(differentSCTList)-1] ^= 1
5345
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5346 // The SCT extension did not specify that it must only be sent on resumption as it
5347 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5348 testCases = append(testCases, testCase{
5349 name: "SendSCTListOnResume-" + ver.name,
5350 config: Config{
5351 MaxVersion: ver.version,
5352 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5353 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5354 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5355 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5356 flags: []string{
5357 "-enable-signed-cert-timestamps",
5358 "-expect-signed-cert-timestamps",
5359 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5360 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5361 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5362 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5363
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5364 testCases = append(testCases, testCase{
5365 name: "SignedCertificateTimestampList-Server-" + ver.name,
5366 testType: serverTest,
5367 config: Config{
5368 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5369 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5370 flags: []string{
5371 "-signed-cert-timestamps",
5372 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5373 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5374 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5375 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5376 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5377
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5378 emptySCTListCert := *testCerts[0].cert
5379 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5380
5381 // Test empty SCT list.
5382 testCases = append(testCases, testCase{
5383 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5384 testType: clientTest,
5385 config: Config{
5386 MaxVersion: ver.version,
5387 Certificates: []Certificate{emptySCTListCert},
5388 },
5389 flags: []string{
5390 "-enable-signed-cert-timestamps",
5391 },
5392 shouldFail: true,
5393 expectedError: ":ERROR_PARSING_EXTENSION:",
5394 })
5395
5396 emptySCTCert := *testCerts[0].cert
5397 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5398
5399 // Test empty SCT in non-empty list.
5400 testCases = append(testCases, testCase{
5401 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5402 testType: clientTest,
5403 config: Config{
5404 MaxVersion: ver.version,
5405 Certificates: []Certificate{emptySCTCert},
5406 },
5407 flags: []string{
5408 "-enable-signed-cert-timestamps",
5409 },
5410 shouldFail: true,
5411 expectedError: ":ERROR_PARSING_EXTENSION:",
5412 })
5413
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5414 // Test that certificate-related extensions are not sent unsolicited.
5415 testCases = append(testCases, testCase{
5416 testType: serverTest,
5417 name: "UnsolicitedCertificateExtensions-" + ver.name,
5418 config: Config{
5419 MaxVersion: ver.version,
5420 Bugs: ProtocolBugs{
5421 NoOCSPStapling: true,
5422 NoSignedCertificateTimestamps: true,
5423 },
5424 },
5425 flags: []string{
5426 "-ocsp-response",
5427 base64.StdEncoding.EncodeToString(testOCSPResponse),
5428 "-signed-cert-timestamps",
5429 base64.StdEncoding.EncodeToString(testSCTList),
5430 },
5431 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5432 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5433
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5434 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5435 testType: clientTest,
5436 name: "ClientHelloPadding",
5437 config: Config{
5438 Bugs: ProtocolBugs{
5439 RequireClientHelloSize: 512,
5440 },
5441 },
5442 // This hostname just needs to be long enough to push the
5443 // ClientHello into F5's danger zone between 256 and 511 bytes
5444 // long.
5445 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5446 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5447
5448 // Extensions should not function in SSL 3.0.
5449 testCases = append(testCases, testCase{
5450 testType: serverTest,
5451 name: "SSLv3Extensions-NoALPN",
5452 config: Config{
5453 MaxVersion: VersionSSL30,
5454 NextProtos: []string{"foo", "bar", "baz"},
5455 },
5456 flags: []string{
5457 "-select-alpn", "foo",
5458 },
5459 expectNoNextProto: true,
5460 })
5461
5462 // Test session tickets separately as they follow a different codepath.
5463 testCases = append(testCases, testCase{
5464 testType: serverTest,
5465 name: "SSLv3Extensions-NoTickets",
5466 config: Config{
5467 MaxVersion: VersionSSL30,
5468 Bugs: ProtocolBugs{
5469 // Historically, session tickets in SSL 3.0
5470 // failed in different ways depending on whether
5471 // the client supported renegotiation_info.
5472 NoRenegotiationInfo: true,
5473 },
5474 },
5475 resumeSession: true,
5476 })
5477 testCases = append(testCases, testCase{
5478 testType: serverTest,
5479 name: "SSLv3Extensions-NoTickets2",
5480 config: Config{
5481 MaxVersion: VersionSSL30,
5482 },
5483 resumeSession: true,
5484 })
5485
5486 // But SSL 3.0 does send and process renegotiation_info.
5487 testCases = append(testCases, testCase{
5488 testType: serverTest,
5489 name: "SSLv3Extensions-RenegotiationInfo",
5490 config: Config{
5491 MaxVersion: VersionSSL30,
5492 Bugs: ProtocolBugs{
5493 RequireRenegotiationInfo: true,
5494 },
5495 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5496 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5497 })
5498 testCases = append(testCases, testCase{
5499 testType: serverTest,
5500 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5501 config: Config{
5502 MaxVersion: VersionSSL30,
5503 Bugs: ProtocolBugs{
5504 NoRenegotiationInfo: true,
5505 SendRenegotiationSCSV: true,
5506 RequireRenegotiationInfo: true,
5507 },
5508 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5509 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5510 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5511
5512 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5513 // in ServerHello.
5514 testCases = append(testCases, testCase{
5515 name: "NPN-Forbidden-TLS13",
5516 config: Config{
5517 MaxVersion: VersionTLS13,
5518 NextProtos: []string{"foo"},
5519 Bugs: ProtocolBugs{
5520 NegotiateNPNAtAllVersions: true,
5521 },
5522 },
5523 flags: []string{"-select-next-proto", "foo"},
5524 shouldFail: true,
5525 expectedError: ":ERROR_PARSING_EXTENSION:",
5526 })
5527 testCases = append(testCases, testCase{
5528 name: "EMS-Forbidden-TLS13",
5529 config: Config{
5530 MaxVersion: VersionTLS13,
5531 Bugs: ProtocolBugs{
5532 NegotiateEMSAtAllVersions: true,
5533 },
5534 },
5535 shouldFail: true,
5536 expectedError: ":ERROR_PARSING_EXTENSION:",
5537 })
5538 testCases = append(testCases, testCase{
5539 name: "RenegotiationInfo-Forbidden-TLS13",
5540 config: Config{
5541 MaxVersion: VersionTLS13,
5542 Bugs: ProtocolBugs{
5543 NegotiateRenegotiationInfoAtAllVersions: true,
5544 },
5545 },
5546 shouldFail: true,
5547 expectedError: ":ERROR_PARSING_EXTENSION:",
5548 })
5549 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5550 name: "Ticket-Forbidden-TLS13",
5551 config: Config{
5552 MaxVersion: VersionTLS12,
5553 },
5554 resumeConfig: &Config{
5555 MaxVersion: VersionTLS13,
5556 Bugs: ProtocolBugs{
5557 AdvertiseTicketExtension: true,
5558 },
5559 },
5560 resumeSession: true,
5561 shouldFail: true,
5562 expectedError: ":ERROR_PARSING_EXTENSION:",
5563 })
5564
5565 // Test that illegal extensions in TLS 1.3 are declined by the server if
5566 // offered in ClientHello. The runner's server will fail if this occurs,
5567 // so we exercise the offering path. (EMS and Renegotiation Info are
5568 // implicit in every test.)
5569 testCases = append(testCases, testCase{
5570 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5571 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5572 config: Config{
5573 MaxVersion: VersionTLS13,
5574 NextProtos: []string{"bar"},
5575 },
5576 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5577 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5578
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5579 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5580 // tolerated.
5581 testCases = append(testCases, testCase{
5582 name: "SendOCSPResponseOnResume-TLS12",
5583 config: Config{
5584 MaxVersion: VersionTLS12,
5585 Bugs: ProtocolBugs{
5586 SendOCSPResponseOnResume: []byte("bogus"),
5587 },
5588 },
5589 flags: []string{
5590 "-enable-ocsp-stapling",
5591 "-expect-ocsp-response",
5592 base64.StdEncoding.EncodeToString(testOCSPResponse),
5593 },
5594 resumeSession: true,
5595 })
5596
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5597 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5598 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5599 config: Config{
5600 MaxVersion: VersionTLS13,
5601 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5602 SendExtensionOnCertificate: testOCSPExtension,
5603 },
5604 },
5605 shouldFail: true,
5606 expectedError: ":UNEXPECTED_EXTENSION:",
5607 })
5608
5609 testCases = append(testCases, testCase{
5610 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5611 config: Config{
5612 MaxVersion: VersionTLS13,
5613 Bugs: ProtocolBugs{
5614 SendExtensionOnCertificate: testSCTExtension,
5615 },
5616 },
5617 shouldFail: true,
5618 expectedError: ":UNEXPECTED_EXTENSION:",
5619 })
5620
5621 // Test that extensions on client certificates are never accepted.
5622 testCases = append(testCases, testCase{
5623 name: "SendExtensionOnClientCertificate-TLS13",
5624 testType: serverTest,
5625 config: Config{
5626 MaxVersion: VersionTLS13,
5627 Certificates: []Certificate{rsaCertificate},
5628 Bugs: ProtocolBugs{
5629 SendExtensionOnCertificate: testOCSPExtension,
5630 },
5631 },
5632 flags: []string{
5633 "-enable-ocsp-stapling",
5634 "-require-any-client-certificate",
5635 },
5636 shouldFail: true,
5637 expectedError: ":UNEXPECTED_EXTENSION:",
5638 })
5639
5640 testCases = append(testCases, testCase{
5641 name: "SendUnknownExtensionOnCertificate-TLS13",
5642 config: Config{
5643 MaxVersion: VersionTLS13,
5644 Bugs: ProtocolBugs{
5645 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5646 },
5647 },
5648 shouldFail: true,
5649 expectedError: ":UNEXPECTED_EXTENSION:",
5650 })
5651
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5652 var differentSCTList []byte
5653 differentSCTList = append(differentSCTList, testSCTList...)
5654 differentSCTList[len(differentSCTList)-1] ^= 1
5655
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5656 // Test that extensions on intermediates are allowed but ignored.
5657 testCases = append(testCases, testCase{
5658 name: "IgnoreExtensionsOnIntermediates-TLS13",
5659 config: Config{
5660 MaxVersion: VersionTLS13,
5661 Certificates: []Certificate{rsaChainCertificate},
5662 Bugs: ProtocolBugs{
5663 // Send different values on the intermediate. This tests
5664 // the intermediate's extensions do not override the
5665 // leaf's.
5666 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5667 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5668 },
5669 },
5670 flags: []string{
5671 "-enable-ocsp-stapling",
5672 "-expect-ocsp-response",
5673 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5674 "-enable-signed-cert-timestamps",
5675 "-expect-signed-cert-timestamps",
5676 base64.StdEncoding.EncodeToString(testSCTList),
5677 },
5678 resumeSession: true,
5679 })
5680
5681 // Test that extensions are not sent on intermediates when configured
5682 // only for a leaf.
5683 testCases = append(testCases, testCase{
5684 testType: serverTest,
5685 name: "SendNoExtensionsOnIntermediate-TLS13",
5686 config: Config{
5687 MaxVersion: VersionTLS13,
5688 Bugs: ProtocolBugs{
5689 ExpectNoExtensionsOnIntermediate: true,
5690 },
5691 },
5692 flags: []string{
5693 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5694 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5695 "-ocsp-response",
5696 base64.StdEncoding.EncodeToString(testOCSPResponse),
5697 "-signed-cert-timestamps",
5698 base64.StdEncoding.EncodeToString(testSCTList),
5699 },
5700 })
5701
5702 // Test that extensions are not sent on client certificates.
5703 testCases = append(testCases, testCase{
5704 name: "SendNoClientCertificateExtensions-TLS13",
5705 config: Config{
5706 MaxVersion: VersionTLS13,
5707 ClientAuth: RequireAnyClientCert,
5708 },
5709 flags: []string{
5710 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5711 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5712 "-ocsp-response",
5713 base64.StdEncoding.EncodeToString(testOCSPResponse),
5714 "-signed-cert-timestamps",
5715 base64.StdEncoding.EncodeToString(testSCTList),
5716 },
5717 })
5718
5719 testCases = append(testCases, testCase{
5720 name: "SendDuplicateExtensionsOnCerts-TLS13",
5721 config: Config{
5722 MaxVersion: VersionTLS13,
5723 Bugs: ProtocolBugs{
5724 SendDuplicateCertExtensions: true,
5725 },
5726 },
5727 flags: []string{
5728 "-enable-ocsp-stapling",
5729 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5730 },
5731 resumeSession: true,
5732 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5733 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5734 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5735
5736 testCases = append(testCases, testCase{
5737 name: "SignedCertificateTimestampListInvalid-Server",
5738 testType: serverTest,
5739 flags: []string{
5740 "-signed-cert-timestamps",
5741 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5742 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5743 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5744 expectedError: ":INVALID_SCT_LIST:",
5745 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5746}
5747
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5748func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5749 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5750 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5751 // SSL 3.0 does not have tickets and TLS 1.3 does not
5752 // have session IDs, so skip their cross-resumption
5753 // tests.
5754 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5755 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5756 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5757 }
5758
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5759 protocols := []protocol{tls}
5760 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5761 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5762 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5763 for _, protocol := range protocols {
5764 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5765 if protocol == dtls {
5766 suffix += "-DTLS"
5767 }
5768
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5769 if sessionVers.version == resumeVers.version {
5770 testCases = append(testCases, testCase{
5771 protocol: protocol,
5772 name: "Resume-Client" + suffix,
5773 resumeSession: true,
5774 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5775 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5776 Bugs: ProtocolBugs{
5777 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5778 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5779 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5780 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5781 expectedVersion: sessionVers.version,
5782 expectedResumeVersion: resumeVers.version,
5783 })
5784 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5785 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5786
5787 // Offering a TLS 1.3 session sends an empty session ID, so
5788 // there is no way to convince a non-lookahead client the
5789 // session was resumed. It will appear to the client that a
5790 // stray ChangeCipherSpec was sent.
5791 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5792 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5793 }
5794
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5795 testCases = append(testCases, testCase{
5796 protocol: protocol,
5797 name: "Resume-Client-Mismatch" + suffix,
5798 resumeSession: true,
5799 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5800 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5801 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5802 expectedVersion: sessionVers.version,
5803 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5804 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5805 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5806 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5807 },
5808 },
5809 expectedResumeVersion: resumeVers.version,
5810 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5811 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5812 })
5813 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5814
5815 testCases = append(testCases, testCase{
5816 protocol: protocol,
5817 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5818 resumeSession: true,
5819 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5820 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5821 },
5822 expectedVersion: sessionVers.version,
5823 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5824 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5825 },
5826 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5827 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5828 expectedResumeVersion: resumeVers.version,
5829 })
5830
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5831 testCases = append(testCases, testCase{
5832 protocol: protocol,
5833 testType: serverTest,
5834 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5835 resumeSession: true,
5836 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5837 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5838 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5839 expectedVersion: sessionVers.version,
5840 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5841 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5842 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5843 Bugs: ProtocolBugs{
5844 SendBothTickets: true,
5845 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5846 },
5847 expectedResumeVersion: resumeVers.version,
5848 })
5849 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5850 }
5851 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5852
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5853 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5854 testCases = append(testCases, testCase{
5855 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5856 name: "ShimTicketRewritable",
5857 resumeSession: true,
5858 config: Config{
5859 MaxVersion: VersionTLS12,
5860 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5861 Bugs: ProtocolBugs{
5862 FilterTicket: func(in []byte) ([]byte, error) {
5863 in, err := SetShimTicketVersion(in, VersionTLS12)
5864 if err != nil {
5865 return nil, err
5866 }
5867 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5868 },
5869 },
5870 },
5871 flags: []string{
5872 "-ticket-key",
5873 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5874 },
5875 })
5876
5877 // Resumptions are declined if the version does not match.
5878 testCases = append(testCases, testCase{
5879 testType: serverTest,
5880 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5881 resumeSession: true,
5882 config: Config{
5883 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5884 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5885 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5886 FilterTicket: func(in []byte) ([]byte, error) {
5887 return SetShimTicketVersion(in, VersionTLS13)
5888 },
5889 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5890 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5891 flags: []string{
5892 "-ticket-key",
5893 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5894 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5895 expectResumeRejected: true,
5896 })
5897
5898 testCases = append(testCases, testCase{
5899 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5900 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5901 resumeSession: true,
5902 config: Config{
5903 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5904 Bugs: ProtocolBugs{
5905 FilterTicket: func(in []byte) ([]byte, error) {
5906 return SetShimTicketVersion(in, VersionTLS12)
5907 },
5908 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5909 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5910 flags: []string{
5911 "-ticket-key",
5912 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5913 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5914 expectResumeRejected: true,
5915 })
5916
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5917 // Resumptions are declined if the cipher is invalid or disabled.
5918 testCases = append(testCases, testCase{
5919 testType: serverTest,
5920 name: "Resume-Server-DeclineBadCipher",
5921 resumeSession: true,
5922 config: Config{
5923 MaxVersion: VersionTLS12,
5924 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5925 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5926 FilterTicket: func(in []byte) ([]byte, error) {
5927 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5928 },
5929 },
5930 },
5931 flags: []string{
5932 "-ticket-key",
5933 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5934 },
5935 expectResumeRejected: true,
5936 })
5937
5938 testCases = append(testCases, testCase{
5939 testType: serverTest,
5940 name: "Resume-Server-DeclineBadCipher-2",
5941 resumeSession: true,
5942 config: Config{
5943 MaxVersion: VersionTLS12,
5944 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5945 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5946 FilterTicket: func(in []byte) ([]byte, error) {
5947 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5948 },
5949 },
5950 },
5951 flags: []string{
5952 "-cipher", "AES128",
5953 "-ticket-key",
5954 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5955 },
5956 expectResumeRejected: true,
5957 })
5958
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5959 // Sessions are not resumed if they do not use the preferred cipher.
5960 testCases = append(testCases, testCase{
5961 testType: serverTest,
5962 name: "Resume-Server-CipherNotPreferred",
5963 resumeSession: true,
5964 config: Config{
5965 MaxVersion: VersionTLS12,
5966 Bugs: ProtocolBugs{
5967 ExpectNewTicket: true,
5968 FilterTicket: func(in []byte) ([]byte, error) {
5969 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5970 },
5971 },
5972 },
5973 flags: []string{
5974 "-ticket-key",
5975 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5976 },
5977 shouldFail: false,
5978 expectResumeRejected: true,
5979 })
5980
5981 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5982 // PRF hashes match, but BoringSSL will always decline such resumptions.
5983 testCases = append(testCases, testCase{
5984 testType: serverTest,
5985 name: "Resume-Server-CipherNotPreferred-TLS13",
5986 resumeSession: true,
5987 config: Config{
5988 MaxVersion: VersionTLS13,
5989 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5990 Bugs: ProtocolBugs{
5991 FilterTicket: func(in []byte) ([]byte, error) {
5992 // If the client (runner) offers ChaCha20-Poly1305 first, the
5993 // server (shim) always prefers it. Switch it to AES-GCM.
5994 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5995 },
5996 },
5997 },
5998 flags: []string{
5999 "-ticket-key",
6000 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6001 },
6002 shouldFail: false,
6003 expectResumeRejected: true,
6004 })
6005
6006 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6007 testCases = append(testCases, testCase{
6008 testType: serverTest,
6009 name: "Resume-Server-DeclineBadCipher-TLS13",
6010 resumeSession: true,
6011 config: Config{
6012 MaxVersion: VersionTLS13,
6013 Bugs: ProtocolBugs{
6014 FilterTicket: func(in []byte) ([]byte, error) {
6015 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6016 },
6017 },
6018 },
6019 flags: []string{
6020 "-ticket-key",
6021 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6022 },
6023 expectResumeRejected: true,
6024 })
6025
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6026 // If the client does not offer the cipher from the session, decline to
6027 // resume. Clients are forbidden from doing this, but BoringSSL selects
6028 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6029 testCases = append(testCases, testCase{
6030 testType: serverTest,
6031 name: "Resume-Server-UnofferedCipher",
6032 resumeSession: true,
6033 config: Config{
6034 MaxVersion: VersionTLS12,
6035 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6036 },
6037 resumeConfig: &Config{
6038 MaxVersion: VersionTLS12,
6039 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6040 Bugs: ProtocolBugs{
6041 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6042 },
6043 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6044 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6045 })
6046
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6047 // In TLS 1.3, clients may advertise a cipher list which does not
6048 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]6049 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6050 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6051 testCases = append(testCases, testCase{
6052 testType: serverTest,
6053 name: "Resume-Server-UnofferedCipher-TLS13",
6054 resumeSession: true,
6055 config: Config{
6056 MaxVersion: VersionTLS13,
6057 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6058 },
6059 resumeConfig: &Config{
6060 MaxVersion: VersionTLS13,
6061 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6062 Bugs: ProtocolBugs{
6063 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6064 },
6065 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6066 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6067 })
6068
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6069 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6070 testCases = append(testCases, testCase{
6071 name: "Resume-Client-CipherMismatch",
6072 resumeSession: true,
6073 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6074 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6075 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6076 },
6077 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6078 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6079 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6080 Bugs: ProtocolBugs{
6081 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6082 },
6083 },
6084 shouldFail: true,
6085 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6086 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6087
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6088 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6089 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6090 testCases = append(testCases, testCase{
6091 name: "Resume-Client-CipherMismatch-TLS13",
6092 resumeSession: true,
6093 config: Config{
6094 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6095 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6096 },
6097 resumeConfig: &Config{
6098 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6099 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6100 },
6101 })
6102
6103 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6104 testCases = append(testCases, testCase{
6105 name: "Resume-Client-PRFMismatch-TLS13",
6106 resumeSession: true,
6107 config: Config{
6108 MaxVersion: VersionTLS13,
6109 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6110 },
6111 resumeConfig: &Config{
6112 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6113 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6114 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6115 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6116 },
6117 },
6118 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6119 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6120 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6121
6122 testCases = append(testCases, testCase{
6123 testType: serverTest,
6124 name: "Resume-Server-BinderWrongLength",
6125 resumeSession: true,
6126 config: Config{
6127 MaxVersion: VersionTLS13,
6128 Bugs: ProtocolBugs{
6129 SendShortPSKBinder: true,
6130 },
6131 },
6132 shouldFail: true,
6133 expectedLocalError: "remote error: error decrypting message",
6134 expectedError: ":DIGEST_CHECK_FAILED:",
6135 })
6136
6137 testCases = append(testCases, testCase{
6138 testType: serverTest,
6139 name: "Resume-Server-NoPSKBinder",
6140 resumeSession: true,
6141 config: Config{
6142 MaxVersion: VersionTLS13,
6143 Bugs: ProtocolBugs{
6144 SendNoPSKBinder: true,
6145 },
6146 },
6147 shouldFail: true,
6148 expectedLocalError: "remote error: error decoding message",
6149 expectedError: ":DECODE_ERROR:",
6150 })
6151
6152 testCases = append(testCases, testCase{
6153 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6154 name: "Resume-Server-ExtraPSKBinder",
6155 resumeSession: true,
6156 config: Config{
6157 MaxVersion: VersionTLS13,
6158 Bugs: ProtocolBugs{
6159 SendExtraPSKBinder: true,
6160 },
6161 },
6162 shouldFail: true,
6163 expectedLocalError: "remote error: illegal parameter",
6164 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6165 })
6166
6167 testCases = append(testCases, testCase{
6168 testType: serverTest,
6169 name: "Resume-Server-ExtraIdentityNoBinder",
6170 resumeSession: true,
6171 config: Config{
6172 MaxVersion: VersionTLS13,
6173 Bugs: ProtocolBugs{
6174 ExtraPSKIdentity: true,
6175 },
6176 },
6177 shouldFail: true,
6178 expectedLocalError: "remote error: illegal parameter",
6179 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6180 })
6181
6182 testCases = append(testCases, testCase{
6183 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6184 name: "Resume-Server-InvalidPSKBinder",
6185 resumeSession: true,
6186 config: Config{
6187 MaxVersion: VersionTLS13,
6188 Bugs: ProtocolBugs{
6189 SendInvalidPSKBinder: true,
6190 },
6191 },
6192 shouldFail: true,
6193 expectedLocalError: "remote error: error decrypting message",
6194 expectedError: ":DIGEST_CHECK_FAILED:",
6195 })
6196
6197 testCases = append(testCases, testCase{
6198 testType: serverTest,
6199 name: "Resume-Server-PSKBinderFirstExtension",
6200 resumeSession: true,
6201 config: Config{
6202 MaxVersion: VersionTLS13,
6203 Bugs: ProtocolBugs{
6204 PSKBinderFirst: true,
6205 },
6206 },
6207 shouldFail: true,
6208 expectedLocalError: "remote error: illegal parameter",
6209 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6210 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6211}
6212
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6213func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6214 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6215 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6216 testType: serverTest,
6217 name: "Renegotiate-Server-Forbidden",
6218 config: Config{
6219 MaxVersion: VersionTLS12,
6220 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6221 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6222 shouldFail: true,
6223 expectedError: ":NO_RENEGOTIATION:",
6224 expectedLocalError: "remote error: no renegotiation",
6225 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6226 // The server shouldn't echo the renegotiation extension unless
6227 // requested by the client.
6228 testCases = append(testCases, testCase{
6229 testType: serverTest,
6230 name: "Renegotiate-Server-NoExt",
6231 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6232 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6233 Bugs: ProtocolBugs{
6234 NoRenegotiationInfo: true,
6235 RequireRenegotiationInfo: true,
6236 },
6237 },
6238 shouldFail: true,
6239 expectedLocalError: "renegotiation extension missing",
6240 })
6241 // The renegotiation SCSV should be sufficient for the server to echo
6242 // the extension.
6243 testCases = append(testCases, testCase{
6244 testType: serverTest,
6245 name: "Renegotiate-Server-NoExt-SCSV",
6246 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6247 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6248 Bugs: ProtocolBugs{
6249 NoRenegotiationInfo: true,
6250 SendRenegotiationSCSV: true,
6251 RequireRenegotiationInfo: true,
6252 },
6253 },
6254 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6255 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6256 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6257 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6258 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6259 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6260 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6261 },
6262 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6263 renegotiate: 1,
6264 flags: []string{
6265 "-renegotiate-freely",
6266 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6267 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6268 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6269 })
6270 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6271 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6272 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6273 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6274 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6275 Bugs: ProtocolBugs{
6276 EmptyRenegotiationInfo: true,
6277 },
6278 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6279 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6280 shouldFail: true,
6281 expectedError: ":RENEGOTIATION_MISMATCH:",
6282 })
6283 testCases = append(testCases, testCase{
6284 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6285 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6286 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6287 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6288 Bugs: ProtocolBugs{
6289 BadRenegotiationInfo: true,
6290 },
6291 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6292 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6293 shouldFail: true,
6294 expectedError: ":RENEGOTIATION_MISMATCH:",
6295 })
6296 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6297 name: "Renegotiate-Client-Downgrade",
6298 renegotiate: 1,
6299 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6300 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6301 Bugs: ProtocolBugs{
6302 NoRenegotiationInfoAfterInitial: true,
6303 },
6304 },
6305 flags: []string{"-renegotiate-freely"},
6306 shouldFail: true,
6307 expectedError: ":RENEGOTIATION_MISMATCH:",
6308 })
6309 testCases = append(testCases, testCase{
6310 name: "Renegotiate-Client-Upgrade",
6311 renegotiate: 1,
6312 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6313 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6314 Bugs: ProtocolBugs{
6315 NoRenegotiationInfoInInitial: true,
6316 },
6317 },
6318 flags: []string{"-renegotiate-freely"},
6319 shouldFail: true,
6320 expectedError: ":RENEGOTIATION_MISMATCH:",
6321 })
6322 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6323 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6324 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6325 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6326 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6327 Bugs: ProtocolBugs{
6328 NoRenegotiationInfo: true,
6329 },
6330 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6331 flags: []string{
6332 "-renegotiate-freely",
6333 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6334 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6335 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6336 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6337
6338 // Test that the server may switch ciphers on renegotiation without
6339 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6340 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6341 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6342 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6343 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6344 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6345 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6346 },
6347 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6348 flags: []string{
6349 "-renegotiate-freely",
6350 "-expect-total-renegotiations", "1",
6351 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6352 })
6353 testCases = append(testCases, testCase{
6354 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6355 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6356 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6357 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6358 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6359 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6360 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6361 flags: []string{
6362 "-renegotiate-freely",
6363 "-expect-total-renegotiations", "1",
6364 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6365 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6366
6367 // Test that the server may not switch versions on renegotiation.
6368 testCases = append(testCases, testCase{
6369 name: "Renegotiate-Client-SwitchVersion",
6370 config: Config{
6371 MaxVersion: VersionTLS12,
6372 // Pick a cipher which exists at both versions.
6373 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6374 Bugs: ProtocolBugs{
6375 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6376 // Avoid failing early at the record layer.
6377 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6378 },
6379 },
6380 renegotiate: 1,
6381 flags: []string{
6382 "-renegotiate-freely",
6383 "-expect-total-renegotiations", "1",
6384 },
6385 shouldFail: true,
6386 expectedError: ":WRONG_SSL_VERSION:",
6387 })
6388
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6389 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6390 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6391 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6392 config: Config{
6393 MaxVersion: VersionTLS10,
6394 Bugs: ProtocolBugs{
6395 RequireSameRenegoClientVersion: true,
6396 },
6397 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6398 flags: []string{
6399 "-renegotiate-freely",
6400 "-expect-total-renegotiations", "1",
6401 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6402 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6403 testCases = append(testCases, testCase{
6404 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6405 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6406 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6407 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6408 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6409 NextProtos: []string{"foo"},
6410 },
6411 flags: []string{
6412 "-false-start",
6413 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6414 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6415 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6416 },
6417 shimWritesFirst: true,
6418 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6419
6420 // Client-side renegotiation controls.
6421 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6422 name: "Renegotiate-Client-Forbidden-1",
6423 config: Config{
6424 MaxVersion: VersionTLS12,
6425 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6426 renegotiate: 1,
6427 shouldFail: true,
6428 expectedError: ":NO_RENEGOTIATION:",
6429 expectedLocalError: "remote error: no renegotiation",
6430 })
6431 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6432 name: "Renegotiate-Client-Once-1",
6433 config: Config{
6434 MaxVersion: VersionTLS12,
6435 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6436 renegotiate: 1,
6437 flags: []string{
6438 "-renegotiate-once",
6439 "-expect-total-renegotiations", "1",
6440 },
6441 })
6442 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6443 name: "Renegotiate-Client-Freely-1",
6444 config: Config{
6445 MaxVersion: VersionTLS12,
6446 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6447 renegotiate: 1,
6448 flags: []string{
6449 "-renegotiate-freely",
6450 "-expect-total-renegotiations", "1",
6451 },
6452 })
6453 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6454 name: "Renegotiate-Client-Once-2",
6455 config: Config{
6456 MaxVersion: VersionTLS12,
6457 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6458 renegotiate: 2,
6459 flags: []string{"-renegotiate-once"},
6460 shouldFail: true,
6461 expectedError: ":NO_RENEGOTIATION:",
6462 expectedLocalError: "remote error: no renegotiation",
6463 })
6464 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6465 name: "Renegotiate-Client-Freely-2",
6466 config: Config{
6467 MaxVersion: VersionTLS12,
6468 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6469 renegotiate: 2,
6470 flags: []string{
6471 "-renegotiate-freely",
6472 "-expect-total-renegotiations", "2",
6473 },
6474 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6475 testCases = append(testCases, testCase{
6476 name: "Renegotiate-Client-NoIgnore",
6477 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6478 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6479 Bugs: ProtocolBugs{
6480 SendHelloRequestBeforeEveryAppDataRecord: true,
6481 },
6482 },
6483 shouldFail: true,
6484 expectedError: ":NO_RENEGOTIATION:",
6485 })
6486 testCases = append(testCases, testCase{
6487 name: "Renegotiate-Client-Ignore",
6488 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6489 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6490 Bugs: ProtocolBugs{
6491 SendHelloRequestBeforeEveryAppDataRecord: true,
6492 },
6493 },
6494 flags: []string{
6495 "-renegotiate-ignore",
6496 "-expect-total-renegotiations", "0",
6497 },
6498 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6499
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6500 // Renegotiation is not allowed at SSL 3.0.
6501 testCases = append(testCases, testCase{
6502 name: "Renegotiate-Client-SSL3",
6503 config: Config{
6504 MaxVersion: VersionSSL30,
6505 },
6506 renegotiate: 1,
6507 flags: []string{
6508 "-renegotiate-freely",
6509 "-expect-total-renegotiations", "1",
6510 },
6511 shouldFail: true,
6512 expectedError: ":NO_RENEGOTIATION:",
6513 expectedLocalError: "remote error: no renegotiation",
6514 })
6515
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6516 // Renegotiation is not allowed when there is an unfinished write.
6517 testCases = append(testCases, testCase{
6518 name: "Renegotiate-Client-UnfinishedWrite",
6519 config: Config{
6520 MaxVersion: VersionTLS12,
6521 },
David Benjaminbbba9392017-04-06 12:54:12 -0400[diff] [blame]6522 renegotiate: 1,
6523 readWithUnfinishedWrite: true,
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6524 flags: []string{
6525 "-async",
6526 "-renegotiate-freely",
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6527 },
6528 shouldFail: true,
6529 expectedError: ":NO_RENEGOTIATION:",
6530 // We do not successfully send the no_renegotiation alert in
6531 // this case. https://crbug.com/boringssl/130
6532 })
6533
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6534 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6535 testCases = append(testCases, testCase{
6536 name: "StrayHelloRequest",
6537 config: Config{
6538 MaxVersion: VersionTLS12,
6539 Bugs: ProtocolBugs{
6540 SendHelloRequestBeforeEveryHandshakeMessage: true,
6541 },
6542 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6543 shouldFail: true,
6544 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6545 })
6546 testCases = append(testCases, testCase{
6547 name: "StrayHelloRequest-Packed",
6548 config: Config{
6549 MaxVersion: VersionTLS12,
6550 Bugs: ProtocolBugs{
6551 PackHandshakeFlight: true,
6552 SendHelloRequestBeforeEveryHandshakeMessage: true,
6553 },
6554 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6555 shouldFail: true,
6556 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6557 })
6558
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6559 // Test renegotiation works if HelloRequest and server Finished come in
6560 // the same record.
6561 testCases = append(testCases, testCase{
6562 name: "Renegotiate-Client-Packed",
6563 config: Config{
6564 MaxVersion: VersionTLS12,
6565 Bugs: ProtocolBugs{
6566 PackHandshakeFlight: true,
6567 PackHelloRequestWithFinished: true,
6568 },
6569 },
6570 renegotiate: 1,
6571 flags: []string{
6572 "-renegotiate-freely",
6573 "-expect-total-renegotiations", "1",
6574 },
6575 })
6576
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6577 // Renegotiation is forbidden in TLS 1.3.
6578 testCases = append(testCases, testCase{
6579 name: "Renegotiate-Client-TLS13",
6580 config: Config{
6581 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6582 Bugs: ProtocolBugs{
6583 SendHelloRequestBeforeEveryAppDataRecord: true,
6584 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6585 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6586 flags: []string{
6587 "-renegotiate-freely",
6588 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6589 shouldFail: true,
6590 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6591 })
6592
6593 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6594 testCases = append(testCases, testCase{
6595 name: "StrayHelloRequest-TLS13",
6596 config: Config{
6597 MaxVersion: VersionTLS13,
6598 Bugs: ProtocolBugs{
6599 SendHelloRequestBeforeEveryHandshakeMessage: true,
6600 },
6601 },
6602 shouldFail: true,
6603 expectedError: ":UNEXPECTED_MESSAGE:",
6604 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6605
6606 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6607 // always reads as supporting it, regardless of whether it was
6608 // negotiated.
6609 testCases = append(testCases, testCase{
6610 name: "AlwaysReportRenegotiationInfo-TLS13",
6611 config: Config{
6612 MaxVersion: VersionTLS13,
6613 Bugs: ProtocolBugs{
6614 NoRenegotiationInfo: true,
6615 },
6616 },
6617 flags: []string{
6618 "-expect-secure-renegotiation",
6619 },
6620 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6621
6622 // Certificates may not change on renegotiation.
6623 testCases = append(testCases, testCase{
6624 name: "Renegotiation-CertificateChange",
6625 config: Config{
6626 MaxVersion: VersionTLS12,
6627 Certificates: []Certificate{rsaCertificate},
6628 Bugs: ProtocolBugs{
6629 RenegotiationCertificate: &rsaChainCertificate,
6630 },
6631 },
6632 renegotiate: 1,
6633 flags: []string{"-renegotiate-freely"},
6634 shouldFail: true,
6635 expectedError: ":SERVER_CERT_CHANGED:",
6636 })
6637 testCases = append(testCases, testCase{
6638 name: "Renegotiation-CertificateChange-2",
6639 config: Config{
6640 MaxVersion: VersionTLS12,
6641 Certificates: []Certificate{rsaCertificate},
6642 Bugs: ProtocolBugs{
6643 RenegotiationCertificate: &rsa1024Certificate,
6644 },
6645 },
6646 renegotiate: 1,
6647 flags: []string{"-renegotiate-freely"},
6648 shouldFail: true,
6649 expectedError: ":SERVER_CERT_CHANGED:",
6650 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6651
6652 // We do not negotiate ALPN after the initial handshake. This is
6653 // error-prone and only risks bugs in consumers.
6654 testCases = append(testCases, testCase{
6655 testType: clientTest,
6656 name: "Renegotiation-ForbidALPN",
6657 config: Config{
6658 MaxVersion: VersionTLS12,
6659 Bugs: ProtocolBugs{
6660 // Forcibly negotiate ALPN on both initial and
6661 // renegotiation handshakes. The test stack will
6662 // internally check the client does not offer
6663 // it.
6664 SendALPN: "foo",
6665 },
6666 },
6667 flags: []string{
6668 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6669 "-expect-alpn", "foo",
6670 "-renegotiate-freely",
6671 },
6672 renegotiate: 1,
6673 shouldFail: true,
6674 expectedError: ":UNEXPECTED_EXTENSION:",
6675 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6676}
6677
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6678func addDTLSReplayTests() {
6679 // Test that sequence number replays are detected.
6680 testCases = append(testCases, testCase{
6681 protocol: dtls,
6682 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6683 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6684 replayWrites: true,
6685 })
6686
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6687 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6688 // than the retransmit window.
6689 testCases = append(testCases, testCase{
6690 protocol: dtls,
6691 name: "DTLS-Replay-LargeGaps",
6692 config: Config{
6693 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6694 SequenceNumberMapping: func(in uint64) uint64 {
6695 return in * 127
6696 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6697 },
6698 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6699 messageCount: 200,
6700 replayWrites: true,
6701 })
6702
6703 // Test the incoming sequence number changing non-monotonically.
6704 testCases = append(testCases, testCase{
6705 protocol: dtls,
6706 name: "DTLS-Replay-NonMonotonic",
6707 config: Config{
6708 Bugs: ProtocolBugs{
6709 SequenceNumberMapping: func(in uint64) uint64 {
6710 return in ^ 31
6711 },
6712 },
6713 },
6714 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6715 replayWrites: true,
6716 })
6717}
6718
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6719var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6720 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6721 id signatureAlgorithm
6722 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6723}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6724 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6725 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6726 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6727 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6728 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6729 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6730 // hash function doesn't have to match the curve and so the same
6731 // signature algorithm works with P-224.
6732 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6733 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6734 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6735 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6736 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6737 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6738 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6739 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6740 // Tests for key types prior to TLS 1.2.
6741 {"RSA", 0, testCertRSA},
6742 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6743}
6744
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6745const fakeSigAlg1 signatureAlgorithm = 0x2a01
6746const fakeSigAlg2 signatureAlgorithm = 0xff01
6747
6748func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6749 // Not all ciphers involve a signature. Advertise a list which gives all
6750 // versions a signing cipher.
6751 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6752 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6753 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6754 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6755 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6756 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6757 }
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6758
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6759 var allAlgorithms []signatureAlgorithm
6760 for _, alg := range testSignatureAlgorithms {
6761 if alg.id != 0 {
6762 allAlgorithms = append(allAlgorithms, alg.id)
6763 }
6764 }
6765
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6766 // Make sure each signature algorithm works. Include some fake values in
6767 // the list and ensure they're ignored.
6768 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6769 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6770 if (ver.version < VersionTLS12) != (alg.id == 0) {
6771 continue
6772 }
6773
6774 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6775 // or remove it in C.
6776 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6777 continue
6778 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6779
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6780 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6781 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6782 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6783 shouldSignFail = true
6784 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6785 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6786 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6787 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6788 shouldSignFail = true
6789 shouldVerifyFail = true
6790 }
6791 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6792 // the curve has to match the hash size.
6793 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6794 shouldSignFail = true
6795 shouldVerifyFail = true
6796 }
6797
6798 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6799 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6800 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6801 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6802
6803 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6804 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6805 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6806 }
6807 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6808 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6809 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6810
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6811 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6812
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6813 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6814 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6815 config: Config{
6816 MaxVersion: ver.version,
6817 ClientAuth: RequireAnyClientCert,
6818 VerifySignatureAlgorithms: []signatureAlgorithm{
6819 fakeSigAlg1,
6820 alg.id,
6821 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6822 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6823 },
6824 flags: []string{
6825 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6826 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6827 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6828 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6829 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6830 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6831 expectedError: signError,
6832 expectedPeerSignatureAlgorithm: alg.id,
6833 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6834
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6835 testCases = append(testCases, testCase{
6836 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6837 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6838 config: Config{
6839 MaxVersion: ver.version,
6840 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6841 SignSignatureAlgorithms: []signatureAlgorithm{
6842 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6843 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6844 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6845 SkipECDSACurveCheck: shouldVerifyFail,
6846 IgnoreSignatureVersionChecks: shouldVerifyFail,
6847 // Some signature algorithms may not be advertised.
6848 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6849 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6850 },
6851 flags: []string{
6852 "-require-any-client-certificate",
6853 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6854 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6855 "-enable-ed25519",
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6856 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6857 // Resume the session to assert the peer signature
6858 // algorithm is reported on both handshakes.
6859 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6860 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6861 expectedError: verifyError,
6862 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6863
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6864 // No signing cipher for SSL 3.0.
David Benjamin96bc12a2017-04-14 16:48:08 -0400[diff] [blame]6865 if ver.version > VersionSSL30 {
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6866 testCases = append(testCases, testCase{
6867 testType: serverTest,
6868 name: "ServerAuth-Sign" + suffix,
6869 config: Config{
6870 MaxVersion: ver.version,
6871 CipherSuites: signingCiphers,
6872 VerifySignatureAlgorithms: []signatureAlgorithm{
6873 fakeSigAlg1,
6874 alg.id,
6875 fakeSigAlg2,
6876 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6877 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6878 flags: []string{
6879 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6880 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6881 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6882 "-enable-ed25519",
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6883 },
6884 shouldFail: shouldSignFail,
6885 expectedError: signError,
6886 expectedPeerSignatureAlgorithm: alg.id,
6887 })
6888 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6889
6890 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6891 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6892 config: Config{
6893 MaxVersion: ver.version,
6894 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6895 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6896 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6897 alg.id,
6898 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6899 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6900 SkipECDSACurveCheck: shouldVerifyFail,
6901 IgnoreSignatureVersionChecks: shouldVerifyFail,
6902 // Some signature algorithms may not be advertised.
6903 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6904 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6905 },
6906 flags: []string{
6907 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6908 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6909 "-enable-ed25519",
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6910 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6911 // Resume the session to assert the peer signature
6912 // algorithm is reported on both handshakes.
6913 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6914 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6915 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6916 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6917
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6918 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6919 testCases = append(testCases, testCase{
6920 testType: serverTest,
6921 name: "ClientAuth-InvalidSignature" + suffix,
6922 config: Config{
6923 MaxVersion: ver.version,
6924 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6925 SignSignatureAlgorithms: []signatureAlgorithm{
6926 alg.id,
6927 },
6928 Bugs: ProtocolBugs{
6929 InvalidSignature: true,
6930 },
6931 },
6932 flags: []string{
6933 "-require-any-client-certificate",
6934 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6935 "-enable-ed25519",
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6936 },
6937 shouldFail: true,
6938 expectedError: ":BAD_SIGNATURE:",
6939 })
6940
6941 testCases = append(testCases, testCase{
6942 name: "ServerAuth-InvalidSignature" + suffix,
6943 config: Config{
6944 MaxVersion: ver.version,
6945 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6946 CipherSuites: signingCiphers,
6947 SignSignatureAlgorithms: []signatureAlgorithm{
6948 alg.id,
6949 },
6950 Bugs: ProtocolBugs{
6951 InvalidSignature: true,
6952 },
6953 },
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6954 flags: []string{
6955 "-enable-all-curves",
6956 "-enable-ed25519",
6957 },
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6958 shouldFail: true,
6959 expectedError: ":BAD_SIGNATURE:",
6960 })
6961 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6962
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6963 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6964 testCases = append(testCases, testCase{
6965 name: "ClientAuth-Sign-Negotiate" + suffix,
6966 config: Config{
6967 MaxVersion: ver.version,
6968 ClientAuth: RequireAnyClientCert,
6969 VerifySignatureAlgorithms: allAlgorithms,
6970 },
6971 flags: []string{
6972 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6973 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6974 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6975 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6976 "-signing-prefs", strconv.Itoa(int(alg.id)),
6977 },
6978 expectedPeerSignatureAlgorithm: alg.id,
6979 })
6980
6981 testCases = append(testCases, testCase{
6982 testType: serverTest,
6983 name: "ServerAuth-Sign-Negotiate" + suffix,
6984 config: Config{
6985 MaxVersion: ver.version,
6986 CipherSuites: signingCiphers,
6987 VerifySignatureAlgorithms: allAlgorithms,
6988 },
6989 flags: []string{
6990 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6991 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6992 "-enable-all-curves",
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]6993 "-enable-ed25519",
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6994 "-signing-prefs", strconv.Itoa(int(alg.id)),
6995 },
6996 expectedPeerSignatureAlgorithm: alg.id,
6997 })
6998 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6999 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7000 }
7001
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7002 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7003 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7004 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7005 config: Config{
7006 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7007 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7008 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7009 signatureECDSAWithP521AndSHA512,
7010 signatureRSAPKCS1WithSHA384,
7011 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7012 },
7013 },
7014 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7015 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7016 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7017 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7018 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7019 })
7020
7021 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7022 name: "ClientAuth-SignatureType-TLS13",
7023 config: Config{
7024 ClientAuth: RequireAnyClientCert,
7025 MaxVersion: VersionTLS13,
7026 VerifySignatureAlgorithms: []signatureAlgorithm{
7027 signatureECDSAWithP521AndSHA512,
7028 signatureRSAPKCS1WithSHA384,
7029 signatureRSAPSSWithSHA384,
7030 signatureECDSAWithSHA1,
7031 },
7032 },
7033 flags: []string{
7034 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7035 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7036 },
7037 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7038 })
7039
7040 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7041 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7042 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7043 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7044 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7045 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7046 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7047 signatureECDSAWithP521AndSHA512,
7048 signatureRSAPKCS1WithSHA384,
7049 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7050 },
7051 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7052 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7053 })
7054
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7055 testCases = append(testCases, testCase{
7056 testType: serverTest,
7057 name: "ServerAuth-SignatureType-TLS13",
7058 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7059 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7060 VerifySignatureAlgorithms: []signatureAlgorithm{
7061 signatureECDSAWithP521AndSHA512,
7062 signatureRSAPKCS1WithSHA384,
7063 signatureRSAPSSWithSHA384,
7064 signatureECDSAWithSHA1,
7065 },
7066 },
7067 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7068 })
7069
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7070 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7071 testCases = append(testCases, testCase{
7072 testType: serverTest,
7073 name: "Verify-ClientAuth-SignatureType",
7074 config: Config{
7075 MaxVersion: VersionTLS12,
7076 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7077 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7078 signatureRSAPKCS1WithSHA256,
7079 },
7080 Bugs: ProtocolBugs{
7081 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7082 },
7083 },
7084 flags: []string{
7085 "-require-any-client-certificate",
7086 },
7087 shouldFail: true,
7088 expectedError: ":WRONG_SIGNATURE_TYPE:",
7089 })
7090
7091 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7092 testType: serverTest,
7093 name: "Verify-ClientAuth-SignatureType-TLS13",
7094 config: Config{
7095 MaxVersion: VersionTLS13,
7096 Certificates: []Certificate{rsaCertificate},
7097 SignSignatureAlgorithms: []signatureAlgorithm{
7098 signatureRSAPSSWithSHA256,
7099 },
7100 Bugs: ProtocolBugs{
7101 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7102 },
7103 },
7104 flags: []string{
7105 "-require-any-client-certificate",
7106 },
7107 shouldFail: true,
7108 expectedError: ":WRONG_SIGNATURE_TYPE:",
7109 })
7110
7111 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7112 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7113 config: Config{
7114 MaxVersion: VersionTLS12,
7115 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7116 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7117 signatureRSAPKCS1WithSHA256,
7118 },
7119 Bugs: ProtocolBugs{
7120 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7121 },
7122 },
7123 shouldFail: true,
7124 expectedError: ":WRONG_SIGNATURE_TYPE:",
7125 })
7126
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7127 testCases = append(testCases, testCase{
7128 name: "Verify-ServerAuth-SignatureType-TLS13",
7129 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7130 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7131 SignSignatureAlgorithms: []signatureAlgorithm{
7132 signatureRSAPSSWithSHA256,
7133 },
7134 Bugs: ProtocolBugs{
7135 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7136 },
7137 },
7138 shouldFail: true,
7139 expectedError: ":WRONG_SIGNATURE_TYPE:",
7140 })
7141
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7142 // Test that, if the list is missing, the peer falls back to SHA-1 in
7143 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7144 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7145 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7146 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7147 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7148 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7149 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7150 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7151 },
7152 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7153 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7154 },
7155 },
7156 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7157 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7158 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7159 },
7160 })
7161
7162 testCases = append(testCases, testCase{
7163 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7164 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7165 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7166 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7167 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7168 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7169 },
7170 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7171 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7172 },
7173 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7174 flags: []string{
7175 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7176 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7177 },
7178 })
7179
7180 testCases = append(testCases, testCase{
7181 name: "ClientAuth-SHA1-Fallback-ECDSA",
7182 config: Config{
7183 MaxVersion: VersionTLS12,
7184 ClientAuth: RequireAnyClientCert,
7185 VerifySignatureAlgorithms: []signatureAlgorithm{
7186 signatureECDSAWithSHA1,
7187 },
7188 Bugs: ProtocolBugs{
7189 NoSignatureAlgorithms: true,
7190 },
7191 },
7192 flags: []string{
7193 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7194 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7195 },
7196 })
7197
7198 testCases = append(testCases, testCase{
7199 testType: serverTest,
7200 name: "ServerAuth-SHA1-Fallback-ECDSA",
7201 config: Config{
7202 MaxVersion: VersionTLS12,
7203 VerifySignatureAlgorithms: []signatureAlgorithm{
7204 signatureECDSAWithSHA1,
7205 },
7206 Bugs: ProtocolBugs{
7207 NoSignatureAlgorithms: true,
7208 },
7209 },
7210 flags: []string{
7211 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7212 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7213 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7214 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7215
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7216 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7217 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7218 config: Config{
7219 MaxVersion: VersionTLS13,
7220 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7221 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7222 signatureRSAPKCS1WithSHA1,
7223 },
7224 Bugs: ProtocolBugs{
7225 NoSignatureAlgorithms: true,
7226 },
7227 },
7228 flags: []string{
7229 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7230 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7231 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7232 shouldFail: true,
7233 // An empty CertificateRequest signature algorithm list is a
7234 // syntax error in TLS 1.3.
7235 expectedError: ":DECODE_ERROR:",
7236 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7237 })
7238
7239 testCases = append(testCases, testCase{
7240 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7241 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7242 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7243 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7244 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7245 signatureRSAPKCS1WithSHA1,
7246 },
7247 Bugs: ProtocolBugs{
7248 NoSignatureAlgorithms: true,
7249 },
7250 },
7251 shouldFail: true,
7252 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7253 })
7254
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7255 // Test that hash preferences are enforced. BoringSSL does not implement
7256 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7257 testCases = append(testCases, testCase{
7258 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7259 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7260 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7261 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7262 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7263 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7264 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7265 },
7266 Bugs: ProtocolBugs{
7267 IgnorePeerSignatureAlgorithmPreferences: true,
7268 },
7269 },
7270 flags: []string{"-require-any-client-certificate"},
7271 shouldFail: true,
7272 expectedError: ":WRONG_SIGNATURE_TYPE:",
7273 })
7274
7275 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7276 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7277 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7278 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7279 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7280 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7281 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7282 },
7283 Bugs: ProtocolBugs{
7284 IgnorePeerSignatureAlgorithmPreferences: true,
7285 },
7286 },
7287 shouldFail: true,
7288 expectedError: ":WRONG_SIGNATURE_TYPE:",
7289 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7290 testCases = append(testCases, testCase{
7291 testType: serverTest,
7292 name: "ClientAuth-Enforced-TLS13",
7293 config: Config{
7294 MaxVersion: VersionTLS13,
7295 Certificates: []Certificate{rsaCertificate},
7296 SignSignatureAlgorithms: []signatureAlgorithm{
7297 signatureRSAPKCS1WithMD5,
7298 },
7299 Bugs: ProtocolBugs{
7300 IgnorePeerSignatureAlgorithmPreferences: true,
7301 IgnoreSignatureVersionChecks: true,
7302 },
7303 },
7304 flags: []string{"-require-any-client-certificate"},
7305 shouldFail: true,
7306 expectedError: ":WRONG_SIGNATURE_TYPE:",
7307 })
7308
7309 testCases = append(testCases, testCase{
7310 name: "ServerAuth-Enforced-TLS13",
7311 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7312 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7313 SignSignatureAlgorithms: []signatureAlgorithm{
7314 signatureRSAPKCS1WithMD5,
7315 },
7316 Bugs: ProtocolBugs{
7317 IgnorePeerSignatureAlgorithmPreferences: true,
7318 IgnoreSignatureVersionChecks: true,
7319 },
7320 },
7321 shouldFail: true,
7322 expectedError: ":WRONG_SIGNATURE_TYPE:",
7323 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7324
7325 // Test that the agreed upon digest respects the client preferences and
7326 // the server digests.
7327 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7328 name: "NoCommonAlgorithms-Digests",
7329 config: Config{
7330 MaxVersion: VersionTLS12,
7331 ClientAuth: RequireAnyClientCert,
7332 VerifySignatureAlgorithms: []signatureAlgorithm{
7333 signatureRSAPKCS1WithSHA512,
7334 signatureRSAPKCS1WithSHA1,
7335 },
7336 },
7337 flags: []string{
7338 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7339 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7340 "-digest-prefs", "SHA256",
7341 },
7342 shouldFail: true,
7343 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7344 })
7345 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7346 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7347 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7348 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7349 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7350 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7351 signatureRSAPKCS1WithSHA512,
7352 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7353 },
7354 },
7355 flags: []string{
7356 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7357 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7358 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7359 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7360 shouldFail: true,
7361 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7362 })
7363 testCases = append(testCases, testCase{
7364 name: "NoCommonAlgorithms-TLS13",
7365 config: Config{
7366 MaxVersion: VersionTLS13,
7367 ClientAuth: RequireAnyClientCert,
7368 VerifySignatureAlgorithms: []signatureAlgorithm{
7369 signatureRSAPSSWithSHA512,
7370 signatureRSAPSSWithSHA384,
7371 },
7372 },
7373 flags: []string{
7374 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7375 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7376 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7377 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7378 shouldFail: true,
7379 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7380 })
7381 testCases = append(testCases, testCase{
7382 name: "Agree-Digest-SHA256",
7383 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7384 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7385 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7386 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7387 signatureRSAPKCS1WithSHA1,
7388 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7389 },
7390 },
7391 flags: []string{
7392 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7393 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7394 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7395 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7396 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7397 })
7398 testCases = append(testCases, testCase{
7399 name: "Agree-Digest-SHA1",
7400 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7401 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7402 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7403 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7404 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7405 },
7406 },
7407 flags: []string{
7408 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7409 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7410 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7411 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7412 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7413 })
7414 testCases = append(testCases, testCase{
7415 name: "Agree-Digest-Default",
7416 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7417 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7418 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7419 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7420 signatureRSAPKCS1WithSHA256,
7421 signatureECDSAWithP256AndSHA256,
7422 signatureRSAPKCS1WithSHA1,
7423 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7424 },
7425 },
7426 flags: []string{
7427 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7428 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7429 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7430 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7431 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7432
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7433 // Test that the signing preference list may include extra algorithms
7434 // without negotiation problems.
7435 testCases = append(testCases, testCase{
7436 testType: serverTest,
7437 name: "FilterExtraAlgorithms",
7438 config: Config{
7439 MaxVersion: VersionTLS12,
7440 VerifySignatureAlgorithms: []signatureAlgorithm{
7441 signatureRSAPKCS1WithSHA256,
7442 },
7443 },
7444 flags: []string{
7445 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7446 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7447 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7448 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7449 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7450 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7451 },
7452 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7453 })
7454
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7455 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7456 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7457 testCases = append(testCases, testCase{
7458 name: "CheckLeafCurve",
7459 config: Config{
7460 MaxVersion: VersionTLS12,
7461 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7462 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7463 },
7464 flags: []string{"-p384-only"},
7465 shouldFail: true,
7466 expectedError: ":BAD_ECC_CERT:",
7467 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7468
7469 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7470 testCases = append(testCases, testCase{
7471 name: "CheckLeafCurve-TLS13",
7472 config: Config{
7473 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7474 Certificates: []Certificate{ecdsaP256Certificate},
7475 },
7476 flags: []string{"-p384-only"},
7477 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7478
7479 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7480 testCases = append(testCases, testCase{
7481 name: "ECDSACurveMismatch-Verify-TLS12",
7482 config: Config{
7483 MaxVersion: VersionTLS12,
7484 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7485 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7486 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7487 signatureECDSAWithP384AndSHA384,
7488 },
7489 },
7490 })
7491
7492 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7493 testCases = append(testCases, testCase{
7494 name: "ECDSACurveMismatch-Verify-TLS13",
7495 config: Config{
7496 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7497 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7498 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7499 signatureECDSAWithP384AndSHA384,
7500 },
7501 Bugs: ProtocolBugs{
7502 SkipECDSACurveCheck: true,
7503 },
7504 },
7505 shouldFail: true,
7506 expectedError: ":WRONG_SIGNATURE_TYPE:",
7507 })
7508
7509 // Signature algorithm selection in TLS 1.3 should take the curve into
7510 // account.
7511 testCases = append(testCases, testCase{
7512 testType: serverTest,
7513 name: "ECDSACurveMismatch-Sign-TLS13",
7514 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7515 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7516 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7517 signatureECDSAWithP384AndSHA384,
7518 signatureECDSAWithP256AndSHA256,
7519 },
7520 },
7521 flags: []string{
7522 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7523 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7524 },
7525 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7526 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7527
7528 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7529 // server does not attempt to sign in that case.
7530 testCases = append(testCases, testCase{
7531 testType: serverTest,
7532 name: "RSA-PSS-Large",
7533 config: Config{
7534 MaxVersion: VersionTLS13,
7535 VerifySignatureAlgorithms: []signatureAlgorithm{
7536 signatureRSAPSSWithSHA512,
7537 },
7538 },
7539 flags: []string{
7540 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7541 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7542 },
7543 shouldFail: true,
7544 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7545 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7546
7547 // Test that RSA-PSS is enabled by default for TLS 1.2.
7548 testCases = append(testCases, testCase{
7549 testType: clientTest,
7550 name: "RSA-PSS-Default-Verify",
7551 config: Config{
7552 MaxVersion: VersionTLS12,
7553 SignSignatureAlgorithms: []signatureAlgorithm{
7554 signatureRSAPSSWithSHA256,
7555 },
7556 },
7557 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7558 })
7559
7560 testCases = append(testCases, testCase{
7561 testType: serverTest,
7562 name: "RSA-PSS-Default-Sign",
7563 config: Config{
7564 MaxVersion: VersionTLS12,
7565 VerifySignatureAlgorithms: []signatureAlgorithm{
7566 signatureRSAPSSWithSHA256,
7567 },
7568 },
7569 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7570 })
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]7571
7572 // TLS 1.1 and below has no way to advertise support for or negotiate
7573 // Ed25519's signature algorithm.
7574 testCases = append(testCases, testCase{
7575 testType: clientTest,
7576 name: "NoEd25519-TLS11-ServerAuth-Verify",
7577 config: Config{
7578 MaxVersion: VersionTLS11,
7579 Certificates: []Certificate{ed25519Certificate},
7580 Bugs: ProtocolBugs{
7581 // Sign with Ed25519 even though it is TLS 1.1.
7582 UseLegacySigningAlgorithm: signatureEd25519,
7583 },
7584 },
7585 flags: []string{"-enable-ed25519"},
7586 shouldFail: true,
7587 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7588 })
7589 testCases = append(testCases, testCase{
7590 testType: serverTest,
7591 name: "NoEd25519-TLS11-ServerAuth-Sign",
7592 config: Config{
7593 MaxVersion: VersionTLS11,
7594 },
7595 flags: []string{
7596 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7597 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7598 },
7599 shouldFail: true,
7600 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7601 })
7602 testCases = append(testCases, testCase{
7603 testType: serverTest,
7604 name: "NoEd25519-TLS11-ClientAuth-Verify",
7605 config: Config{
7606 MaxVersion: VersionTLS11,
7607 Certificates: []Certificate{ed25519Certificate},
7608 Bugs: ProtocolBugs{
7609 // Sign with Ed25519 even though it is TLS 1.1.
7610 UseLegacySigningAlgorithm: signatureEd25519,
7611 },
7612 },
7613 flags: []string{
7614 "-enable-ed25519",
7615 "-require-any-client-certificate",
7616 },
7617 shouldFail: true,
7618 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7619 })
7620 testCases = append(testCases, testCase{
7621 testType: clientTest,
7622 name: "NoEd25519-TLS11-ClientAuth-Sign",
7623 config: Config{
7624 MaxVersion: VersionTLS11,
7625 ClientAuth: RequireAnyClientCert,
7626 },
7627 flags: []string{
7628 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7629 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7630 },
7631 shouldFail: true,
7632 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7633 })
7634
7635 // Test Ed25519 is not advertised by default.
7636 testCases = append(testCases, testCase{
7637 testType: clientTest,
7638 name: "Ed25519DefaultDisable-NoAdvertise",
7639 config: Config{
7640 Certificates: []Certificate{ed25519Certificate},
7641 },
7642 shouldFail: true,
7643 expectedLocalError: "tls: no common signature algorithms",
7644 })
7645
7646 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7647 // preferences.
7648 testCases = append(testCases, testCase{
7649 testType: clientTest,
7650 name: "Ed25519DefaultDisable-NoAccept",
7651 config: Config{
7652 Certificates: []Certificate{ed25519Certificate},
7653 Bugs: ProtocolBugs{
7654 IgnorePeerSignatureAlgorithmPreferences: true,
7655 },
7656 },
7657 shouldFail: true,
7658 expectedLocalError: "remote error: illegal parameter",
7659 expectedError: ":WRONG_SIGNATURE_TYPE:",
7660 })
David Benjamin71c21b42017-04-14 17:05:40 -0400[diff] [blame^]7661
7662 // Test that configuring verify preferences changes what the client
7663 // advertises.
7664 testCases = append(testCases, testCase{
7665 name: "VerifyPreferences-Advertised",
7666 config: Config{
7667 Certificates: []Certificate{rsaCertificate},
7668 SignSignatureAlgorithms: []signatureAlgorithm{
7669 signatureRSAPSSWithSHA256,
7670 signatureRSAPSSWithSHA384,
7671 signatureRSAPSSWithSHA512,
7672 },
7673 },
7674 flags: []string{
7675 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7676 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7677 },
7678 })
7679
7680 // Test that the client advertises a set which the runner can find
7681 // nothing in common with.
7682 testCases = append(testCases, testCase{
7683 name: "VerifyPreferences-NoCommonAlgorithms",
7684 config: Config{
7685 Certificates: []Certificate{rsaCertificate},
7686 SignSignatureAlgorithms: []signatureAlgorithm{
7687 signatureRSAPSSWithSHA256,
7688 signatureRSAPSSWithSHA512,
7689 },
7690 },
7691 flags: []string{
7692 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7693 },
7694 shouldFail: true,
7695 expectedLocalError: "tls: no common signature algorithms",
7696 })
7697
7698 // Test that the client enforces its preferences when configured.
7699 testCases = append(testCases, testCase{
7700 name: "VerifyPreferences-Enforced",
7701 config: Config{
7702 Certificates: []Certificate{rsaCertificate},
7703 SignSignatureAlgorithms: []signatureAlgorithm{
7704 signatureRSAPSSWithSHA256,
7705 signatureRSAPSSWithSHA512,
7706 },
7707 Bugs: ProtocolBugs{
7708 IgnorePeerSignatureAlgorithmPreferences: true,
7709 },
7710 },
7711 flags: []string{
7712 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7713 },
7714 shouldFail: true,
7715 expectedLocalError: "remote error: illegal parameter",
7716 expectedError: ":WRONG_SIGNATURE_TYPE:",
7717 })
7718
7719 // Test that explicitly configuring Ed25519 is as good as changing the
7720 // boolean toggle.
7721 testCases = append(testCases, testCase{
7722 name: "VerifyPreferences-Ed25519",
7723 config: Config{
7724 Certificates: []Certificate{ed25519Certificate},
7725 },
7726 flags: []string{
7727 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7728 },
7729 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7730}
7731
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7732// timeouts is the retransmit schedule for BoringSSL. It doubles and
7733// caps at 60 seconds. On the 13th timeout, it gives up.
7734var timeouts = []time.Duration{
7735 1 * time.Second,
7736 2 * time.Second,
7737 4 * time.Second,
7738 8 * time.Second,
7739 16 * time.Second,
7740 32 * time.Second,
7741 60 * time.Second,
7742 60 * time.Second,
7743 60 * time.Second,
7744 60 * time.Second,
7745 60 * time.Second,
7746 60 * time.Second,
7747 60 * time.Second,
7748}
7749
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7750// shortTimeouts is an alternate set of timeouts which would occur if the
7751// initial timeout duration was set to 250ms.
7752var shortTimeouts = []time.Duration{
7753 250 * time.Millisecond,
7754 500 * time.Millisecond,
7755 1 * time.Second,
7756 2 * time.Second,
7757 4 * time.Second,
7758 8 * time.Second,
7759 16 * time.Second,
7760 32 * time.Second,
7761 60 * time.Second,
7762 60 * time.Second,
7763 60 * time.Second,
7764 60 * time.Second,
7765 60 * time.Second,
7766}
7767
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7768func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7769 // These tests work by coordinating some behavior on both the shim and
7770 // the runner.
7771 //
7772 // TimeoutSchedule configures the runner to send a series of timeout
7773 // opcodes to the shim (see packetAdaptor) immediately before reading
7774 // each peer handshake flight N. The timeout opcode both simulates a
7775 // timeout in the shim and acts as a synchronization point to help the
7776 // runner bracket each handshake flight.
7777 //
7778 // We assume the shim does not read from the channel eagerly. It must
7779 // first wait until it has sent flight N and is ready to receive
7780 // handshake flight N+1. At this point, it will process the timeout
7781 // opcode. It must then immediately respond with a timeout ACK and act
7782 // as if the shim was idle for the specified amount of time.
7783 //
7784 // The runner then drops all packets received before the ACK and
7785 // continues waiting for flight N. This ordering results in one attempt
7786 // at sending flight N to be dropped. For the test to complete, the
7787 // shim must send flight N again, testing that the shim implements DTLS
7788 // retransmit on a timeout.
7789
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7790 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7791 // likely be more epochs to cross and the final message's retransmit may
7792 // be more complex.
7793
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7794 // Test that this is indeed the timeout schedule. Stress all
7795 // four patterns of handshake.
7796 for i := 1; i < len(timeouts); i++ {
7797 number := strconv.Itoa(i)
7798 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7799 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7800 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7801 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7802 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7803 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7804 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7805 },
7806 },
7807 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7808 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7809 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7810 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7811 protocol: dtls,
7812 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7813 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7814 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7815 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7816 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7817 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7818 },
7819 },
7820 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7821 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7822 })
7823 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7824
7825 // Test that exceeding the timeout schedule hits a read
7826 // timeout.
7827 testCases = append(testCases, testCase{
7828 protocol: dtls,
7829 name: "DTLS-Retransmit-Timeout",
7830 config: Config{
7831 MaxVersion: VersionTLS12,
7832 Bugs: ProtocolBugs{
7833 TimeoutSchedule: timeouts,
7834 },
7835 },
7836 resumeSession: true,
7837 flags: []string{"-async"},
7838 shouldFail: true,
7839 expectedError: ":READ_TIMEOUT_EXPIRED:",
7840 })
7841
7842 // Test that timeout handling has a fudge factor, due to API
7843 // problems.
7844 testCases = append(testCases, testCase{
7845 protocol: dtls,
7846 name: "DTLS-Retransmit-Fudge",
7847 config: Config{
7848 MaxVersion: VersionTLS12,
7849 Bugs: ProtocolBugs{
7850 TimeoutSchedule: []time.Duration{
7851 timeouts[0] - 10*time.Millisecond,
7852 },
7853 },
7854 },
7855 resumeSession: true,
7856 flags: []string{"-async"},
7857 })
7858
7859 // Test that the final Finished retransmitting isn't
7860 // duplicated if the peer badly fragments everything.
7861 testCases = append(testCases, testCase{
7862 testType: serverTest,
7863 protocol: dtls,
7864 name: "DTLS-Retransmit-Fragmented",
7865 config: Config{
7866 MaxVersion: VersionTLS12,
7867 Bugs: ProtocolBugs{
7868 TimeoutSchedule: []time.Duration{timeouts[0]},
7869 MaxHandshakeRecordLength: 2,
7870 },
7871 },
7872 flags: []string{"-async"},
7873 })
7874
7875 // Test the timeout schedule when a shorter initial timeout duration is set.
7876 testCases = append(testCases, testCase{
7877 protocol: dtls,
7878 name: "DTLS-Retransmit-Short-Client",
7879 config: Config{
7880 MaxVersion: VersionTLS12,
7881 Bugs: ProtocolBugs{
7882 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7883 },
7884 },
7885 resumeSession: true,
7886 flags: []string{
7887 "-async",
7888 "-initial-timeout-duration-ms", "250",
7889 },
7890 })
7891 testCases = append(testCases, testCase{
7892 protocol: dtls,
7893 testType: serverTest,
7894 name: "DTLS-Retransmit-Short-Server",
7895 config: Config{
7896 MaxVersion: VersionTLS12,
7897 Bugs: ProtocolBugs{
7898 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7899 },
7900 },
7901 resumeSession: true,
7902 flags: []string{
7903 "-async",
7904 "-initial-timeout-duration-ms", "250",
7905 },
7906 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7907}
7908
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7909func addExportKeyingMaterialTests() {
7910 for _, vers := range tlsVersions {
7911 if vers.version == VersionSSL30 {
7912 continue
7913 }
7914 testCases = append(testCases, testCase{
7915 name: "ExportKeyingMaterial-" + vers.name,
7916 config: Config{
7917 MaxVersion: vers.version,
7918 },
7919 exportKeyingMaterial: 1024,
7920 exportLabel: "label",
7921 exportContext: "context",
7922 useExportContext: true,
7923 })
7924 testCases = append(testCases, testCase{
7925 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7926 config: Config{
7927 MaxVersion: vers.version,
7928 },
7929 exportKeyingMaterial: 1024,
7930 })
7931 testCases = append(testCases, testCase{
7932 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7933 config: Config{
7934 MaxVersion: vers.version,
7935 },
7936 exportKeyingMaterial: 1024,
7937 useExportContext: true,
7938 })
7939 testCases = append(testCases, testCase{
7940 name: "ExportKeyingMaterial-Small-" + vers.name,
7941 config: Config{
7942 MaxVersion: vers.version,
7943 },
7944 exportKeyingMaterial: 1,
7945 exportLabel: "label",
7946 exportContext: "context",
7947 useExportContext: true,
7948 })
7949 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7950
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7951 testCases = append(testCases, testCase{
7952 name: "ExportKeyingMaterial-SSL3",
7953 config: Config{
7954 MaxVersion: VersionSSL30,
7955 },
7956 exportKeyingMaterial: 1024,
7957 exportLabel: "label",
7958 exportContext: "context",
7959 useExportContext: true,
7960 shouldFail: true,
7961 expectedError: "failed to export keying material",
7962 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7963
7964 // Exporters work during a False Start.
7965 testCases = append(testCases, testCase{
7966 name: "ExportKeyingMaterial-FalseStart",
7967 config: Config{
7968 MaxVersion: VersionTLS12,
7969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7970 NextProtos: []string{"foo"},
7971 Bugs: ProtocolBugs{
7972 ExpectFalseStart: true,
7973 },
7974 },
7975 flags: []string{
7976 "-false-start",
7977 "-advertise-alpn", "\x03foo",
7978 },
7979 shimWritesFirst: true,
7980 exportKeyingMaterial: 1024,
7981 exportLabel: "label",
7982 exportContext: "context",
7983 useExportContext: true,
7984 })
7985
7986 // Exporters do not work in the middle of a renegotiation. Test this by
7987 // triggering the exporter after every SSL_read call and configuring the
7988 // shim to run asynchronously.
7989 testCases = append(testCases, testCase{
7990 name: "ExportKeyingMaterial-Renegotiate",
7991 config: Config{
7992 MaxVersion: VersionTLS12,
7993 },
7994 renegotiate: 1,
7995 flags: []string{
7996 "-async",
7997 "-use-exporter-between-reads",
7998 "-renegotiate-freely",
7999 "-expect-total-renegotiations", "1",
8000 },
8001 shouldFail: true,
8002 expectedError: "failed to export keying material",
8003 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]8004}
8005
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8006func addTLSUniqueTests() {
8007 for _, isClient := range []bool{false, true} {
8008 for _, isResumption := range []bool{false, true} {
8009 for _, hasEMS := range []bool{false, true} {
8010 var suffix string
8011 if isResumption {
8012 suffix = "Resume-"
8013 } else {
8014 suffix = "Full-"
8015 }
8016
8017 if hasEMS {
8018 suffix += "EMS-"
8019 } else {
8020 suffix += "NoEMS-"
8021 }
8022
8023 if isClient {
8024 suffix += "Client"
8025 } else {
8026 suffix += "Server"
8027 }
8028
8029 test := testCase{
8030 name: "TLSUnique-" + suffix,
8031 testTLSUnique: true,
8032 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8033 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8034 Bugs: ProtocolBugs{
8035 NoExtendedMasterSecret: !hasEMS,
8036 },
8037 },
8038 }
8039
8040 if isResumption {
8041 test.resumeSession = true
8042 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8043 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]8044 Bugs: ProtocolBugs{
8045 NoExtendedMasterSecret: !hasEMS,
8046 },
8047 }
8048 }
8049
8050 if isResumption && !hasEMS {
8051 test.shouldFail = true
8052 test.expectedError = "failed to get tls-unique"
8053 }
8054
8055 testCases = append(testCases, test)
8056 }
8057 }
8058 }
8059}
8060
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8061func addCustomExtensionTests() {
8062 expectedContents := "custom extension"
8063 emptyString := ""
8064
8065 for _, isClient := range []bool{false, true} {
8066 suffix := "Server"
8067 flag := "-enable-server-custom-extension"
8068 testType := serverTest
8069 if isClient {
8070 suffix = "Client"
8071 flag = "-enable-client-custom-extension"
8072 testType = clientTest
8073 }
8074
8075 testCases = append(testCases, testCase{
8076 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8077 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8078 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8079 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8080 Bugs: ProtocolBugs{
8081 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8082 ExpectedCustomExtension: &expectedContents,
8083 },
8084 },
8085 flags: []string{flag},
8086 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8087 testCases = append(testCases, testCase{
8088 testType: testType,
8089 name: "CustomExtensions-" + suffix + "-TLS13",
8090 config: Config{
8091 MaxVersion: VersionTLS13,
8092 Bugs: ProtocolBugs{
8093 CustomExtension: expectedContents,
8094 ExpectedCustomExtension: &expectedContents,
8095 },
8096 },
8097 flags: []string{flag},
8098 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8099
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]8100 // 0-RTT is not currently supported with Custom Extensions.
8101 testCases = append(testCases, testCase{
8102 testType: testType,
8103 name: "CustomExtensions-" + suffix + "-EarlyData",
8104 config: Config{
8105 MaxVersion: VersionTLS13,
8106 Bugs: ProtocolBugs{
8107 CustomExtension: expectedContents,
8108 ExpectedCustomExtension: &expectedContents,
8109 },
8110 },
8111 shouldFail: true,
8112 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8113 flags: []string{flag, "-enable-early-data"},
8114 })
8115
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8116 // If the parse callback fails, the handshake should also fail.
8117 testCases = append(testCases, testCase{
8118 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8119 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8120 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8121 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8122 Bugs: ProtocolBugs{
8123 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8124 ExpectedCustomExtension: &expectedContents,
8125 },
8126 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8127 flags: []string{flag},
8128 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8129 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8130 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8131 testCases = append(testCases, testCase{
8132 testType: testType,
8133 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8134 config: Config{
8135 MaxVersion: VersionTLS13,
8136 Bugs: ProtocolBugs{
8137 CustomExtension: expectedContents + "foo",
8138 ExpectedCustomExtension: &expectedContents,
8139 },
8140 },
8141 flags: []string{flag},
8142 shouldFail: true,
8143 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8144 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8145
8146 // If the add callback fails, the handshake should also fail.
8147 testCases = append(testCases, testCase{
8148 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8149 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8150 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8151 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8152 Bugs: ProtocolBugs{
8153 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8154 ExpectedCustomExtension: &expectedContents,
8155 },
8156 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8157 flags: []string{flag, "-custom-extension-fail-add"},
8158 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8159 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8160 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8161 testCases = append(testCases, testCase{
8162 testType: testType,
8163 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8164 config: Config{
8165 MaxVersion: VersionTLS13,
8166 Bugs: ProtocolBugs{
8167 CustomExtension: expectedContents,
8168 ExpectedCustomExtension: &expectedContents,
8169 },
8170 },
8171 flags: []string{flag, "-custom-extension-fail-add"},
8172 shouldFail: true,
8173 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8174 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8175
8176 // If the add callback returns zero, no extension should be
8177 // added.
8178 skipCustomExtension := expectedContents
8179 if isClient {
8180 // For the case where the client skips sending the
8181 // custom extension, the server must not “echo” it.
8182 skipCustomExtension = ""
8183 }
8184 testCases = append(testCases, testCase{
8185 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8186 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8188 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8189 Bugs: ProtocolBugs{
8190 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8191 ExpectedCustomExtension: &emptyString,
8192 },
8193 },
8194 flags: []string{flag, "-custom-extension-skip"},
8195 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8196 testCases = append(testCases, testCase{
8197 testType: testType,
8198 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8199 config: Config{
8200 MaxVersion: VersionTLS13,
8201 Bugs: ProtocolBugs{
8202 CustomExtension: skipCustomExtension,
8203 ExpectedCustomExtension: &emptyString,
8204 },
8205 },
8206 flags: []string{flag, "-custom-extension-skip"},
8207 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8208 }
8209
8210 // The custom extension add callback should not be called if the client
8211 // doesn't send the extension.
8212 testCases = append(testCases, testCase{
8213 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8214 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8215 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8216 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8217 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8218 ExpectedCustomExtension: &emptyString,
8219 },
8220 },
8221 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8222 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8223
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8224 testCases = append(testCases, testCase{
8225 testType: serverTest,
8226 name: "CustomExtensions-NotCalled-Server-TLS13",
8227 config: Config{
8228 MaxVersion: VersionTLS13,
8229 Bugs: ProtocolBugs{
8230 ExpectedCustomExtension: &emptyString,
8231 },
8232 },
8233 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8234 })
8235
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8236 // Test an unknown extension from the server.
8237 testCases = append(testCases, testCase{
8238 testType: clientTest,
8239 name: "UnknownExtension-Client",
8240 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8241 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8242 Bugs: ProtocolBugs{
8243 CustomExtension: expectedContents,
8244 },
8245 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8246 shouldFail: true,
8247 expectedError: ":UNEXPECTED_EXTENSION:",
8248 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8249 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8250 testCases = append(testCases, testCase{
8251 testType: clientTest,
8252 name: "UnknownExtension-Client-TLS13",
8253 config: Config{
8254 MaxVersion: VersionTLS13,
8255 Bugs: ProtocolBugs{
8256 CustomExtension: expectedContents,
8257 },
8258 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8259 shouldFail: true,
8260 expectedError: ":UNEXPECTED_EXTENSION:",
8261 expectedLocalError: "remote error: unsupported extension",
8262 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8263 testCases = append(testCases, testCase{
8264 testType: clientTest,
8265 name: "UnknownUnencryptedExtension-Client-TLS13",
8266 config: Config{
8267 MaxVersion: VersionTLS13,
8268 Bugs: ProtocolBugs{
8269 CustomUnencryptedExtension: expectedContents,
8270 },
8271 },
8272 shouldFail: true,
8273 expectedError: ":UNEXPECTED_EXTENSION:",
8274 // The shim must send an alert, but alerts at this point do not
8275 // get successfully decrypted by the runner.
8276 expectedLocalError: "local error: bad record MAC",
8277 })
8278 testCases = append(testCases, testCase{
8279 testType: clientTest,
8280 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8281 config: Config{
8282 MaxVersion: VersionTLS13,
8283 Bugs: ProtocolBugs{
8284 SendUnencryptedALPN: "foo",
8285 },
8286 },
8287 flags: []string{
8288 "-advertise-alpn", "\x03foo\x03bar",
8289 },
8290 shouldFail: true,
8291 expectedError: ":UNEXPECTED_EXTENSION:",
8292 // The shim must send an alert, but alerts at this point do not
8293 // get successfully decrypted by the runner.
8294 expectedLocalError: "local error: bad record MAC",
8295 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8296
8297 // Test a known but unoffered extension from the server.
8298 testCases = append(testCases, testCase{
8299 testType: clientTest,
8300 name: "UnofferedExtension-Client",
8301 config: Config{
8302 MaxVersion: VersionTLS12,
8303 Bugs: ProtocolBugs{
8304 SendALPN: "alpn",
8305 },
8306 },
8307 shouldFail: true,
8308 expectedError: ":UNEXPECTED_EXTENSION:",
8309 expectedLocalError: "remote error: unsupported extension",
8310 })
8311 testCases = append(testCases, testCase{
8312 testType: clientTest,
8313 name: "UnofferedExtension-Client-TLS13",
8314 config: Config{
8315 MaxVersion: VersionTLS13,
8316 Bugs: ProtocolBugs{
8317 SendALPN: "alpn",
8318 },
8319 },
8320 shouldFail: true,
8321 expectedError: ":UNEXPECTED_EXTENSION:",
8322 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8323 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8324}
8325
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8326func addRSAClientKeyExchangeTests() {
8327 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8328 testCases = append(testCases, testCase{
8329 testType: serverTest,
8330 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8331 config: Config{
8332 // Ensure the ClientHello version and final
8333 // version are different, to detect if the
8334 // server uses the wrong one.
8335 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8336 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8337 Bugs: ProtocolBugs{
8338 BadRSAClientKeyExchange: bad,
8339 },
8340 },
8341 shouldFail: true,
8342 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8343 })
8344 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8345
8346 // The server must compare whatever was in ClientHello.version for the
8347 // RSA premaster.
8348 testCases = append(testCases, testCase{
8349 testType: serverTest,
8350 name: "SendClientVersion-RSA",
8351 config: Config{
8352 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8353 Bugs: ProtocolBugs{
8354 SendClientVersion: 0x1234,
8355 },
8356 },
8357 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8358 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8359}
8360
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8361var testCurves = []struct {
8362 name string
8363 id CurveID
8364}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8365 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8366 {"P-256", CurveP256},
8367 {"P-384", CurveP384},
8368 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8369 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8370}
8371
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8372const bogusCurve = 0x1234
8373
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8374func addCurveTests() {
8375 for _, curve := range testCurves {
8376 testCases = append(testCases, testCase{
8377 name: "CurveTest-Client-" + curve.name,
8378 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8379 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8380 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8381 CurvePreferences: []CurveID{curve.id},
8382 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8383 flags: []string{
8384 "-enable-all-curves",
8385 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8386 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8387 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8388 })
8389 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8390 name: "CurveTest-Client-" + curve.name + "-TLS13",
8391 config: Config{
8392 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8393 CurvePreferences: []CurveID{curve.id},
8394 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8395 flags: []string{
8396 "-enable-all-curves",
8397 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8398 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8399 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8400 })
8401 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8402 testType: serverTest,
8403 name: "CurveTest-Server-" + curve.name,
8404 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8405 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8406 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8407 CurvePreferences: []CurveID{curve.id},
8408 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8409 flags: []string{
8410 "-enable-all-curves",
8411 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8412 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8413 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8414 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8415 testCases = append(testCases, testCase{
8416 testType: serverTest,
8417 name: "CurveTest-Server-" + curve.name + "-TLS13",
8418 config: Config{
8419 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8420 CurvePreferences: []CurveID{curve.id},
8421 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8422 flags: []string{
8423 "-enable-all-curves",
8424 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8425 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8426 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8427 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8428 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8429
8430 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8431 testCases = append(testCases, testCase{
8432 testType: serverTest,
8433 name: "UnknownCurve",
8434 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8435 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8436 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8437 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8438 },
8439 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8440
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8441 // The server must be tolerant to bogus curves.
8442 testCases = append(testCases, testCase{
8443 testType: serverTest,
8444 name: "UnknownCurve-TLS13",
8445 config: Config{
8446 MaxVersion: VersionTLS13,
8447 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8448 },
8449 })
8450
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8451 // The server must not consider ECDHE ciphers when there are no
8452 // supported curves.
8453 testCases = append(testCases, testCase{
8454 testType: serverTest,
8455 name: "NoSupportedCurves",
8456 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8457 MaxVersion: VersionTLS12,
8458 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8459 Bugs: ProtocolBugs{
8460 NoSupportedCurves: true,
8461 },
8462 },
8463 shouldFail: true,
8464 expectedError: ":NO_SHARED_CIPHER:",
8465 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8466 testCases = append(testCases, testCase{
8467 testType: serverTest,
8468 name: "NoSupportedCurves-TLS13",
8469 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8470 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8471 Bugs: ProtocolBugs{
8472 NoSupportedCurves: true,
8473 },
8474 },
8475 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8476 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8477 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8478
8479 // The server must fall back to another cipher when there are no
8480 // supported curves.
8481 testCases = append(testCases, testCase{
8482 testType: serverTest,
8483 name: "NoCommonCurves",
8484 config: Config{
8485 MaxVersion: VersionTLS12,
8486 CipherSuites: []uint16{
8487 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8488 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8489 },
8490 CurvePreferences: []CurveID{CurveP224},
8491 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8492 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8493 })
8494
8495 // The client must reject bogus curves and disabled curves.
8496 testCases = append(testCases, testCase{
8497 name: "BadECDHECurve",
8498 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8499 MaxVersion: VersionTLS12,
8500 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8501 Bugs: ProtocolBugs{
8502 SendCurve: bogusCurve,
8503 },
8504 },
8505 shouldFail: true,
8506 expectedError: ":WRONG_CURVE:",
8507 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8508 testCases = append(testCases, testCase{
8509 name: "BadECDHECurve-TLS13",
8510 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8511 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8512 Bugs: ProtocolBugs{
8513 SendCurve: bogusCurve,
8514 },
8515 },
8516 shouldFail: true,
8517 expectedError: ":WRONG_CURVE:",
8518 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8519
8520 testCases = append(testCases, testCase{
8521 name: "UnsupportedCurve",
8522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8523 MaxVersion: VersionTLS12,
8524 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8525 CurvePreferences: []CurveID{CurveP256},
8526 Bugs: ProtocolBugs{
8527 IgnorePeerCurvePreferences: true,
8528 },
8529 },
8530 flags: []string{"-p384-only"},
8531 shouldFail: true,
8532 expectedError: ":WRONG_CURVE:",
8533 })
8534
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8535 testCases = append(testCases, testCase{
8536 // TODO(davidben): Add a TLS 1.3 version where
8537 // HelloRetryRequest requests an unsupported curve.
8538 name: "UnsupportedCurve-ServerHello-TLS13",
8539 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8540 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8541 CurvePreferences: []CurveID{CurveP384},
8542 Bugs: ProtocolBugs{
8543 SendCurve: CurveP256,
8544 },
8545 },
8546 flags: []string{"-p384-only"},
8547 shouldFail: true,
8548 expectedError: ":WRONG_CURVE:",
8549 })
8550
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8551 // Test invalid curve points.
8552 testCases = append(testCases, testCase{
8553 name: "InvalidECDHPoint-Client",
8554 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8555 MaxVersion: VersionTLS12,
8556 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8557 CurvePreferences: []CurveID{CurveP256},
8558 Bugs: ProtocolBugs{
8559 InvalidECDHPoint: true,
8560 },
8561 },
8562 shouldFail: true,
8563 expectedError: ":INVALID_ENCODING:",
8564 })
8565 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8566 name: "InvalidECDHPoint-Client-TLS13",
8567 config: Config{
8568 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8569 CurvePreferences: []CurveID{CurveP256},
8570 Bugs: ProtocolBugs{
8571 InvalidECDHPoint: true,
8572 },
8573 },
8574 shouldFail: true,
8575 expectedError: ":INVALID_ENCODING:",
8576 })
8577 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8578 testType: serverTest,
8579 name: "InvalidECDHPoint-Server",
8580 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8581 MaxVersion: VersionTLS12,
8582 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8583 CurvePreferences: []CurveID{CurveP256},
8584 Bugs: ProtocolBugs{
8585 InvalidECDHPoint: true,
8586 },
8587 },
8588 shouldFail: true,
8589 expectedError: ":INVALID_ENCODING:",
8590 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8591 testCases = append(testCases, testCase{
8592 testType: serverTest,
8593 name: "InvalidECDHPoint-Server-TLS13",
8594 config: Config{
8595 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8596 CurvePreferences: []CurveID{CurveP256},
8597 Bugs: ProtocolBugs{
8598 InvalidECDHPoint: true,
8599 },
8600 },
8601 shouldFail: true,
8602 expectedError: ":INVALID_ENCODING:",
8603 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8604
8605 // The previous curve ID should be reported on TLS 1.2 resumption.
8606 testCases = append(testCases, testCase{
8607 name: "CurveID-Resume-Client",
8608 config: Config{
8609 MaxVersion: VersionTLS12,
8610 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8611 CurvePreferences: []CurveID{CurveX25519},
8612 },
8613 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8614 resumeSession: true,
8615 })
8616 testCases = append(testCases, testCase{
8617 testType: serverTest,
8618 name: "CurveID-Resume-Server",
8619 config: Config{
8620 MaxVersion: VersionTLS12,
8621 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8622 CurvePreferences: []CurveID{CurveX25519},
8623 },
8624 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8625 resumeSession: true,
8626 })
8627
8628 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8629 // one should be reported.
8630 testCases = append(testCases, testCase{
8631 name: "CurveID-Resume-Client-TLS13",
8632 config: Config{
8633 MaxVersion: VersionTLS13,
8634 CurvePreferences: []CurveID{CurveX25519},
8635 },
8636 resumeConfig: &Config{
8637 MaxVersion: VersionTLS13,
8638 CurvePreferences: []CurveID{CurveP256},
8639 },
8640 flags: []string{
8641 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8642 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8643 },
8644 resumeSession: true,
8645 })
8646 testCases = append(testCases, testCase{
8647 testType: serverTest,
8648 name: "CurveID-Resume-Server-TLS13",
8649 config: Config{
8650 MaxVersion: VersionTLS13,
8651 CurvePreferences: []CurveID{CurveX25519},
8652 },
8653 resumeConfig: &Config{
8654 MaxVersion: VersionTLS13,
8655 CurvePreferences: []CurveID{CurveP256},
8656 },
8657 flags: []string{
8658 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8659 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8660 },
8661 resumeSession: true,
8662 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8663
8664 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8665 testCases = append(testCases, testCase{
8666 name: "PointFormat-ServerHello-TLS12",
8667 config: Config{
8668 MaxVersion: VersionTLS12,
8669 Bugs: ProtocolBugs{
8670 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8671 },
8672 },
8673 })
8674 testCases = append(testCases, testCase{
8675 name: "PointFormat-EncryptedExtensions-TLS13",
8676 config: Config{
8677 MaxVersion: VersionTLS13,
8678 Bugs: ProtocolBugs{
8679 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8680 },
8681 },
8682 shouldFail: true,
8683 expectedError: ":ERROR_PARSING_EXTENSION:",
8684 })
8685
8686 // Test that we tolerate unknown point formats, as long as
8687 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8688 // check they are still functional.
8689 testCases = append(testCases, testCase{
8690 name: "PointFormat-Client-Tolerance",
8691 config: Config{
8692 MaxVersion: VersionTLS12,
8693 Bugs: ProtocolBugs{
8694 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8695 },
8696 },
8697 })
8698 testCases = append(testCases, testCase{
8699 testType: serverTest,
8700 name: "PointFormat-Server-Tolerance",
8701 config: Config{
8702 MaxVersion: VersionTLS12,
8703 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8704 Bugs: ProtocolBugs{
8705 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8706 },
8707 },
8708 })
8709
8710 // Test TLS 1.2 does not require the point format extension to be
8711 // present.
8712 testCases = append(testCases, testCase{
8713 name: "PointFormat-Client-Missing",
8714 config: Config{
8715 MaxVersion: VersionTLS12,
8716 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8717 Bugs: ProtocolBugs{
8718 SendSupportedPointFormats: []byte{},
8719 },
8720 },
8721 })
8722 testCases = append(testCases, testCase{
8723 testType: serverTest,
8724 name: "PointFormat-Server-Missing",
8725 config: Config{
8726 MaxVersion: VersionTLS12,
8727 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8728 Bugs: ProtocolBugs{
8729 SendSupportedPointFormats: []byte{},
8730 },
8731 },
8732 })
8733
8734 // If the point format extension is present, uncompressed points must be
8735 // offered. BoringSSL requires this whether or not ECDHE is used.
8736 testCases = append(testCases, testCase{
8737 name: "PointFormat-Client-MissingUncompressed",
8738 config: Config{
8739 MaxVersion: VersionTLS12,
8740 Bugs: ProtocolBugs{
8741 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8742 },
8743 },
8744 shouldFail: true,
8745 expectedError: ":ERROR_PARSING_EXTENSION:",
8746 })
8747 testCases = append(testCases, testCase{
8748 testType: serverTest,
8749 name: "PointFormat-Server-MissingUncompressed",
8750 config: Config{
8751 MaxVersion: VersionTLS12,
8752 Bugs: ProtocolBugs{
8753 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8754 },
8755 },
8756 shouldFail: true,
8757 expectedError: ":ERROR_PARSING_EXTENSION:",
8758 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8759}
8760
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8761func addTLS13RecordTests() {
8762 testCases = append(testCases, testCase{
8763 name: "TLS13-RecordPadding",
8764 config: Config{
8765 MaxVersion: VersionTLS13,
8766 MinVersion: VersionTLS13,
8767 Bugs: ProtocolBugs{
8768 RecordPadding: 10,
8769 },
8770 },
8771 })
8772
8773 testCases = append(testCases, testCase{
8774 name: "TLS13-EmptyRecords",
8775 config: Config{
8776 MaxVersion: VersionTLS13,
8777 MinVersion: VersionTLS13,
8778 Bugs: ProtocolBugs{
8779 OmitRecordContents: true,
8780 },
8781 },
8782 shouldFail: true,
8783 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8784 })
8785
8786 testCases = append(testCases, testCase{
8787 name: "TLS13-OnlyPadding",
8788 config: Config{
8789 MaxVersion: VersionTLS13,
8790 MinVersion: VersionTLS13,
8791 Bugs: ProtocolBugs{
8792 OmitRecordContents: true,
8793 RecordPadding: 10,
8794 },
8795 },
8796 shouldFail: true,
8797 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8798 })
8799
8800 testCases = append(testCases, testCase{
8801 name: "TLS13-WrongOuterRecord",
8802 config: Config{
8803 MaxVersion: VersionTLS13,
8804 MinVersion: VersionTLS13,
8805 Bugs: ProtocolBugs{
8806 OuterRecordType: recordTypeHandshake,
8807 },
8808 },
8809 shouldFail: true,
8810 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8811 })
8812}
8813
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8814func addSessionTicketTests() {
8815 testCases = append(testCases, testCase{
8816 // In TLS 1.2 and below, empty NewSessionTicket messages
8817 // mean the server changed its mind on sending a ticket.
8818 name: "SendEmptySessionTicket",
8819 config: Config{
8820 MaxVersion: VersionTLS12,
8821 Bugs: ProtocolBugs{
8822 SendEmptySessionTicket: true,
8823 },
8824 },
8825 flags: []string{"-expect-no-session"},
8826 })
8827
8828 // Test that the server ignores unknown PSK modes.
8829 testCases = append(testCases, testCase{
8830 testType: serverTest,
8831 name: "TLS13-SendUnknownModeSessionTicket-Server",
8832 config: Config{
8833 MaxVersion: VersionTLS13,
8834 Bugs: ProtocolBugs{
8835 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8836 },
8837 },
8838 resumeSession: true,
8839 expectedResumeVersion: VersionTLS13,
8840 })
8841
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8842 // Test that the server does not send session tickets with no matching key exchange mode.
8843 testCases = append(testCases, testCase{
8844 testType: serverTest,
8845 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8846 config: Config{
8847 MaxVersion: VersionTLS13,
8848 Bugs: ProtocolBugs{
8849 SendPSKKeyExchangeModes: []byte{0x1a},
8850 ExpectNoNewSessionTicket: true,
8851 },
8852 },
8853 })
8854
8855 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8856 testCases = append(testCases, testCase{
8857 testType: serverTest,
8858 name: "TLS13-SendBadKEModeSessionTicket-Server",
8859 config: Config{
8860 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8861 },
8862 resumeConfig: &Config{
8863 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8864 Bugs: ProtocolBugs{
8865 SendPSKKeyExchangeModes: []byte{0x1a},
8866 },
8867 },
8868 resumeSession: true,
8869 expectResumeRejected: true,
8870 })
8871
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8872 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8873 testCases = append(testCases, testCase{
8874 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8875 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8876 config: Config{
8877 MaxVersion: VersionTLS13,
8878 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8879 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8880 },
8881 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8882 resumeSession: true,
8883 flags: []string{
8884 "-resumption-delay", "10",
8885 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8886 })
8887
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8888 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8889 testCases = append(testCases, testCase{
8890 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8891 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8892 config: Config{
8893 MaxVersion: VersionTLS13,
8894 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8895 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8896 },
8897 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8898 resumeSession: true,
8899 shouldFail: true,
8900 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8901 })
8902
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8903 // Test that the server's ticket age skew reporting works.
8904 testCases = append(testCases, testCase{
8905 testType: serverTest,
8906 name: "TLS13-TicketAgeSkew-Forward",
8907 config: Config{
8908 MaxVersion: VersionTLS13,
8909 Bugs: ProtocolBugs{
8910 SendTicketAge: 15 * time.Second,
8911 },
8912 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8913 resumeSession: true,
8914 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8915 flags: []string{
8916 "-resumption-delay", "10",
8917 "-expect-ticket-age-skew", "5",
8918 },
8919 })
8920 testCases = append(testCases, testCase{
8921 testType: serverTest,
8922 name: "TLS13-TicketAgeSkew-Backward",
8923 config: Config{
8924 MaxVersion: VersionTLS13,
8925 Bugs: ProtocolBugs{
8926 SendTicketAge: 5 * time.Second,
8927 },
8928 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8929 resumeSession: true,
8930 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8931 flags: []string{
8932 "-resumption-delay", "10",
8933 "-expect-ticket-age-skew", "-5",
8934 },
8935 })
8936
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8937 testCases = append(testCases, testCase{
8938 testType: clientTest,
8939 name: "TLS13-SendTicketEarlyDataInfo",
8940 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8941 MaxVersion: VersionTLS13,
8942 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8943 },
8944 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8945 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8946 "-expect-early-data-info",
8947 },
8948 })
8949
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8950 // Test that 0-RTT tickets are ignored in clients unless opted in.
8951 testCases = append(testCases, testCase{
8952 testType: clientTest,
8953 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8954 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8955 MaxVersion: VersionTLS13,
8956 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8957 },
8958 })
8959
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8960 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8961 testType: clientTest,
8962 name: "TLS13-DuplicateTicketEarlyDataInfo",
8963 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8964 MaxVersion: VersionTLS13,
8965 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8966 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8967 DuplicateTicketEarlyDataInfo: true,
8968 },
8969 },
8970 shouldFail: true,
8971 expectedError: ":DUPLICATE_EXTENSION:",
8972 expectedLocalError: "remote error: illegal parameter",
8973 })
8974
8975 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8976 testType: serverTest,
8977 name: "TLS13-ExpectTicketEarlyDataInfo",
8978 config: Config{
8979 MaxVersion: VersionTLS13,
8980 Bugs: ProtocolBugs{
8981 ExpectTicketEarlyDataInfo: true,
8982 },
8983 },
8984 flags: []string{
8985 "-enable-early-data",
8986 },
8987 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8988
8989 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8990 // is honored.
8991 testCases = append(testCases, testCase{
8992 testType: clientTest,
8993 name: "TLS13-HonorServerSessionTicketLifetime",
8994 config: Config{
8995 MaxVersion: VersionTLS13,
8996 Bugs: ProtocolBugs{
8997 SendTicketLifetime: 20 * time.Second,
8998 },
8999 },
9000 flags: []string{
9001 "-resumption-delay", "19",
9002 },
9003 resumeSession: true,
9004 })
9005 testCases = append(testCases, testCase{
9006 testType: clientTest,
9007 name: "TLS13-HonorServerSessionTicketLifetime-2",
9008 config: Config{
9009 MaxVersion: VersionTLS13,
9010 Bugs: ProtocolBugs{
9011 SendTicketLifetime: 20 * time.Second,
9012 // The client should not offer the expired session.
9013 ExpectNoTLS13PSK: true,
9014 },
9015 },
9016 flags: []string{
9017 "-resumption-delay", "21",
9018 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]9019 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]9020 expectResumeRejected: true,
9021 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]9022}
9023
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9024func addChangeCipherSpecTests() {
9025 // Test missing ChangeCipherSpecs.
9026 testCases = append(testCases, testCase{
9027 name: "SkipChangeCipherSpec-Client",
9028 config: Config{
9029 MaxVersion: VersionTLS12,
9030 Bugs: ProtocolBugs{
9031 SkipChangeCipherSpec: true,
9032 },
9033 },
9034 shouldFail: true,
9035 expectedError: ":UNEXPECTED_RECORD:",
9036 })
9037 testCases = append(testCases, testCase{
9038 testType: serverTest,
9039 name: "SkipChangeCipherSpec-Server",
9040 config: Config{
9041 MaxVersion: VersionTLS12,
9042 Bugs: ProtocolBugs{
9043 SkipChangeCipherSpec: true,
9044 },
9045 },
9046 shouldFail: true,
9047 expectedError: ":UNEXPECTED_RECORD:",
9048 })
9049 testCases = append(testCases, testCase{
9050 testType: serverTest,
9051 name: "SkipChangeCipherSpec-Server-NPN",
9052 config: Config{
9053 MaxVersion: VersionTLS12,
9054 NextProtos: []string{"bar"},
9055 Bugs: ProtocolBugs{
9056 SkipChangeCipherSpec: true,
9057 },
9058 },
9059 flags: []string{
9060 "-advertise-npn", "\x03foo\x03bar\x03baz",
9061 },
9062 shouldFail: true,
9063 expectedError: ":UNEXPECTED_RECORD:",
9064 })
9065
9066 // Test synchronization between the handshake and ChangeCipherSpec.
9067 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9068 // rejected. Test both with and without handshake packing to handle both
9069 // when the partial post-CCS message is in its own record and when it is
9070 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9071 for _, packed := range []bool{false, true} {
9072 var suffix string
9073 if packed {
9074 suffix = "-Packed"
9075 }
9076
9077 testCases = append(testCases, testCase{
9078 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9079 config: Config{
9080 MaxVersion: VersionTLS12,
9081 Bugs: ProtocolBugs{
9082 FragmentAcrossChangeCipherSpec: true,
9083 PackHandshakeFlight: packed,
9084 },
9085 },
9086 shouldFail: true,
9087 expectedError: ":UNEXPECTED_RECORD:",
9088 })
9089 testCases = append(testCases, testCase{
9090 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9091 config: Config{
9092 MaxVersion: VersionTLS12,
9093 },
9094 resumeSession: true,
9095 resumeConfig: &Config{
9096 MaxVersion: VersionTLS12,
9097 Bugs: ProtocolBugs{
9098 FragmentAcrossChangeCipherSpec: true,
9099 PackHandshakeFlight: packed,
9100 },
9101 },
9102 shouldFail: true,
9103 expectedError: ":UNEXPECTED_RECORD:",
9104 })
9105 testCases = append(testCases, testCase{
9106 testType: serverTest,
9107 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9108 config: Config{
9109 MaxVersion: VersionTLS12,
9110 Bugs: ProtocolBugs{
9111 FragmentAcrossChangeCipherSpec: true,
9112 PackHandshakeFlight: packed,
9113 },
9114 },
9115 shouldFail: true,
9116 expectedError: ":UNEXPECTED_RECORD:",
9117 })
9118 testCases = append(testCases, testCase{
9119 testType: serverTest,
9120 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9121 config: Config{
9122 MaxVersion: VersionTLS12,
9123 },
9124 resumeSession: true,
9125 resumeConfig: &Config{
9126 MaxVersion: VersionTLS12,
9127 Bugs: ProtocolBugs{
9128 FragmentAcrossChangeCipherSpec: true,
9129 PackHandshakeFlight: packed,
9130 },
9131 },
9132 shouldFail: true,
9133 expectedError: ":UNEXPECTED_RECORD:",
9134 })
9135 testCases = append(testCases, testCase{
9136 testType: serverTest,
9137 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9138 config: Config{
9139 MaxVersion: VersionTLS12,
9140 NextProtos: []string{"bar"},
9141 Bugs: ProtocolBugs{
9142 FragmentAcrossChangeCipherSpec: true,
9143 PackHandshakeFlight: packed,
9144 },
9145 },
9146 flags: []string{
9147 "-advertise-npn", "\x03foo\x03bar\x03baz",
9148 },
9149 shouldFail: true,
9150 expectedError: ":UNEXPECTED_RECORD:",
9151 })
9152 }
9153
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]9154 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9155 // messages in the handshake queue. Do this by testing the server
9156 // reading the client Finished, reversing the flight so Finished comes
9157 // first.
9158 testCases = append(testCases, testCase{
9159 protocol: dtls,
9160 testType: serverTest,
9161 name: "SendUnencryptedFinished-DTLS",
9162 config: Config{
9163 MaxVersion: VersionTLS12,
9164 Bugs: ProtocolBugs{
9165 SendUnencryptedFinished: true,
9166 ReverseHandshakeFragments: true,
9167 },
9168 },
9169 shouldFail: true,
9170 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9171 })
9172
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9173 // Test synchronization between encryption changes and the handshake in
9174 // TLS 1.3, where ChangeCipherSpec is implicit.
9175 testCases = append(testCases, testCase{
9176 name: "PartialEncryptedExtensionsWithServerHello",
9177 config: Config{
9178 MaxVersion: VersionTLS13,
9179 Bugs: ProtocolBugs{
9180 PartialEncryptedExtensionsWithServerHello: true,
9181 },
9182 },
9183 shouldFail: true,
9184 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9185 })
9186 testCases = append(testCases, testCase{
9187 testType: serverTest,
9188 name: "PartialClientFinishedWithClientHello",
9189 config: Config{
9190 MaxVersion: VersionTLS13,
9191 Bugs: ProtocolBugs{
9192 PartialClientFinishedWithClientHello: true,
9193 },
9194 },
9195 shouldFail: true,
9196 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9197 })
9198
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]9199 // Test that early ChangeCipherSpecs are handled correctly.
9200 testCases = append(testCases, testCase{
9201 testType: serverTest,
9202 name: "EarlyChangeCipherSpec-server-1",
9203 config: Config{
9204 MaxVersion: VersionTLS12,
9205 Bugs: ProtocolBugs{
9206 EarlyChangeCipherSpec: 1,
9207 },
9208 },
9209 shouldFail: true,
9210 expectedError: ":UNEXPECTED_RECORD:",
9211 })
9212 testCases = append(testCases, testCase{
9213 testType: serverTest,
9214 name: "EarlyChangeCipherSpec-server-2",
9215 config: Config{
9216 MaxVersion: VersionTLS12,
9217 Bugs: ProtocolBugs{
9218 EarlyChangeCipherSpec: 2,
9219 },
9220 },
9221 shouldFail: true,
9222 expectedError: ":UNEXPECTED_RECORD:",
9223 })
9224 testCases = append(testCases, testCase{
9225 protocol: dtls,
9226 name: "StrayChangeCipherSpec",
9227 config: Config{
9228 // TODO(davidben): Once DTLS 1.3 exists, test
9229 // that stray ChangeCipherSpec messages are
9230 // rejected.
9231 MaxVersion: VersionTLS12,
9232 Bugs: ProtocolBugs{
9233 StrayChangeCipherSpec: true,
9234 },
9235 },
9236 })
9237
9238 // Test that the contents of ChangeCipherSpec are checked.
9239 testCases = append(testCases, testCase{
9240 name: "BadChangeCipherSpec-1",
9241 config: Config{
9242 MaxVersion: VersionTLS12,
9243 Bugs: ProtocolBugs{
9244 BadChangeCipherSpec: []byte{2},
9245 },
9246 },
9247 shouldFail: true,
9248 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9249 })
9250 testCases = append(testCases, testCase{
9251 name: "BadChangeCipherSpec-2",
9252 config: Config{
9253 MaxVersion: VersionTLS12,
9254 Bugs: ProtocolBugs{
9255 BadChangeCipherSpec: []byte{1, 1},
9256 },
9257 },
9258 shouldFail: true,
9259 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9260 })
9261 testCases = append(testCases, testCase{
9262 protocol: dtls,
9263 name: "BadChangeCipherSpec-DTLS-1",
9264 config: Config{
9265 MaxVersion: VersionTLS12,
9266 Bugs: ProtocolBugs{
9267 BadChangeCipherSpec: []byte{2},
9268 },
9269 },
9270 shouldFail: true,
9271 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9272 })
9273 testCases = append(testCases, testCase{
9274 protocol: dtls,
9275 name: "BadChangeCipherSpec-DTLS-2",
9276 config: Config{
9277 MaxVersion: VersionTLS12,
9278 Bugs: ProtocolBugs{
9279 BadChangeCipherSpec: []byte{1, 1},
9280 },
9281 },
9282 shouldFail: true,
9283 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9284 })
9285}
9286
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9287type perMessageTest struct {
9288 messageType uint8
9289 test testCase
9290}
9291
9292// makePerMessageTests returns a series of test templates which cover each
9293// message in the TLS handshake. These may be used with bugs like
9294// WrongMessageType to fully test a per-message bug.
9295func makePerMessageTests() []perMessageTest {
9296 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9297 for _, protocol := range []protocol{tls, dtls} {
9298 var suffix string
9299 if protocol == dtls {
9300 suffix = "-DTLS"
9301 }
9302
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9303 ret = append(ret, perMessageTest{
9304 messageType: typeClientHello,
9305 test: testCase{
9306 protocol: protocol,
9307 testType: serverTest,
9308 name: "ClientHello" + suffix,
9309 config: Config{
9310 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9311 },
9312 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9313 })
9314
9315 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9316 ret = append(ret, perMessageTest{
9317 messageType: typeHelloVerifyRequest,
9318 test: testCase{
9319 protocol: protocol,
9320 name: "HelloVerifyRequest" + suffix,
9321 config: Config{
9322 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9323 },
9324 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9325 })
9326 }
9327
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9328 ret = append(ret, perMessageTest{
9329 messageType: typeServerHello,
9330 test: testCase{
9331 protocol: protocol,
9332 name: "ServerHello" + suffix,
9333 config: Config{
9334 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9335 },
9336 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9337 })
9338
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9339 ret = append(ret, perMessageTest{
9340 messageType: typeCertificate,
9341 test: testCase{
9342 protocol: protocol,
9343 name: "ServerCertificate" + suffix,
9344 config: Config{
9345 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9346 },
9347 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9348 })
9349
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9350 ret = append(ret, perMessageTest{
9351 messageType: typeCertificateStatus,
9352 test: testCase{
9353 protocol: protocol,
9354 name: "CertificateStatus" + suffix,
9355 config: Config{
9356 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9357 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9358 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9359 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9360 })
9361
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9362 ret = append(ret, perMessageTest{
9363 messageType: typeServerKeyExchange,
9364 test: testCase{
9365 protocol: protocol,
9366 name: "ServerKeyExchange" + suffix,
9367 config: Config{
9368 MaxVersion: VersionTLS12,
9369 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9370 },
9371 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9372 })
9373
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9374 ret = append(ret, perMessageTest{
9375 messageType: typeCertificateRequest,
9376 test: testCase{
9377 protocol: protocol,
9378 name: "CertificateRequest" + suffix,
9379 config: Config{
9380 MaxVersion: VersionTLS12,
9381 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9382 },
9383 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9384 })
9385
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9386 ret = append(ret, perMessageTest{
9387 messageType: typeServerHelloDone,
9388 test: testCase{
9389 protocol: protocol,
9390 name: "ServerHelloDone" + suffix,
9391 config: Config{
9392 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9393 },
9394 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9395 })
9396
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9397 ret = append(ret, perMessageTest{
9398 messageType: typeCertificate,
9399 test: testCase{
9400 testType: serverTest,
9401 protocol: protocol,
9402 name: "ClientCertificate" + suffix,
9403 config: Config{
9404 Certificates: []Certificate{rsaCertificate},
9405 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9406 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9407 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9408 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9409 })
9410
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9411 ret = append(ret, perMessageTest{
9412 messageType: typeCertificateVerify,
9413 test: testCase{
9414 testType: serverTest,
9415 protocol: protocol,
9416 name: "CertificateVerify" + suffix,
9417 config: Config{
9418 Certificates: []Certificate{rsaCertificate},
9419 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9420 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9421 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9422 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9423 })
9424
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9425 ret = append(ret, perMessageTest{
9426 messageType: typeClientKeyExchange,
9427 test: testCase{
9428 testType: serverTest,
9429 protocol: protocol,
9430 name: "ClientKeyExchange" + suffix,
9431 config: Config{
9432 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9433 },
9434 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9435 })
9436
9437 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9438 ret = append(ret, perMessageTest{
9439 messageType: typeNextProtocol,
9440 test: testCase{
9441 testType: serverTest,
9442 protocol: protocol,
9443 name: "NextProtocol" + suffix,
9444 config: Config{
9445 MaxVersion: VersionTLS12,
9446 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9447 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9448 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9449 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9450 })
9451
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9452 ret = append(ret, perMessageTest{
9453 messageType: typeChannelID,
9454 test: testCase{
9455 testType: serverTest,
9456 protocol: protocol,
9457 name: "ChannelID" + suffix,
9458 config: Config{
9459 MaxVersion: VersionTLS12,
9460 ChannelID: channelIDKey,
9461 },
9462 flags: []string{
9463 "-expect-channel-id",
9464 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9465 },
9466 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9467 })
9468 }
9469
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9470 ret = append(ret, perMessageTest{
9471 messageType: typeFinished,
9472 test: testCase{
9473 testType: serverTest,
9474 protocol: protocol,
9475 name: "ClientFinished" + suffix,
9476 config: Config{
9477 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9478 },
9479 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9480 })
9481
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9482 ret = append(ret, perMessageTest{
9483 messageType: typeNewSessionTicket,
9484 test: testCase{
9485 protocol: protocol,
9486 name: "NewSessionTicket" + suffix,
9487 config: Config{
9488 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9489 },
9490 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9491 })
9492
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9493 ret = append(ret, perMessageTest{
9494 messageType: typeFinished,
9495 test: testCase{
9496 protocol: protocol,
9497 name: "ServerFinished" + suffix,
9498 config: Config{
9499 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9500 },
9501 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9502 })
9503
9504 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9505
9506 ret = append(ret, perMessageTest{
9507 messageType: typeClientHello,
9508 test: testCase{
9509 testType: serverTest,
9510 name: "TLS13-ClientHello",
9511 config: Config{
9512 MaxVersion: VersionTLS13,
9513 },
9514 },
9515 })
9516
9517 ret = append(ret, perMessageTest{
9518 messageType: typeServerHello,
9519 test: testCase{
9520 name: "TLS13-ServerHello",
9521 config: Config{
9522 MaxVersion: VersionTLS13,
9523 },
9524 },
9525 })
9526
9527 ret = append(ret, perMessageTest{
9528 messageType: typeEncryptedExtensions,
9529 test: testCase{
9530 name: "TLS13-EncryptedExtensions",
9531 config: Config{
9532 MaxVersion: VersionTLS13,
9533 },
9534 },
9535 })
9536
9537 ret = append(ret, perMessageTest{
9538 messageType: typeCertificateRequest,
9539 test: testCase{
9540 name: "TLS13-CertificateRequest",
9541 config: Config{
9542 MaxVersion: VersionTLS13,
9543 ClientAuth: RequireAnyClientCert,
9544 },
9545 },
9546 })
9547
9548 ret = append(ret, perMessageTest{
9549 messageType: typeCertificate,
9550 test: testCase{
9551 name: "TLS13-ServerCertificate",
9552 config: Config{
9553 MaxVersion: VersionTLS13,
9554 },
9555 },
9556 })
9557
9558 ret = append(ret, perMessageTest{
9559 messageType: typeCertificateVerify,
9560 test: testCase{
9561 name: "TLS13-ServerCertificateVerify",
9562 config: Config{
9563 MaxVersion: VersionTLS13,
9564 },
9565 },
9566 })
9567
9568 ret = append(ret, perMessageTest{
9569 messageType: typeFinished,
9570 test: testCase{
9571 name: "TLS13-ServerFinished",
9572 config: Config{
9573 MaxVersion: VersionTLS13,
9574 },
9575 },
9576 })
9577
9578 ret = append(ret, perMessageTest{
9579 messageType: typeCertificate,
9580 test: testCase{
9581 testType: serverTest,
9582 name: "TLS13-ClientCertificate",
9583 config: Config{
9584 Certificates: []Certificate{rsaCertificate},
9585 MaxVersion: VersionTLS13,
9586 },
9587 flags: []string{"-require-any-client-certificate"},
9588 },
9589 })
9590
9591 ret = append(ret, perMessageTest{
9592 messageType: typeCertificateVerify,
9593 test: testCase{
9594 testType: serverTest,
9595 name: "TLS13-ClientCertificateVerify",
9596 config: Config{
9597 Certificates: []Certificate{rsaCertificate},
9598 MaxVersion: VersionTLS13,
9599 },
9600 flags: []string{"-require-any-client-certificate"},
9601 },
9602 })
9603
9604 ret = append(ret, perMessageTest{
9605 messageType: typeFinished,
9606 test: testCase{
9607 testType: serverTest,
9608 name: "TLS13-ClientFinished",
9609 config: Config{
9610 MaxVersion: VersionTLS13,
9611 },
9612 },
9613 })
9614
9615 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9616}
9617
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9618func addWrongMessageTypeTests() {
9619 for _, t := range makePerMessageTests() {
9620 t.test.name = "WrongMessageType-" + t.test.name
9621 t.test.config.Bugs.SendWrongMessageType = t.messageType
9622 t.test.shouldFail = true
9623 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9624 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9625
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9626 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9627 // In TLS 1.3, a bad ServerHello means the client sends
9628 // an unencrypted alert while the server expects
9629 // encryption, so the alert is not readable by runner.
9630 t.test.expectedLocalError = "local error: bad record MAC"
9631 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9632
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9633 testCases = append(testCases, t.test)
9634 }
David Benjaminebacdee2017-04-08 11:00:45 -0400[diff] [blame]9635
9636 // The processing order for TLS 1.3 version negotiation is such that one
9637 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9638 // TLS 1.2. Test that we do not do this.
9639 testCases = append(testCases, testCase{
9640 name: "SendServerHelloAsHelloRetryRequest",
9641 config: Config{
9642 MaxVersion: VersionTLS12,
9643 Bugs: ProtocolBugs{
9644 SendServerHelloAsHelloRetryRequest: true,
9645 },
9646 },
9647 shouldFail: true,
9648 expectedError: ":UNEXPECTED_MESSAGE:",
9649 expectedLocalError: "remote error: unexpected message",
9650 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9651}
9652
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9653func addTrailingMessageDataTests() {
9654 for _, t := range makePerMessageTests() {
9655 t.test.name = "TrailingMessageData-" + t.test.name
9656 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9657 t.test.shouldFail = true
9658 t.test.expectedError = ":DECODE_ERROR:"
9659 t.test.expectedLocalError = "remote error: error decoding message"
9660
9661 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9662 // In TLS 1.3, a bad ServerHello means the client sends
9663 // an unencrypted alert while the server expects
9664 // encryption, so the alert is not readable by runner.
9665 t.test.expectedLocalError = "local error: bad record MAC"
9666 }
9667
9668 if t.messageType == typeFinished {
9669 // Bad Finished messages read as the verify data having
9670 // the wrong length.
9671 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9672 t.test.expectedLocalError = "remote error: error decrypting message"
9673 }
9674
9675 testCases = append(testCases, t.test)
9676 }
9677}
9678
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9679func addTLS13HandshakeTests() {
9680 testCases = append(testCases, testCase{
9681 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9682 name: "NegotiatePSKResumption-TLS13",
9683 config: Config{
9684 MaxVersion: VersionTLS13,
9685 Bugs: ProtocolBugs{
9686 NegotiatePSKResumption: true,
9687 },
9688 },
9689 resumeSession: true,
9690 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9691 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9692 })
9693
9694 testCases = append(testCases, testCase{
9695 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9696 name: "MissingKeyShare-Client",
9697 config: Config{
9698 MaxVersion: VersionTLS13,
9699 Bugs: ProtocolBugs{
9700 MissingKeyShare: true,
9701 },
9702 },
9703 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9704 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9705 })
9706
9707 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9708 testType: serverTest,
9709 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9710 config: Config{
9711 MaxVersion: VersionTLS13,
9712 Bugs: ProtocolBugs{
9713 MissingKeyShare: true,
9714 },
9715 },
9716 shouldFail: true,
9717 expectedError: ":MISSING_KEY_SHARE:",
9718 })
9719
9720 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9721 testType: serverTest,
9722 name: "DuplicateKeyShares",
9723 config: Config{
9724 MaxVersion: VersionTLS13,
9725 Bugs: ProtocolBugs{
9726 DuplicateKeyShares: true,
9727 },
9728 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9729 shouldFail: true,
9730 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9731 })
9732
9733 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9734 testType: serverTest,
9735 name: "SkipEarlyData",
9736 config: Config{
9737 MaxVersion: VersionTLS13,
9738 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9739 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9740 },
9741 },
9742 })
9743
9744 testCases = append(testCases, testCase{
9745 testType: serverTest,
9746 name: "SkipEarlyData-OmitEarlyDataExtension",
9747 config: Config{
9748 MaxVersion: VersionTLS13,
9749 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9750 SendFakeEarlyDataLength: 4,
9751 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9752 },
9753 },
9754 shouldFail: true,
9755 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9756 })
9757
9758 testCases = append(testCases, testCase{
9759 testType: serverTest,
9760 name: "SkipEarlyData-TooMuchData",
9761 config: Config{
9762 MaxVersion: VersionTLS13,
9763 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9764 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9765 },
9766 },
9767 shouldFail: true,
9768 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9769 })
9770
9771 testCases = append(testCases, testCase{
9772 testType: serverTest,
9773 name: "SkipEarlyData-Interleaved",
9774 config: Config{
9775 MaxVersion: VersionTLS13,
9776 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9777 SendFakeEarlyDataLength: 4,
9778 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9779 },
9780 },
9781 shouldFail: true,
9782 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9783 })
9784
9785 testCases = append(testCases, testCase{
9786 testType: serverTest,
9787 name: "SkipEarlyData-EarlyDataInTLS12",
9788 config: Config{
9789 MaxVersion: VersionTLS13,
9790 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9791 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9792 },
9793 },
9794 shouldFail: true,
9795 expectedError: ":UNEXPECTED_RECORD:",
9796 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9797 })
9798
9799 testCases = append(testCases, testCase{
9800 testType: serverTest,
9801 name: "SkipEarlyData-HRR",
9802 config: Config{
9803 MaxVersion: VersionTLS13,
9804 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9805 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9806 },
9807 DefaultCurves: []CurveID{},
9808 },
9809 })
9810
9811 testCases = append(testCases, testCase{
9812 testType: serverTest,
9813 name: "SkipEarlyData-HRR-Interleaved",
9814 config: Config{
9815 MaxVersion: VersionTLS13,
9816 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9817 SendFakeEarlyDataLength: 4,
9818 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9819 },
9820 DefaultCurves: []CurveID{},
9821 },
9822 shouldFail: true,
9823 expectedError: ":UNEXPECTED_RECORD:",
9824 })
9825
9826 testCases = append(testCases, testCase{
9827 testType: serverTest,
9828 name: "SkipEarlyData-HRR-TooMuchData",
9829 config: Config{
9830 MaxVersion: VersionTLS13,
9831 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9832 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9833 },
9834 DefaultCurves: []CurveID{},
9835 },
9836 shouldFail: true,
9837 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9838 })
9839
9840 // Test that skipping early data looking for cleartext correctly
9841 // processes an alert record.
9842 testCases = append(testCases, testCase{
9843 testType: serverTest,
9844 name: "SkipEarlyData-HRR-FatalAlert",
9845 config: Config{
9846 MaxVersion: VersionTLS13,
9847 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9848 SendEarlyAlert: true,
9849 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9850 },
9851 DefaultCurves: []CurveID{},
9852 },
9853 shouldFail: true,
9854 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9855 })
9856
9857 testCases = append(testCases, testCase{
9858 testType: serverTest,
9859 name: "SkipEarlyData-SecondClientHelloEarlyData",
9860 config: Config{
9861 MaxVersion: VersionTLS13,
9862 Bugs: ProtocolBugs{
9863 SendEarlyDataOnSecondClientHello: true,
9864 },
9865 DefaultCurves: []CurveID{},
9866 },
9867 shouldFail: true,
9868 expectedLocalError: "remote error: bad record MAC",
9869 })
9870
9871 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9872 testType: clientTest,
9873 name: "EmptyEncryptedExtensions",
9874 config: Config{
9875 MaxVersion: VersionTLS13,
9876 Bugs: ProtocolBugs{
9877 EmptyEncryptedExtensions: true,
9878 },
9879 },
9880 shouldFail: true,
9881 expectedLocalError: "remote error: error decoding message",
9882 })
9883
9884 testCases = append(testCases, testCase{
9885 testType: clientTest,
9886 name: "EncryptedExtensionsWithKeyShare",
9887 config: Config{
9888 MaxVersion: VersionTLS13,
9889 Bugs: ProtocolBugs{
9890 EncryptedExtensionsWithKeyShare: true,
9891 },
9892 },
9893 shouldFail: true,
9894 expectedLocalError: "remote error: unsupported extension",
9895 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9896
9897 testCases = append(testCases, testCase{
9898 testType: serverTest,
9899 name: "SendHelloRetryRequest",
9900 config: Config{
9901 MaxVersion: VersionTLS13,
9902 // Require a HelloRetryRequest for every curve.
9903 DefaultCurves: []CurveID{},
9904 },
9905 expectedCurveID: CurveX25519,
9906 })
9907
9908 testCases = append(testCases, testCase{
9909 testType: serverTest,
9910 name: "SendHelloRetryRequest-2",
9911 config: Config{
9912 MaxVersion: VersionTLS13,
9913 DefaultCurves: []CurveID{CurveP384},
9914 },
9915 // Although the ClientHello did not predict our preferred curve,
9916 // we always select it whether it is predicted or not.
9917 expectedCurveID: CurveX25519,
9918 })
9919
9920 testCases = append(testCases, testCase{
9921 name: "UnknownCurve-HelloRetryRequest",
9922 config: Config{
9923 MaxVersion: VersionTLS13,
9924 // P-384 requires HelloRetryRequest in BoringSSL.
9925 CurvePreferences: []CurveID{CurveP384},
9926 Bugs: ProtocolBugs{
9927 SendHelloRetryRequestCurve: bogusCurve,
9928 },
9929 },
9930 shouldFail: true,
9931 expectedError: ":WRONG_CURVE:",
9932 })
9933
9934 testCases = append(testCases, testCase{
9935 name: "DisabledCurve-HelloRetryRequest",
9936 config: Config{
9937 MaxVersion: VersionTLS13,
9938 CurvePreferences: []CurveID{CurveP256},
9939 Bugs: ProtocolBugs{
9940 IgnorePeerCurvePreferences: true,
9941 },
9942 },
9943 flags: []string{"-p384-only"},
9944 shouldFail: true,
9945 expectedError: ":WRONG_CURVE:",
9946 })
9947
9948 testCases = append(testCases, testCase{
9949 name: "UnnecessaryHelloRetryRequest",
9950 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9951 MaxVersion: VersionTLS13,
9952 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9953 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9954 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9955 },
9956 },
9957 shouldFail: true,
9958 expectedError: ":WRONG_CURVE:",
9959 })
9960
9961 testCases = append(testCases, testCase{
9962 name: "SecondHelloRetryRequest",
9963 config: Config{
9964 MaxVersion: VersionTLS13,
9965 // P-384 requires HelloRetryRequest in BoringSSL.
9966 CurvePreferences: []CurveID{CurveP384},
9967 Bugs: ProtocolBugs{
9968 SecondHelloRetryRequest: true,
9969 },
9970 },
9971 shouldFail: true,
9972 expectedError: ":UNEXPECTED_MESSAGE:",
9973 })
9974
9975 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9976 name: "HelloRetryRequest-Empty",
9977 config: Config{
9978 MaxVersion: VersionTLS13,
9979 Bugs: ProtocolBugs{
9980 AlwaysSendHelloRetryRequest: true,
9981 },
9982 },
9983 shouldFail: true,
9984 expectedError: ":DECODE_ERROR:",
9985 })
9986
9987 testCases = append(testCases, testCase{
9988 name: "HelloRetryRequest-DuplicateCurve",
9989 config: Config{
9990 MaxVersion: VersionTLS13,
9991 // P-384 requires a HelloRetryRequest against BoringSSL's default
9992 // configuration. Assert this ExpectMissingKeyShare.
9993 CurvePreferences: []CurveID{CurveP384},
9994 Bugs: ProtocolBugs{
9995 ExpectMissingKeyShare: true,
9996 DuplicateHelloRetryRequestExtensions: true,
9997 },
9998 },
9999 shouldFail: true,
10000 expectedError: ":DUPLICATE_EXTENSION:",
10001 expectedLocalError: "remote error: illegal parameter",
10002 })
10003
10004 testCases = append(testCases, testCase{
10005 name: "HelloRetryRequest-Cookie",
10006 config: Config{
10007 MaxVersion: VersionTLS13,
10008 Bugs: ProtocolBugs{
10009 SendHelloRetryRequestCookie: []byte("cookie"),
10010 },
10011 },
10012 })
10013
10014 testCases = append(testCases, testCase{
10015 name: "HelloRetryRequest-DuplicateCookie",
10016 config: Config{
10017 MaxVersion: VersionTLS13,
10018 Bugs: ProtocolBugs{
10019 SendHelloRetryRequestCookie: []byte("cookie"),
10020 DuplicateHelloRetryRequestExtensions: true,
10021 },
10022 },
10023 shouldFail: true,
10024 expectedError: ":DUPLICATE_EXTENSION:",
10025 expectedLocalError: "remote error: illegal parameter",
10026 })
10027
10028 testCases = append(testCases, testCase{
10029 name: "HelloRetryRequest-EmptyCookie",
10030 config: Config{
10031 MaxVersion: VersionTLS13,
10032 Bugs: ProtocolBugs{
10033 SendHelloRetryRequestCookie: []byte{},
10034 },
10035 },
10036 shouldFail: true,
10037 expectedError: ":DECODE_ERROR:",
10038 })
10039
10040 testCases = append(testCases, testCase{
10041 name: "HelloRetryRequest-Cookie-Curve",
10042 config: Config{
10043 MaxVersion: VersionTLS13,
10044 // P-384 requires HelloRetryRequest in BoringSSL.
10045 CurvePreferences: []CurveID{CurveP384},
10046 Bugs: ProtocolBugs{
10047 SendHelloRetryRequestCookie: []byte("cookie"),
10048 ExpectMissingKeyShare: true,
10049 },
10050 },
10051 })
10052
10053 testCases = append(testCases, testCase{
10054 name: "HelloRetryRequest-Unknown",
10055 config: Config{
10056 MaxVersion: VersionTLS13,
10057 Bugs: ProtocolBugs{
10058 CustomHelloRetryRequestExtension: "extension",
10059 },
10060 },
10061 shouldFail: true,
10062 expectedError: ":UNEXPECTED_EXTENSION:",
10063 expectedLocalError: "remote error: unsupported extension",
10064 })
10065
10066 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]10067 testType: serverTest,
10068 name: "SecondClientHelloMissingKeyShare",
10069 config: Config{
10070 MaxVersion: VersionTLS13,
10071 DefaultCurves: []CurveID{},
10072 Bugs: ProtocolBugs{
10073 SecondClientHelloMissingKeyShare: true,
10074 },
10075 },
10076 shouldFail: true,
10077 expectedError: ":MISSING_KEY_SHARE:",
10078 })
10079
10080 testCases = append(testCases, testCase{
10081 testType: serverTest,
10082 name: "SecondClientHelloWrongCurve",
10083 config: Config{
10084 MaxVersion: VersionTLS13,
10085 DefaultCurves: []CurveID{},
10086 Bugs: ProtocolBugs{
10087 MisinterpretHelloRetryRequestCurve: CurveP521,
10088 },
10089 },
10090 shouldFail: true,
10091 expectedError: ":WRONG_CURVE:",
10092 })
10093
10094 testCases = append(testCases, testCase{
10095 name: "HelloRetryRequestVersionMismatch",
10096 config: Config{
10097 MaxVersion: VersionTLS13,
10098 // P-384 requires HelloRetryRequest in BoringSSL.
10099 CurvePreferences: []CurveID{CurveP384},
10100 Bugs: ProtocolBugs{
10101 SendServerHelloVersion: 0x0305,
10102 },
10103 },
10104 shouldFail: true,
10105 expectedError: ":WRONG_VERSION_NUMBER:",
10106 })
10107
10108 testCases = append(testCases, testCase{
10109 name: "HelloRetryRequestCurveMismatch",
10110 config: Config{
10111 MaxVersion: VersionTLS13,
10112 // P-384 requires HelloRetryRequest in BoringSSL.
10113 CurvePreferences: []CurveID{CurveP384},
10114 Bugs: ProtocolBugs{
10115 // Send P-384 (correct) in the HelloRetryRequest.
10116 SendHelloRetryRequestCurve: CurveP384,
10117 // But send P-256 in the ServerHello.
10118 SendCurve: CurveP256,
10119 },
10120 },
10121 shouldFail: true,
10122 expectedError: ":WRONG_CURVE:",
10123 })
10124
10125 // Test the server selecting a curve that requires a HelloRetryRequest
10126 // without sending it.
10127 testCases = append(testCases, testCase{
10128 name: "SkipHelloRetryRequest",
10129 config: Config{
10130 MaxVersion: VersionTLS13,
10131 // P-384 requires HelloRetryRequest in BoringSSL.
10132 CurvePreferences: []CurveID{CurveP384},
10133 Bugs: ProtocolBugs{
10134 SkipHelloRetryRequest: true,
10135 },
10136 },
10137 shouldFail: true,
10138 expectedError: ":WRONG_CURVE:",
10139 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]10140
10141 testCases = append(testCases, testCase{
10142 name: "TLS13-RequestContextInHandshake",
10143 config: Config{
10144 MaxVersion: VersionTLS13,
10145 MinVersion: VersionTLS13,
10146 ClientAuth: RequireAnyClientCert,
10147 Bugs: ProtocolBugs{
10148 SendRequestContext: []byte("request context"),
10149 },
10150 },
10151 flags: []string{
10152 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10153 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10154 },
10155 shouldFail: true,
10156 expectedError: ":DECODE_ERROR:",
10157 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]10158
10159 testCases = append(testCases, testCase{
10160 testType: serverTest,
10161 name: "TLS13-TrailingKeyShareData",
10162 config: Config{
10163 MaxVersion: VersionTLS13,
10164 Bugs: ProtocolBugs{
10165 TrailingKeyShareData: true,
10166 },
10167 },
10168 shouldFail: true,
10169 expectedError: ":DECODE_ERROR:",
10170 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]10171
10172 testCases = append(testCases, testCase{
10173 name: "TLS13-AlwaysSelectPSKIdentity",
10174 config: Config{
10175 MaxVersion: VersionTLS13,
10176 Bugs: ProtocolBugs{
10177 AlwaysSelectPSKIdentity: true,
10178 },
10179 },
10180 shouldFail: true,
10181 expectedError: ":UNEXPECTED_EXTENSION:",
10182 })
10183
10184 testCases = append(testCases, testCase{
10185 name: "TLS13-InvalidPSKIdentity",
10186 config: Config{
10187 MaxVersion: VersionTLS13,
10188 Bugs: ProtocolBugs{
10189 SelectPSKIdentityOnResume: 1,
10190 },
10191 },
10192 resumeSession: true,
10193 shouldFail: true,
10194 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10195 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10196
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10197 testCases = append(testCases, testCase{
10198 testType: serverTest,
10199 name: "TLS13-ExtraPSKIdentity",
10200 config: Config{
10201 MaxVersion: VersionTLS13,
10202 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]10203 ExtraPSKIdentity: true,
10204 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]10205 },
10206 },
10207 resumeSession: true,
10208 })
10209
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]10210 // Test that unknown NewSessionTicket extensions are tolerated.
10211 testCases = append(testCases, testCase{
10212 name: "TLS13-CustomTicketExtension",
10213 config: Config{
10214 MaxVersion: VersionTLS13,
10215 Bugs: ProtocolBugs{
10216 CustomTicketExtension: "1234",
10217 },
10218 },
10219 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10220
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10221 testCases = append(testCases, testCase{
10222 testType: clientTest,
10223 name: "TLS13-DataLessEarlyData-Reject-Client",
10224 config: Config{
10225 MaxVersion: VersionTLS13,
10226 MaxEarlyDataSize: 16384,
10227 },
10228 resumeConfig: &Config{
10229 MaxVersion: VersionTLS13,
10230 MaxEarlyDataSize: 16384,
10231 Bugs: ProtocolBugs{
10232 AlwaysRejectEarlyData: true,
10233 },
10234 },
10235 resumeSession: true,
10236 flags: []string{
10237 "-enable-early-data",
10238 "-expect-early-data-info",
10239 "-expect-reject-early-data",
10240 },
10241 })
10242
10243 testCases = append(testCases, testCase{
10244 testType: clientTest,
10245 name: "TLS13-DataLessEarlyData-HRR-Client",
10246 config: Config{
10247 MaxVersion: VersionTLS13,
10248 MaxEarlyDataSize: 16384,
10249 },
10250 resumeConfig: &Config{
10251 MaxVersion: VersionTLS13,
10252 MaxEarlyDataSize: 16384,
10253 Bugs: ProtocolBugs{
10254 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10255 },
10256 },
10257 resumeSession: true,
10258 flags: []string{
10259 "-enable-early-data",
10260 "-expect-early-data-info",
10261 "-expect-reject-early-data",
10262 },
10263 })
10264
10265 // The client must check the server does not send the early_data
10266 // extension while rejecting the session.
10267 testCases = append(testCases, testCase{
10268 testType: clientTest,
10269 name: "TLS13-EarlyDataWithoutResume-Client",
10270 config: Config{
10271 MaxVersion: VersionTLS13,
10272 MaxEarlyDataSize: 16384,
10273 },
10274 resumeConfig: &Config{
10275 MaxVersion: VersionTLS13,
10276 SessionTicketsDisabled: true,
10277 Bugs: ProtocolBugs{
10278 SendEarlyDataExtension: true,
10279 },
10280 },
10281 resumeSession: true,
10282 flags: []string{
10283 "-enable-early-data",
10284 "-expect-early-data-info",
10285 },
10286 shouldFail: true,
10287 expectedError: ":UNEXPECTED_EXTENSION:",
10288 })
10289
10290 // The client must fail with a dedicated error code if the server
10291 // responds with TLS 1.2 when offering 0-RTT.
10292 testCases = append(testCases, testCase{
10293 testType: clientTest,
10294 name: "TLS13-EarlyDataVersionDowngrade-Client",
10295 config: Config{
10296 MaxVersion: VersionTLS13,
10297 MaxEarlyDataSize: 16384,
10298 },
10299 resumeConfig: &Config{
10300 MaxVersion: VersionTLS12,
10301 },
10302 resumeSession: true,
10303 flags: []string{
10304 "-enable-early-data",
10305 "-expect-early-data-info",
10306 },
10307 shouldFail: true,
10308 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10309 })
10310
10311 // Test that the client rejects an (unsolicited) early_data extension if
10312 // the server sent an HRR.
10313 testCases = append(testCases, testCase{
10314 testType: clientTest,
10315 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10316 config: Config{
10317 MaxVersion: VersionTLS13,
10318 MaxEarlyDataSize: 16384,
10319 },
10320 resumeConfig: &Config{
10321 MaxVersion: VersionTLS13,
10322 MaxEarlyDataSize: 16384,
10323 Bugs: ProtocolBugs{
10324 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10325 SendEarlyDataExtension: true,
10326 },
10327 },
10328 resumeSession: true,
10329 flags: []string{
10330 "-enable-early-data",
10331 "-expect-early-data-info",
10332 },
10333 shouldFail: true,
10334 expectedError: ":UNEXPECTED_EXTENSION:",
10335 })
10336
10337 fooString := "foo"
10338 barString := "bar"
10339
10340 // Test that the client reports the correct ALPN after a 0-RTT reject
10341 // that changed it.
10342 testCases = append(testCases, testCase{
10343 testType: clientTest,
10344 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10345 config: Config{
10346 MaxVersion: VersionTLS13,
10347 MaxEarlyDataSize: 16384,
10348 Bugs: ProtocolBugs{
10349 ALPNProtocol: &fooString,
10350 },
10351 },
10352 resumeConfig: &Config{
10353 MaxVersion: VersionTLS13,
10354 MaxEarlyDataSize: 16384,
10355 Bugs: ProtocolBugs{
10356 ALPNProtocol: &barString,
10357 },
10358 },
10359 resumeSession: true,
10360 flags: []string{
10361 "-advertise-alpn", "\x03foo\x03bar",
10362 "-enable-early-data",
10363 "-expect-early-data-info",
10364 "-expect-reject-early-data",
10365 "-expect-alpn", "foo",
10366 "-expect-resume-alpn", "bar",
10367 },
10368 })
10369
10370 // Test that the client reports the correct ALPN after a 0-RTT reject if
10371 // ALPN was omitted from the first connection.
10372 testCases = append(testCases, testCase{
10373 testType: clientTest,
10374 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10375 config: Config{
10376 MaxVersion: VersionTLS13,
10377 MaxEarlyDataSize: 16384,
10378 },
10379 resumeConfig: &Config{
10380 MaxVersion: VersionTLS13,
10381 MaxEarlyDataSize: 16384,
10382 NextProtos: []string{"foo"},
10383 },
10384 resumeSession: true,
10385 flags: []string{
10386 "-advertise-alpn", "\x03foo\x03bar",
10387 "-enable-early-data",
10388 "-expect-early-data-info",
10389 "-expect-reject-early-data",
10390 "-expect-no-alpn",
10391 "-expect-resume-alpn", "foo",
10392 },
10393 })
10394
10395 // Test that the client reports the correct ALPN after a 0-RTT reject if
10396 // ALPN was omitted from the second connection.
10397 testCases = append(testCases, testCase{
10398 testType: clientTest,
10399 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10400 config: Config{
10401 MaxVersion: VersionTLS13,
10402 MaxEarlyDataSize: 16384,
10403 NextProtos: []string{"foo"},
10404 },
10405 resumeConfig: &Config{
10406 MaxVersion: VersionTLS13,
10407 MaxEarlyDataSize: 16384,
10408 },
10409 resumeSession: true,
10410 flags: []string{
10411 "-advertise-alpn", "\x03foo\x03bar",
10412 "-enable-early-data",
10413 "-expect-early-data-info",
10414 "-expect-reject-early-data",
10415 "-expect-alpn", "foo",
10416 "-expect-no-resume-alpn",
10417 },
10418 })
10419
10420 // Test that the client enforces ALPN match on 0-RTT accept.
10421 testCases = append(testCases, testCase{
10422 testType: clientTest,
10423 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10424 config: Config{
10425 MaxVersion: VersionTLS13,
10426 MaxEarlyDataSize: 16384,
10427 Bugs: ProtocolBugs{
10428 ALPNProtocol: &fooString,
10429 },
10430 },
10431 resumeConfig: &Config{
10432 MaxVersion: VersionTLS13,
10433 MaxEarlyDataSize: 16384,
10434 Bugs: ProtocolBugs{
10435 AlwaysAcceptEarlyData: true,
10436 ALPNProtocol: &barString,
10437 },
10438 },
10439 resumeSession: true,
10440 flags: []string{
10441 "-advertise-alpn", "\x03foo\x03bar",
10442 "-enable-early-data",
10443 "-expect-early-data-info",
10444 },
10445 shouldFail: true,
10446 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10447 })
10448
10449 // Test that the server correctly rejects 0-RTT when the previous
10450 // session did not allow early data on resumption.
10451 testCases = append(testCases, testCase{
10452 testType: serverTest,
10453 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10454 config: Config{
10455 MaxVersion: VersionTLS13,
10456 },
10457 resumeConfig: &Config{
10458 MaxVersion: VersionTLS13,
10459 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10460 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10461 ExpectEarlyDataAccepted: false,
10462 },
10463 },
10464 resumeSession: true,
10465 flags: []string{
10466 "-enable-resume-early-data",
10467 "-expect-reject-early-data",
10468 },
10469 })
10470
10471 // Test that we reject early data where ALPN is omitted from the first
10472 // connection.
10473 testCases = append(testCases, testCase{
10474 testType: serverTest,
10475 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10476 config: Config{
10477 MaxVersion: VersionTLS13,
10478 NextProtos: []string{},
10479 },
10480 resumeConfig: &Config{
10481 MaxVersion: VersionTLS13,
10482 NextProtos: []string{"foo"},
10483 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10484 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10485 ExpectEarlyDataAccepted: false,
10486 },
10487 },
10488 resumeSession: true,
10489 flags: []string{
10490 "-enable-early-data",
10491 "-select-alpn", "",
10492 "-select-resume-alpn", "foo",
10493 },
10494 })
10495
10496 // Test that we reject early data where ALPN is omitted from the second
10497 // connection.
10498 testCases = append(testCases, testCase{
10499 testType: serverTest,
10500 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10501 config: Config{
10502 MaxVersion: VersionTLS13,
10503 NextProtos: []string{"foo"},
10504 },
10505 resumeConfig: &Config{
10506 MaxVersion: VersionTLS13,
10507 NextProtos: []string{},
10508 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10509 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10510 ExpectEarlyDataAccepted: false,
10511 },
10512 },
10513 resumeSession: true,
10514 flags: []string{
10515 "-enable-early-data",
10516 "-select-alpn", "foo",
10517 "-select-resume-alpn", "",
10518 },
10519 })
10520
10521 // Test that we reject early data with mismatched ALPN.
10522 testCases = append(testCases, testCase{
10523 testType: serverTest,
10524 name: "TLS13-EarlyData-ALPNMismatch-Server",
10525 config: Config{
10526 MaxVersion: VersionTLS13,
10527 NextProtos: []string{"foo"},
10528 },
10529 resumeConfig: &Config{
10530 MaxVersion: VersionTLS13,
10531 NextProtos: []string{"bar"},
10532 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10533 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10534 ExpectEarlyDataAccepted: false,
10535 },
10536 },
10537 resumeSession: true,
10538 flags: []string{
10539 "-enable-early-data",
10540 "-select-alpn", "foo",
10541 "-select-resume-alpn", "bar",
10542 },
10543 })
10544
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10545 // Test that the client offering 0-RTT and Channel ID forbids the server
10546 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10547 testCases = append(testCases, testCase{
10548 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10549 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10550 config: Config{
10551 MaxVersion: VersionTLS13,
10552 MaxEarlyDataSize: 16384,
10553 RequestChannelID: true,
10554 },
10555 resumeSession: true,
10556 expectChannelID: true,
10557 shouldFail: true,
10558 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10559 flags: []string{
10560 "-enable-early-data",
10561 "-expect-early-data-info",
10562 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10563 },
10564 })
10565
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10566 // Test that the client offering Channel ID and 0-RTT allows the server
10567 // to decline 0-RTT.
10568 testCases = append(testCases, testCase{
10569 testType: clientTest,
10570 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10571 config: Config{
10572 MaxVersion: VersionTLS13,
10573 MaxEarlyDataSize: 16384,
10574 RequestChannelID: true,
10575 Bugs: ProtocolBugs{
10576 AlwaysRejectEarlyData: true,
10577 },
10578 },
10579 resumeSession: true,
10580 expectChannelID: true,
10581 flags: []string{
10582 "-enable-early-data",
10583 "-expect-early-data-info",
10584 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10585 "-expect-reject-early-data",
10586 },
10587 })
10588
10589 // Test that the client offering Channel ID and 0-RTT allows the server
10590 // to decline Channel ID.
10591 testCases = append(testCases, testCase{
10592 testType: clientTest,
10593 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10594 config: Config{
10595 MaxVersion: VersionTLS13,
10596 MaxEarlyDataSize: 16384,
10597 },
10598 resumeSession: true,
10599 flags: []string{
10600 "-enable-early-data",
10601 "-expect-early-data-info",
10602 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10603 "-expect-accept-early-data",
10604 },
10605 })
10606
10607 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10608 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10609 testCases = append(testCases, testCase{
10610 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10611 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10612 config: Config{
10613 MaxVersion: VersionTLS13,
10614 ChannelID: channelIDKey,
10615 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10616 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10617 ExpectEarlyDataAccepted: false,
10618 },
10619 },
10620 resumeSession: true,
10621 expectChannelID: true,
10622 flags: []string{
10623 "-enable-early-data",
10624 "-expect-reject-early-data",
10625 "-expect-channel-id",
10626 base64.StdEncoding.EncodeToString(channelIDBytes),
10627 },
10628 })
10629
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10630 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10631 // if not offered Channel ID.
10632 testCases = append(testCases, testCase{
10633 testType: serverTest,
10634 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10635 config: Config{
10636 MaxVersion: VersionTLS13,
10637 Bugs: ProtocolBugs{
10638 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10639 ExpectEarlyDataAccepted: true,
10640 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10641 },
10642 },
10643 resumeSession: true,
10644 expectChannelID: false,
10645 flags: []string{
10646 "-enable-early-data",
10647 "-expect-accept-early-data",
10648 "-enable-channel-id",
10649 },
10650 })
10651
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10652 // Test that the server rejects 0-RTT streams without end_of_early_data.
10653 // The subsequent records should fail to decrypt.
10654 testCases = append(testCases, testCase{
10655 testType: serverTest,
10656 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10657 config: Config{
10658 MaxVersion: VersionTLS13,
10659 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10660 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10661 ExpectEarlyDataAccepted: true,
10662 SkipEndOfEarlyData: true,
10663 },
10664 },
10665 resumeSession: true,
10666 flags: []string{"-enable-early-data"},
10667 shouldFail: true,
10668 expectedLocalError: "remote error: bad record MAC",
10669 expectedError: ":BAD_DECRYPT:",
10670 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10671
10672 testCases = append(testCases, testCase{
10673 testType: serverTest,
10674 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10675 config: Config{
10676 MaxVersion: VersionTLS13,
10677 },
10678 resumeConfig: &Config{
10679 MaxVersion: VersionTLS13,
10680 Bugs: ProtocolBugs{
10681 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10682 SendStrayEarlyHandshake: true,
10683 ExpectEarlyDataAccepted: true},
10684 },
10685 resumeSession: true,
10686 shouldFail: true,
10687 expectedError: ":UNEXPECTED_RECORD:",
10688 expectedLocalError: "remote error: unexpected message",
10689 flags: []string{
10690 "-enable-early-data",
10691 },
10692 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10693}
10694
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10695func addTLS13CipherPreferenceTests() {
10696 // Test that client preference is honored if the shim has AES hardware
10697 // and ChaCha20-Poly1305 is preferred otherwise.
10698 testCases = append(testCases, testCase{
10699 testType: serverTest,
10700 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10701 config: Config{
10702 MaxVersion: VersionTLS13,
10703 CipherSuites: []uint16{
10704 TLS_CHACHA20_POLY1305_SHA256,
10705 TLS_AES_128_GCM_SHA256,
10706 },
10707 },
10708 flags: []string{
10709 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10710 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10711 },
10712 })
10713
10714 testCases = append(testCases, testCase{
10715 testType: serverTest,
10716 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10717 config: Config{
10718 MaxVersion: VersionTLS13,
10719 CipherSuites: []uint16{
10720 TLS_AES_128_GCM_SHA256,
10721 TLS_CHACHA20_POLY1305_SHA256,
10722 },
10723 },
10724 flags: []string{
10725 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10726 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10727 },
10728 })
10729
10730 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10731 // whether it has AES hardware.
10732 testCases = append(testCases, testCase{
10733 name: "TLS13-CipherPreference-Client",
10734 config: Config{
10735 MaxVersion: VersionTLS13,
10736 // Use the client cipher order. (This is the default but
10737 // is listed to be explicit.)
10738 PreferServerCipherSuites: false,
10739 },
10740 flags: []string{
10741 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10742 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10743 },
10744 })
10745}
10746
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10747func addPeekTests() {
10748 // Test SSL_peek works, including on empty records.
10749 testCases = append(testCases, testCase{
10750 name: "Peek-Basic",
10751 sendEmptyRecords: 1,
10752 flags: []string{"-peek-then-read"},
10753 })
10754
10755 // Test SSL_peek can drive the initial handshake.
10756 testCases = append(testCases, testCase{
10757 name: "Peek-ImplicitHandshake",
10758 flags: []string{
10759 "-peek-then-read",
10760 "-implicit-handshake",
10761 },
10762 })
10763
10764 // Test SSL_peek can discover and drive a renegotiation.
10765 testCases = append(testCases, testCase{
10766 name: "Peek-Renegotiate",
10767 config: Config{
10768 MaxVersion: VersionTLS12,
10769 },
10770 renegotiate: 1,
10771 flags: []string{
10772 "-peek-then-read",
10773 "-renegotiate-freely",
10774 "-expect-total-renegotiations", "1",
10775 },
10776 })
10777
10778 // Test SSL_peek can discover a close_notify.
10779 testCases = append(testCases, testCase{
10780 name: "Peek-Shutdown",
10781 config: Config{
10782 Bugs: ProtocolBugs{
10783 ExpectCloseNotify: true,
10784 },
10785 },
10786 flags: []string{
10787 "-peek-then-read",
10788 "-check-close-notify",
10789 },
10790 })
10791
10792 // Test SSL_peek can discover an alert.
10793 testCases = append(testCases, testCase{
10794 name: "Peek-Alert",
10795 config: Config{
10796 Bugs: ProtocolBugs{
10797 SendSpuriousAlert: alertRecordOverflow,
10798 },
10799 },
10800 flags: []string{"-peek-then-read"},
10801 shouldFail: true,
10802 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10803 })
10804
10805 // Test SSL_peek can handle KeyUpdate.
10806 testCases = append(testCases, testCase{
10807 name: "Peek-KeyUpdate",
10808 config: Config{
10809 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10810 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10811 sendKeyUpdates: 1,
10812 keyUpdateRequest: keyUpdateNotRequested,
10813 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10814 })
10815}
10816
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10817func addRecordVersionTests() {
10818 for _, ver := range tlsVersions {
10819 // Test that the record version is enforced.
10820 testCases = append(testCases, testCase{
10821 name: "CheckRecordVersion-" + ver.name,
10822 config: Config{
10823 MinVersion: ver.version,
10824 MaxVersion: ver.version,
10825 Bugs: ProtocolBugs{
10826 SendRecordVersion: 0x03ff,
10827 },
10828 },
10829 shouldFail: true,
10830 expectedError: ":WRONG_VERSION_NUMBER:",
10831 })
10832
10833 // Test that the ClientHello may use any record version, for
10834 // compatibility reasons.
10835 testCases = append(testCases, testCase{
10836 testType: serverTest,
10837 name: "LooseInitialRecordVersion-" + ver.name,
10838 config: Config{
10839 MinVersion: ver.version,
10840 MaxVersion: ver.version,
10841 Bugs: ProtocolBugs{
10842 SendInitialRecordVersion: 0x03ff,
10843 },
10844 },
10845 })
10846
10847 // Test that garbage ClientHello record versions are rejected.
10848 testCases = append(testCases, testCase{
10849 testType: serverTest,
10850 name: "GarbageInitialRecordVersion-" + ver.name,
10851 config: Config{
10852 MinVersion: ver.version,
10853 MaxVersion: ver.version,
10854 Bugs: ProtocolBugs{
10855 SendInitialRecordVersion: 0xffff,
10856 },
10857 },
10858 shouldFail: true,
10859 expectedError: ":WRONG_VERSION_NUMBER:",
10860 })
10861 }
10862}
10863
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10864func addCertificateTests() {
10865 // Test that a certificate chain with intermediate may be sent and
10866 // received as both client and server.
10867 for _, ver := range tlsVersions {
10868 testCases = append(testCases, testCase{
10869 testType: clientTest,
10870 name: "SendReceiveIntermediate-Client-" + ver.name,
10871 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10872 MinVersion: ver.version,
10873 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10874 Certificates: []Certificate{rsaChainCertificate},
10875 ClientAuth: RequireAnyClientCert,
10876 },
10877 expectPeerCertificate: &rsaChainCertificate,
10878 flags: []string{
10879 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10880 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10881 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10882 },
10883 })
10884
10885 testCases = append(testCases, testCase{
10886 testType: serverTest,
10887 name: "SendReceiveIntermediate-Server-" + ver.name,
10888 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10889 MinVersion: ver.version,
10890 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10891 Certificates: []Certificate{rsaChainCertificate},
10892 },
10893 expectPeerCertificate: &rsaChainCertificate,
10894 flags: []string{
10895 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10896 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10897 "-require-any-client-certificate",
10898 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10899 },
10900 })
10901 }
10902}
10903
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10904func addRetainOnlySHA256ClientCertTests() {
10905 for _, ver := range tlsVersions {
10906 // Test that enabling
10907 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10908 // actually requesting a client certificate is a no-op.
10909 testCases = append(testCases, testCase{
10910 testType: serverTest,
10911 name: "RetainOnlySHA256-NoCert-" + ver.name,
10912 config: Config{
10913 MinVersion: ver.version,
10914 MaxVersion: ver.version,
10915 },
10916 flags: []string{
10917 "-retain-only-sha256-client-cert-initial",
10918 "-retain-only-sha256-client-cert-resume",
10919 },
10920 resumeSession: true,
10921 })
10922
10923 // Test that when retaining only a SHA-256 certificate is
10924 // enabled, the hash appears as expected.
10925 testCases = append(testCases, testCase{
10926 testType: serverTest,
10927 name: "RetainOnlySHA256-Cert-" + ver.name,
10928 config: Config{
10929 MinVersion: ver.version,
10930 MaxVersion: ver.version,
10931 Certificates: []Certificate{rsaCertificate},
10932 },
10933 flags: []string{
10934 "-verify-peer",
10935 "-retain-only-sha256-client-cert-initial",
10936 "-retain-only-sha256-client-cert-resume",
10937 "-expect-sha256-client-cert-initial",
10938 "-expect-sha256-client-cert-resume",
10939 },
10940 resumeSession: true,
10941 })
10942
10943 // Test that when the config changes from on to off, a
10944 // resumption is rejected because the server now wants the full
10945 // certificate chain.
10946 testCases = append(testCases, testCase{
10947 testType: serverTest,
10948 name: "RetainOnlySHA256-OnOff-" + ver.name,
10949 config: Config{
10950 MinVersion: ver.version,
10951 MaxVersion: ver.version,
10952 Certificates: []Certificate{rsaCertificate},
10953 },
10954 flags: []string{
10955 "-verify-peer",
10956 "-retain-only-sha256-client-cert-initial",
10957 "-expect-sha256-client-cert-initial",
10958 },
10959 resumeSession: true,
10960 expectResumeRejected: true,
10961 })
10962
10963 // Test that when the config changes from off to on, a
10964 // resumption is rejected because the server now wants just the
10965 // hash.
10966 testCases = append(testCases, testCase{
10967 testType: serverTest,
10968 name: "RetainOnlySHA256-OffOn-" + ver.name,
10969 config: Config{
10970 MinVersion: ver.version,
10971 MaxVersion: ver.version,
10972 Certificates: []Certificate{rsaCertificate},
10973 },
10974 flags: []string{
10975 "-verify-peer",
10976 "-retain-only-sha256-client-cert-resume",
10977 "-expect-sha256-client-cert-resume",
10978 },
10979 resumeSession: true,
10980 expectResumeRejected: true,
10981 })
10982 }
10983}
10984
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10985func addECDSAKeyUsageTests() {
10986 p256 := elliptic.P256()
10987 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10988 if err != nil {
10989 panic(err)
10990 }
10991
10992 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10993 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10994 if err != nil {
10995 panic(err)
10996 }
10997
10998 template := x509.Certificate{
10999 SerialNumber: serialNumber,
11000 Subject: pkix.Name{
11001 Organization: []string{"Acme Co"},
11002 },
11003 NotBefore: time.Now(),
11004 NotAfter: time.Now(),
11005
11006 // An ECC certificate with only the keyAgreement key usgae may
11007 // be used with ECDH, but not ECDSA.
11008 KeyUsage: x509.KeyUsageKeyAgreement,
11009 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11010 BasicConstraintsValid: true,
11011 }
11012
11013 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11014 if err != nil {
11015 panic(err)
11016 }
11017
11018 cert := Certificate{
11019 Certificate: [][]byte{derBytes},
11020 PrivateKey: priv,
11021 }
11022
11023 for _, ver := range tlsVersions {
11024 if ver.version < VersionTLS12 {
11025 continue
11026 }
11027
11028 testCases = append(testCases, testCase{
11029 testType: clientTest,
11030 name: "ECDSAKeyUsage-" + ver.name,
11031 config: Config{
11032 MinVersion: ver.version,
11033 MaxVersion: ver.version,
11034 Certificates: []Certificate{cert},
11035 },
11036 shouldFail: true,
11037 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11038 })
11039 }
11040}
11041
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11042func addExtraHandshakeTests() {
11043 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11044 // to ensure there is no transport I/O.
11045 testCases = append(testCases, testCase{
11046 testType: clientTest,
11047 name: "ExtraHandshake-Client-TLS12",
11048 config: Config{
11049 MinVersion: VersionTLS12,
11050 MaxVersion: VersionTLS12,
11051 },
11052 flags: []string{
11053 "-async",
11054 "-no-op-extra-handshake",
11055 },
11056 })
11057 testCases = append(testCases, testCase{
11058 testType: serverTest,
11059 name: "ExtraHandshake-Server-TLS12",
11060 config: Config{
11061 MinVersion: VersionTLS12,
11062 MaxVersion: VersionTLS12,
11063 },
11064 flags: []string{
11065 "-async",
11066 "-no-op-extra-handshake",
11067 },
11068 })
11069 testCases = append(testCases, testCase{
11070 testType: clientTest,
11071 name: "ExtraHandshake-Client-TLS13",
11072 config: Config{
11073 MinVersion: VersionTLS13,
11074 MaxVersion: VersionTLS13,
11075 },
11076 flags: []string{
11077 "-async",
11078 "-no-op-extra-handshake",
11079 },
11080 })
11081 testCases = append(testCases, testCase{
11082 testType: serverTest,
11083 name: "ExtraHandshake-Server-TLS13",
11084 config: Config{
11085 MinVersion: VersionTLS13,
11086 MaxVersion: VersionTLS13,
11087 },
11088 flags: []string{
11089 "-async",
11090 "-no-op-extra-handshake",
11091 },
11092 })
11093
11094 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11095 testCases = append(testCases, testCase{
11096 testType: serverTest,
11097 name: "ExtraHandshake-Server-EarlyData-TLS13",
11098 config: Config{
11099 MaxVersion: VersionTLS13,
11100 MinVersion: VersionTLS13,
11101 Bugs: ProtocolBugs{
11102 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11103 ExpectEarlyDataAccepted: true,
11104 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11105 },
11106 },
11107 messageCount: 2,
11108 resumeSession: true,
11109 flags: []string{
11110 "-async",
11111 "-enable-early-data",
11112 "-expect-accept-early-data",
11113 "-no-op-extra-handshake",
11114 },
11115 })
11116
11117 // An extra SSL_do_handshake drives the handshake to completion in False
11118 // Start. We test this by handshaking twice and asserting the False
11119 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11120 // how the test works.
11121 testCases = append(testCases, testCase{
11122 testType: clientTest,
11123 name: "ExtraHandshake-FalseStart",
11124 config: Config{
11125 MaxVersion: VersionTLS12,
11126 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11127 NextProtos: []string{"foo"},
11128 Bugs: ProtocolBugs{
11129 ExpectFalseStart: true,
11130 AlertBeforeFalseStartTest: alertAccessDenied,
11131 },
11132 },
11133 flags: []string{
11134 "-handshake-twice",
11135 "-false-start",
11136 "-advertise-alpn", "\x03foo",
11137 },
11138 shimWritesFirst: true,
11139 shouldFail: true,
11140 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11141 expectedLocalError: "tls: peer did not false start: EOF",
11142 })
11143}
11144
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11145func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11146 defer wg.Done()
11147
11148 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11149 var err error
11150
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11151 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11152 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11153 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11154 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11155 if err != nil {
11156 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11157 }
11158 break
11159 }
11160 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11161 } else if *repeatUntilFailure {
11162 for err == nil {
11163 statusChan <- statusMsg{test: test, started: true}
11164 err = runTest(test, shimPath, -1)
11165 }
11166 } else {
11167 statusChan <- statusMsg{test: test, started: true}
11168 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]11169 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11170 statusChan <- statusMsg{test: test, err: err}
11171 }
11172}
11173
11174type statusMsg struct {
11175 test *testCase
11176 started bool
11177 err error
11178}
11179
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11180func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11181 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11182
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11183 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11184 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11185 if !*pipe {
11186 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]11187 var erase string
11188 for i := 0; i < lineLen; i++ {
11189 erase += "\b \b"
11190 }
11191 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11192 }
11193
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11194 if msg.started {
11195 started++
11196 } else {
11197 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11198
11199 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11200 if msg.err == errUnimplemented {
11201 if *pipe {
11202 // Print each test instead of a status line.
11203 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11204 }
11205 unimplemented++
11206 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11207 } else {
11208 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11209 failed++
11210 testOutput.addResult(msg.test.name, "FAIL")
11211 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11212 } else {
11213 if *pipe {
11214 // Print each test instead of a status line.
11215 fmt.Printf("PASSED (%s)\n", msg.test.name)
11216 }
11217 testOutput.addResult(msg.test.name, "PASS")
11218 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11219 }
11220
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11221 if !*pipe {
11222 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11223 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11224 lineLen = len(line)
11225 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11226 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11227 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11228
11229 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11230}
11231
11232func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11233 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11234 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11235 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11236
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11237 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11238 addCipherSuiteTests()
11239 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11240 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11241 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11242 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11243 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11244 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11245 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11246 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11247 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11248 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11249 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11250 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11251 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11252 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11253 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11254 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11255 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11256 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11257 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11258 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11259 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11260 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11261 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11262 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11263 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11264 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11265 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11266 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11267 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11268 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11269 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11270 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11271 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11272
11273 var wg sync.WaitGroup
11274
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11275 statusChan := make(chan statusMsg, *numWorkers)
11276 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11277 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11278
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11279 if len(*shimConfigFile) != 0 {
11280 encoded, err := ioutil.ReadFile(*shimConfigFile)
11281 if err != nil {
11282 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11283 os.Exit(1)
11284 }
11285
11286 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11287 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11288 os.Exit(1)
11289 }
11290 }
11291
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11292 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11293
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11294 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11295 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11296 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11297 }
11298
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11299 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11300 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11301 matched := true
11302 if len(*testToRun) != 0 {
11303 var err error
11304 matched, err = filepath.Match(*testToRun, testCases[i].name)
11305 if err != nil {
11306 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11307 os.Exit(1)
11308 }
11309 }
11310
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11311 if !*includeDisabled {
11312 for pattern := range shimConfig.DisabledTests {
11313 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11314 if err != nil {
11315 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11316 os.Exit(1)
11317 }
11318
11319 if isDisabled {
11320 matched = false
11321 break
11322 }
11323 }
11324 }
11325
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11326 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11327 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11328 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11329
11330 // Only run one test if repeating until failure.
11331 if *repeatUntilFailure {
11332 break
11333 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11334 }
11335 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11336
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11337 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11338 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11339 os.Exit(1)
11340 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11341
11342 close(testChan)
11343 wg.Wait()
11344 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11345 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11346
11347 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11348
11349 if *jsonOutput != "" {
11350 if err := testOutput.writeTo(*jsonOutput); err != nil {
11351 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11352 }
11353 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11354
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11355 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11356 os.Exit(1)
11357 }
11358
11359 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11360 os.Exit(1)
11361 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11362}