Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 9b16066654f768d22ee2cd5a2576fcc4cab9590b / . / ssl / test / runner / runner.go
blob: 7aa3c840ddd23b475efb29babe3d5fdeaa729472 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]25 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]26 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]27 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]28 "flag"
29 "fmt"
30 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]31 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]32 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33 "net"
34 "os"
35 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]36 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]37 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]38 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]39 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]40 "strings"
41 "sync"
42 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]43 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]44)
45
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]46var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]47 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
48 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
49 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
50 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
51 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
52 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
53 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
54 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]55 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]56 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
57 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
58 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
59 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
60 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
61 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
62 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
63 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]64 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]65 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
66 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]67 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]68)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]69
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]70// ShimConfigurations is used with the “json” package and represents a shim
71// config file.
72type ShimConfiguration struct {
73 // DisabledTests maps from a glob-based pattern to a freeform string.
74 // The glob pattern is used to exclude tests from being run and the
75 // freeform string is unparsed but expected to explain why the test is
76 // disabled.
77 DisabledTests map[string]string
78
79 // ErrorMap maps from expected error strings to the correct error
80 // string for the shim in question. For example, it might map
81 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
82 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
83 ErrorMap map[string]string
84}
85
86var shimConfig ShimConfiguration
87
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]88type testCert int
89
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]90const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]91 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]92 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]93 testCertRSAChain
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]94 testCertECDSAP256
95 testCertECDSAP384
96 testCertECDSAP521
97)
98
99const (
100 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 rsaChainCertificateFile = "rsa_chain_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
104 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
105 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]106)
107
108const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]109 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]110 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]111 rsaChainKeyFile = "rsa_chain_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]112 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
113 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
114 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]115 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]116)
117
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]118var (
119 rsaCertificate Certificate
120 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]121 rsaChainCertificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 ecdsaP256Certificate Certificate
123 ecdsaP384Certificate Certificate
124 ecdsaP521Certificate Certificate
125)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126
127var testCerts = []struct {
128 id testCert
129 certFile, keyFile string
130 cert *Certificate
131}{
132 {
133 id: testCertRSA,
134 certFile: rsaCertificateFile,
135 keyFile: rsaKeyFile,
136 cert: &rsaCertificate,
137 },
138 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]139 id: testCertRSA1024,
140 certFile: rsa1024CertificateFile,
141 keyFile: rsa1024KeyFile,
142 cert: &rsa1024Certificate,
143 },
144 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]145 id: testCertRSAChain,
146 certFile: rsaChainCertificateFile,
147 keyFile: rsaChainKeyFile,
148 cert: &rsaChainCertificate,
149 },
150 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]151 id: testCertECDSAP256,
152 certFile: ecdsaP256CertificateFile,
153 keyFile: ecdsaP256KeyFile,
154 cert: &ecdsaP256Certificate,
155 },
156 {
157 id: testCertECDSAP384,
158 certFile: ecdsaP384CertificateFile,
159 keyFile: ecdsaP384KeyFile,
160 cert: &ecdsaP384Certificate,
161 },
162 {
163 id: testCertECDSAP521,
164 certFile: ecdsaP521CertificateFile,
165 keyFile: ecdsaP521KeyFile,
166 cert: &ecdsaP521Certificate,
167 },
168}
169
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]170var channelIDKey *ecdsa.PrivateKey
171var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]173var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]174var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]175
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]176var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]177var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]178
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]179func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]180 for i := range testCerts {
181 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
182 if err != nil {
183 panic(err)
184 }
185 cert.OCSPStaple = testOCSPResponse
186 cert.SignedCertificateTimestampList = testSCTList
187 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]189
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]190 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]191 if err != nil {
192 panic(err)
193 }
194 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
195 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
196 panic("bad key type")
197 }
198 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
199 if err != nil {
200 panic(err)
201 }
202 if channelIDKey.Curve != elliptic.P256() {
203 panic("bad curve")
204 }
205
206 channelIDBytes = make([]byte, 64)
207 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
208 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]209}
210
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]211func getRunnerCertificate(t testCert) Certificate {
212 for _, cert := range testCerts {
213 if cert.id == t {
214 return *cert.cert
215 }
216 }
217 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]218}
219
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]220func getShimCertificate(t testCert) string {
221 for _, cert := range testCerts {
222 if cert.id == t {
223 return cert.certFile
224 }
225 }
226 panic("Unknown test certificate")
227}
228
229func getShimKey(t testCert) string {
230 for _, cert := range testCerts {
231 if cert.id == t {
232 return cert.keyFile
233 }
234 }
235 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]236}
237
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]238type testType int
239
240const (
241 clientTest testType = iota
242 serverTest
243)
244
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]245type protocol int
246
247const (
248 tls protocol = iota
249 dtls
250)
251
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]252const (
253 alpn = 1
254 npn = 2
255)
256
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]257type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]258 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]259 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]260 name string
261 config Config
262 shouldFail bool
263 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]264 // expectedLocalError, if not empty, contains a substring that must be
265 // found in the local error.
266 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]267 // expectedVersion, if non-zero, specifies the TLS version that must be
268 // negotiated.
269 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]270 // expectedResumeVersion, if non-zero, specifies the TLS version that
271 // must be negotiated on resumption. If zero, expectedVersion is used.
272 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]273 // expectedCipher, if non-zero, specifies the TLS cipher suite that
274 // should be negotiated.
275 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]276 // expectChannelID controls whether the connection should have
277 // negotiated a Channel ID with channelIDKey.
278 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]279 // expectedNextProto controls whether the connection should
280 // negotiate a next protocol via NPN or ALPN.
281 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]282 // expectNoNextProto, if true, means that no next protocol should be
283 // negotiated.
284 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]285 // expectedNextProtoType, if non-zero, is the expected next
286 // protocol negotiation mechanism.
287 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]288 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
289 // should be negotiated. If zero, none should be negotiated.
290 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]291 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
292 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]293 // expectedSCTList, if not nil, is the expected SCT list to be received.
294 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]295 // expectedPeerSignatureAlgorithm, if not zero, is the signature
296 // algorithm that the peer should have used in the handshake.
297 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]298 // expectedCurveID, if not zero, is the curve that the handshake should
299 // have used.
300 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]301 // messageLen is the length, in bytes, of the test message that will be
302 // sent.
303 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]304 // messageCount is the number of test messages that will be sent.
305 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]306 // certFile is the path to the certificate to use for the server.
307 certFile string
308 // keyFile is the path to the private key to use for the server.
309 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]310 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]312 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]313 // resumeRenewedSession controls whether a third connection should be
314 // tested which attempts to resume the second connection's session.
315 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]316 // expectResumeRejected, if true, specifies that the attempted
317 // resumption must be rejected by the client. This is only valid for a
318 // serverTest.
319 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]320 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]321 // resumption. Unless newSessionsOnResume is set,
322 // SessionTicketKey, ServerSessionCache, and
323 // ClientSessionCache are copied from the initial connection's
324 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]325 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]326 // newSessionsOnResume, if true, will cause resumeConfig to
327 // use a different session resumption context.
328 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]329 // noSessionCache, if true, will cause the server to run without a
330 // session cache.
331 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]332 // sendPrefix sends a prefix on the socket before actually performing a
333 // handshake.
334 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]335 // shimWritesFirst controls whether the shim sends an initial "hello"
336 // message before doing a roundtrip with the runner.
337 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]338 // shimShutsDown, if true, runs a test where the shim shuts down the
339 // connection immediately after the handshake rather than echoing
340 // messages from the runner.
341 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]342 // renegotiate indicates the number of times the connection should be
343 // renegotiated during the exchange.
344 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]345 // sendHalfHelloRequest, if true, causes the server to send half a
346 // HelloRequest when the handshake completes.
347 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]348 // renegotiateCiphers is a list of ciphersuite ids that will be
349 // switched in just before renegotiation.
350 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]351 // replayWrites, if true, configures the underlying transport
352 // to replay every write it makes in DTLS tests.
353 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]354 // damageFirstWrite, if true, configures the underlying transport to
355 // damage the final byte of the first application data write.
356 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]357 // exportKeyingMaterial, if non-zero, configures the test to exchange
358 // keying material and verify they match.
359 exportKeyingMaterial int
360 exportLabel string
361 exportContext string
362 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]363 // flags, if not empty, contains a list of command-line flags that will
364 // be passed to the shim program.
365 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]366 // testTLSUnique, if true, causes the shim to send the tls-unique value
367 // which will be compared against the expected value.
368 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]369 // sendEmptyRecords is the number of consecutive empty records to send
370 // before and after the test message.
371 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]372 // sendWarningAlerts is the number of consecutive warning alerts to send
373 // before and after the test message.
374 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]375 // sendKeyUpdates is the number of consecutive key updates to send
376 // before and after the test message.
377 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]378 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
379 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]380 // expectMessageDropped, if true, means the test message is expected to
381 // be dropped by the client rather than echoed back.
382 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]383 // expectPeerCertificate, if not nil, is the certificate chain the peer
384 // is expected to send.
385 expectPeerCertificate *Certificate
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]386 // expectShortHeader is whether the short header extension should be negotiated.
387 expectShortHeader bool
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]388}
389
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]390var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]391
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]392func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]393 if len(data) == 0 {
394 return
395 }
396
397 protocol := "tls"
398 if test.protocol == dtls {
399 protocol = "dtls"
400 }
401
402 side := "client"
403 if test.testType == serverTest {
404 side = "server"
405 }
406
407 dir := path.Join(*transcriptDir, protocol, side)
408 if err := os.MkdirAll(dir, 0755); err != nil {
409 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
410 return
411 }
412
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]413 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]414 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
415 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
416 }
417}
418
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]419// A timeoutConn implements an idle timeout on each Read and Write operation.
420type timeoutConn struct {
421 net.Conn
422 timeout time.Duration
423}
424
425func (t *timeoutConn) Read(b []byte) (int, error) {
426 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
427 return 0, err
428 }
429 return t.Conn.Read(b)
430}
431
432func (t *timeoutConn) Write(b []byte) (int, error) {
433 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
434 return 0, err
435 }
436 return t.Conn.Write(b)
437}
438
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]439func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]440 if !test.noSessionCache {
441 if config.ClientSessionCache == nil {
442 config.ClientSessionCache = NewLRUClientSessionCache(1)
443 }
444 if config.ServerSessionCache == nil {
445 config.ServerSessionCache = NewLRUServerSessionCache(1)
446 }
447 }
448 if test.testType == clientTest {
449 if len(config.Certificates) == 0 {
450 config.Certificates = []Certificate{rsaCertificate}
451 }
452 } else {
453 // Supply a ServerName to ensure a constant session cache key,
454 // rather than falling back to net.Conn.RemoteAddr.
455 if len(config.ServerName) == 0 {
456 config.ServerName = "test"
457 }
458 }
459 if *fuzzer {
460 config.Bugs.NullAllCiphers = true
461 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]462 if *deterministic {
463 config.Time = func() time.Time { return time.Unix(1234, 1234) }
464 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]465
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]466 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]467
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]468 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]469 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
470 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]471 }
472
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]473 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]474 local, peer := "client", "server"
475 if test.testType == clientTest {
476 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]477 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]478 connDebug := &recordingConn{
479 Conn: conn,
480 isDatagram: test.protocol == dtls,
481 local: local,
482 peer: peer,
483 }
484 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]485 if *flagDebug {
486 defer connDebug.WriteTo(os.Stdout)
487 }
488 if len(*transcriptDir) != 0 {
489 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]490 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]491 }()
492 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]493
494 if config.Bugs.PacketAdaptor != nil {
495 config.Bugs.PacketAdaptor.debug = connDebug
496 }
497 }
498
499 if test.replayWrites {
500 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]501 }
502
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]503 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]504 if test.damageFirstWrite {
505 connDamage = newDamageAdaptor(conn)
506 conn = connDamage
507 }
508
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]509 if test.sendPrefix != "" {
510 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
511 return err
512 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]513 }
514
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]515 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]516 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]517 if test.protocol == dtls {
518 tlsConn = DTLSServer(conn, config)
519 } else {
520 tlsConn = Server(conn, config)
521 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]522 } else {
523 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 if test.protocol == dtls {
525 tlsConn = DTLSClient(conn, config)
526 } else {
527 tlsConn = Client(conn, config)
528 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]529 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]530 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]531
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]532 if err := tlsConn.Handshake(); err != nil {
533 return err
534 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]535
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]536 // TODO(davidben): move all per-connection expectations into a dedicated
537 // expectations struct that can be specified separately for the two
538 // legs.
539 expectedVersion := test.expectedVersion
540 if isResume && test.expectedResumeVersion != 0 {
541 expectedVersion = test.expectedResumeVersion
542 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]543 connState := tlsConn.ConnectionState()
544 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]545 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]546 }
547
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]548 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]549 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
550 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]551 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
552 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
553 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]554
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]555 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]556 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]557 if channelID == nil {
558 return fmt.Errorf("no channel ID negotiated")
559 }
560 if channelID.Curve != channelIDKey.Curve ||
561 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
562 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
563 return fmt.Errorf("incorrect channel ID")
564 }
565 }
566
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]567 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]568 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]569 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
570 }
571 }
572
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]573 if test.expectNoNextProto {
574 if actual := connState.NegotiatedProtocol; actual != "" {
575 return fmt.Errorf("got unexpected next proto %s", actual)
576 }
577 }
578
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]579 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]580 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]581 return fmt.Errorf("next proto type mismatch")
582 }
583 }
584
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]585 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]586 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
587 }
588
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]589 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]590 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]591 }
592
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]593 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
594 return fmt.Errorf("SCT list mismatch")
595 }
596
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]597 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
598 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]599 }
600
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]601 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
602 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
603 }
604
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]605 if test.expectPeerCertificate != nil {
606 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
607 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
608 }
609 for i, cert := range connState.PeerCertificates {
610 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
611 return fmt.Errorf("peer certificate %d did not match", i+1)
612 }
613 }
614 }
615
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]616 if test.expectShortHeader != connState.ShortHeader {
617 return fmt.Errorf("ShortHeader is %t, but we expected the opposite", connState.ShortHeader)
618 }
619
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]620 if test.exportKeyingMaterial > 0 {
621 actual := make([]byte, test.exportKeyingMaterial)
622 if _, err := io.ReadFull(tlsConn, actual); err != nil {
623 return err
624 }
625 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
626 if err != nil {
627 return err
628 }
629 if !bytes.Equal(actual, expected) {
630 return fmt.Errorf("keying material mismatch")
631 }
632 }
633
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]634 if test.testTLSUnique {
635 var peersValue [12]byte
636 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
637 return err
638 }
639 expected := tlsConn.ConnectionState().TLSUnique
640 if !bytes.Equal(peersValue[:], expected) {
641 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
642 }
643 }
644
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]645 if test.shimWritesFirst {
646 var buf [5]byte
647 _, err := io.ReadFull(tlsConn, buf[:])
648 if err != nil {
649 return err
650 }
651 if string(buf[:]) != "hello" {
652 return fmt.Errorf("bad initial message")
653 }
654 }
655
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]656 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]657 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]658 return err
659 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]660 }
661
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]662 for i := 0; i < test.sendEmptyRecords; i++ {
663 tlsConn.Write(nil)
664 }
665
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]666 for i := 0; i < test.sendWarningAlerts; i++ {
667 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
668 }
669
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]670 if test.sendHalfHelloRequest {
671 tlsConn.SendHalfHelloRequest()
672 }
673
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]674 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]675 if test.renegotiateCiphers != nil {
676 config.CipherSuites = test.renegotiateCiphers
677 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]678 for i := 0; i < test.renegotiate; i++ {
679 if err := tlsConn.Renegotiate(); err != nil {
680 return err
681 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]682 }
683 } else if test.renegotiateCiphers != nil {
684 panic("renegotiateCiphers without renegotiate")
685 }
686
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]687 if test.damageFirstWrite {
688 connDamage.setDamage(true)
689 tlsConn.Write([]byte("DAMAGED WRITE"))
690 connDamage.setDamage(false)
691 }
692
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]693 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]694 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]695 if test.protocol == dtls {
696 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
697 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]698 // Read until EOF.
699 _, err := io.Copy(ioutil.Discard, tlsConn)
700 return err
701 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]702 if messageLen == 0 {
703 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]704 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]705
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]706 messageCount := test.messageCount
707 if messageCount == 0 {
708 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]709 }
710
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]711 for j := 0; j < messageCount; j++ {
712 testMessage := make([]byte, messageLen)
713 for i := range testMessage {
714 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]715 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]716 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]717
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]718 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]719 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 for i := 0; i < test.sendEmptyRecords; i++ {
723 tlsConn.Write(nil)
724 }
725
726 for i := 0; i < test.sendWarningAlerts; i++ {
727 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
728 }
729
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]730 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]731 // The shim will not respond.
732 continue
733 }
734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 buf := make([]byte, len(testMessage))
736 if test.protocol == dtls {
737 bufTmp := make([]byte, len(buf)+1)
738 n, err := tlsConn.Read(bufTmp)
739 if err != nil {
740 return err
741 }
742 if n != len(buf) {
743 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
744 }
745 copy(buf, bufTmp)
746 } else {
747 _, err := io.ReadFull(tlsConn, buf)
748 if err != nil {
749 return err
750 }
751 }
752
753 for i, v := range buf {
754 if v != testMessage[i]^0xff {
755 return fmt.Errorf("bad reply contents at byte %d", i)
756 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]757 }
758 }
759
760 return nil
761}
762
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]763func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]764 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]766 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]767 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]768 valgrindArgs = append(valgrindArgs, path)
769 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]771 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772}
773
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]774func gdbOf(path string, args ...string) *exec.Cmd {
775 xtermArgs := []string{"-e", "gdb", "--args"}
776 xtermArgs = append(xtermArgs, path)
777 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]778
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]779 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780}
781
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]782func lldbOf(path string, args ...string) *exec.Cmd {
783 xtermArgs := []string{"-e", "lldb", "--"}
784 xtermArgs = append(xtermArgs, path)
785 xtermArgs = append(xtermArgs, args...)
786
787 return exec.Command("xterm", xtermArgs...)
788}
789
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]790var (
791 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
792 errUnimplemented = errors.New("child process does not implement needed flags")
793)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]794
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]795// accept accepts a connection from listener, unless waitChan signals a process
796// exit first.
797func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
798 type connOrError struct {
799 conn net.Conn
800 err error
801 }
802 connChan := make(chan connOrError, 1)
803 go func() {
804 conn, err := listener.Accept()
805 connChan <- connOrError{conn, err}
806 close(connChan)
807 }()
808 select {
809 case result := <-connChan:
810 return result.conn, result.err
811 case childErr := <-waitChan:
812 waitChan <- childErr
813 return nil, fmt.Errorf("child exited early: %s", childErr)
814 }
815}
816
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]817func translateExpectedError(errorStr string) string {
818 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
819 return translated
820 }
821
822 if *looseErrors {
823 return ""
824 }
825
826 return errorStr
827}
828
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]829func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]830 // Help debugging panics on the Go side.
831 defer func() {
832 if r := recover(); r != nil {
833 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
834 panic(r)
835 }
836 }()
837
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]838 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
839 panic("Error expected without shouldFail in " + test.name)
840 }
841
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]842 if test.expectResumeRejected && !test.resumeSession {
843 panic("expectResumeRejected without resumeSession in " + test.name)
844 }
845
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]846 for _, ver := range tlsVersions {
847 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
848 continue
849 }
850
851 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
852 continue
853 }
854
855 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
856 }
857
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]858 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
859 if err != nil {
860 panic(err)
861 }
862 defer func() {
863 if listener != nil {
864 listener.Close()
865 }
866 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]868 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]869 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]870 flags = append(flags, "-server")
871
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]872 flags = append(flags, "-key-file")
873 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]874 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]875 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]876 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]877 }
878
879 flags = append(flags, "-cert-file")
880 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]881 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]882 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]883 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]884 }
885 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]886
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]887 if test.protocol == dtls {
888 flags = append(flags, "-dtls")
889 }
890
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]891 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]892 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]893 resumeCount++
894 if test.resumeRenewedSession {
895 resumeCount++
896 }
897 }
898
899 if resumeCount > 0 {
900 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]901 }
902
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]903 if test.shimWritesFirst {
904 flags = append(flags, "-shim-writes-first")
905 }
906
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]907 if test.shimShutsDown {
908 flags = append(flags, "-shim-shuts-down")
909 }
910
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]911 if test.exportKeyingMaterial > 0 {
912 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
913 flags = append(flags, "-export-label", test.exportLabel)
914 flags = append(flags, "-export-context", test.exportContext)
915 if test.useExportContext {
916 flags = append(flags, "-use-export-context")
917 }
918 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]919 if test.expectResumeRejected {
920 flags = append(flags, "-expect-session-miss")
921 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]922
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]923 if test.testTLSUnique {
924 flags = append(flags, "-tls-unique")
925 }
926
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 flags = append(flags, test.flags...)
928
929 var shim *exec.Cmd
930 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]932 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]934 } else if *useLLDB {
935 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]939 shim.Stdin = os.Stdin
940 var stdoutBuf, stderrBuf bytes.Buffer
941 shim.Stdout = &stdoutBuf
942 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]943 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]944 shim.Env = os.Environ()
945 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]946 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]947 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]948 }
949 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
950 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]951
952 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 panic(err)
954 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]955 waitChan := make(chan error, 1)
956 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957
958 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]960 if *deterministic {
961 config.Rand = &deterministicRand{}
962 }
963
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]964 conn, err := acceptOrWait(listener, waitChan)
965 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]966 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]967 conn.Close()
968 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]969
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]970 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]971 var resumeConfig Config
972 if test.resumeConfig != nil {
973 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]974 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]975 resumeConfig.SessionTicketKey = config.SessionTicketKey
976 resumeConfig.ClientSessionCache = config.ClientSessionCache
977 resumeConfig.ServerSessionCache = config.ServerSessionCache
978 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]979 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]980 } else {
981 resumeConfig = config
982 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 var connResume net.Conn
984 connResume, err = acceptOrWait(listener, waitChan)
985 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]986 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]987 connResume.Close()
988 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]989 }
990
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]991 // Close the listener now. This is to avoid hangs should the shim try to
992 // open more connections than expected.
993 listener.Close()
994 listener = nil
995
996 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]997 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]999 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1000 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1002 case 89:
1003 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1004 case 99:
1005 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1006 }
1007 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1009 // Account for Windows line endings.
1010 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1011 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1012
1013 // Separate the errors from the shim and those from tools like
1014 // AddressSanitizer.
1015 var extraStderr string
1016 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1017 stderr = stderrParts[0]
1018 extraStderr = stderrParts[1]
1019 }
1020
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1021 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1022 expectedError := translateExpectedError(test.expectedError)
1023 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1024
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1025 localError := "none"
1026 if err != nil {
1027 localError = err.Error()
1028 }
1029 if len(test.expectedLocalError) != 0 {
1030 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1031 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1032
1033 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035 if childErr != nil {
1036 childError = childErr.Error()
1037 }
1038
1039 var msg string
1040 switch {
1041 case failed && !test.shouldFail:
1042 msg = "unexpected failure"
1043 case !failed && test.shouldFail:
1044 msg = "unexpected success"
1045 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1046 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 default:
1048 panic("internal error")
1049 }
1050
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1051 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1052 }
1053
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1054 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1055 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1056 }
1057
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 if *useValgrind && isValgrindError {
1059 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1060 }
1061
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 return nil
1063}
1064
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1065type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 name string
1067 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1068 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1069 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1070}
1071
1072var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1073 {"SSL3", VersionSSL30, "-no-ssl3", false},
1074 {"TLS1", VersionTLS10, "-no-tls1", true},
1075 {"TLS11", VersionTLS11, "-no-tls11", false},
1076 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1077 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078}
1079
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1080type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 name string
1082 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1083}
1084
1085var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1087 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1089 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1090 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1092 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1093 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1094 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1095 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1096 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1097 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1098 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1099 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1100 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1101 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1102 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1104 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1105 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1108 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1109 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1111 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1112 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1113 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1114 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1115 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1116 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1117 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1118 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1119 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1120 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1121 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1122}
1123
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1124func hasComponent(suiteName, component string) bool {
1125 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1126}
1127
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1128func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1129 return hasComponent(suiteName, "GCM") ||
1130 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1131 hasComponent(suiteName, "SHA384") ||
1132 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1133}
1134
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1135func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1136 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1137}
1138
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1139func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1140 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1141}
1142
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1143func bigFromHex(hex string) *big.Int {
1144 ret, ok := new(big.Int).SetString(hex, 16)
1145 if !ok {
1146 panic("failed to parse hex number 0x" + hex)
1147 }
1148 return ret
1149}
1150
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1151func addBasicTests() {
1152 basicTests := []testCase{
1153 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1154 name: "NoFallbackSCSV",
1155 config: Config{
1156 Bugs: ProtocolBugs{
1157 FailIfNotFallbackSCSV: true,
1158 },
1159 },
1160 shouldFail: true,
1161 expectedLocalError: "no fallback SCSV found",
1162 },
1163 {
1164 name: "SendFallbackSCSV",
1165 config: Config{
1166 Bugs: ProtocolBugs{
1167 FailIfNotFallbackSCSV: true,
1168 },
1169 },
1170 flags: []string{"-fallback-scsv"},
1171 },
1172 {
1173 name: "ClientCertificateTypes",
1174 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1175 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1176 ClientAuth: RequestClientCert,
1177 ClientCertificateTypes: []byte{
1178 CertTypeDSSSign,
1179 CertTypeRSASign,
1180 CertTypeECDSASign,
1181 },
1182 },
1183 flags: []string{
1184 "-expect-certificate-types",
1185 base64.StdEncoding.EncodeToString([]byte{
1186 CertTypeDSSSign,
1187 CertTypeRSASign,
1188 CertTypeECDSASign,
1189 }),
1190 },
1191 },
1192 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1193 name: "UnauthenticatedECDH",
1194 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1195 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1196 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1197 Bugs: ProtocolBugs{
1198 UnauthenticatedECDH: true,
1199 },
1200 },
1201 shouldFail: true,
1202 expectedError: ":UNEXPECTED_MESSAGE:",
1203 },
1204 {
1205 name: "SkipCertificateStatus",
1206 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1207 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1208 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1209 Bugs: ProtocolBugs{
1210 SkipCertificateStatus: true,
1211 },
1212 },
1213 flags: []string{
1214 "-enable-ocsp-stapling",
1215 },
1216 },
1217 {
1218 name: "SkipServerKeyExchange",
1219 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1220 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1222 Bugs: ProtocolBugs{
1223 SkipServerKeyExchange: true,
1224 },
1225 },
1226 shouldFail: true,
1227 expectedError: ":UNEXPECTED_MESSAGE:",
1228 },
1229 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1230 testType: serverTest,
1231 name: "Alert",
1232 config: Config{
1233 Bugs: ProtocolBugs{
1234 SendSpuriousAlert: alertRecordOverflow,
1235 },
1236 },
1237 shouldFail: true,
1238 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1239 },
1240 {
1241 protocol: dtls,
1242 testType: serverTest,
1243 name: "Alert-DTLS",
1244 config: Config{
1245 Bugs: ProtocolBugs{
1246 SendSpuriousAlert: alertRecordOverflow,
1247 },
1248 },
1249 shouldFail: true,
1250 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1251 },
1252 {
1253 testType: serverTest,
1254 name: "FragmentAlert",
1255 config: Config{
1256 Bugs: ProtocolBugs{
1257 FragmentAlert: true,
1258 SendSpuriousAlert: alertRecordOverflow,
1259 },
1260 },
1261 shouldFail: true,
1262 expectedError: ":BAD_ALERT:",
1263 },
1264 {
1265 protocol: dtls,
1266 testType: serverTest,
1267 name: "FragmentAlert-DTLS",
1268 config: Config{
1269 Bugs: ProtocolBugs{
1270 FragmentAlert: true,
1271 SendSpuriousAlert: alertRecordOverflow,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":BAD_ALERT:",
1276 },
1277 {
1278 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1279 name: "DoubleAlert",
1280 config: Config{
1281 Bugs: ProtocolBugs{
1282 DoubleAlert: true,
1283 SendSpuriousAlert: alertRecordOverflow,
1284 },
1285 },
1286 shouldFail: true,
1287 expectedError: ":BAD_ALERT:",
1288 },
1289 {
1290 protocol: dtls,
1291 testType: serverTest,
1292 name: "DoubleAlert-DTLS",
1293 config: Config{
1294 Bugs: ProtocolBugs{
1295 DoubleAlert: true,
1296 SendSpuriousAlert: alertRecordOverflow,
1297 },
1298 },
1299 shouldFail: true,
1300 expectedError: ":BAD_ALERT:",
1301 },
1302 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1303 name: "SkipNewSessionTicket",
1304 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1305 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1306 Bugs: ProtocolBugs{
1307 SkipNewSessionTicket: true,
1308 },
1309 },
1310 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1311 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1312 },
1313 {
1314 testType: serverTest,
1315 name: "FallbackSCSV",
1316 config: Config{
1317 MaxVersion: VersionTLS11,
1318 Bugs: ProtocolBugs{
1319 SendFallbackSCSV: true,
1320 },
1321 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1322 shouldFail: true,
1323 expectedError: ":INAPPROPRIATE_FALLBACK:",
1324 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1325 },
1326 {
1327 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1328 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1329 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1330 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1331 Bugs: ProtocolBugs{
1332 SendFallbackSCSV: true,
1333 },
1334 },
1335 },
1336 {
1337 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1338 name: "FallbackSCSV-VersionMatch-TLS12",
1339 config: Config{
1340 MaxVersion: VersionTLS12,
1341 Bugs: ProtocolBugs{
1342 SendFallbackSCSV: true,
1343 },
1344 },
1345 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1346 },
1347 {
1348 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1349 name: "FragmentedClientVersion",
1350 config: Config{
1351 Bugs: ProtocolBugs{
1352 MaxHandshakeRecordLength: 1,
1353 FragmentClientVersion: true,
1354 },
1355 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1356 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1357 },
1358 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1359 testType: serverTest,
1360 name: "HttpGET",
1361 sendPrefix: "GET / HTTP/1.0\n",
1362 shouldFail: true,
1363 expectedError: ":HTTP_REQUEST:",
1364 },
1365 {
1366 testType: serverTest,
1367 name: "HttpPOST",
1368 sendPrefix: "POST / HTTP/1.0\n",
1369 shouldFail: true,
1370 expectedError: ":HTTP_REQUEST:",
1371 },
1372 {
1373 testType: serverTest,
1374 name: "HttpHEAD",
1375 sendPrefix: "HEAD / HTTP/1.0\n",
1376 shouldFail: true,
1377 expectedError: ":HTTP_REQUEST:",
1378 },
1379 {
1380 testType: serverTest,
1381 name: "HttpPUT",
1382 sendPrefix: "PUT / HTTP/1.0\n",
1383 shouldFail: true,
1384 expectedError: ":HTTP_REQUEST:",
1385 },
1386 {
1387 testType: serverTest,
1388 name: "HttpCONNECT",
1389 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1390 shouldFail: true,
1391 expectedError: ":HTTPS_PROXY_REQUEST:",
1392 },
1393 {
1394 testType: serverTest,
1395 name: "Garbage",
1396 sendPrefix: "blah",
1397 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1398 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1399 },
1400 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1401 name: "RSAEphemeralKey",
1402 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1403 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1404 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1405 Bugs: ProtocolBugs{
1406 RSAEphemeralKey: true,
1407 },
1408 },
1409 shouldFail: true,
1410 expectedError: ":UNEXPECTED_MESSAGE:",
1411 },
1412 {
1413 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1414 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1415 shouldFail: true,
1416 expectedError: ":WRONG_SSL_VERSION:",
1417 },
1418 {
1419 protocol: dtls,
1420 name: "DisableEverything-DTLS",
1421 flags: []string{"-no-tls12", "-no-tls1"},
1422 shouldFail: true,
1423 expectedError: ":WRONG_SSL_VERSION:",
1424 },
1425 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1426 protocol: dtls,
1427 testType: serverTest,
1428 name: "MTU",
1429 config: Config{
1430 Bugs: ProtocolBugs{
1431 MaxPacketLength: 256,
1432 },
1433 },
1434 flags: []string{"-mtu", "256"},
1435 },
1436 {
1437 protocol: dtls,
1438 testType: serverTest,
1439 name: "MTUExceeded",
1440 config: Config{
1441 Bugs: ProtocolBugs{
1442 MaxPacketLength: 255,
1443 },
1444 },
1445 flags: []string{"-mtu", "256"},
1446 shouldFail: true,
1447 expectedLocalError: "dtls: exceeded maximum packet length",
1448 },
1449 {
1450 name: "CertMismatchRSA",
1451 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1452 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1453 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1454 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1455 Bugs: ProtocolBugs{
1456 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1457 },
1458 },
1459 shouldFail: true,
1460 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1461 },
1462 {
1463 name: "CertMismatchECDSA",
1464 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1465 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1466 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1467 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 Bugs: ProtocolBugs{
1469 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1474 },
1475 {
1476 name: "EmptyCertificateList",
1477 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1478 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1479 Bugs: ProtocolBugs{
1480 EmptyCertificateList: true,
1481 },
1482 },
1483 shouldFail: true,
1484 expectedError: ":DECODE_ERROR:",
1485 },
1486 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1487 name: "EmptyCertificateList-TLS13",
1488 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1489 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1490 Bugs: ProtocolBugs{
1491 EmptyCertificateList: true,
1492 },
1493 },
1494 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1495 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1496 },
1497 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1498 name: "TLSFatalBadPackets",
1499 damageFirstWrite: true,
1500 shouldFail: true,
1501 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1502 },
1503 {
1504 protocol: dtls,
1505 name: "DTLSIgnoreBadPackets",
1506 damageFirstWrite: true,
1507 },
1508 {
1509 protocol: dtls,
1510 name: "DTLSIgnoreBadPackets-Async",
1511 damageFirstWrite: true,
1512 flags: []string{"-async"},
1513 },
1514 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1515 name: "AppDataBeforeHandshake",
1516 config: Config{
1517 Bugs: ProtocolBugs{
1518 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1519 },
1520 },
1521 shouldFail: true,
1522 expectedError: ":UNEXPECTED_RECORD:",
1523 },
1524 {
1525 name: "AppDataBeforeHandshake-Empty",
1526 config: Config{
1527 Bugs: ProtocolBugs{
1528 AppDataBeforeHandshake: []byte{},
1529 },
1530 },
1531 shouldFail: true,
1532 expectedError: ":UNEXPECTED_RECORD:",
1533 },
1534 {
1535 protocol: dtls,
1536 name: "AppDataBeforeHandshake-DTLS",
1537 config: Config{
1538 Bugs: ProtocolBugs{
1539 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1540 },
1541 },
1542 shouldFail: true,
1543 expectedError: ":UNEXPECTED_RECORD:",
1544 },
1545 {
1546 protocol: dtls,
1547 name: "AppDataBeforeHandshake-DTLS-Empty",
1548 config: Config{
1549 Bugs: ProtocolBugs{
1550 AppDataBeforeHandshake: []byte{},
1551 },
1552 },
1553 shouldFail: true,
1554 expectedError: ":UNEXPECTED_RECORD:",
1555 },
1556 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1557 name: "AppDataAfterChangeCipherSpec",
1558 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1559 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1560 Bugs: ProtocolBugs{
1561 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1562 },
1563 },
1564 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1565 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1566 },
1567 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1568 name: "AppDataAfterChangeCipherSpec-Empty",
1569 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1570 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1571 Bugs: ProtocolBugs{
1572 AppDataAfterChangeCipherSpec: []byte{},
1573 },
1574 },
1575 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1576 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1577 },
1578 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 protocol: dtls,
1580 name: "AppDataAfterChangeCipherSpec-DTLS",
1581 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1582 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1583 Bugs: ProtocolBugs{
1584 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1585 },
1586 },
1587 // BoringSSL's DTLS implementation will drop the out-of-order
1588 // application data.
1589 },
1590 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1591 protocol: dtls,
1592 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1593 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1594 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1595 Bugs: ProtocolBugs{
1596 AppDataAfterChangeCipherSpec: []byte{},
1597 },
1598 },
1599 // BoringSSL's DTLS implementation will drop the out-of-order
1600 // application data.
1601 },
1602 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1603 name: "AlertAfterChangeCipherSpec",
1604 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1605 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1606 Bugs: ProtocolBugs{
1607 AlertAfterChangeCipherSpec: alertRecordOverflow,
1608 },
1609 },
1610 shouldFail: true,
1611 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1612 },
1613 {
1614 protocol: dtls,
1615 name: "AlertAfterChangeCipherSpec-DTLS",
1616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1617 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1618 Bugs: ProtocolBugs{
1619 AlertAfterChangeCipherSpec: alertRecordOverflow,
1620 },
1621 },
1622 shouldFail: true,
1623 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1624 },
1625 {
1626 protocol: dtls,
1627 name: "ReorderHandshakeFragments-Small-DTLS",
1628 config: Config{
1629 Bugs: ProtocolBugs{
1630 ReorderHandshakeFragments: true,
1631 // Small enough that every handshake message is
1632 // fragmented.
1633 MaxHandshakeRecordLength: 2,
1634 },
1635 },
1636 },
1637 {
1638 protocol: dtls,
1639 name: "ReorderHandshakeFragments-Large-DTLS",
1640 config: Config{
1641 Bugs: ProtocolBugs{
1642 ReorderHandshakeFragments: true,
1643 // Large enough that no handshake message is
1644 // fragmented.
1645 MaxHandshakeRecordLength: 2048,
1646 },
1647 },
1648 },
1649 {
1650 protocol: dtls,
1651 name: "MixCompleteMessageWithFragments-DTLS",
1652 config: Config{
1653 Bugs: ProtocolBugs{
1654 ReorderHandshakeFragments: true,
1655 MixCompleteMessageWithFragments: true,
1656 MaxHandshakeRecordLength: 2,
1657 },
1658 },
1659 },
1660 {
1661 name: "SendInvalidRecordType",
1662 config: Config{
1663 Bugs: ProtocolBugs{
1664 SendInvalidRecordType: true,
1665 },
1666 },
1667 shouldFail: true,
1668 expectedError: ":UNEXPECTED_RECORD:",
1669 },
1670 {
1671 protocol: dtls,
1672 name: "SendInvalidRecordType-DTLS",
1673 config: Config{
1674 Bugs: ProtocolBugs{
1675 SendInvalidRecordType: true,
1676 },
1677 },
1678 shouldFail: true,
1679 expectedError: ":UNEXPECTED_RECORD:",
1680 },
1681 {
1682 name: "FalseStart-SkipServerSecondLeg",
1683 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1684 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1685 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1686 NextProtos: []string{"foo"},
1687 Bugs: ProtocolBugs{
1688 SkipNewSessionTicket: true,
1689 SkipChangeCipherSpec: true,
1690 SkipFinished: true,
1691 ExpectFalseStart: true,
1692 },
1693 },
1694 flags: []string{
1695 "-false-start",
1696 "-handshake-never-done",
1697 "-advertise-alpn", "\x03foo",
1698 },
1699 shimWritesFirst: true,
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 name: "FalseStart-SkipServerSecondLeg-Implicit",
1705 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1706 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1708 NextProtos: []string{"foo"},
1709 Bugs: ProtocolBugs{
1710 SkipNewSessionTicket: true,
1711 SkipChangeCipherSpec: true,
1712 SkipFinished: true,
1713 },
1714 },
1715 flags: []string{
1716 "-implicit-handshake",
1717 "-false-start",
1718 "-handshake-never-done",
1719 "-advertise-alpn", "\x03foo",
1720 },
1721 shouldFail: true,
1722 expectedError: ":UNEXPECTED_RECORD:",
1723 },
1724 {
1725 testType: serverTest,
1726 name: "FailEarlyCallback",
1727 flags: []string{"-fail-early-callback"},
1728 shouldFail: true,
1729 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1730 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1731 },
1732 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1733 name: "FailCertCallback-Client-TLS12",
1734 config: Config{
1735 MaxVersion: VersionTLS12,
1736 ClientAuth: RequestClientCert,
1737 },
1738 flags: []string{"-fail-cert-callback"},
1739 shouldFail: true,
1740 expectedError: ":CERT_CB_ERROR:",
1741 expectedLocalError: "remote error: internal error",
1742 },
1743 {
1744 testType: serverTest,
1745 name: "FailCertCallback-Server-TLS12",
1746 config: Config{
1747 MaxVersion: VersionTLS12,
1748 },
1749 flags: []string{"-fail-cert-callback"},
1750 shouldFail: true,
1751 expectedError: ":CERT_CB_ERROR:",
1752 expectedLocalError: "remote error: internal error",
1753 },
1754 {
1755 name: "FailCertCallback-Client-TLS13",
1756 config: Config{
1757 MaxVersion: VersionTLS13,
1758 ClientAuth: RequestClientCert,
1759 },
1760 flags: []string{"-fail-cert-callback"},
1761 shouldFail: true,
1762 expectedError: ":CERT_CB_ERROR:",
1763 expectedLocalError: "remote error: internal error",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailCertCallback-Server-TLS13",
1768 config: Config{
1769 MaxVersion: VersionTLS13,
1770 },
1771 flags: []string{"-fail-cert-callback"},
1772 shouldFail: true,
1773 expectedError: ":CERT_CB_ERROR:",
1774 expectedLocalError: "remote error: internal error",
1775 },
1776 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1777 protocol: dtls,
1778 name: "FragmentMessageTypeMismatch-DTLS",
1779 config: Config{
1780 Bugs: ProtocolBugs{
1781 MaxHandshakeRecordLength: 2,
1782 FragmentMessageTypeMismatch: true,
1783 },
1784 },
1785 shouldFail: true,
1786 expectedError: ":FRAGMENT_MISMATCH:",
1787 },
1788 {
1789 protocol: dtls,
1790 name: "FragmentMessageLengthMismatch-DTLS",
1791 config: Config{
1792 Bugs: ProtocolBugs{
1793 MaxHandshakeRecordLength: 2,
1794 FragmentMessageLengthMismatch: true,
1795 },
1796 },
1797 shouldFail: true,
1798 expectedError: ":FRAGMENT_MISMATCH:",
1799 },
1800 {
1801 protocol: dtls,
1802 name: "SplitFragments-Header-DTLS",
1803 config: Config{
1804 Bugs: ProtocolBugs{
1805 SplitFragments: 2,
1806 },
1807 },
1808 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1809 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1810 },
1811 {
1812 protocol: dtls,
1813 name: "SplitFragments-Boundary-DTLS",
1814 config: Config{
1815 Bugs: ProtocolBugs{
1816 SplitFragments: dtlsRecordHeaderLen,
1817 },
1818 },
1819 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1820 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1821 },
1822 {
1823 protocol: dtls,
1824 name: "SplitFragments-Body-DTLS",
1825 config: Config{
1826 Bugs: ProtocolBugs{
1827 SplitFragments: dtlsRecordHeaderLen + 1,
1828 },
1829 },
1830 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1831 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1832 },
1833 {
1834 protocol: dtls,
1835 name: "SendEmptyFragments-DTLS",
1836 config: Config{
1837 Bugs: ProtocolBugs{
1838 SendEmptyFragments: true,
1839 },
1840 },
1841 },
1842 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1843 name: "BadFinished-Client",
1844 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1845 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1846 Bugs: ProtocolBugs{
1847 BadFinished: true,
1848 },
1849 },
1850 shouldFail: true,
1851 expectedError: ":DIGEST_CHECK_FAILED:",
1852 },
1853 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1854 name: "BadFinished-Client-TLS13",
1855 config: Config{
1856 MaxVersion: VersionTLS13,
1857 Bugs: ProtocolBugs{
1858 BadFinished: true,
1859 },
1860 },
1861 shouldFail: true,
1862 expectedError: ":DIGEST_CHECK_FAILED:",
1863 },
1864 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1865 testType: serverTest,
1866 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1867 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1868 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 Bugs: ProtocolBugs{
1870 BadFinished: true,
1871 },
1872 },
1873 shouldFail: true,
1874 expectedError: ":DIGEST_CHECK_FAILED:",
1875 },
1876 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1877 testType: serverTest,
1878 name: "BadFinished-Server-TLS13",
1879 config: Config{
1880 MaxVersion: VersionTLS13,
1881 Bugs: ProtocolBugs{
1882 BadFinished: true,
1883 },
1884 },
1885 shouldFail: true,
1886 expectedError: ":DIGEST_CHECK_FAILED:",
1887 },
1888 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1889 name: "FalseStart-BadFinished",
1890 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1891 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1892 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1893 NextProtos: []string{"foo"},
1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 ExpectFalseStart: true,
1897 },
1898 },
1899 flags: []string{
1900 "-false-start",
1901 "-handshake-never-done",
1902 "-advertise-alpn", "\x03foo",
1903 },
1904 shimWritesFirst: true,
1905 shouldFail: true,
1906 expectedError: ":DIGEST_CHECK_FAILED:",
1907 },
1908 {
1909 name: "NoFalseStart-NoALPN",
1910 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1911 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1912 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1913 Bugs: ProtocolBugs{
1914 ExpectFalseStart: true,
1915 AlertBeforeFalseStartTest: alertAccessDenied,
1916 },
1917 },
1918 flags: []string{
1919 "-false-start",
1920 },
1921 shimWritesFirst: true,
1922 shouldFail: true,
1923 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1924 expectedLocalError: "tls: peer did not false start: EOF",
1925 },
1926 {
1927 name: "NoFalseStart-NoAEAD",
1928 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1929 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1930 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1931 NextProtos: []string{"foo"},
1932 Bugs: ProtocolBugs{
1933 ExpectFalseStart: true,
1934 AlertBeforeFalseStartTest: alertAccessDenied,
1935 },
1936 },
1937 flags: []string{
1938 "-false-start",
1939 "-advertise-alpn", "\x03foo",
1940 },
1941 shimWritesFirst: true,
1942 shouldFail: true,
1943 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1944 expectedLocalError: "tls: peer did not false start: EOF",
1945 },
1946 {
1947 name: "NoFalseStart-RSA",
1948 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1949 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1950 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1951 NextProtos: []string{"foo"},
1952 Bugs: ProtocolBugs{
1953 ExpectFalseStart: true,
1954 AlertBeforeFalseStartTest: alertAccessDenied,
1955 },
1956 },
1957 flags: []string{
1958 "-false-start",
1959 "-advertise-alpn", "\x03foo",
1960 },
1961 shimWritesFirst: true,
1962 shouldFail: true,
1963 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1964 expectedLocalError: "tls: peer did not false start: EOF",
1965 },
1966 {
1967 name: "NoFalseStart-DHE_RSA",
1968 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1969 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1970 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1971 NextProtos: []string{"foo"},
1972 Bugs: ProtocolBugs{
1973 ExpectFalseStart: true,
1974 AlertBeforeFalseStartTest: alertAccessDenied,
1975 },
1976 },
1977 flags: []string{
1978 "-false-start",
1979 "-advertise-alpn", "\x03foo",
1980 },
1981 shimWritesFirst: true,
1982 shouldFail: true,
1983 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1984 expectedLocalError: "tls: peer did not false start: EOF",
1985 },
1986 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1987 protocol: dtls,
1988 name: "SendSplitAlert-Sync",
1989 config: Config{
1990 Bugs: ProtocolBugs{
1991 SendSplitAlert: true,
1992 },
1993 },
1994 },
1995 {
1996 protocol: dtls,
1997 name: "SendSplitAlert-Async",
1998 config: Config{
1999 Bugs: ProtocolBugs{
2000 SendSplitAlert: true,
2001 },
2002 },
2003 flags: []string{"-async"},
2004 },
2005 {
2006 protocol: dtls,
2007 name: "PackDTLSHandshake",
2008 config: Config{
2009 Bugs: ProtocolBugs{
2010 MaxHandshakeRecordLength: 2,
2011 PackHandshakeFragments: 20,
2012 PackHandshakeRecords: 200,
2013 },
2014 },
2015 },
2016 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2017 name: "SendEmptyRecords-Pass",
2018 sendEmptyRecords: 32,
2019 },
2020 {
2021 name: "SendEmptyRecords",
2022 sendEmptyRecords: 33,
2023 shouldFail: true,
2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2025 },
2026 {
2027 name: "SendEmptyRecords-Async",
2028 sendEmptyRecords: 33,
2029 flags: []string{"-async"},
2030 shouldFail: true,
2031 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2032 },
2033 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2034 name: "SendWarningAlerts-Pass",
2035 config: Config{
2036 MaxVersion: VersionTLS12,
2037 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2038 sendWarningAlerts: 4,
2039 },
2040 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2041 protocol: dtls,
2042 name: "SendWarningAlerts-DTLS-Pass",
2043 config: Config{
2044 MaxVersion: VersionTLS12,
2045 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2046 sendWarningAlerts: 4,
2047 },
2048 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2049 name: "SendWarningAlerts-TLS13",
2050 config: Config{
2051 MaxVersion: VersionTLS13,
2052 },
2053 sendWarningAlerts: 4,
2054 shouldFail: true,
2055 expectedError: ":BAD_ALERT:",
2056 expectedLocalError: "remote error: error decoding message",
2057 },
2058 {
2059 name: "SendWarningAlerts",
2060 config: Config{
2061 MaxVersion: VersionTLS12,
2062 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2063 sendWarningAlerts: 5,
2064 shouldFail: true,
2065 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2066 },
2067 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2068 name: "SendWarningAlerts-Async",
2069 config: Config{
2070 MaxVersion: VersionTLS12,
2071 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2072 sendWarningAlerts: 5,
2073 flags: []string{"-async"},
2074 shouldFail: true,
2075 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2076 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2077 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2078 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2079 config: Config{
2080 MaxVersion: VersionTLS13,
2081 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2082 sendKeyUpdates: 33,
2083 keyUpdateRequest: keyUpdateNotRequested,
2084 shouldFail: true,
2085 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2086 },
2087 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2088 name: "EmptySessionID",
2089 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2090 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2091 SessionTicketsDisabled: true,
2092 },
2093 noSessionCache: true,
2094 flags: []string{"-expect-no-session"},
2095 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2096 {
2097 name: "Unclean-Shutdown",
2098 config: Config{
2099 Bugs: ProtocolBugs{
2100 NoCloseNotify: true,
2101 ExpectCloseNotify: true,
2102 },
2103 },
2104 shimShutsDown: true,
2105 flags: []string{"-check-close-notify"},
2106 shouldFail: true,
2107 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2108 },
2109 {
2110 name: "Unclean-Shutdown-Ignored",
2111 config: Config{
2112 Bugs: ProtocolBugs{
2113 NoCloseNotify: true,
2114 },
2115 },
2116 shimShutsDown: true,
2117 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2118 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2119 name: "Unclean-Shutdown-Alert",
2120 config: Config{
2121 Bugs: ProtocolBugs{
2122 SendAlertOnShutdown: alertDecompressionFailure,
2123 ExpectCloseNotify: true,
2124 },
2125 },
2126 shimShutsDown: true,
2127 flags: []string{"-check-close-notify"},
2128 shouldFail: true,
2129 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2130 },
2131 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2132 name: "LargePlaintext",
2133 config: Config{
2134 Bugs: ProtocolBugs{
2135 SendLargeRecords: true,
2136 },
2137 },
2138 messageLen: maxPlaintext + 1,
2139 shouldFail: true,
2140 expectedError: ":DATA_LENGTH_TOO_LONG:",
2141 },
2142 {
2143 protocol: dtls,
2144 name: "LargePlaintext-DTLS",
2145 config: Config{
2146 Bugs: ProtocolBugs{
2147 SendLargeRecords: true,
2148 },
2149 },
2150 messageLen: maxPlaintext + 1,
2151 shouldFail: true,
2152 expectedError: ":DATA_LENGTH_TOO_LONG:",
2153 },
2154 {
2155 name: "LargeCiphertext",
2156 config: Config{
2157 Bugs: ProtocolBugs{
2158 SendLargeRecords: true,
2159 },
2160 },
2161 messageLen: maxPlaintext * 2,
2162 shouldFail: true,
2163 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2164 },
2165 {
2166 protocol: dtls,
2167 name: "LargeCiphertext-DTLS",
2168 config: Config{
2169 Bugs: ProtocolBugs{
2170 SendLargeRecords: true,
2171 },
2172 },
2173 messageLen: maxPlaintext * 2,
2174 // Unlike the other four cases, DTLS drops records which
2175 // are invalid before authentication, so the connection
2176 // does not fail.
2177 expectMessageDropped: true,
2178 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2179 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2180 name: "BadHelloRequest-1",
2181 renegotiate: 1,
2182 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2183 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2184 Bugs: ProtocolBugs{
2185 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2186 },
2187 },
2188 flags: []string{
2189 "-renegotiate-freely",
2190 "-expect-total-renegotiations", "1",
2191 },
2192 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2193 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2194 },
2195 {
2196 name: "BadHelloRequest-2",
2197 renegotiate: 1,
2198 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2199 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2200 Bugs: ProtocolBugs{
2201 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2202 },
2203 },
2204 flags: []string{
2205 "-renegotiate-freely",
2206 "-expect-total-renegotiations", "1",
2207 },
2208 shouldFail: true,
2209 expectedError: ":BAD_HELLO_REQUEST:",
2210 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2211 {
2212 testType: serverTest,
2213 name: "SupportTicketsWithSessionID",
2214 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2215 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2216 SessionTicketsDisabled: true,
2217 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2218 resumeConfig: &Config{
2219 MaxVersion: VersionTLS12,
2220 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2221 resumeSession: true,
2222 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2223 {
2224 protocol: dtls,
2225 name: "DTLS-SendExtraFinished",
2226 config: Config{
2227 Bugs: ProtocolBugs{
2228 SendExtraFinished: true,
2229 },
2230 },
2231 shouldFail: true,
2232 expectedError: ":UNEXPECTED_RECORD:",
2233 },
2234 {
2235 protocol: dtls,
2236 name: "DTLS-SendExtraFinished-Reordered",
2237 config: Config{
2238 Bugs: ProtocolBugs{
2239 MaxHandshakeRecordLength: 2,
2240 ReorderHandshakeFragments: true,
2241 SendExtraFinished: true,
2242 },
2243 },
2244 shouldFail: true,
2245 expectedError: ":UNEXPECTED_RECORD:",
2246 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2247 {
2248 testType: serverTest,
2249 name: "V2ClientHello-EmptyRecordPrefix",
2250 config: Config{
2251 // Choose a cipher suite that does not involve
2252 // elliptic curves, so no extensions are
2253 // involved.
2254 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2255 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2256 Bugs: ProtocolBugs{
2257 SendV2ClientHello: true,
2258 },
2259 },
2260 sendPrefix: string([]byte{
2261 byte(recordTypeHandshake),
2262 3, 1, // version
2263 0, 0, // length
2264 }),
2265 // A no-op empty record may not be sent before V2ClientHello.
2266 shouldFail: true,
2267 expectedError: ":WRONG_VERSION_NUMBER:",
2268 },
2269 {
2270 testType: serverTest,
2271 name: "V2ClientHello-WarningAlertPrefix",
2272 config: Config{
2273 // Choose a cipher suite that does not involve
2274 // elliptic curves, so no extensions are
2275 // involved.
2276 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2277 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2278 Bugs: ProtocolBugs{
2279 SendV2ClientHello: true,
2280 },
2281 },
2282 sendPrefix: string([]byte{
2283 byte(recordTypeAlert),
2284 3, 1, // version
2285 0, 2, // length
2286 alertLevelWarning, byte(alertDecompressionFailure),
2287 }),
2288 // A no-op warning alert may not be sent before V2ClientHello.
2289 shouldFail: true,
2290 expectedError: ":WRONG_VERSION_NUMBER:",
2291 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2292 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2293 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 config: Config{
2295 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2297 sendKeyUpdates: 1,
2298 keyUpdateRequest: keyUpdateNotRequested,
2299 },
2300 {
2301 name: "KeyUpdate-InvalidRequestMode",
2302 config: Config{
2303 MaxVersion: VersionTLS13,
2304 },
2305 sendKeyUpdates: 1,
2306 keyUpdateRequest: 42,
2307 shouldFail: true,
2308 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2309 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2310 {
2311 name: "SendSNIWarningAlert",
2312 config: Config{
2313 MaxVersion: VersionTLS12,
2314 Bugs: ProtocolBugs{
2315 SendSNIWarningAlert: true,
2316 },
2317 },
2318 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2319 {
2320 testType: serverTest,
2321 name: "ExtraCompressionMethods-TLS12",
2322 config: Config{
2323 MaxVersion: VersionTLS12,
2324 Bugs: ProtocolBugs{
2325 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2326 },
2327 },
2328 },
2329 {
2330 testType: serverTest,
2331 name: "ExtraCompressionMethods-TLS13",
2332 config: Config{
2333 MaxVersion: VersionTLS13,
2334 Bugs: ProtocolBugs{
2335 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2336 },
2337 },
2338 shouldFail: true,
2339 expectedError: ":INVALID_COMPRESSION_LIST:",
2340 expectedLocalError: "remote error: illegal parameter",
2341 },
2342 {
2343 testType: serverTest,
2344 name: "NoNullCompression-TLS12",
2345 config: Config{
2346 MaxVersion: VersionTLS12,
2347 Bugs: ProtocolBugs{
2348 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2349 },
2350 },
2351 shouldFail: true,
2352 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2353 expectedLocalError: "remote error: illegal parameter",
2354 },
2355 {
2356 testType: serverTest,
2357 name: "NoNullCompression-TLS13",
2358 config: Config{
2359 MaxVersion: VersionTLS13,
2360 Bugs: ProtocolBugs{
2361 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2362 },
2363 },
2364 shouldFail: true,
2365 expectedError: ":INVALID_COMPRESSION_LIST:",
2366 expectedLocalError: "remote error: illegal parameter",
2367 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2368 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2369 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 config: Config{
2371 MaxVersion: VersionTLS12,
2372 Bugs: ProtocolBugs{
2373 ExpectGREASE: true,
2374 },
2375 },
2376 flags: []string{"-enable-grease"},
2377 },
2378 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2379 name: "GREASE-Client-TLS13",
2380 config: Config{
2381 MaxVersion: VersionTLS13,
2382 Bugs: ProtocolBugs{
2383 ExpectGREASE: true,
2384 },
2385 },
2386 flags: []string{"-enable-grease"},
2387 },
2388 {
2389 testType: serverTest,
2390 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2391 config: Config{
2392 MaxVersion: VersionTLS13,
2393 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2394 // TLS 1.3 servers are expected to
2395 // always enable GREASE. TLS 1.3 is new,
2396 // so there is no existing ecosystem to
2397 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2398 ExpectGREASE: true,
2399 },
2400 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2401 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2402 {
2403 // Test the server so there is a large certificate as
2404 // well as application data.
2405 testType: serverTest,
2406 name: "MaxSendFragment",
2407 config: Config{
2408 Bugs: ProtocolBugs{
2409 MaxReceivePlaintext: 512,
2410 },
2411 },
2412 messageLen: 1024,
2413 flags: []string{
2414 "-max-send-fragment", "512",
2415 "-read-size", "1024",
2416 },
2417 },
2418 {
2419 // Test the server so there is a large certificate as
2420 // well as application data.
2421 testType: serverTest,
2422 name: "MaxSendFragment-TooLarge",
2423 config: Config{
2424 Bugs: ProtocolBugs{
2425 // Ensure that some of the records are
2426 // 512.
2427 MaxReceivePlaintext: 511,
2428 },
2429 },
2430 messageLen: 1024,
2431 flags: []string{
2432 "-max-send-fragment", "512",
2433 "-read-size", "1024",
2434 },
2435 shouldFail: true,
2436 expectedLocalError: "local error: record overflow",
2437 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2438 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2439 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2440
2441 // Test that very large messages can be received.
2442 cert := rsaCertificate
2443 for i := 0; i < 50; i++ {
2444 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2445 }
2446 testCases = append(testCases, testCase{
2447 name: "LargeMessage",
2448 config: Config{
2449 Certificates: []Certificate{cert},
2450 },
2451 })
2452 testCases = append(testCases, testCase{
2453 protocol: dtls,
2454 name: "LargeMessage-DTLS",
2455 config: Config{
2456 Certificates: []Certificate{cert},
2457 },
2458 })
2459
2460 // They are rejected if the maximum certificate chain length is capped.
2461 testCases = append(testCases, testCase{
2462 name: "LargeMessage-Reject",
2463 config: Config{
2464 Certificates: []Certificate{cert},
2465 },
2466 flags: []string{"-max-cert-list", "16384"},
2467 shouldFail: true,
2468 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2469 })
2470 testCases = append(testCases, testCase{
2471 protocol: dtls,
2472 name: "LargeMessage-Reject-DTLS",
2473 config: Config{
2474 Certificates: []Certificate{cert},
2475 },
2476 flags: []string{"-max-cert-list", "16384"},
2477 shouldFail: true,
2478 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2479 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2480}
2481
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2482func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2483 const psk = "12345"
2484 const pskIdentity = "luggage combo"
2485
2486 var prefix string
2487 if protocol == dtls {
2488 if !ver.hasDTLS {
2489 return
2490 }
2491 prefix = "D"
2492 }
2493
2494 var cert Certificate
2495 var certFile string
2496 var keyFile string
2497 if hasComponent(suite.name, "ECDSA") {
2498 cert = ecdsaP256Certificate
2499 certFile = ecdsaP256CertificateFile
2500 keyFile = ecdsaP256KeyFile
2501 } else {
2502 cert = rsaCertificate
2503 certFile = rsaCertificateFile
2504 keyFile = rsaKeyFile
2505 }
2506
2507 var flags []string
2508 if hasComponent(suite.name, "PSK") {
2509 flags = append(flags,
2510 "-psk", psk,
2511 "-psk-identity", pskIdentity)
2512 }
2513 if hasComponent(suite.name, "NULL") {
2514 // NULL ciphers must be explicitly enabled.
2515 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2516 }
2517 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2518 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2519 // for now.
2520 flags = append(flags, "-cipher", suite.name)
2521 }
2522
2523 var shouldServerFail, shouldClientFail bool
2524 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2525 // BoringSSL clients accept ECDHE on SSLv3, but
2526 // a BoringSSL server will never select it
2527 // because the extension is missing.
2528 shouldServerFail = true
2529 }
2530 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2531 shouldClientFail = true
2532 shouldServerFail = true
2533 }
2534 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2535 shouldClientFail = true
2536 shouldServerFail = true
2537 }
2538 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2539 shouldClientFail = true
2540 shouldServerFail = true
2541 }
2542 if !isDTLSCipher(suite.name) && protocol == dtls {
2543 shouldClientFail = true
2544 shouldServerFail = true
2545 }
2546
2547 var sendCipherSuite uint16
2548 var expectedServerError, expectedClientError string
2549 serverCipherSuites := []uint16{suite.id}
2550 if shouldServerFail {
2551 expectedServerError = ":NO_SHARED_CIPHER:"
2552 }
2553 if shouldClientFail {
2554 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2555 // Configure the server to select ciphers as normal but
2556 // select an incompatible cipher in ServerHello.
2557 serverCipherSuites = nil
2558 sendCipherSuite = suite.id
2559 }
2560
2561 testCases = append(testCases, testCase{
2562 testType: serverTest,
2563 protocol: protocol,
2564 name: prefix + ver.name + "-" + suite.name + "-server",
2565 config: Config{
2566 MinVersion: ver.version,
2567 MaxVersion: ver.version,
2568 CipherSuites: []uint16{suite.id},
2569 Certificates: []Certificate{cert},
2570 PreSharedKey: []byte(psk),
2571 PreSharedKeyIdentity: pskIdentity,
2572 Bugs: ProtocolBugs{
2573 AdvertiseAllConfiguredCiphers: true,
2574 },
2575 },
2576 certFile: certFile,
2577 keyFile: keyFile,
2578 flags: flags,
2579 resumeSession: true,
2580 shouldFail: shouldServerFail,
2581 expectedError: expectedServerError,
2582 })
2583
2584 testCases = append(testCases, testCase{
2585 testType: clientTest,
2586 protocol: protocol,
2587 name: prefix + ver.name + "-" + suite.name + "-client",
2588 config: Config{
2589 MinVersion: ver.version,
2590 MaxVersion: ver.version,
2591 CipherSuites: serverCipherSuites,
2592 Certificates: []Certificate{cert},
2593 PreSharedKey: []byte(psk),
2594 PreSharedKeyIdentity: pskIdentity,
2595 Bugs: ProtocolBugs{
2596 IgnorePeerCipherPreferences: shouldClientFail,
2597 SendCipherSuite: sendCipherSuite,
2598 },
2599 },
2600 flags: flags,
2601 resumeSession: true,
2602 shouldFail: shouldClientFail,
2603 expectedError: expectedClientError,
2604 })
2605
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2606 if shouldClientFail {
2607 return
2608 }
2609
2610 // Ensure the maximum record size is accepted.
2611 testCases = append(testCases, testCase{
2612 protocol: protocol,
2613 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2614 config: Config{
2615 MinVersion: ver.version,
2616 MaxVersion: ver.version,
2617 CipherSuites: []uint16{suite.id},
2618 Certificates: []Certificate{cert},
2619 PreSharedKey: []byte(psk),
2620 PreSharedKeyIdentity: pskIdentity,
2621 },
2622 flags: flags,
2623 messageLen: maxPlaintext,
2624 })
2625
2626 // Test bad records for all ciphers. Bad records are fatal in TLS
2627 // and ignored in DTLS.
2628 var shouldFail bool
2629 var expectedError string
2630 if protocol == tls {
2631 shouldFail = true
2632 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2633 }
2634
2635 testCases = append(testCases, testCase{
2636 protocol: protocol,
2637 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2638 config: Config{
2639 MinVersion: ver.version,
2640 MaxVersion: ver.version,
2641 CipherSuites: []uint16{suite.id},
2642 Certificates: []Certificate{cert},
2643 PreSharedKey: []byte(psk),
2644 PreSharedKeyIdentity: pskIdentity,
2645 },
2646 flags: flags,
2647 damageFirstWrite: true,
2648 messageLen: maxPlaintext,
2649 shouldFail: shouldFail,
2650 expectedError: expectedError,
2651 })
2652
2653 if ver.version >= VersionTLS13 {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2654 testCases = append(testCases, testCase{
2655 protocol: protocol,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2656 name: prefix + ver.name + "-" + suite.name + "-ShortHeader",
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2657 config: Config{
2658 MinVersion: ver.version,
2659 MaxVersion: ver.version,
2660 CipherSuites: []uint16{suite.id},
2661 Certificates: []Certificate{cert},
2662 PreSharedKey: []byte(psk),
2663 PreSharedKeyIdentity: pskIdentity,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2664 Bugs: ProtocolBugs{
2665 EnableShortHeader: true,
2666 },
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2667 },
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2668 flags: append([]string{"-enable-short-header"}, flags...),
2669 resumeSession: true,
2670 expectShortHeader: true,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2671 })
2672 }
2673}
2674
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2675func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2676 const bogusCipher = 0xfe00
2677
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2678 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2679 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2680 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2681 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2682 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2683 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2684 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2685
2686 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2687 name: "NoSharedCipher",
2688 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2689 MaxVersion: VersionTLS12,
2690 CipherSuites: []uint16{},
2691 },
2692 shouldFail: true,
2693 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2694 })
2695
2696 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2697 name: "NoSharedCipher-TLS13",
2698 config: Config{
2699 MaxVersion: VersionTLS13,
2700 CipherSuites: []uint16{},
2701 },
2702 shouldFail: true,
2703 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2704 })
2705
2706 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2707 name: "UnsupportedCipherSuite",
2708 config: Config{
2709 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2710 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2711 Bugs: ProtocolBugs{
2712 IgnorePeerCipherPreferences: true,
2713 },
2714 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2715 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2716 shouldFail: true,
2717 expectedError: ":WRONG_CIPHER_RETURNED:",
2718 })
2719
2720 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2721 name: "ServerHelloBogusCipher",
2722 config: Config{
2723 MaxVersion: VersionTLS12,
2724 Bugs: ProtocolBugs{
2725 SendCipherSuite: bogusCipher,
2726 },
2727 },
2728 shouldFail: true,
2729 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2730 })
2731 testCases = append(testCases, testCase{
2732 name: "ServerHelloBogusCipher-TLS13",
2733 config: Config{
2734 MaxVersion: VersionTLS13,
2735 Bugs: ProtocolBugs{
2736 SendCipherSuite: bogusCipher,
2737 },
2738 },
2739 shouldFail: true,
2740 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2741 })
2742
2743 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2744 name: "WeakDH",
2745 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2746 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2747 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2748 Bugs: ProtocolBugs{
2749 // This is a 1023-bit prime number, generated
2750 // with:
2751 // openssl gendh 1023 | openssl asn1parse -i
2752 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2753 },
2754 },
2755 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2756 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2757 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2758
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2759 testCases = append(testCases, testCase{
2760 name: "SillyDH",
2761 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2762 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2763 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2764 Bugs: ProtocolBugs{
2765 // This is a 4097-bit prime number, generated
2766 // with:
2767 // openssl gendh 4097 | openssl asn1parse -i
2768 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2769 },
2770 },
2771 shouldFail: true,
2772 expectedError: ":DH_P_TOO_LONG:",
2773 })
2774
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2775 // This test ensures that Diffie-Hellman public values are padded with
2776 // zeros so that they're the same length as the prime. This is to avoid
2777 // hitting a bug in yaSSL.
2778 testCases = append(testCases, testCase{
2779 testType: serverTest,
2780 name: "DHPublicValuePadded",
2781 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2782 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2783 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2784 Bugs: ProtocolBugs{
2785 RequireDHPublicValueLen: (1025 + 7) / 8,
2786 },
2787 },
2788 flags: []string{"-use-sparse-dh-prime"},
2789 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2790
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2791 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2792 testCases = append(testCases, testCase{
2793 testType: serverTest,
2794 name: "UnknownCipher",
2795 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2796 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2797 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2798 Bugs: ProtocolBugs{
2799 AdvertiseAllConfiguredCiphers: true,
2800 },
2801 },
2802 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2803
2804 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2805 testCases = append(testCases, testCase{
2806 testType: serverTest,
2807 name: "UnknownCipher-TLS13",
2808 config: Config{
2809 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2810 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2811 Bugs: ProtocolBugs{
2812 AdvertiseAllConfiguredCiphers: true,
2813 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2814 },
2815 })
2816
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2817 // Test empty ECDHE_PSK identity hints work as expected.
2818 testCases = append(testCases, testCase{
2819 name: "EmptyECDHEPSKHint",
2820 config: Config{
2821 MaxVersion: VersionTLS12,
2822 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2823 PreSharedKey: []byte("secret"),
2824 },
2825 flags: []string{"-psk", "secret"},
2826 })
2827
2828 // Test empty PSK identity hints work as expected, even if an explicit
2829 // ServerKeyExchange is sent.
2830 testCases = append(testCases, testCase{
2831 name: "ExplicitEmptyPSKHint",
2832 config: Config{
2833 MaxVersion: VersionTLS12,
2834 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2835 PreSharedKey: []byte("secret"),
2836 Bugs: ProtocolBugs{
2837 AlwaysSendPreSharedKeyIdentityHint: true,
2838 },
2839 },
2840 flags: []string{"-psk", "secret"},
2841 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2842}
2843
2844func addBadECDSASignatureTests() {
2845 for badR := BadValue(1); badR < NumBadValues; badR++ {
2846 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2847 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2848 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2849 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2850 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2851 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2852 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2853 Bugs: ProtocolBugs{
2854 BadECDSAR: badR,
2855 BadECDSAS: badS,
2856 },
2857 },
2858 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2859 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2860 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2861 testCases = append(testCases, testCase{
2862 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2863 config: Config{
2864 MaxVersion: VersionTLS13,
2865 Certificates: []Certificate{ecdsaP256Certificate},
2866 Bugs: ProtocolBugs{
2867 BadECDSAR: badR,
2868 BadECDSAS: badS,
2869 },
2870 },
2871 shouldFail: true,
2872 expectedError: ":BAD_SIGNATURE:",
2873 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2874 }
2875 }
2876}
2877
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2878func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2879 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2880 name: "MaxCBCPadding",
2881 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2882 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2883 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2884 Bugs: ProtocolBugs{
2885 MaxPadding: true,
2886 },
2887 },
2888 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2889 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2890 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2891 name: "BadCBCPadding",
2892 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2893 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2894 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2895 Bugs: ProtocolBugs{
2896 PaddingFirstByteBad: true,
2897 },
2898 },
2899 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2900 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2901 })
2902 // OpenSSL previously had an issue where the first byte of padding in
2903 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2904 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2905 name: "BadCBCPadding255",
2906 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2907 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2908 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2909 Bugs: ProtocolBugs{
2910 MaxPadding: true,
2911 PaddingFirstByteBadIf255: true,
2912 },
2913 },
2914 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2915 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2916 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2917 })
2918}
2919
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2920func addCBCSplittingTests() {
2921 testCases = append(testCases, testCase{
2922 name: "CBCRecordSplitting",
2923 config: Config{
2924 MaxVersion: VersionTLS10,
2925 MinVersion: VersionTLS10,
2926 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2927 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2928 messageLen: -1, // read until EOF
2929 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2930 flags: []string{
2931 "-async",
2932 "-write-different-record-sizes",
2933 "-cbc-record-splitting",
2934 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2935 })
2936 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2937 name: "CBCRecordSplittingPartialWrite",
2938 config: Config{
2939 MaxVersion: VersionTLS10,
2940 MinVersion: VersionTLS10,
2941 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2942 },
2943 messageLen: -1, // read until EOF
2944 flags: []string{
2945 "-async",
2946 "-write-different-record-sizes",
2947 "-cbc-record-splitting",
2948 "-partial-write",
2949 },
2950 })
2951}
2952
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2953func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2954 // Add a dummy cert pool to stress certificate authority parsing.
2955 // TODO(davidben): Add tests that those values parse out correctly.
2956 certPool := x509.NewCertPool()
2957 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2958 if err != nil {
2959 panic(err)
2960 }
2961 certPool.AddCert(cert)
2962
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2963 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2964 testCases = append(testCases, testCase{
2965 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2966 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2967 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2968 MinVersion: ver.version,
2969 MaxVersion: ver.version,
2970 ClientAuth: RequireAnyClientCert,
2971 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2972 },
2973 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2974 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2975 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2976 },
2977 })
2978 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2979 testType: serverTest,
2980 name: ver.name + "-Server-ClientAuth-RSA",
2981 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2982 MinVersion: ver.version,
2983 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2984 Certificates: []Certificate{rsaCertificate},
2985 },
2986 flags: []string{"-require-any-client-certificate"},
2987 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2988 if ver.version != VersionSSL30 {
2989 testCases = append(testCases, testCase{
2990 testType: serverTest,
2991 name: ver.name + "-Server-ClientAuth-ECDSA",
2992 config: Config{
2993 MinVersion: ver.version,
2994 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2995 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2996 },
2997 flags: []string{"-require-any-client-certificate"},
2998 })
2999 testCases = append(testCases, testCase{
3000 testType: clientTest,
3001 name: ver.name + "-Client-ClientAuth-ECDSA",
3002 config: Config{
3003 MinVersion: ver.version,
3004 MaxVersion: ver.version,
3005 ClientAuth: RequireAnyClientCert,
3006 ClientCAs: certPool,
3007 },
3008 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3009 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3010 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3011 },
3012 })
3013 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3014
3015 testCases = append(testCases, testCase{
3016 name: "NoClientCertificate-" + ver.name,
3017 config: Config{
3018 MinVersion: ver.version,
3019 MaxVersion: ver.version,
3020 ClientAuth: RequireAnyClientCert,
3021 },
3022 shouldFail: true,
3023 expectedLocalError: "client didn't provide a certificate",
3024 })
3025
3026 testCases = append(testCases, testCase{
3027 // Even if not configured to expect a certificate, OpenSSL will
3028 // return X509_V_OK as the verify_result.
3029 testType: serverTest,
3030 name: "NoClientCertificateRequested-Server-" + ver.name,
3031 config: Config{
3032 MinVersion: ver.version,
3033 MaxVersion: ver.version,
3034 },
3035 flags: []string{
3036 "-expect-verify-result",
3037 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3038 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3039 })
3040
3041 testCases = append(testCases, testCase{
3042 // If a client certificate is not provided, OpenSSL will still
3043 // return X509_V_OK as the verify_result.
3044 testType: serverTest,
3045 name: "NoClientCertificate-Server-" + ver.name,
3046 config: Config{
3047 MinVersion: ver.version,
3048 MaxVersion: ver.version,
3049 },
3050 flags: []string{
3051 "-expect-verify-result",
3052 "-verify-peer",
3053 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3054 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3055 })
3056
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3057 certificateRequired := "remote error: certificate required"
3058 if ver.version < VersionTLS13 {
3059 // Prior to TLS 1.3, the generic handshake_failure alert
3060 // was used.
3061 certificateRequired = "remote error: handshake failure"
3062 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3063 testCases = append(testCases, testCase{
3064 testType: serverTest,
3065 name: "RequireAnyClientCertificate-" + ver.name,
3066 config: Config{
3067 MinVersion: ver.version,
3068 MaxVersion: ver.version,
3069 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3070 flags: []string{"-require-any-client-certificate"},
3071 shouldFail: true,
3072 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3073 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3074 })
3075
3076 if ver.version != VersionSSL30 {
3077 testCases = append(testCases, testCase{
3078 testType: serverTest,
3079 name: "SkipClientCertificate-" + ver.name,
3080 config: Config{
3081 MinVersion: ver.version,
3082 MaxVersion: ver.version,
3083 Bugs: ProtocolBugs{
3084 SkipClientCertificate: true,
3085 },
3086 },
3087 // Setting SSL_VERIFY_PEER allows anonymous clients.
3088 flags: []string{"-verify-peer"},
3089 shouldFail: true,
3090 expectedError: ":UNEXPECTED_MESSAGE:",
3091 })
3092 }
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3093 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3094
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3095 // Client auth is only legal in certificate-based ciphers.
3096 testCases = append(testCases, testCase{
3097 testType: clientTest,
3098 name: "ClientAuth-PSK",
3099 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3100 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3101 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3102 PreSharedKey: []byte("secret"),
3103 ClientAuth: RequireAnyClientCert,
3104 },
3105 flags: []string{
3106 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3107 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3108 "-psk", "secret",
3109 },
3110 shouldFail: true,
3111 expectedError: ":UNEXPECTED_MESSAGE:",
3112 })
3113 testCases = append(testCases, testCase{
3114 testType: clientTest,
3115 name: "ClientAuth-ECDHE_PSK",
3116 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3117 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3118 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3119 PreSharedKey: []byte("secret"),
3120 ClientAuth: RequireAnyClientCert,
3121 },
3122 flags: []string{
3123 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3124 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3125 "-psk", "secret",
3126 },
3127 shouldFail: true,
3128 expectedError: ":UNEXPECTED_MESSAGE:",
3129 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3130
3131 // Regression test for a bug where the client CA list, if explicitly
3132 // set to NULL, was mis-encoded.
3133 testCases = append(testCases, testCase{
3134 testType: serverTest,
3135 name: "Null-Client-CA-List",
3136 config: Config{
3137 MaxVersion: VersionTLS12,
3138 Certificates: []Certificate{rsaCertificate},
3139 },
3140 flags: []string{
3141 "-require-any-client-certificate",
3142 "-use-null-client-ca-list",
3143 },
3144 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3145}
3146
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3147func addExtendedMasterSecretTests() {
3148 const expectEMSFlag = "-expect-extended-master-secret"
3149
3150 for _, with := range []bool{false, true} {
3151 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3152 if with {
3153 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3154 }
3155
3156 for _, isClient := range []bool{false, true} {
3157 suffix := "-Server"
3158 testType := serverTest
3159 if isClient {
3160 suffix = "-Client"
3161 testType = clientTest
3162 }
3163
3164 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3165 // In TLS 1.3, the extension is irrelevant and
3166 // always reports as enabled.
3167 var flags []string
3168 if with || ver.version >= VersionTLS13 {
3169 flags = []string{expectEMSFlag}
3170 }
3171
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3172 test := testCase{
3173 testType: testType,
3174 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3175 config: Config{
3176 MinVersion: ver.version,
3177 MaxVersion: ver.version,
3178 Bugs: ProtocolBugs{
3179 NoExtendedMasterSecret: !with,
3180 RequireExtendedMasterSecret: with,
3181 },
3182 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3183 flags: flags,
3184 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3185 }
3186 if test.shouldFail {
3187 test.expectedLocalError = "extended master secret required but not supported by peer"
3188 }
3189 testCases = append(testCases, test)
3190 }
3191 }
3192 }
3193
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3194 for _, isClient := range []bool{false, true} {
3195 for _, supportedInFirstConnection := range []bool{false, true} {
3196 for _, supportedInResumeConnection := range []bool{false, true} {
3197 boolToWord := func(b bool) string {
3198 if b {
3199 return "Yes"
3200 }
3201 return "No"
3202 }
3203 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3204 if isClient {
3205 suffix += "Client"
3206 } else {
3207 suffix += "Server"
3208 }
3209
3210 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3211 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3212 Bugs: ProtocolBugs{
3213 RequireExtendedMasterSecret: true,
3214 },
3215 }
3216
3217 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3218 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3219 Bugs: ProtocolBugs{
3220 NoExtendedMasterSecret: true,
3221 },
3222 }
3223
3224 test := testCase{
3225 name: "ExtendedMasterSecret-" + suffix,
3226 resumeSession: true,
3227 }
3228
3229 if !isClient {
3230 test.testType = serverTest
3231 }
3232
3233 if supportedInFirstConnection {
3234 test.config = supportedConfig
3235 } else {
3236 test.config = noSupportConfig
3237 }
3238
3239 if supportedInResumeConnection {
3240 test.resumeConfig = &supportedConfig
3241 } else {
3242 test.resumeConfig = &noSupportConfig
3243 }
3244
3245 switch suffix {
3246 case "YesToYes-Client", "YesToYes-Server":
3247 // When a session is resumed, it should
3248 // still be aware that its master
3249 // secret was generated via EMS and
3250 // thus it's safe to use tls-unique.
3251 test.flags = []string{expectEMSFlag}
3252 case "NoToYes-Server":
3253 // If an original connection did not
3254 // contain EMS, but a resumption
3255 // handshake does, then a server should
3256 // not resume the session.
3257 test.expectResumeRejected = true
3258 case "YesToNo-Server":
3259 // Resuming an EMS session without the
3260 // EMS extension should cause the
3261 // server to abort the connection.
3262 test.shouldFail = true
3263 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3264 case "NoToYes-Client":
3265 // A client should abort a connection
3266 // where the server resumed a non-EMS
3267 // session but echoed the EMS
3268 // extension.
3269 test.shouldFail = true
3270 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3271 case "YesToNo-Client":
3272 // A client should abort a connection
3273 // where the server didn't echo EMS
3274 // when the session used it.
3275 test.shouldFail = true
3276 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3277 }
3278
3279 testCases = append(testCases, test)
3280 }
3281 }
3282 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3283
3284 // Switching EMS on renegotiation is forbidden.
3285 testCases = append(testCases, testCase{
3286 name: "ExtendedMasterSecret-Renego-NoEMS",
3287 config: Config{
3288 MaxVersion: VersionTLS12,
3289 Bugs: ProtocolBugs{
3290 NoExtendedMasterSecret: true,
3291 NoExtendedMasterSecretOnRenegotiation: true,
3292 },
3293 },
3294 renegotiate: 1,
3295 flags: []string{
3296 "-renegotiate-freely",
3297 "-expect-total-renegotiations", "1",
3298 },
3299 })
3300
3301 testCases = append(testCases, testCase{
3302 name: "ExtendedMasterSecret-Renego-Upgrade",
3303 config: Config{
3304 MaxVersion: VersionTLS12,
3305 Bugs: ProtocolBugs{
3306 NoExtendedMasterSecret: true,
3307 },
3308 },
3309 renegotiate: 1,
3310 flags: []string{
3311 "-renegotiate-freely",
3312 "-expect-total-renegotiations", "1",
3313 },
3314 shouldFail: true,
3315 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3316 })
3317
3318 testCases = append(testCases, testCase{
3319 name: "ExtendedMasterSecret-Renego-Downgrade",
3320 config: Config{
3321 MaxVersion: VersionTLS12,
3322 Bugs: ProtocolBugs{
3323 NoExtendedMasterSecretOnRenegotiation: true,
3324 },
3325 },
3326 renegotiate: 1,
3327 flags: []string{
3328 "-renegotiate-freely",
3329 "-expect-total-renegotiations", "1",
3330 },
3331 shouldFail: true,
3332 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3333 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3334}
3335
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3336type stateMachineTestConfig struct {
3337 protocol protocol
3338 async bool
3339 splitHandshake, packHandshakeFlight bool
3340}
3341
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3342// Adds tests that try to cover the range of the handshake state machine, under
3343// various conditions. Some of these are redundant with other tests, but they
3344// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3345func addAllStateMachineCoverageTests() {
3346 for _, async := range []bool{false, true} {
3347 for _, protocol := range []protocol{tls, dtls} {
3348 addStateMachineCoverageTests(stateMachineTestConfig{
3349 protocol: protocol,
3350 async: async,
3351 })
3352 addStateMachineCoverageTests(stateMachineTestConfig{
3353 protocol: protocol,
3354 async: async,
3355 splitHandshake: true,
3356 })
3357 if protocol == tls {
3358 addStateMachineCoverageTests(stateMachineTestConfig{
3359 protocol: protocol,
3360 async: async,
3361 packHandshakeFlight: true,
3362 })
3363 }
3364 }
3365 }
3366}
3367
3368func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3369 var tests []testCase
3370
3371 // Basic handshake, with resumption. Client and server,
3372 // session ID and session ticket.
3373 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3374 name: "Basic-Client",
3375 config: Config{
3376 MaxVersion: VersionTLS12,
3377 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3378 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3379 // Ensure session tickets are used, not session IDs.
3380 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3381 })
3382 tests = append(tests, testCase{
3383 name: "Basic-Client-RenewTicket",
3384 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3385 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3386 Bugs: ProtocolBugs{
3387 RenewTicketOnResume: true,
3388 },
3389 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3390 flags: []string{"-expect-ticket-renewal"},
3391 resumeSession: true,
3392 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3393 })
3394 tests = append(tests, testCase{
3395 name: "Basic-Client-NoTicket",
3396 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3397 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3398 SessionTicketsDisabled: true,
3399 },
3400 resumeSession: true,
3401 })
3402 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3403 name: "Basic-Client-Implicit",
3404 config: Config{
3405 MaxVersion: VersionTLS12,
3406 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3407 flags: []string{"-implicit-handshake"},
3408 resumeSession: true,
3409 })
3410 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3411 testType: serverTest,
3412 name: "Basic-Server",
3413 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3414 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3415 Bugs: ProtocolBugs{
3416 RequireSessionTickets: true,
3417 },
3418 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3419 resumeSession: true,
3420 })
3421 tests = append(tests, testCase{
3422 testType: serverTest,
3423 name: "Basic-Server-NoTickets",
3424 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3425 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3426 SessionTicketsDisabled: true,
3427 },
3428 resumeSession: true,
3429 })
3430 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3431 testType: serverTest,
3432 name: "Basic-Server-Implicit",
3433 config: Config{
3434 MaxVersion: VersionTLS12,
3435 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3436 flags: []string{"-implicit-handshake"},
3437 resumeSession: true,
3438 })
3439 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3440 testType: serverTest,
3441 name: "Basic-Server-EarlyCallback",
3442 config: Config{
3443 MaxVersion: VersionTLS12,
3444 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3445 flags: []string{"-use-early-callback"},
3446 resumeSession: true,
3447 })
3448
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3449 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3450 if config.protocol == tls {
3451 tests = append(tests, testCase{
3452 name: "TLS13-1RTT-Client",
3453 config: Config{
3454 MaxVersion: VersionTLS13,
3455 MinVersion: VersionTLS13,
3456 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3457 resumeSession: true,
3458 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3459 })
3460
3461 tests = append(tests, testCase{
3462 testType: serverTest,
3463 name: "TLS13-1RTT-Server",
3464 config: Config{
3465 MaxVersion: VersionTLS13,
3466 MinVersion: VersionTLS13,
3467 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3468 resumeSession: true,
3469 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3470 })
3471
3472 tests = append(tests, testCase{
3473 name: "TLS13-HelloRetryRequest-Client",
3474 config: Config{
3475 MaxVersion: VersionTLS13,
3476 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3477 // P-384 requires a HelloRetryRequest against BoringSSL's default
3478 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3479 CurvePreferences: []CurveID{CurveP384},
3480 Bugs: ProtocolBugs{
3481 ExpectMissingKeyShare: true,
3482 },
3483 },
3484 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3485 resumeSession: true,
3486 })
3487
3488 tests = append(tests, testCase{
3489 testType: serverTest,
3490 name: "TLS13-HelloRetryRequest-Server",
3491 config: Config{
3492 MaxVersion: VersionTLS13,
3493 MinVersion: VersionTLS13,
3494 // Require a HelloRetryRequest for every curve.
3495 DefaultCurves: []CurveID{},
3496 },
3497 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3498 resumeSession: true,
3499 })
3500 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3501
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3502 // TLS client auth.
3503 tests = append(tests, testCase{
3504 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3505 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3506 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3507 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3508 ClientAuth: RequestClientCert,
3509 },
3510 })
3511 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3512 testType: serverTest,
3513 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3514 config: Config{
3515 MaxVersion: VersionTLS12,
3516 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3517 // Setting SSL_VERIFY_PEER allows anonymous clients.
3518 flags: []string{"-verify-peer"},
3519 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3520 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3521 tests = append(tests, testCase{
3522 testType: clientTest,
3523 name: "ClientAuth-NoCertificate-Client-SSL3",
3524 config: Config{
3525 MaxVersion: VersionSSL30,
3526 ClientAuth: RequestClientCert,
3527 },
3528 })
3529 tests = append(tests, testCase{
3530 testType: serverTest,
3531 name: "ClientAuth-NoCertificate-Server-SSL3",
3532 config: Config{
3533 MaxVersion: VersionSSL30,
3534 },
3535 // Setting SSL_VERIFY_PEER allows anonymous clients.
3536 flags: []string{"-verify-peer"},
3537 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3538 tests = append(tests, testCase{
3539 testType: clientTest,
3540 name: "ClientAuth-NoCertificate-Client-TLS13",
3541 config: Config{
3542 MaxVersion: VersionTLS13,
3543 ClientAuth: RequestClientCert,
3544 },
3545 })
3546 tests = append(tests, testCase{
3547 testType: serverTest,
3548 name: "ClientAuth-NoCertificate-Server-TLS13",
3549 config: Config{
3550 MaxVersion: VersionTLS13,
3551 },
3552 // Setting SSL_VERIFY_PEER allows anonymous clients.
3553 flags: []string{"-verify-peer"},
3554 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3555 }
3556 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3557 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3558 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3559 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3560 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3561 ClientAuth: RequireAnyClientCert,
3562 },
3563 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3564 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3565 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3566 },
3567 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3568 tests = append(tests, testCase{
3569 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3570 name: "ClientAuth-RSA-Client-TLS13",
3571 config: Config{
3572 MaxVersion: VersionTLS13,
3573 ClientAuth: RequireAnyClientCert,
3574 },
3575 flags: []string{
3576 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3577 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3578 },
3579 })
3580 tests = append(tests, testCase{
3581 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3582 name: "ClientAuth-ECDSA-Client",
3583 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3584 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3585 ClientAuth: RequireAnyClientCert,
3586 },
3587 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3588 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3589 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3590 },
3591 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3592 tests = append(tests, testCase{
3593 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3594 name: "ClientAuth-ECDSA-Client-TLS13",
3595 config: Config{
3596 MaxVersion: VersionTLS13,
3597 ClientAuth: RequireAnyClientCert,
3598 },
3599 flags: []string{
3600 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3601 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3602 },
3603 })
3604 tests = append(tests, testCase{
3605 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3606 name: "ClientAuth-NoCertificate-OldCallback",
3607 config: Config{
3608 MaxVersion: VersionTLS12,
3609 ClientAuth: RequestClientCert,
3610 },
3611 flags: []string{"-use-old-client-cert-callback"},
3612 })
3613 tests = append(tests, testCase{
3614 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3615 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3616 config: Config{
3617 MaxVersion: VersionTLS13,
3618 ClientAuth: RequestClientCert,
3619 },
3620 flags: []string{"-use-old-client-cert-callback"},
3621 })
3622 tests = append(tests, testCase{
3623 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3624 name: "ClientAuth-OldCallback",
3625 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3626 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3627 ClientAuth: RequireAnyClientCert,
3628 },
3629 flags: []string{
3630 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3631 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3632 "-use-old-client-cert-callback",
3633 },
3634 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3635 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3636 testType: clientTest,
3637 name: "ClientAuth-OldCallback-TLS13",
3638 config: Config{
3639 MaxVersion: VersionTLS13,
3640 ClientAuth: RequireAnyClientCert,
3641 },
3642 flags: []string{
3643 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3644 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3645 "-use-old-client-cert-callback",
3646 },
3647 })
3648 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3649 testType: serverTest,
3650 name: "ClientAuth-Server",
3651 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3652 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3653 Certificates: []Certificate{rsaCertificate},
3654 },
3655 flags: []string{"-require-any-client-certificate"},
3656 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3657 tests = append(tests, testCase{
3658 testType: serverTest,
3659 name: "ClientAuth-Server-TLS13",
3660 config: Config{
3661 MaxVersion: VersionTLS13,
3662 Certificates: []Certificate{rsaCertificate},
3663 },
3664 flags: []string{"-require-any-client-certificate"},
3665 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3666
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3667 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3668 tests = append(tests, testCase{
3669 testType: serverTest,
3670 name: "Basic-Server-RSA",
3671 config: Config{
3672 MaxVersion: VersionTLS12,
3673 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3674 },
3675 flags: []string{
3676 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3677 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3678 },
3679 })
3680 tests = append(tests, testCase{
3681 testType: serverTest,
3682 name: "Basic-Server-ECDHE-RSA",
3683 config: Config{
3684 MaxVersion: VersionTLS12,
3685 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3686 },
3687 flags: []string{
3688 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3689 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3690 },
3691 })
3692 tests = append(tests, testCase{
3693 testType: serverTest,
3694 name: "Basic-Server-ECDHE-ECDSA",
3695 config: Config{
3696 MaxVersion: VersionTLS12,
3697 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3698 },
3699 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3700 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3701 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3702 },
3703 })
3704
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3705 // No session ticket support; server doesn't send NewSessionTicket.
3706 tests = append(tests, testCase{
3707 name: "SessionTicketsDisabled-Client",
3708 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3709 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3710 SessionTicketsDisabled: true,
3711 },
3712 })
3713 tests = append(tests, testCase{
3714 testType: serverTest,
3715 name: "SessionTicketsDisabled-Server",
3716 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3717 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3718 SessionTicketsDisabled: true,
3719 },
3720 })
3721
3722 // Skip ServerKeyExchange in PSK key exchange if there's no
3723 // identity hint.
3724 tests = append(tests, testCase{
3725 name: "EmptyPSKHint-Client",
3726 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3727 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3728 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3729 PreSharedKey: []byte("secret"),
3730 },
3731 flags: []string{"-psk", "secret"},
3732 })
3733 tests = append(tests, testCase{
3734 testType: serverTest,
3735 name: "EmptyPSKHint-Server",
3736 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3737 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3738 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3739 PreSharedKey: []byte("secret"),
3740 },
3741 flags: []string{"-psk", "secret"},
3742 })
3743
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3744 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3745 tests = append(tests, testCase{
3746 testType: clientTest,
3747 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3748 config: Config{
3749 MaxVersion: VersionTLS12,
3750 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3751 flags: []string{
3752 "-enable-ocsp-stapling",
3753 "-expect-ocsp-response",
3754 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3755 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3756 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3757 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3758 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3759 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3760 testType: serverTest,
3761 name: "OCSPStapling-Server",
3762 config: Config{
3763 MaxVersion: VersionTLS12,
3764 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3765 expectedOCSPResponse: testOCSPResponse,
3766 flags: []string{
3767 "-ocsp-response",
3768 base64.StdEncoding.EncodeToString(testOCSPResponse),
3769 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3770 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3771 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3772 tests = append(tests, testCase{
3773 testType: clientTest,
3774 name: "OCSPStapling-Client-TLS13",
3775 config: Config{
3776 MaxVersion: VersionTLS13,
3777 },
3778 flags: []string{
3779 "-enable-ocsp-stapling",
3780 "-expect-ocsp-response",
3781 base64.StdEncoding.EncodeToString(testOCSPResponse),
3782 "-verify-peer",
3783 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3784 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3785 })
3786 tests = append(tests, testCase{
3787 testType: serverTest,
3788 name: "OCSPStapling-Server-TLS13",
3789 config: Config{
3790 MaxVersion: VersionTLS13,
3791 },
3792 expectedOCSPResponse: testOCSPResponse,
3793 flags: []string{
3794 "-ocsp-response",
3795 base64.StdEncoding.EncodeToString(testOCSPResponse),
3796 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3797 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3798 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3799
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3800 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3801 for _, vers := range tlsVersions {
3802 if config.protocol == dtls && !vers.hasDTLS {
3803 continue
3804 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3805 for _, testType := range []testType{clientTest, serverTest} {
3806 suffix := "-Client"
3807 if testType == serverTest {
3808 suffix = "-Server"
3809 }
3810 suffix += "-" + vers.name
3811
3812 flag := "-verify-peer"
3813 if testType == serverTest {
3814 flag = "-require-any-client-certificate"
3815 }
3816
3817 tests = append(tests, testCase{
3818 testType: testType,
3819 name: "CertificateVerificationSucceed" + suffix,
3820 config: Config{
3821 MaxVersion: vers.version,
3822 Certificates: []Certificate{rsaCertificate},
3823 },
3824 flags: []string{
3825 flag,
3826 "-expect-verify-result",
3827 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3828 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3829 })
3830 tests = append(tests, testCase{
3831 testType: testType,
3832 name: "CertificateVerificationFail" + suffix,
3833 config: Config{
3834 MaxVersion: vers.version,
3835 Certificates: []Certificate{rsaCertificate},
3836 },
3837 flags: []string{
3838 flag,
3839 "-verify-fail",
3840 },
3841 shouldFail: true,
3842 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3843 })
3844 }
3845
3846 // By default, the client is in a soft fail mode where the peer
3847 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3848 tests = append(tests, testCase{
3849 testType: clientTest,
3850 name: "CertificateVerificationSoftFail-" + vers.name,
3851 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3852 MaxVersion: vers.version,
3853 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3854 },
3855 flags: []string{
3856 "-verify-fail",
3857 "-expect-verify-result",
3858 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3859 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3860 })
3861 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3862
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3863 tests = append(tests, testCase{
3864 name: "ShimSendAlert",
3865 flags: []string{"-send-alert"},
3866 shimWritesFirst: true,
3867 shouldFail: true,
3868 expectedLocalError: "remote error: decompression failure",
3869 })
3870
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3871 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3872 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3873 name: "Renegotiate-Client",
3874 config: Config{
3875 MaxVersion: VersionTLS12,
3876 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3877 renegotiate: 1,
3878 flags: []string{
3879 "-renegotiate-freely",
3880 "-expect-total-renegotiations", "1",
3881 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3882 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3883
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3884 tests = append(tests, testCase{
3885 name: "SendHalfHelloRequest",
3886 config: Config{
3887 MaxVersion: VersionTLS12,
3888 Bugs: ProtocolBugs{
3889 PackHelloRequestWithFinished: config.packHandshakeFlight,
3890 },
3891 },
3892 sendHalfHelloRequest: true,
3893 flags: []string{"-renegotiate-ignore"},
3894 shouldFail: true,
3895 expectedError: ":UNEXPECTED_RECORD:",
3896 })
3897
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3898 // NPN on client and server; results in post-handshake message.
3899 tests = append(tests, testCase{
3900 name: "NPN-Client",
3901 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3902 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3903 NextProtos: []string{"foo"},
3904 },
3905 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3906 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3907 expectedNextProto: "foo",
3908 expectedNextProtoType: npn,
3909 })
3910 tests = append(tests, testCase{
3911 testType: serverTest,
3912 name: "NPN-Server",
3913 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3914 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3915 NextProtos: []string{"bar"},
3916 },
3917 flags: []string{
3918 "-advertise-npn", "\x03foo\x03bar\x03baz",
3919 "-expect-next-proto", "bar",
3920 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3921 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3922 expectedNextProto: "bar",
3923 expectedNextProtoType: npn,
3924 })
3925
3926 // TODO(davidben): Add tests for when False Start doesn't trigger.
3927
3928 // Client does False Start and negotiates NPN.
3929 tests = append(tests, testCase{
3930 name: "FalseStart",
3931 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3932 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3933 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3934 NextProtos: []string{"foo"},
3935 Bugs: ProtocolBugs{
3936 ExpectFalseStart: true,
3937 },
3938 },
3939 flags: []string{
3940 "-false-start",
3941 "-select-next-proto", "foo",
3942 },
3943 shimWritesFirst: true,
3944 resumeSession: true,
3945 })
3946
3947 // Client does False Start and negotiates ALPN.
3948 tests = append(tests, testCase{
3949 name: "FalseStart-ALPN",
3950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3951 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3952 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3953 NextProtos: []string{"foo"},
3954 Bugs: ProtocolBugs{
3955 ExpectFalseStart: true,
3956 },
3957 },
3958 flags: []string{
3959 "-false-start",
3960 "-advertise-alpn", "\x03foo",
3961 },
3962 shimWritesFirst: true,
3963 resumeSession: true,
3964 })
3965
3966 // Client does False Start but doesn't explicitly call
3967 // SSL_connect.
3968 tests = append(tests, testCase{
3969 name: "FalseStart-Implicit",
3970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3971 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3972 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3973 NextProtos: []string{"foo"},
3974 },
3975 flags: []string{
3976 "-implicit-handshake",
3977 "-false-start",
3978 "-advertise-alpn", "\x03foo",
3979 },
3980 })
3981
3982 // False Start without session tickets.
3983 tests = append(tests, testCase{
3984 name: "FalseStart-SessionTicketsDisabled",
3985 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3986 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3987 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3988 NextProtos: []string{"foo"},
3989 SessionTicketsDisabled: true,
3990 Bugs: ProtocolBugs{
3991 ExpectFalseStart: true,
3992 },
3993 },
3994 flags: []string{
3995 "-false-start",
3996 "-select-next-proto", "foo",
3997 },
3998 shimWritesFirst: true,
3999 })
4000
4001 // Server parses a V2ClientHello.
4002 tests = append(tests, testCase{
4003 testType: serverTest,
4004 name: "SendV2ClientHello",
4005 config: Config{
4006 // Choose a cipher suite that does not involve
4007 // elliptic curves, so no extensions are
4008 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4009 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4010 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4011 Bugs: ProtocolBugs{
4012 SendV2ClientHello: true,
4013 },
4014 },
4015 })
4016
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4017 // Test Channel ID
4018 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4019 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4020 continue
4021 }
4022 // Client sends a Channel ID.
4023 tests = append(tests, testCase{
4024 name: "ChannelID-Client-" + ver.name,
4025 config: Config{
4026 MaxVersion: ver.version,
4027 RequestChannelID: true,
4028 },
4029 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4030 resumeSession: true,
4031 expectChannelID: true,
4032 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4033
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4034 // Server accepts a Channel ID.
4035 tests = append(tests, testCase{
4036 testType: serverTest,
4037 name: "ChannelID-Server-" + ver.name,
4038 config: Config{
4039 MaxVersion: ver.version,
4040 ChannelID: channelIDKey,
4041 },
4042 flags: []string{
4043 "-expect-channel-id",
4044 base64.StdEncoding.EncodeToString(channelIDBytes),
4045 },
4046 resumeSession: true,
4047 expectChannelID: true,
4048 })
4049
4050 tests = append(tests, testCase{
4051 testType: serverTest,
4052 name: "InvalidChannelIDSignature-" + ver.name,
4053 config: Config{
4054 MaxVersion: ver.version,
4055 ChannelID: channelIDKey,
4056 Bugs: ProtocolBugs{
4057 InvalidChannelIDSignature: true,
4058 },
4059 },
4060 flags: []string{"-enable-channel-id"},
4061 shouldFail: true,
4062 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4063 })
4064 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4065
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4066 // Channel ID and NPN at the same time, to ensure their relative
4067 // ordering is correct.
4068 tests = append(tests, testCase{
4069 name: "ChannelID-NPN-Client",
4070 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4071 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4072 RequestChannelID: true,
4073 NextProtos: []string{"foo"},
4074 },
4075 flags: []string{
4076 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4077 "-select-next-proto", "foo",
4078 },
4079 resumeSession: true,
4080 expectChannelID: true,
4081 expectedNextProto: "foo",
4082 expectedNextProtoType: npn,
4083 })
4084 tests = append(tests, testCase{
4085 testType: serverTest,
4086 name: "ChannelID-NPN-Server",
4087 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4088 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4089 ChannelID: channelIDKey,
4090 NextProtos: []string{"bar"},
4091 },
4092 flags: []string{
4093 "-expect-channel-id",
4094 base64.StdEncoding.EncodeToString(channelIDBytes),
4095 "-advertise-npn", "\x03foo\x03bar\x03baz",
4096 "-expect-next-proto", "bar",
4097 },
4098 resumeSession: true,
4099 expectChannelID: true,
4100 expectedNextProto: "bar",
4101 expectedNextProtoType: npn,
4102 })
4103
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4104 // Bidirectional shutdown with the runner initiating.
4105 tests = append(tests, testCase{
4106 name: "Shutdown-Runner",
4107 config: Config{
4108 Bugs: ProtocolBugs{
4109 ExpectCloseNotify: true,
4110 },
4111 },
4112 flags: []string{"-check-close-notify"},
4113 })
4114
4115 // Bidirectional shutdown with the shim initiating. The runner,
4116 // in the meantime, sends garbage before the close_notify which
4117 // the shim must ignore.
4118 tests = append(tests, testCase{
4119 name: "Shutdown-Shim",
4120 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]4121 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4122 Bugs: ProtocolBugs{
4123 ExpectCloseNotify: true,
4124 },
4125 },
4126 shimShutsDown: true,
4127 sendEmptyRecords: 1,
4128 sendWarningAlerts: 1,
4129 flags: []string{"-check-close-notify"},
4130 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4131 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4132 // TODO(davidben): DTLS 1.3 will want a similar thing for
4133 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4134 tests = append(tests, testCase{
4135 name: "SkipHelloVerifyRequest",
4136 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4137 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4138 Bugs: ProtocolBugs{
4139 SkipHelloVerifyRequest: true,
4140 },
4141 },
4142 })
4143 }
4144
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4145 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4146 test.protocol = config.protocol
4147 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4148 test.name += "-DTLS"
4149 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4150 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4151 test.name += "-Async"
4152 test.flags = append(test.flags, "-async")
4153 } else {
4154 test.name += "-Sync"
4155 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4156 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4157 test.name += "-SplitHandshakeRecords"
4158 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4159 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4160 test.config.Bugs.MaxPacketLength = 256
4161 test.flags = append(test.flags, "-mtu", "256")
4162 }
4163 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4164 if config.packHandshakeFlight {
4165 test.name += "-PackHandshakeFlight"
4166 test.config.Bugs.PackHandshakeFlight = true
4167 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4168 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4169 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4170}
4171
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4172func addDDoSCallbackTests() {
4173 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4174 for _, resume := range []bool{false, true} {
4175 suffix := "Resume"
4176 if resume {
4177 suffix = "No" + suffix
4178 }
4179
4180 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4181 testType: serverTest,
4182 name: "Server-DDoS-OK-" + suffix,
4183 config: Config{
4184 MaxVersion: VersionTLS12,
4185 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4186 flags: []string{"-install-ddos-callback"},
4187 resumeSession: resume,
4188 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4189 testCases = append(testCases, testCase{
4190 testType: serverTest,
4191 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4192 config: Config{
4193 MaxVersion: VersionTLS13,
4194 },
4195 flags: []string{"-install-ddos-callback"},
4196 resumeSession: resume,
4197 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4198
4199 failFlag := "-fail-ddos-callback"
4200 if resume {
4201 failFlag = "-fail-second-ddos-callback"
4202 }
4203 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4204 testType: serverTest,
4205 name: "Server-DDoS-Reject-" + suffix,
4206 config: Config{
4207 MaxVersion: VersionTLS12,
4208 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4209 flags: []string{"-install-ddos-callback", failFlag},
4210 resumeSession: resume,
4211 shouldFail: true,
4212 expectedError: ":CONNECTION_REJECTED:",
4213 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4214 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4215 testCases = append(testCases, testCase{
4216 testType: serverTest,
4217 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4218 config: Config{
4219 MaxVersion: VersionTLS13,
4220 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4221 flags: []string{"-install-ddos-callback", failFlag},
4222 resumeSession: resume,
4223 shouldFail: true,
4224 expectedError: ":CONNECTION_REJECTED:",
4225 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4226 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4227 }
4228}
4229
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4230func addVersionNegotiationTests() {
4231 for i, shimVers := range tlsVersions {
4232 // Assemble flags to disable all newer versions on the shim.
4233 var flags []string
4234 for _, vers := range tlsVersions[i+1:] {
4235 flags = append(flags, vers.flag)
4236 }
4237
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4238 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4239 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4240 protocols := []protocol{tls}
4241 if runnerVers.hasDTLS && shimVers.hasDTLS {
4242 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4243 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4244 for _, protocol := range protocols {
4245 expectedVersion := shimVers.version
4246 if runnerVers.version < shimVers.version {
4247 expectedVersion = runnerVers.version
4248 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4249
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4250 suffix := shimVers.name + "-" + runnerVers.name
4251 if protocol == dtls {
4252 suffix += "-DTLS"
4253 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4254
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4255 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4256
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4257 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4258 clientVers := shimVers.version
4259 if clientVers > VersionTLS10 {
4260 clientVers = VersionTLS10
4261 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4262 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4263 serverVers := expectedVersion
4264 if expectedVersion >= VersionTLS13 {
4265 serverVers = VersionTLS10
4266 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4267 serverVers = versionToWire(serverVers, protocol == dtls)
4268
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4269 testCases = append(testCases, testCase{
4270 protocol: protocol,
4271 testType: clientTest,
4272 name: "VersionNegotiation-Client-" + suffix,
4273 config: Config{
4274 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4275 Bugs: ProtocolBugs{
4276 ExpectInitialRecordVersion: clientVers,
4277 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4278 },
4279 flags: flags,
4280 expectedVersion: expectedVersion,
4281 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4282 testCases = append(testCases, testCase{
4283 protocol: protocol,
4284 testType: clientTest,
4285 name: "VersionNegotiation-Client2-" + suffix,
4286 config: Config{
4287 MaxVersion: runnerVers.version,
4288 Bugs: ProtocolBugs{
4289 ExpectInitialRecordVersion: clientVers,
4290 },
4291 },
4292 flags: []string{"-max-version", shimVersFlag},
4293 expectedVersion: expectedVersion,
4294 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4295
4296 testCases = append(testCases, testCase{
4297 protocol: protocol,
4298 testType: serverTest,
4299 name: "VersionNegotiation-Server-" + suffix,
4300 config: Config{
4301 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4302 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4303 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4304 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4305 },
4306 flags: flags,
4307 expectedVersion: expectedVersion,
4308 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4309 testCases = append(testCases, testCase{
4310 protocol: protocol,
4311 testType: serverTest,
4312 name: "VersionNegotiation-Server2-" + suffix,
4313 config: Config{
4314 MaxVersion: runnerVers.version,
4315 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4316 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4317 },
4318 },
4319 flags: []string{"-max-version", shimVersFlag},
4320 expectedVersion: expectedVersion,
4321 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4322 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4323 }
4324 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4325
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4326 // Test the version extension at all versions.
4327 for _, vers := range tlsVersions {
4328 protocols := []protocol{tls}
4329 if vers.hasDTLS {
4330 protocols = append(protocols, dtls)
4331 }
4332 for _, protocol := range protocols {
4333 suffix := vers.name
4334 if protocol == dtls {
4335 suffix += "-DTLS"
4336 }
4337
4338 wireVersion := versionToWire(vers.version, protocol == dtls)
4339 testCases = append(testCases, testCase{
4340 protocol: protocol,
4341 testType: serverTest,
4342 name: "VersionNegotiationExtension-" + suffix,
4343 config: Config{
4344 Bugs: ProtocolBugs{
4345 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4346 },
4347 },
4348 expectedVersion: vers.version,
4349 })
4350 }
4351
4352 }
4353
4354 // If all versions are unknown, negotiation fails.
4355 testCases = append(testCases, testCase{
4356 testType: serverTest,
4357 name: "NoSupportedVersions",
4358 config: Config{
4359 Bugs: ProtocolBugs{
4360 SendSupportedVersions: []uint16{0x1111},
4361 },
4362 },
4363 shouldFail: true,
4364 expectedError: ":UNSUPPORTED_PROTOCOL:",
4365 })
4366 testCases = append(testCases, testCase{
4367 protocol: dtls,
4368 testType: serverTest,
4369 name: "NoSupportedVersions-DTLS",
4370 config: Config{
4371 Bugs: ProtocolBugs{
4372 SendSupportedVersions: []uint16{0x1111},
4373 },
4374 },
4375 shouldFail: true,
4376 expectedError: ":UNSUPPORTED_PROTOCOL:",
4377 })
4378
4379 testCases = append(testCases, testCase{
4380 testType: serverTest,
4381 name: "ClientHelloVersionTooHigh",
4382 config: Config{
4383 MaxVersion: VersionTLS13,
4384 Bugs: ProtocolBugs{
4385 SendClientVersion: 0x0304,
4386 OmitSupportedVersions: true,
4387 },
4388 },
4389 expectedVersion: VersionTLS12,
4390 })
4391
4392 testCases = append(testCases, testCase{
4393 testType: serverTest,
4394 name: "ConflictingVersionNegotiation",
4395 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4396 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4397 SendClientVersion: VersionTLS12,
4398 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4399 },
4400 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4401 // The extension takes precedence over the ClientHello version.
4402 expectedVersion: VersionTLS11,
4403 })
4404
4405 testCases = append(testCases, testCase{
4406 testType: serverTest,
4407 name: "ConflictingVersionNegotiation-2",
4408 config: Config{
4409 Bugs: ProtocolBugs{
4410 SendClientVersion: VersionTLS11,
4411 SendSupportedVersions: []uint16{VersionTLS12},
4412 },
4413 },
4414 // The extension takes precedence over the ClientHello version.
4415 expectedVersion: VersionTLS12,
4416 })
4417
4418 testCases = append(testCases, testCase{
4419 testType: serverTest,
4420 name: "RejectFinalTLS13",
4421 config: Config{
4422 Bugs: ProtocolBugs{
4423 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4424 },
4425 },
4426 // We currently implement a draft TLS 1.3 version. Ensure that
4427 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4428 expectedVersion: VersionTLS12,
4429 })
4430
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4431 // Test that the maximum version is selected regardless of the
4432 // client-sent order.
4433 testCases = append(testCases, testCase{
4434 testType: serverTest,
4435 name: "IgnoreClientVersionOrder",
4436 config: Config{
4437 Bugs: ProtocolBugs{
4438 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4439 },
4440 },
4441 expectedVersion: VersionTLS13,
4442 })
4443
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4444 // Test for version tolerance.
4445 testCases = append(testCases, testCase{
4446 testType: serverTest,
4447 name: "MinorVersionTolerance",
4448 config: Config{
4449 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4450 SendClientVersion: 0x03ff,
4451 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4452 },
4453 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4454 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4455 })
4456 testCases = append(testCases, testCase{
4457 testType: serverTest,
4458 name: "MajorVersionTolerance",
4459 config: Config{
4460 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4461 SendClientVersion: 0x0400,
4462 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4463 },
4464 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4465 // TLS 1.3 must be negotiated with the supported_versions
4466 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4467 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4468 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4469 testCases = append(testCases, testCase{
4470 testType: serverTest,
4471 name: "VersionTolerance-TLS13",
4472 config: Config{
4473 Bugs: ProtocolBugs{
4474 // Although TLS 1.3 does not use
4475 // ClientHello.version, it still tolerates high
4476 // values there.
4477 SendClientVersion: 0x0400,
4478 },
4479 },
4480 expectedVersion: VersionTLS13,
4481 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4482
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4483 testCases = append(testCases, testCase{
4484 protocol: dtls,
4485 testType: serverTest,
4486 name: "MinorVersionTolerance-DTLS",
4487 config: Config{
4488 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4489 SendClientVersion: 0xfe00,
4490 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4491 },
4492 },
4493 expectedVersion: VersionTLS12,
4494 })
4495 testCases = append(testCases, testCase{
4496 protocol: dtls,
4497 testType: serverTest,
4498 name: "MajorVersionTolerance-DTLS",
4499 config: Config{
4500 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4501 SendClientVersion: 0xfdff,
4502 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4503 },
4504 },
4505 expectedVersion: VersionTLS12,
4506 })
4507
4508 // Test that versions below 3.0 are rejected.
4509 testCases = append(testCases, testCase{
4510 testType: serverTest,
4511 name: "VersionTooLow",
4512 config: Config{
4513 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4514 SendClientVersion: 0x0200,
4515 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4516 },
4517 },
4518 shouldFail: true,
4519 expectedError: ":UNSUPPORTED_PROTOCOL:",
4520 })
4521 testCases = append(testCases, testCase{
4522 protocol: dtls,
4523 testType: serverTest,
4524 name: "VersionTooLow-DTLS",
4525 config: Config{
4526 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4527 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4528 },
4529 },
4530 shouldFail: true,
4531 expectedError: ":UNSUPPORTED_PROTOCOL:",
4532 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4533
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4534 testCases = append(testCases, testCase{
4535 name: "ServerBogusVersion",
4536 config: Config{
4537 Bugs: ProtocolBugs{
4538 SendServerHelloVersion: 0x1234,
4539 },
4540 },
4541 shouldFail: true,
4542 expectedError: ":UNSUPPORTED_PROTOCOL:",
4543 })
4544
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4545 // Test TLS 1.3's downgrade signal.
4546 testCases = append(testCases, testCase{
4547 name: "Downgrade-TLS12-Client",
4548 config: Config{
4549 Bugs: ProtocolBugs{
4550 NegotiateVersion: VersionTLS12,
4551 },
4552 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4553 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4554 // TODO(davidben): This test should fail once TLS 1.3 is final
4555 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4556 })
4557 testCases = append(testCases, testCase{
4558 testType: serverTest,
4559 name: "Downgrade-TLS12-Server",
4560 config: Config{
4561 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4562 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4563 },
4564 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4565 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4566 // TODO(davidben): This test should fail once TLS 1.3 is final
4567 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4568 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4569}
4570
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4571func addMinimumVersionTests() {
4572 for i, shimVers := range tlsVersions {
4573 // Assemble flags to disable all older versions on the shim.
4574 var flags []string
4575 for _, vers := range tlsVersions[:i] {
4576 flags = append(flags, vers.flag)
4577 }
4578
4579 for _, runnerVers := range tlsVersions {
4580 protocols := []protocol{tls}
4581 if runnerVers.hasDTLS && shimVers.hasDTLS {
4582 protocols = append(protocols, dtls)
4583 }
4584 for _, protocol := range protocols {
4585 suffix := shimVers.name + "-" + runnerVers.name
4586 if protocol == dtls {
4587 suffix += "-DTLS"
4588 }
4589 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4590
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4591 var expectedVersion uint16
4592 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4593 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4594 if runnerVers.version >= shimVers.version {
4595 expectedVersion = runnerVers.version
4596 } else {
4597 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4598 expectedError = ":UNSUPPORTED_PROTOCOL:"
4599 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4600 }
4601
4602 testCases = append(testCases, testCase{
4603 protocol: protocol,
4604 testType: clientTest,
4605 name: "MinimumVersion-Client-" + suffix,
4606 config: Config{
4607 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4608 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4609 // Ensure the server does not decline to
4610 // select a version (versions extension) or
4611 // cipher (some ciphers depend on versions).
4612 NegotiateVersion: runnerVers.version,
4613 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4614 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4615 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4616 flags: flags,
4617 expectedVersion: expectedVersion,
4618 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4619 expectedError: expectedError,
4620 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4621 })
4622 testCases = append(testCases, testCase{
4623 protocol: protocol,
4624 testType: clientTest,
4625 name: "MinimumVersion-Client2-" + suffix,
4626 config: Config{
4627 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4628 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4629 // Ensure the server does not decline to
4630 // select a version (versions extension) or
4631 // cipher (some ciphers depend on versions).
4632 NegotiateVersion: runnerVers.version,
4633 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4634 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4635 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4636 flags: []string{"-min-version", shimVersFlag},
4637 expectedVersion: expectedVersion,
4638 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4639 expectedError: expectedError,
4640 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4641 })
4642
4643 testCases = append(testCases, testCase{
4644 protocol: protocol,
4645 testType: serverTest,
4646 name: "MinimumVersion-Server-" + suffix,
4647 config: Config{
4648 MaxVersion: runnerVers.version,
4649 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4650 flags: flags,
4651 expectedVersion: expectedVersion,
4652 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4653 expectedError: expectedError,
4654 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4655 })
4656 testCases = append(testCases, testCase{
4657 protocol: protocol,
4658 testType: serverTest,
4659 name: "MinimumVersion-Server2-" + suffix,
4660 config: Config{
4661 MaxVersion: runnerVers.version,
4662 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4663 flags: []string{"-min-version", shimVersFlag},
4664 expectedVersion: expectedVersion,
4665 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4666 expectedError: expectedError,
4667 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4668 })
4669 }
4670 }
4671 }
4672}
4673
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4674func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4675 // TODO(davidben): Extensions, where applicable, all move their server
4676 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4677 // tests for both. Also test interaction with 0-RTT when implemented.
4678
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4679 // Repeat extensions tests all versions except SSL 3.0.
4680 for _, ver := range tlsVersions {
4681 if ver.version == VersionSSL30 {
4682 continue
4683 }
4684
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4685 // Test that duplicate extensions are rejected.
4686 testCases = append(testCases, testCase{
4687 testType: clientTest,
4688 name: "DuplicateExtensionClient-" + ver.name,
4689 config: Config{
4690 MaxVersion: ver.version,
4691 Bugs: ProtocolBugs{
4692 DuplicateExtension: true,
4693 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4694 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4695 shouldFail: true,
4696 expectedLocalError: "remote error: error decoding message",
4697 })
4698 testCases = append(testCases, testCase{
4699 testType: serverTest,
4700 name: "DuplicateExtensionServer-" + ver.name,
4701 config: Config{
4702 MaxVersion: ver.version,
4703 Bugs: ProtocolBugs{
4704 DuplicateExtension: true,
4705 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4706 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4707 shouldFail: true,
4708 expectedLocalError: "remote error: error decoding message",
4709 })
4710
4711 // Test SNI.
4712 testCases = append(testCases, testCase{
4713 testType: clientTest,
4714 name: "ServerNameExtensionClient-" + ver.name,
4715 config: Config{
4716 MaxVersion: ver.version,
4717 Bugs: ProtocolBugs{
4718 ExpectServerName: "example.com",
4719 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4720 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4721 flags: []string{"-host-name", "example.com"},
4722 })
4723 testCases = append(testCases, testCase{
4724 testType: clientTest,
4725 name: "ServerNameExtensionClientMismatch-" + ver.name,
4726 config: Config{
4727 MaxVersion: ver.version,
4728 Bugs: ProtocolBugs{
4729 ExpectServerName: "mismatch.com",
4730 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4731 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4732 flags: []string{"-host-name", "example.com"},
4733 shouldFail: true,
4734 expectedLocalError: "tls: unexpected server name",
4735 })
4736 testCases = append(testCases, testCase{
4737 testType: clientTest,
4738 name: "ServerNameExtensionClientMissing-" + ver.name,
4739 config: Config{
4740 MaxVersion: ver.version,
4741 Bugs: ProtocolBugs{
4742 ExpectServerName: "missing.com",
4743 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4744 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4745 shouldFail: true,
4746 expectedLocalError: "tls: unexpected server name",
4747 })
4748 testCases = append(testCases, testCase{
4749 testType: serverTest,
4750 name: "ServerNameExtensionServer-" + ver.name,
4751 config: Config{
4752 MaxVersion: ver.version,
4753 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4754 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4755 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4756 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4757 })
4758
4759 // Test ALPN.
4760 testCases = append(testCases, testCase{
4761 testType: clientTest,
4762 name: "ALPNClient-" + ver.name,
4763 config: Config{
4764 MaxVersion: ver.version,
4765 NextProtos: []string{"foo"},
4766 },
4767 flags: []string{
4768 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4769 "-expect-alpn", "foo",
4770 },
4771 expectedNextProto: "foo",
4772 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4773 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4774 })
4775 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4776 testType: clientTest,
4777 name: "ALPNClient-Mismatch-" + ver.name,
4778 config: Config{
4779 MaxVersion: ver.version,
4780 Bugs: ProtocolBugs{
4781 SendALPN: "baz",
4782 },
4783 },
4784 flags: []string{
4785 "-advertise-alpn", "\x03foo\x03bar",
4786 },
4787 shouldFail: true,
4788 expectedError: ":INVALID_ALPN_PROTOCOL:",
4789 expectedLocalError: "remote error: illegal parameter",
4790 })
4791 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4792 testType: serverTest,
4793 name: "ALPNServer-" + ver.name,
4794 config: Config{
4795 MaxVersion: ver.version,
4796 NextProtos: []string{"foo", "bar", "baz"},
4797 },
4798 flags: []string{
4799 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4800 "-select-alpn", "foo",
4801 },
4802 expectedNextProto: "foo",
4803 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4804 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4805 })
4806 testCases = append(testCases, testCase{
4807 testType: serverTest,
4808 name: "ALPNServer-Decline-" + ver.name,
4809 config: Config{
4810 MaxVersion: ver.version,
4811 NextProtos: []string{"foo", "bar", "baz"},
4812 },
4813 flags: []string{"-decline-alpn"},
4814 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4815 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4816 })
4817
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4818 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4819 // called once.
4820 testCases = append(testCases, testCase{
4821 testType: serverTest,
4822 name: "ALPNServer-Async-" + ver.name,
4823 config: Config{
4824 MaxVersion: ver.version,
4825 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4826 // Prior to TLS 1.3, exercise the asynchronous session callback.
4827 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4828 },
4829 flags: []string{
4830 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4831 "-select-alpn", "foo",
4832 "-async",
4833 },
4834 expectedNextProto: "foo",
4835 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4836 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4837 })
4838
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4839 var emptyString string
4840 testCases = append(testCases, testCase{
4841 testType: clientTest,
4842 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4843 config: Config{
4844 MaxVersion: ver.version,
4845 NextProtos: []string{""},
4846 Bugs: ProtocolBugs{
4847 // A server returning an empty ALPN protocol
4848 // should be rejected.
4849 ALPNProtocol: &emptyString,
4850 },
4851 },
4852 flags: []string{
4853 "-advertise-alpn", "\x03foo",
4854 },
4855 shouldFail: true,
4856 expectedError: ":PARSE_TLSEXT:",
4857 })
4858 testCases = append(testCases, testCase{
4859 testType: serverTest,
4860 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4861 config: Config{
4862 MaxVersion: ver.version,
4863 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4864 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4865 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4866 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4867 flags: []string{
4868 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4869 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4870 shouldFail: true,
4871 expectedError: ":PARSE_TLSEXT:",
4872 })
4873
4874 // Test NPN and the interaction with ALPN.
4875 if ver.version < VersionTLS13 {
4876 // Test that the server prefers ALPN over NPN.
4877 testCases = append(testCases, testCase{
4878 testType: serverTest,
4879 name: "ALPNServer-Preferred-" + ver.name,
4880 config: Config{
4881 MaxVersion: ver.version,
4882 NextProtos: []string{"foo", "bar", "baz"},
4883 },
4884 flags: []string{
4885 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4886 "-select-alpn", "foo",
4887 "-advertise-npn", "\x03foo\x03bar\x03baz",
4888 },
4889 expectedNextProto: "foo",
4890 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4891 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4892 })
4893 testCases = append(testCases, testCase{
4894 testType: serverTest,
4895 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4896 config: Config{
4897 MaxVersion: ver.version,
4898 NextProtos: []string{"foo", "bar", "baz"},
4899 Bugs: ProtocolBugs{
4900 SwapNPNAndALPN: true,
4901 },
4902 },
4903 flags: []string{
4904 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4905 "-select-alpn", "foo",
4906 "-advertise-npn", "\x03foo\x03bar\x03baz",
4907 },
4908 expectedNextProto: "foo",
4909 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4910 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4911 })
4912
4913 // Test that negotiating both NPN and ALPN is forbidden.
4914 testCases = append(testCases, testCase{
4915 name: "NegotiateALPNAndNPN-" + ver.name,
4916 config: Config{
4917 MaxVersion: ver.version,
4918 NextProtos: []string{"foo", "bar", "baz"},
4919 Bugs: ProtocolBugs{
4920 NegotiateALPNAndNPN: true,
4921 },
4922 },
4923 flags: []string{
4924 "-advertise-alpn", "\x03foo",
4925 "-select-next-proto", "foo",
4926 },
4927 shouldFail: true,
4928 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4929 })
4930 testCases = append(testCases, testCase{
4931 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4932 config: Config{
4933 MaxVersion: ver.version,
4934 NextProtos: []string{"foo", "bar", "baz"},
4935 Bugs: ProtocolBugs{
4936 NegotiateALPNAndNPN: true,
4937 SwapNPNAndALPN: true,
4938 },
4939 },
4940 flags: []string{
4941 "-advertise-alpn", "\x03foo",
4942 "-select-next-proto", "foo",
4943 },
4944 shouldFail: true,
4945 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4946 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4947 }
4948
4949 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4950
4951 // Resume with a corrupt ticket.
4952 testCases = append(testCases, testCase{
4953 testType: serverTest,
4954 name: "CorruptTicket-" + ver.name,
4955 config: Config{
4956 MaxVersion: ver.version,
4957 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4958 FilterTicket: func(in []byte) ([]byte, error) {
4959 in[len(in)-1] ^= 1
4960 return in, nil
4961 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4962 },
4963 },
4964 resumeSession: true,
4965 expectResumeRejected: true,
4966 })
4967 // Test the ticket callback, with and without renewal.
4968 testCases = append(testCases, testCase{
4969 testType: serverTest,
4970 name: "TicketCallback-" + ver.name,
4971 config: Config{
4972 MaxVersion: ver.version,
4973 },
4974 resumeSession: true,
4975 flags: []string{"-use-ticket-callback"},
4976 })
4977 testCases = append(testCases, testCase{
4978 testType: serverTest,
4979 name: "TicketCallback-Renew-" + ver.name,
4980 config: Config{
4981 MaxVersion: ver.version,
4982 Bugs: ProtocolBugs{
4983 ExpectNewTicket: true,
4984 },
4985 },
4986 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4987 resumeSession: true,
4988 })
4989
4990 // Test that the ticket callback is only called once when everything before
4991 // it in the ClientHello is asynchronous. This corrupts the ticket so
4992 // certificate selection callbacks run.
4993 testCases = append(testCases, testCase{
4994 testType: serverTest,
4995 name: "TicketCallback-SingleCall-" + ver.name,
4996 config: Config{
4997 MaxVersion: ver.version,
4998 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4999 FilterTicket: func(in []byte) ([]byte, error) {
5000 in[len(in)-1] ^= 1
5001 return in, nil
5002 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5003 },
5004 },
5005 resumeSession: true,
5006 expectResumeRejected: true,
5007 flags: []string{
5008 "-use-ticket-callback",
5009 "-async",
5010 },
5011 })
5012
5013 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5014 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5015 testCases = append(testCases, testCase{
5016 testType: serverTest,
5017 name: "OversizedSessionId-" + ver.name,
5018 config: Config{
5019 MaxVersion: ver.version,
5020 Bugs: ProtocolBugs{
5021 OversizedSessionId: true,
5022 },
5023 },
5024 resumeSession: true,
5025 shouldFail: true,
5026 expectedError: ":DECODE_ERROR:",
5027 })
5028 }
5029
5030 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5031 // are ignored.
5032 if ver.hasDTLS {
5033 testCases = append(testCases, testCase{
5034 protocol: dtls,
5035 name: "SRTP-Client-" + ver.name,
5036 config: Config{
5037 MaxVersion: ver.version,
5038 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5039 },
5040 flags: []string{
5041 "-srtp-profiles",
5042 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5043 },
5044 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5045 })
5046 testCases = append(testCases, testCase{
5047 protocol: dtls,
5048 testType: serverTest,
5049 name: "SRTP-Server-" + ver.name,
5050 config: Config{
5051 MaxVersion: ver.version,
5052 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5053 },
5054 flags: []string{
5055 "-srtp-profiles",
5056 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5057 },
5058 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5059 })
5060 // Test that the MKI is ignored.
5061 testCases = append(testCases, testCase{
5062 protocol: dtls,
5063 testType: serverTest,
5064 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5065 config: Config{
5066 MaxVersion: ver.version,
5067 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5068 Bugs: ProtocolBugs{
5069 SRTPMasterKeyIdentifer: "bogus",
5070 },
5071 },
5072 flags: []string{
5073 "-srtp-profiles",
5074 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5075 },
5076 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5077 })
5078 // Test that SRTP isn't negotiated on the server if there were
5079 // no matching profiles.
5080 testCases = append(testCases, testCase{
5081 protocol: dtls,
5082 testType: serverTest,
5083 name: "SRTP-Server-NoMatch-" + ver.name,
5084 config: Config{
5085 MaxVersion: ver.version,
5086 SRTPProtectionProfiles: []uint16{100, 101, 102},
5087 },
5088 flags: []string{
5089 "-srtp-profiles",
5090 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5091 },
5092 expectedSRTPProtectionProfile: 0,
5093 })
5094 // Test that the server returning an invalid SRTP profile is
5095 // flagged as an error by the client.
5096 testCases = append(testCases, testCase{
5097 protocol: dtls,
5098 name: "SRTP-Client-NoMatch-" + ver.name,
5099 config: Config{
5100 MaxVersion: ver.version,
5101 Bugs: ProtocolBugs{
5102 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5103 },
5104 },
5105 flags: []string{
5106 "-srtp-profiles",
5107 "SRTP_AES128_CM_SHA1_80",
5108 },
5109 shouldFail: true,
5110 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5111 })
5112 }
5113
5114 // Test SCT list.
5115 testCases = append(testCases, testCase{
5116 name: "SignedCertificateTimestampList-Client-" + ver.name,
5117 testType: clientTest,
5118 config: Config{
5119 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5120 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5121 flags: []string{
5122 "-enable-signed-cert-timestamps",
5123 "-expect-signed-cert-timestamps",
5124 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5125 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5126 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5127 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5128
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5129 var differentSCTList []byte
5130 differentSCTList = append(differentSCTList, testSCTList...)
5131 differentSCTList[len(differentSCTList)-1] ^= 1
5132
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5133 // The SCT extension did not specify that it must only be sent on resumption as it
5134 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5135 testCases = append(testCases, testCase{
5136 name: "SendSCTListOnResume-" + ver.name,
5137 config: Config{
5138 MaxVersion: ver.version,
5139 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5140 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5141 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5142 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5143 flags: []string{
5144 "-enable-signed-cert-timestamps",
5145 "-expect-signed-cert-timestamps",
5146 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5147 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5148 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5149 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5150
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5151 testCases = append(testCases, testCase{
5152 name: "SignedCertificateTimestampList-Server-" + ver.name,
5153 testType: serverTest,
5154 config: Config{
5155 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5156 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5157 flags: []string{
5158 "-signed-cert-timestamps",
5159 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5160 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5161 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5162 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5163 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5164
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5165 emptySCTListCert := *testCerts[0].cert
5166 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5167
5168 // Test empty SCT list.
5169 testCases = append(testCases, testCase{
5170 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5171 testType: clientTest,
5172 config: Config{
5173 MaxVersion: ver.version,
5174 Certificates: []Certificate{emptySCTListCert},
5175 },
5176 flags: []string{
5177 "-enable-signed-cert-timestamps",
5178 },
5179 shouldFail: true,
5180 expectedError: ":ERROR_PARSING_EXTENSION:",
5181 })
5182
5183 emptySCTCert := *testCerts[0].cert
5184 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5185
5186 // Test empty SCT in non-empty list.
5187 testCases = append(testCases, testCase{
5188 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5189 testType: clientTest,
5190 config: Config{
5191 MaxVersion: ver.version,
5192 Certificates: []Certificate{emptySCTCert},
5193 },
5194 flags: []string{
5195 "-enable-signed-cert-timestamps",
5196 },
5197 shouldFail: true,
5198 expectedError: ":ERROR_PARSING_EXTENSION:",
5199 })
5200
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5201 // Test that certificate-related extensions are not sent unsolicited.
5202 testCases = append(testCases, testCase{
5203 testType: serverTest,
5204 name: "UnsolicitedCertificateExtensions-" + ver.name,
5205 config: Config{
5206 MaxVersion: ver.version,
5207 Bugs: ProtocolBugs{
5208 NoOCSPStapling: true,
5209 NoSignedCertificateTimestamps: true,
5210 },
5211 },
5212 flags: []string{
5213 "-ocsp-response",
5214 base64.StdEncoding.EncodeToString(testOCSPResponse),
5215 "-signed-cert-timestamps",
5216 base64.StdEncoding.EncodeToString(testSCTList),
5217 },
5218 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5219 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5220
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5221 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5222 testType: clientTest,
5223 name: "ClientHelloPadding",
5224 config: Config{
5225 Bugs: ProtocolBugs{
5226 RequireClientHelloSize: 512,
5227 },
5228 },
5229 // This hostname just needs to be long enough to push the
5230 // ClientHello into F5's danger zone between 256 and 511 bytes
5231 // long.
5232 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5233 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5234
5235 // Extensions should not function in SSL 3.0.
5236 testCases = append(testCases, testCase{
5237 testType: serverTest,
5238 name: "SSLv3Extensions-NoALPN",
5239 config: Config{
5240 MaxVersion: VersionSSL30,
5241 NextProtos: []string{"foo", "bar", "baz"},
5242 },
5243 flags: []string{
5244 "-select-alpn", "foo",
5245 },
5246 expectNoNextProto: true,
5247 })
5248
5249 // Test session tickets separately as they follow a different codepath.
5250 testCases = append(testCases, testCase{
5251 testType: serverTest,
5252 name: "SSLv3Extensions-NoTickets",
5253 config: Config{
5254 MaxVersion: VersionSSL30,
5255 Bugs: ProtocolBugs{
5256 // Historically, session tickets in SSL 3.0
5257 // failed in different ways depending on whether
5258 // the client supported renegotiation_info.
5259 NoRenegotiationInfo: true,
5260 },
5261 },
5262 resumeSession: true,
5263 })
5264 testCases = append(testCases, testCase{
5265 testType: serverTest,
5266 name: "SSLv3Extensions-NoTickets2",
5267 config: Config{
5268 MaxVersion: VersionSSL30,
5269 },
5270 resumeSession: true,
5271 })
5272
5273 // But SSL 3.0 does send and process renegotiation_info.
5274 testCases = append(testCases, testCase{
5275 testType: serverTest,
5276 name: "SSLv3Extensions-RenegotiationInfo",
5277 config: Config{
5278 MaxVersion: VersionSSL30,
5279 Bugs: ProtocolBugs{
5280 RequireRenegotiationInfo: true,
5281 },
5282 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5283 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5284 })
5285 testCases = append(testCases, testCase{
5286 testType: serverTest,
5287 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5288 config: Config{
5289 MaxVersion: VersionSSL30,
5290 Bugs: ProtocolBugs{
5291 NoRenegotiationInfo: true,
5292 SendRenegotiationSCSV: true,
5293 RequireRenegotiationInfo: true,
5294 },
5295 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5296 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5297 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5298
5299 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5300 // in ServerHello.
5301 testCases = append(testCases, testCase{
5302 name: "NPN-Forbidden-TLS13",
5303 config: Config{
5304 MaxVersion: VersionTLS13,
5305 NextProtos: []string{"foo"},
5306 Bugs: ProtocolBugs{
5307 NegotiateNPNAtAllVersions: true,
5308 },
5309 },
5310 flags: []string{"-select-next-proto", "foo"},
5311 shouldFail: true,
5312 expectedError: ":ERROR_PARSING_EXTENSION:",
5313 })
5314 testCases = append(testCases, testCase{
5315 name: "EMS-Forbidden-TLS13",
5316 config: Config{
5317 MaxVersion: VersionTLS13,
5318 Bugs: ProtocolBugs{
5319 NegotiateEMSAtAllVersions: true,
5320 },
5321 },
5322 shouldFail: true,
5323 expectedError: ":ERROR_PARSING_EXTENSION:",
5324 })
5325 testCases = append(testCases, testCase{
5326 name: "RenegotiationInfo-Forbidden-TLS13",
5327 config: Config{
5328 MaxVersion: VersionTLS13,
5329 Bugs: ProtocolBugs{
5330 NegotiateRenegotiationInfoAtAllVersions: true,
5331 },
5332 },
5333 shouldFail: true,
5334 expectedError: ":ERROR_PARSING_EXTENSION:",
5335 })
5336 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5337 name: "Ticket-Forbidden-TLS13",
5338 config: Config{
5339 MaxVersion: VersionTLS12,
5340 },
5341 resumeConfig: &Config{
5342 MaxVersion: VersionTLS13,
5343 Bugs: ProtocolBugs{
5344 AdvertiseTicketExtension: true,
5345 },
5346 },
5347 resumeSession: true,
5348 shouldFail: true,
5349 expectedError: ":ERROR_PARSING_EXTENSION:",
5350 })
5351
5352 // Test that illegal extensions in TLS 1.3 are declined by the server if
5353 // offered in ClientHello. The runner's server will fail if this occurs,
5354 // so we exercise the offering path. (EMS and Renegotiation Info are
5355 // implicit in every test.)
5356 testCases = append(testCases, testCase{
5357 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5358 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5359 config: Config{
5360 MaxVersion: VersionTLS13,
5361 NextProtos: []string{"bar"},
5362 },
5363 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5364 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5365
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5366 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5367 // tolerated.
5368 testCases = append(testCases, testCase{
5369 name: "SendOCSPResponseOnResume-TLS12",
5370 config: Config{
5371 MaxVersion: VersionTLS12,
5372 Bugs: ProtocolBugs{
5373 SendOCSPResponseOnResume: []byte("bogus"),
5374 },
5375 },
5376 flags: []string{
5377 "-enable-ocsp-stapling",
5378 "-expect-ocsp-response",
5379 base64.StdEncoding.EncodeToString(testOCSPResponse),
5380 },
5381 resumeSession: true,
5382 })
5383
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5384 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5385 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5386 config: Config{
5387 MaxVersion: VersionTLS13,
5388 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5389 SendExtensionOnCertificate: testOCSPExtension,
5390 },
5391 },
5392 shouldFail: true,
5393 expectedError: ":UNEXPECTED_EXTENSION:",
5394 })
5395
5396 testCases = append(testCases, testCase{
5397 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5398 config: Config{
5399 MaxVersion: VersionTLS13,
5400 Bugs: ProtocolBugs{
5401 SendExtensionOnCertificate: testSCTExtension,
5402 },
5403 },
5404 shouldFail: true,
5405 expectedError: ":UNEXPECTED_EXTENSION:",
5406 })
5407
5408 // Test that extensions on client certificates are never accepted.
5409 testCases = append(testCases, testCase{
5410 name: "SendExtensionOnClientCertificate-TLS13",
5411 testType: serverTest,
5412 config: Config{
5413 MaxVersion: VersionTLS13,
5414 Certificates: []Certificate{rsaCertificate},
5415 Bugs: ProtocolBugs{
5416 SendExtensionOnCertificate: testOCSPExtension,
5417 },
5418 },
5419 flags: []string{
5420 "-enable-ocsp-stapling",
5421 "-require-any-client-certificate",
5422 },
5423 shouldFail: true,
5424 expectedError: ":UNEXPECTED_EXTENSION:",
5425 })
5426
5427 testCases = append(testCases, testCase{
5428 name: "SendUnknownExtensionOnCertificate-TLS13",
5429 config: Config{
5430 MaxVersion: VersionTLS13,
5431 Bugs: ProtocolBugs{
5432 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5433 },
5434 },
5435 shouldFail: true,
5436 expectedError: ":UNEXPECTED_EXTENSION:",
5437 })
5438
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5439 var differentSCTList []byte
5440 differentSCTList = append(differentSCTList, testSCTList...)
5441 differentSCTList[len(differentSCTList)-1] ^= 1
5442
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5443 // Test that extensions on intermediates are allowed but ignored.
5444 testCases = append(testCases, testCase{
5445 name: "IgnoreExtensionsOnIntermediates-TLS13",
5446 config: Config{
5447 MaxVersion: VersionTLS13,
5448 Certificates: []Certificate{rsaChainCertificate},
5449 Bugs: ProtocolBugs{
5450 // Send different values on the intermediate. This tests
5451 // the intermediate's extensions do not override the
5452 // leaf's.
5453 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5454 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5455 },
5456 },
5457 flags: []string{
5458 "-enable-ocsp-stapling",
5459 "-expect-ocsp-response",
5460 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5461 "-enable-signed-cert-timestamps",
5462 "-expect-signed-cert-timestamps",
5463 base64.StdEncoding.EncodeToString(testSCTList),
5464 },
5465 resumeSession: true,
5466 })
5467
5468 // Test that extensions are not sent on intermediates when configured
5469 // only for a leaf.
5470 testCases = append(testCases, testCase{
5471 testType: serverTest,
5472 name: "SendNoExtensionsOnIntermediate-TLS13",
5473 config: Config{
5474 MaxVersion: VersionTLS13,
5475 Bugs: ProtocolBugs{
5476 ExpectNoExtensionsOnIntermediate: true,
5477 },
5478 },
5479 flags: []string{
5480 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5481 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5482 "-ocsp-response",
5483 base64.StdEncoding.EncodeToString(testOCSPResponse),
5484 "-signed-cert-timestamps",
5485 base64.StdEncoding.EncodeToString(testSCTList),
5486 },
5487 })
5488
5489 // Test that extensions are not sent on client certificates.
5490 testCases = append(testCases, testCase{
5491 name: "SendNoClientCertificateExtensions-TLS13",
5492 config: Config{
5493 MaxVersion: VersionTLS13,
5494 ClientAuth: RequireAnyClientCert,
5495 },
5496 flags: []string{
5497 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5498 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5499 "-ocsp-response",
5500 base64.StdEncoding.EncodeToString(testOCSPResponse),
5501 "-signed-cert-timestamps",
5502 base64.StdEncoding.EncodeToString(testSCTList),
5503 },
5504 })
5505
5506 testCases = append(testCases, testCase{
5507 name: "SendDuplicateExtensionsOnCerts-TLS13",
5508 config: Config{
5509 MaxVersion: VersionTLS13,
5510 Bugs: ProtocolBugs{
5511 SendDuplicateCertExtensions: true,
5512 },
5513 },
5514 flags: []string{
5515 "-enable-ocsp-stapling",
5516 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5517 },
5518 resumeSession: true,
5519 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5520 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5521 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5522
5523 testCases = append(testCases, testCase{
5524 name: "SignedCertificateTimestampListInvalid-Server",
5525 testType: serverTest,
5526 flags: []string{
5527 "-signed-cert-timestamps",
5528 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5529 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5530 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5531 expectedError: ":INVALID_SCT_LIST:",
5532 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5533}
5534
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5535func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5536 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5537 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5538 // SSL 3.0 does not have tickets and TLS 1.3 does not
5539 // have session IDs, so skip their cross-resumption
5540 // tests.
5541 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5542 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5543 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5544 }
5545
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5546 protocols := []protocol{tls}
5547 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5548 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5549 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5550 for _, protocol := range protocols {
5551 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5552 if protocol == dtls {
5553 suffix += "-DTLS"
5554 }
5555
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5556 if sessionVers.version == resumeVers.version {
5557 testCases = append(testCases, testCase{
5558 protocol: protocol,
5559 name: "Resume-Client" + suffix,
5560 resumeSession: true,
5561 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5562 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5563 Bugs: ProtocolBugs{
5564 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5565 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5566 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5567 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5568 expectedVersion: sessionVers.version,
5569 expectedResumeVersion: resumeVers.version,
5570 })
5571 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5572 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5573
5574 // Offering a TLS 1.3 session sends an empty session ID, so
5575 // there is no way to convince a non-lookahead client the
5576 // session was resumed. It will appear to the client that a
5577 // stray ChangeCipherSpec was sent.
5578 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5579 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5580 }
5581
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5582 testCases = append(testCases, testCase{
5583 protocol: protocol,
5584 name: "Resume-Client-Mismatch" + suffix,
5585 resumeSession: true,
5586 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5587 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5588 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5589 expectedVersion: sessionVers.version,
5590 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5591 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5592 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5593 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5594 },
5595 },
5596 expectedResumeVersion: resumeVers.version,
5597 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5598 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5599 })
5600 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5601
5602 testCases = append(testCases, testCase{
5603 protocol: protocol,
5604 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5605 resumeSession: true,
5606 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5607 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5608 },
5609 expectedVersion: sessionVers.version,
5610 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5611 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5612 },
5613 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5614 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5615 expectedResumeVersion: resumeVers.version,
5616 })
5617
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5618 testCases = append(testCases, testCase{
5619 protocol: protocol,
5620 testType: serverTest,
5621 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5622 resumeSession: true,
5623 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5624 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5625 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5626 expectedVersion: sessionVers.version,
5627 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5628 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5629 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5630 Bugs: ProtocolBugs{
5631 SendBothTickets: true,
5632 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5633 },
5634 expectedResumeVersion: resumeVers.version,
5635 })
5636 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5637 }
5638 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5639
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5640 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5641 testCases = append(testCases, testCase{
5642 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5643 name: "ShimTicketRewritable",
5644 resumeSession: true,
5645 config: Config{
5646 MaxVersion: VersionTLS12,
5647 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5648 Bugs: ProtocolBugs{
5649 FilterTicket: func(in []byte) ([]byte, error) {
5650 in, err := SetShimTicketVersion(in, VersionTLS12)
5651 if err != nil {
5652 return nil, err
5653 }
5654 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5655 },
5656 },
5657 },
5658 flags: []string{
5659 "-ticket-key",
5660 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5661 },
5662 })
5663
5664 // Resumptions are declined if the version does not match.
5665 testCases = append(testCases, testCase{
5666 testType: serverTest,
5667 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5668 resumeSession: true,
5669 config: Config{
5670 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5671 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5672 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5673 FilterTicket: func(in []byte) ([]byte, error) {
5674 return SetShimTicketVersion(in, VersionTLS13)
5675 },
5676 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5677 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5678 flags: []string{
5679 "-ticket-key",
5680 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5681 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5682 expectResumeRejected: true,
5683 })
5684
5685 testCases = append(testCases, testCase{
5686 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5687 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5688 resumeSession: true,
5689 config: Config{
5690 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5691 Bugs: ProtocolBugs{
5692 FilterTicket: func(in []byte) ([]byte, error) {
5693 return SetShimTicketVersion(in, VersionTLS12)
5694 },
5695 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5696 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5697 flags: []string{
5698 "-ticket-key",
5699 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5700 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5701 expectResumeRejected: true,
5702 })
5703
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5704 // Resumptions are declined if the cipher is invalid or disabled.
5705 testCases = append(testCases, testCase{
5706 testType: serverTest,
5707 name: "Resume-Server-DeclineBadCipher",
5708 resumeSession: true,
5709 config: Config{
5710 MaxVersion: VersionTLS12,
5711 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5712 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5713 FilterTicket: func(in []byte) ([]byte, error) {
5714 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5715 },
5716 },
5717 },
5718 flags: []string{
5719 "-ticket-key",
5720 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5721 },
5722 expectResumeRejected: true,
5723 })
5724
5725 testCases = append(testCases, testCase{
5726 testType: serverTest,
5727 name: "Resume-Server-DeclineBadCipher-2",
5728 resumeSession: true,
5729 config: Config{
5730 MaxVersion: VersionTLS12,
5731 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5732 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5733 FilterTicket: func(in []byte) ([]byte, error) {
5734 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5735 },
5736 },
5737 },
5738 flags: []string{
5739 "-cipher", "AES128",
5740 "-ticket-key",
5741 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5742 },
5743 expectResumeRejected: true,
5744 })
5745
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5746 // Sessions are not resumed if they do not use the preferred cipher.
5747 testCases = append(testCases, testCase{
5748 testType: serverTest,
5749 name: "Resume-Server-CipherNotPreferred",
5750 resumeSession: true,
5751 config: Config{
5752 MaxVersion: VersionTLS12,
5753 Bugs: ProtocolBugs{
5754 ExpectNewTicket: true,
5755 FilterTicket: func(in []byte) ([]byte, error) {
5756 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5757 },
5758 },
5759 },
5760 flags: []string{
5761 "-ticket-key",
5762 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5763 },
5764 shouldFail: false,
5765 expectResumeRejected: true,
5766 })
5767
5768 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5769 // PRF hashes match, but BoringSSL will always decline such resumptions.
5770 testCases = append(testCases, testCase{
5771 testType: serverTest,
5772 name: "Resume-Server-CipherNotPreferred-TLS13",
5773 resumeSession: true,
5774 config: Config{
5775 MaxVersion: VersionTLS13,
5776 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5777 Bugs: ProtocolBugs{
5778 FilterTicket: func(in []byte) ([]byte, error) {
5779 // If the client (runner) offers ChaCha20-Poly1305 first, the
5780 // server (shim) always prefers it. Switch it to AES-GCM.
5781 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5782 },
5783 },
5784 },
5785 flags: []string{
5786 "-ticket-key",
5787 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5788 },
5789 shouldFail: false,
5790 expectResumeRejected: true,
5791 })
5792
5793 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5794 testCases = append(testCases, testCase{
5795 testType: serverTest,
5796 name: "Resume-Server-DeclineBadCipher-TLS13",
5797 resumeSession: true,
5798 config: Config{
5799 MaxVersion: VersionTLS13,
5800 Bugs: ProtocolBugs{
5801 FilterTicket: func(in []byte) ([]byte, error) {
5802 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5803 },
5804 },
5805 },
5806 flags: []string{
5807 "-ticket-key",
5808 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5809 },
5810 expectResumeRejected: true,
5811 })
5812
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5813 // If the client does not offer the cipher from the session, decline to
5814 // resume. Clients are forbidden from doing this, but BoringSSL selects
5815 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5816 testCases = append(testCases, testCase{
5817 testType: serverTest,
5818 name: "Resume-Server-UnofferedCipher",
5819 resumeSession: true,
5820 config: Config{
5821 MaxVersion: VersionTLS12,
5822 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5823 },
5824 resumeConfig: &Config{
5825 MaxVersion: VersionTLS12,
5826 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5827 Bugs: ProtocolBugs{
5828 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5829 },
5830 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5831 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5832 })
5833
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5834 // In TLS 1.3, clients may advertise a cipher list which does not
5835 // include the selected cipher. Test that we tolerate this. Servers may
5836 // resume at another cipher if the PRF matches, but BoringSSL will
5837 // always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5838 testCases = append(testCases, testCase{
5839 testType: serverTest,
5840 name: "Resume-Server-UnofferedCipher-TLS13",
5841 resumeSession: true,
5842 config: Config{
5843 MaxVersion: VersionTLS13,
5844 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5845 },
5846 resumeConfig: &Config{
5847 MaxVersion: VersionTLS13,
5848 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5849 Bugs: ProtocolBugs{
5850 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5851 },
5852 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5853 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5854 })
5855
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5856 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5857 testCases = append(testCases, testCase{
5858 name: "Resume-Client-CipherMismatch",
5859 resumeSession: true,
5860 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5861 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5862 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5863 },
5864 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5865 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5866 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5867 Bugs: ProtocolBugs{
5868 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5869 },
5870 },
5871 shouldFail: true,
5872 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5873 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5874
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5875 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
5876 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5877 testCases = append(testCases, testCase{
5878 name: "Resume-Client-CipherMismatch-TLS13",
5879 resumeSession: true,
5880 config: Config{
5881 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5882 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5883 },
5884 resumeConfig: &Config{
5885 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5886 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5887 },
5888 })
5889
5890 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
5891 testCases = append(testCases, testCase{
5892 name: "Resume-Client-PRFMismatch-TLS13",
5893 resumeSession: true,
5894 config: Config{
5895 MaxVersion: VersionTLS13,
5896 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5897 },
5898 resumeConfig: &Config{
5899 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5900 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5901 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5902 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5903 },
5904 },
5905 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5906 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5907 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5908
5909 testCases = append(testCases, testCase{
5910 testType: serverTest,
5911 name: "Resume-Server-BinderWrongLength",
5912 resumeSession: true,
5913 config: Config{
5914 MaxVersion: VersionTLS13,
5915 Bugs: ProtocolBugs{
5916 SendShortPSKBinder: true,
5917 },
5918 },
5919 shouldFail: true,
5920 expectedLocalError: "remote error: error decrypting message",
5921 expectedError: ":DIGEST_CHECK_FAILED:",
5922 })
5923
5924 testCases = append(testCases, testCase{
5925 testType: serverTest,
5926 name: "Resume-Server-NoPSKBinder",
5927 resumeSession: true,
5928 config: Config{
5929 MaxVersion: VersionTLS13,
5930 Bugs: ProtocolBugs{
5931 SendNoPSKBinder: true,
5932 },
5933 },
5934 shouldFail: true,
5935 expectedLocalError: "remote error: error decoding message",
5936 expectedError: ":DECODE_ERROR:",
5937 })
5938
5939 testCases = append(testCases, testCase{
5940 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]5941 name: "Resume-Server-ExtraPSKBinder",
5942 resumeSession: true,
5943 config: Config{
5944 MaxVersion: VersionTLS13,
5945 Bugs: ProtocolBugs{
5946 SendExtraPSKBinder: true,
5947 },
5948 },
5949 shouldFail: true,
5950 expectedLocalError: "remote error: illegal parameter",
5951 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5952 })
5953
5954 testCases = append(testCases, testCase{
5955 testType: serverTest,
5956 name: "Resume-Server-ExtraIdentityNoBinder",
5957 resumeSession: true,
5958 config: Config{
5959 MaxVersion: VersionTLS13,
5960 Bugs: ProtocolBugs{
5961 ExtraPSKIdentity: true,
5962 },
5963 },
5964 shouldFail: true,
5965 expectedLocalError: "remote error: illegal parameter",
5966 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5967 })
5968
5969 testCases = append(testCases, testCase{
5970 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5971 name: "Resume-Server-InvalidPSKBinder",
5972 resumeSession: true,
5973 config: Config{
5974 MaxVersion: VersionTLS13,
5975 Bugs: ProtocolBugs{
5976 SendInvalidPSKBinder: true,
5977 },
5978 },
5979 shouldFail: true,
5980 expectedLocalError: "remote error: error decrypting message",
5981 expectedError: ":DIGEST_CHECK_FAILED:",
5982 })
5983
5984 testCases = append(testCases, testCase{
5985 testType: serverTest,
5986 name: "Resume-Server-PSKBinderFirstExtension",
5987 resumeSession: true,
5988 config: Config{
5989 MaxVersion: VersionTLS13,
5990 Bugs: ProtocolBugs{
5991 PSKBinderFirst: true,
5992 },
5993 },
5994 shouldFail: true,
5995 expectedLocalError: "remote error: illegal parameter",
5996 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
5997 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5998}
5999
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6000func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6001 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6002 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6003 testType: serverTest,
6004 name: "Renegotiate-Server-Forbidden",
6005 config: Config{
6006 MaxVersion: VersionTLS12,
6007 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6008 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6009 shouldFail: true,
6010 expectedError: ":NO_RENEGOTIATION:",
6011 expectedLocalError: "remote error: no renegotiation",
6012 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6013 // The server shouldn't echo the renegotiation extension unless
6014 // requested by the client.
6015 testCases = append(testCases, testCase{
6016 testType: serverTest,
6017 name: "Renegotiate-Server-NoExt",
6018 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6019 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6020 Bugs: ProtocolBugs{
6021 NoRenegotiationInfo: true,
6022 RequireRenegotiationInfo: true,
6023 },
6024 },
6025 shouldFail: true,
6026 expectedLocalError: "renegotiation extension missing",
6027 })
6028 // The renegotiation SCSV should be sufficient for the server to echo
6029 // the extension.
6030 testCases = append(testCases, testCase{
6031 testType: serverTest,
6032 name: "Renegotiate-Server-NoExt-SCSV",
6033 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6034 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6035 Bugs: ProtocolBugs{
6036 NoRenegotiationInfo: true,
6037 SendRenegotiationSCSV: true,
6038 RequireRenegotiationInfo: true,
6039 },
6040 },
6041 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6042 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6043 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6044 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6045 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6046 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6047 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6048 },
6049 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6050 renegotiate: 1,
6051 flags: []string{
6052 "-renegotiate-freely",
6053 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6054 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6055 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6056 })
6057 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6058 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6059 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6060 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6061 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6062 Bugs: ProtocolBugs{
6063 EmptyRenegotiationInfo: true,
6064 },
6065 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6066 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6067 shouldFail: true,
6068 expectedError: ":RENEGOTIATION_MISMATCH:",
6069 })
6070 testCases = append(testCases, testCase{
6071 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6072 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6073 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6074 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6075 Bugs: ProtocolBugs{
6076 BadRenegotiationInfo: true,
6077 },
6078 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6079 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6080 shouldFail: true,
6081 expectedError: ":RENEGOTIATION_MISMATCH:",
6082 })
6083 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6084 name: "Renegotiate-Client-Downgrade",
6085 renegotiate: 1,
6086 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6087 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6088 Bugs: ProtocolBugs{
6089 NoRenegotiationInfoAfterInitial: true,
6090 },
6091 },
6092 flags: []string{"-renegotiate-freely"},
6093 shouldFail: true,
6094 expectedError: ":RENEGOTIATION_MISMATCH:",
6095 })
6096 testCases = append(testCases, testCase{
6097 name: "Renegotiate-Client-Upgrade",
6098 renegotiate: 1,
6099 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6100 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6101 Bugs: ProtocolBugs{
6102 NoRenegotiationInfoInInitial: true,
6103 },
6104 },
6105 flags: []string{"-renegotiate-freely"},
6106 shouldFail: true,
6107 expectedError: ":RENEGOTIATION_MISMATCH:",
6108 })
6109 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6110 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6111 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6112 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6113 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6114 Bugs: ProtocolBugs{
6115 NoRenegotiationInfo: true,
6116 },
6117 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6118 flags: []string{
6119 "-renegotiate-freely",
6120 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6121 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6122 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6123 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6124
6125 // Test that the server may switch ciphers on renegotiation without
6126 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6127 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6128 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6129 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6130 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6131 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6132 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6133 },
6134 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6135 flags: []string{
6136 "-renegotiate-freely",
6137 "-expect-total-renegotiations", "1",
6138 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6139 })
6140 testCases = append(testCases, testCase{
6141 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6142 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6143 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6144 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6145 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6146 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6147 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6148 flags: []string{
6149 "-renegotiate-freely",
6150 "-expect-total-renegotiations", "1",
6151 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6152 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6153
6154 // Test that the server may not switch versions on renegotiation.
6155 testCases = append(testCases, testCase{
6156 name: "Renegotiate-Client-SwitchVersion",
6157 config: Config{
6158 MaxVersion: VersionTLS12,
6159 // Pick a cipher which exists at both versions.
6160 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6161 Bugs: ProtocolBugs{
6162 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6163 // Avoid failing early at the record layer.
6164 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6165 },
6166 },
6167 renegotiate: 1,
6168 flags: []string{
6169 "-renegotiate-freely",
6170 "-expect-total-renegotiations", "1",
6171 },
6172 shouldFail: true,
6173 expectedError: ":WRONG_SSL_VERSION:",
6174 })
6175
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6176 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6177 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6178 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6179 config: Config{
6180 MaxVersion: VersionTLS10,
6181 Bugs: ProtocolBugs{
6182 RequireSameRenegoClientVersion: true,
6183 },
6184 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6185 flags: []string{
6186 "-renegotiate-freely",
6187 "-expect-total-renegotiations", "1",
6188 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6189 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6190 testCases = append(testCases, testCase{
6191 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6192 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6193 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6194 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6195 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6196 NextProtos: []string{"foo"},
6197 },
6198 flags: []string{
6199 "-false-start",
6200 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6201 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6202 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6203 },
6204 shimWritesFirst: true,
6205 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6206
6207 // Client-side renegotiation controls.
6208 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6209 name: "Renegotiate-Client-Forbidden-1",
6210 config: Config{
6211 MaxVersion: VersionTLS12,
6212 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6213 renegotiate: 1,
6214 shouldFail: true,
6215 expectedError: ":NO_RENEGOTIATION:",
6216 expectedLocalError: "remote error: no renegotiation",
6217 })
6218 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6219 name: "Renegotiate-Client-Once-1",
6220 config: Config{
6221 MaxVersion: VersionTLS12,
6222 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6223 renegotiate: 1,
6224 flags: []string{
6225 "-renegotiate-once",
6226 "-expect-total-renegotiations", "1",
6227 },
6228 })
6229 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6230 name: "Renegotiate-Client-Freely-1",
6231 config: Config{
6232 MaxVersion: VersionTLS12,
6233 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6234 renegotiate: 1,
6235 flags: []string{
6236 "-renegotiate-freely",
6237 "-expect-total-renegotiations", "1",
6238 },
6239 })
6240 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6241 name: "Renegotiate-Client-Once-2",
6242 config: Config{
6243 MaxVersion: VersionTLS12,
6244 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6245 renegotiate: 2,
6246 flags: []string{"-renegotiate-once"},
6247 shouldFail: true,
6248 expectedError: ":NO_RENEGOTIATION:",
6249 expectedLocalError: "remote error: no renegotiation",
6250 })
6251 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6252 name: "Renegotiate-Client-Freely-2",
6253 config: Config{
6254 MaxVersion: VersionTLS12,
6255 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6256 renegotiate: 2,
6257 flags: []string{
6258 "-renegotiate-freely",
6259 "-expect-total-renegotiations", "2",
6260 },
6261 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6262 testCases = append(testCases, testCase{
6263 name: "Renegotiate-Client-NoIgnore",
6264 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6265 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6266 Bugs: ProtocolBugs{
6267 SendHelloRequestBeforeEveryAppDataRecord: true,
6268 },
6269 },
6270 shouldFail: true,
6271 expectedError: ":NO_RENEGOTIATION:",
6272 })
6273 testCases = append(testCases, testCase{
6274 name: "Renegotiate-Client-Ignore",
6275 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6276 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6277 Bugs: ProtocolBugs{
6278 SendHelloRequestBeforeEveryAppDataRecord: true,
6279 },
6280 },
6281 flags: []string{
6282 "-renegotiate-ignore",
6283 "-expect-total-renegotiations", "0",
6284 },
6285 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6286
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6287 // Renegotiation is not allowed at SSL 3.0.
6288 testCases = append(testCases, testCase{
6289 name: "Renegotiate-Client-SSL3",
6290 config: Config{
6291 MaxVersion: VersionSSL30,
6292 },
6293 renegotiate: 1,
6294 flags: []string{
6295 "-renegotiate-freely",
6296 "-expect-total-renegotiations", "1",
6297 },
6298 shouldFail: true,
6299 expectedError: ":NO_RENEGOTIATION:",
6300 expectedLocalError: "remote error: no renegotiation",
6301 })
6302
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6303 // Renegotiation is not allowed when there is an unfinished write.
6304 testCases = append(testCases, testCase{
6305 name: "Renegotiate-Client-UnfinishedWrite",
6306 config: Config{
6307 MaxVersion: VersionTLS12,
6308 },
6309 renegotiate: 1,
6310 flags: []string{
6311 "-async",
6312 "-renegotiate-freely",
6313 "-read-with-unfinished-write",
6314 },
6315 shouldFail: true,
6316 expectedError: ":NO_RENEGOTIATION:",
6317 // We do not successfully send the no_renegotiation alert in
6318 // this case. https://crbug.com/boringssl/130
6319 })
6320
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6321 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6322 testCases = append(testCases, testCase{
6323 name: "StrayHelloRequest",
6324 config: Config{
6325 MaxVersion: VersionTLS12,
6326 Bugs: ProtocolBugs{
6327 SendHelloRequestBeforeEveryHandshakeMessage: true,
6328 },
6329 },
6330 })
6331 testCases = append(testCases, testCase{
6332 name: "StrayHelloRequest-Packed",
6333 config: Config{
6334 MaxVersion: VersionTLS12,
6335 Bugs: ProtocolBugs{
6336 PackHandshakeFlight: true,
6337 SendHelloRequestBeforeEveryHandshakeMessage: true,
6338 },
6339 },
6340 })
6341
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6342 // Test renegotiation works if HelloRequest and server Finished come in
6343 // the same record.
6344 testCases = append(testCases, testCase{
6345 name: "Renegotiate-Client-Packed",
6346 config: Config{
6347 MaxVersion: VersionTLS12,
6348 Bugs: ProtocolBugs{
6349 PackHandshakeFlight: true,
6350 PackHelloRequestWithFinished: true,
6351 },
6352 },
6353 renegotiate: 1,
6354 flags: []string{
6355 "-renegotiate-freely",
6356 "-expect-total-renegotiations", "1",
6357 },
6358 })
6359
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6360 // Renegotiation is forbidden in TLS 1.3.
6361 testCases = append(testCases, testCase{
6362 name: "Renegotiate-Client-TLS13",
6363 config: Config{
6364 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6365 Bugs: ProtocolBugs{
6366 SendHelloRequestBeforeEveryAppDataRecord: true,
6367 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6368 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6369 flags: []string{
6370 "-renegotiate-freely",
6371 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6372 shouldFail: true,
6373 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6374 })
6375
6376 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6377 testCases = append(testCases, testCase{
6378 name: "StrayHelloRequest-TLS13",
6379 config: Config{
6380 MaxVersion: VersionTLS13,
6381 Bugs: ProtocolBugs{
6382 SendHelloRequestBeforeEveryHandshakeMessage: true,
6383 },
6384 },
6385 shouldFail: true,
6386 expectedError: ":UNEXPECTED_MESSAGE:",
6387 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6388
6389 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6390 // always reads as supporting it, regardless of whether it was
6391 // negotiated.
6392 testCases = append(testCases, testCase{
6393 name: "AlwaysReportRenegotiationInfo-TLS13",
6394 config: Config{
6395 MaxVersion: VersionTLS13,
6396 Bugs: ProtocolBugs{
6397 NoRenegotiationInfo: true,
6398 },
6399 },
6400 flags: []string{
6401 "-expect-secure-renegotiation",
6402 },
6403 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6404}
6405
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6406func addDTLSReplayTests() {
6407 // Test that sequence number replays are detected.
6408 testCases = append(testCases, testCase{
6409 protocol: dtls,
6410 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6411 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6412 replayWrites: true,
6413 })
6414
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6415 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6416 // than the retransmit window.
6417 testCases = append(testCases, testCase{
6418 protocol: dtls,
6419 name: "DTLS-Replay-LargeGaps",
6420 config: Config{
6421 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6422 SequenceNumberMapping: func(in uint64) uint64 {
6423 return in * 127
6424 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6425 },
6426 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6427 messageCount: 200,
6428 replayWrites: true,
6429 })
6430
6431 // Test the incoming sequence number changing non-monotonically.
6432 testCases = append(testCases, testCase{
6433 protocol: dtls,
6434 name: "DTLS-Replay-NonMonotonic",
6435 config: Config{
6436 Bugs: ProtocolBugs{
6437 SequenceNumberMapping: func(in uint64) uint64 {
6438 return in ^ 31
6439 },
6440 },
6441 },
6442 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6443 replayWrites: true,
6444 })
6445}
6446
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6447var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6448 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6449 id signatureAlgorithm
6450 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6451}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6452 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6453 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6454 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6455 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6456 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6457 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6458 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6459 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6460 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6461 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6462 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6463 // Tests for key types prior to TLS 1.2.
6464 {"RSA", 0, testCertRSA},
6465 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6466}
6467
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6468const fakeSigAlg1 signatureAlgorithm = 0x2a01
6469const fakeSigAlg2 signatureAlgorithm = 0xff01
6470
6471func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6472 // Not all ciphers involve a signature. Advertise a list which gives all
6473 // versions a signing cipher.
6474 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6475 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6476 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6477 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6478 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6479 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
6480 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
6481 }
6482
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6483 var allAlgorithms []signatureAlgorithm
6484 for _, alg := range testSignatureAlgorithms {
6485 if alg.id != 0 {
6486 allAlgorithms = append(allAlgorithms, alg.id)
6487 }
6488 }
6489
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6490 // Make sure each signature algorithm works. Include some fake values in
6491 // the list and ensure they're ignored.
6492 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6493 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6494 if (ver.version < VersionTLS12) != (alg.id == 0) {
6495 continue
6496 }
6497
6498 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6499 // or remove it in C.
6500 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6501 continue
6502 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6503
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6504 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6505 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6506 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6507 shouldSignFail = true
6508 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6509 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6510 // RSA-PKCS1 does not exist in TLS 1.3.
6511 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6512 shouldSignFail = true
6513 shouldVerifyFail = true
6514 }
6515
6516 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6517 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6518 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6519 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6520
6521 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6522 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6523 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6524 }
6525 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6526 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6527 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6528
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6529 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6530
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6531 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6532 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6533 config: Config{
6534 MaxVersion: ver.version,
6535 ClientAuth: RequireAnyClientCert,
6536 VerifySignatureAlgorithms: []signatureAlgorithm{
6537 fakeSigAlg1,
6538 alg.id,
6539 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6540 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6541 },
6542 flags: []string{
6543 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6544 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6545 "-enable-all-curves",
6546 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6547 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6548 expectedError: signError,
6549 expectedPeerSignatureAlgorithm: alg.id,
6550 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6551
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6552 testCases = append(testCases, testCase{
6553 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6554 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6555 config: Config{
6556 MaxVersion: ver.version,
6557 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6558 SignSignatureAlgorithms: []signatureAlgorithm{
6559 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6560 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6561 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6562 SkipECDSACurveCheck: shouldVerifyFail,
6563 IgnoreSignatureVersionChecks: shouldVerifyFail,
6564 // Some signature algorithms may not be advertised.
6565 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6566 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6567 },
6568 flags: []string{
6569 "-require-any-client-certificate",
6570 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6571 "-enable-all-curves",
6572 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6573 // Resume the session to assert the peer signature
6574 // algorithm is reported on both handshakes.
6575 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6576 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6577 expectedError: verifyError,
6578 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6579
6580 testCases = append(testCases, testCase{
6581 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6582 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6583 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6584 MaxVersion: ver.version,
6585 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6586 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6587 fakeSigAlg1,
6588 alg.id,
6589 fakeSigAlg2,
6590 },
6591 },
6592 flags: []string{
6593 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6594 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6595 "-enable-all-curves",
6596 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6597 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6598 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6599 expectedPeerSignatureAlgorithm: alg.id,
6600 })
6601
6602 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6603 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6604 config: Config{
6605 MaxVersion: ver.version,
6606 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6607 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6608 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6609 alg.id,
6610 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6611 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6612 SkipECDSACurveCheck: shouldVerifyFail,
6613 IgnoreSignatureVersionChecks: shouldVerifyFail,
6614 // Some signature algorithms may not be advertised.
6615 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6616 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6617 },
6618 flags: []string{
6619 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6620 "-enable-all-curves",
6621 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6622 // Resume the session to assert the peer signature
6623 // algorithm is reported on both handshakes.
6624 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6625 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6626 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6627 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6628
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6629 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6630 testCases = append(testCases, testCase{
6631 testType: serverTest,
6632 name: "ClientAuth-InvalidSignature" + suffix,
6633 config: Config{
6634 MaxVersion: ver.version,
6635 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6636 SignSignatureAlgorithms: []signatureAlgorithm{
6637 alg.id,
6638 },
6639 Bugs: ProtocolBugs{
6640 InvalidSignature: true,
6641 },
6642 },
6643 flags: []string{
6644 "-require-any-client-certificate",
6645 "-enable-all-curves",
6646 },
6647 shouldFail: true,
6648 expectedError: ":BAD_SIGNATURE:",
6649 })
6650
6651 testCases = append(testCases, testCase{
6652 name: "ServerAuth-InvalidSignature" + suffix,
6653 config: Config{
6654 MaxVersion: ver.version,
6655 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6656 CipherSuites: signingCiphers,
6657 SignSignatureAlgorithms: []signatureAlgorithm{
6658 alg.id,
6659 },
6660 Bugs: ProtocolBugs{
6661 InvalidSignature: true,
6662 },
6663 },
6664 flags: []string{"-enable-all-curves"},
6665 shouldFail: true,
6666 expectedError: ":BAD_SIGNATURE:",
6667 })
6668 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6669
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6670 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6671 testCases = append(testCases, testCase{
6672 name: "ClientAuth-Sign-Negotiate" + suffix,
6673 config: Config{
6674 MaxVersion: ver.version,
6675 ClientAuth: RequireAnyClientCert,
6676 VerifySignatureAlgorithms: allAlgorithms,
6677 },
6678 flags: []string{
6679 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6680 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6681 "-enable-all-curves",
6682 "-signing-prefs", strconv.Itoa(int(alg.id)),
6683 },
6684 expectedPeerSignatureAlgorithm: alg.id,
6685 })
6686
6687 testCases = append(testCases, testCase{
6688 testType: serverTest,
6689 name: "ServerAuth-Sign-Negotiate" + suffix,
6690 config: Config{
6691 MaxVersion: ver.version,
6692 CipherSuites: signingCiphers,
6693 VerifySignatureAlgorithms: allAlgorithms,
6694 },
6695 flags: []string{
6696 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6697 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6698 "-enable-all-curves",
6699 "-signing-prefs", strconv.Itoa(int(alg.id)),
6700 },
6701 expectedPeerSignatureAlgorithm: alg.id,
6702 })
6703 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6704 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6705 }
6706
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6707 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6708 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6709 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6710 config: Config{
6711 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6712 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6713 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6714 signatureECDSAWithP521AndSHA512,
6715 signatureRSAPKCS1WithSHA384,
6716 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6717 },
6718 },
6719 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6720 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6721 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6722 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6723 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6724 })
6725
6726 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6727 name: "ClientAuth-SignatureType-TLS13",
6728 config: Config{
6729 ClientAuth: RequireAnyClientCert,
6730 MaxVersion: VersionTLS13,
6731 VerifySignatureAlgorithms: []signatureAlgorithm{
6732 signatureECDSAWithP521AndSHA512,
6733 signatureRSAPKCS1WithSHA384,
6734 signatureRSAPSSWithSHA384,
6735 signatureECDSAWithSHA1,
6736 },
6737 },
6738 flags: []string{
6739 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6740 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6741 },
6742 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6743 })
6744
6745 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6746 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6747 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6748 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6749 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6750 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6751 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6752 signatureECDSAWithP521AndSHA512,
6753 signatureRSAPKCS1WithSHA384,
6754 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6755 },
6756 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6757 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6758 })
6759
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6760 testCases = append(testCases, testCase{
6761 testType: serverTest,
6762 name: "ServerAuth-SignatureType-TLS13",
6763 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6764 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6765 VerifySignatureAlgorithms: []signatureAlgorithm{
6766 signatureECDSAWithP521AndSHA512,
6767 signatureRSAPKCS1WithSHA384,
6768 signatureRSAPSSWithSHA384,
6769 signatureECDSAWithSHA1,
6770 },
6771 },
6772 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6773 })
6774
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6775 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6776 testCases = append(testCases, testCase{
6777 testType: serverTest,
6778 name: "Verify-ClientAuth-SignatureType",
6779 config: Config{
6780 MaxVersion: VersionTLS12,
6781 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6782 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6783 signatureRSAPKCS1WithSHA256,
6784 },
6785 Bugs: ProtocolBugs{
6786 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6787 },
6788 },
6789 flags: []string{
6790 "-require-any-client-certificate",
6791 },
6792 shouldFail: true,
6793 expectedError: ":WRONG_SIGNATURE_TYPE:",
6794 })
6795
6796 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6797 testType: serverTest,
6798 name: "Verify-ClientAuth-SignatureType-TLS13",
6799 config: Config{
6800 MaxVersion: VersionTLS13,
6801 Certificates: []Certificate{rsaCertificate},
6802 SignSignatureAlgorithms: []signatureAlgorithm{
6803 signatureRSAPSSWithSHA256,
6804 },
6805 Bugs: ProtocolBugs{
6806 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6807 },
6808 },
6809 flags: []string{
6810 "-require-any-client-certificate",
6811 },
6812 shouldFail: true,
6813 expectedError: ":WRONG_SIGNATURE_TYPE:",
6814 })
6815
6816 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6817 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6818 config: Config{
6819 MaxVersion: VersionTLS12,
6820 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6821 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6822 signatureRSAPKCS1WithSHA256,
6823 },
6824 Bugs: ProtocolBugs{
6825 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6826 },
6827 },
6828 shouldFail: true,
6829 expectedError: ":WRONG_SIGNATURE_TYPE:",
6830 })
6831
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6832 testCases = append(testCases, testCase{
6833 name: "Verify-ServerAuth-SignatureType-TLS13",
6834 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6835 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6836 SignSignatureAlgorithms: []signatureAlgorithm{
6837 signatureRSAPSSWithSHA256,
6838 },
6839 Bugs: ProtocolBugs{
6840 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6841 },
6842 },
6843 shouldFail: true,
6844 expectedError: ":WRONG_SIGNATURE_TYPE:",
6845 })
6846
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6847 // Test that, if the list is missing, the peer falls back to SHA-1 in
6848 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6849 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6850 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6851 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6852 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6853 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6854 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6855 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6856 },
6857 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6858 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6859 },
6860 },
6861 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6862 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6863 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6864 },
6865 })
6866
6867 testCases = append(testCases, testCase{
6868 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6869 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6870 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6871 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6872 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6873 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6874 },
6875 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6876 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6877 },
6878 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6879 flags: []string{
6880 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6881 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6882 },
6883 })
6884
6885 testCases = append(testCases, testCase{
6886 name: "ClientAuth-SHA1-Fallback-ECDSA",
6887 config: Config{
6888 MaxVersion: VersionTLS12,
6889 ClientAuth: RequireAnyClientCert,
6890 VerifySignatureAlgorithms: []signatureAlgorithm{
6891 signatureECDSAWithSHA1,
6892 },
6893 Bugs: ProtocolBugs{
6894 NoSignatureAlgorithms: true,
6895 },
6896 },
6897 flags: []string{
6898 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6899 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6900 },
6901 })
6902
6903 testCases = append(testCases, testCase{
6904 testType: serverTest,
6905 name: "ServerAuth-SHA1-Fallback-ECDSA",
6906 config: Config{
6907 MaxVersion: VersionTLS12,
6908 VerifySignatureAlgorithms: []signatureAlgorithm{
6909 signatureECDSAWithSHA1,
6910 },
6911 Bugs: ProtocolBugs{
6912 NoSignatureAlgorithms: true,
6913 },
6914 },
6915 flags: []string{
6916 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6917 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6918 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6919 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6920
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6921 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6922 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6923 config: Config{
6924 MaxVersion: VersionTLS13,
6925 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6926 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6927 signatureRSAPKCS1WithSHA1,
6928 },
6929 Bugs: ProtocolBugs{
6930 NoSignatureAlgorithms: true,
6931 },
6932 },
6933 flags: []string{
6934 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6935 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6936 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]6937 shouldFail: true,
6938 // An empty CertificateRequest signature algorithm list is a
6939 // syntax error in TLS 1.3.
6940 expectedError: ":DECODE_ERROR:",
6941 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6942 })
6943
6944 testCases = append(testCases, testCase{
6945 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6946 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6947 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6948 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6949 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6950 signatureRSAPKCS1WithSHA1,
6951 },
6952 Bugs: ProtocolBugs{
6953 NoSignatureAlgorithms: true,
6954 },
6955 },
6956 shouldFail: true,
6957 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6958 })
6959
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6960 // Test that hash preferences are enforced. BoringSSL does not implement
6961 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6962 testCases = append(testCases, testCase{
6963 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6964 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6965 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6966 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6967 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6968 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6969 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6970 },
6971 Bugs: ProtocolBugs{
6972 IgnorePeerSignatureAlgorithmPreferences: true,
6973 },
6974 },
6975 flags: []string{"-require-any-client-certificate"},
6976 shouldFail: true,
6977 expectedError: ":WRONG_SIGNATURE_TYPE:",
6978 })
6979
6980 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6981 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6982 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6983 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6984 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6985 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6986 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6987 },
6988 Bugs: ProtocolBugs{
6989 IgnorePeerSignatureAlgorithmPreferences: true,
6990 },
6991 },
6992 shouldFail: true,
6993 expectedError: ":WRONG_SIGNATURE_TYPE:",
6994 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6995 testCases = append(testCases, testCase{
6996 testType: serverTest,
6997 name: "ClientAuth-Enforced-TLS13",
6998 config: Config{
6999 MaxVersion: VersionTLS13,
7000 Certificates: []Certificate{rsaCertificate},
7001 SignSignatureAlgorithms: []signatureAlgorithm{
7002 signatureRSAPKCS1WithMD5,
7003 },
7004 Bugs: ProtocolBugs{
7005 IgnorePeerSignatureAlgorithmPreferences: true,
7006 IgnoreSignatureVersionChecks: true,
7007 },
7008 },
7009 flags: []string{"-require-any-client-certificate"},
7010 shouldFail: true,
7011 expectedError: ":WRONG_SIGNATURE_TYPE:",
7012 })
7013
7014 testCases = append(testCases, testCase{
7015 name: "ServerAuth-Enforced-TLS13",
7016 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7017 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7018 SignSignatureAlgorithms: []signatureAlgorithm{
7019 signatureRSAPKCS1WithMD5,
7020 },
7021 Bugs: ProtocolBugs{
7022 IgnorePeerSignatureAlgorithmPreferences: true,
7023 IgnoreSignatureVersionChecks: true,
7024 },
7025 },
7026 shouldFail: true,
7027 expectedError: ":WRONG_SIGNATURE_TYPE:",
7028 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7029
7030 // Test that the agreed upon digest respects the client preferences and
7031 // the server digests.
7032 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7033 name: "NoCommonAlgorithms-Digests",
7034 config: Config{
7035 MaxVersion: VersionTLS12,
7036 ClientAuth: RequireAnyClientCert,
7037 VerifySignatureAlgorithms: []signatureAlgorithm{
7038 signatureRSAPKCS1WithSHA512,
7039 signatureRSAPKCS1WithSHA1,
7040 },
7041 },
7042 flags: []string{
7043 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7044 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7045 "-digest-prefs", "SHA256",
7046 },
7047 shouldFail: true,
7048 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7049 })
7050 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7051 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7052 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7053 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7054 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7055 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7056 signatureRSAPKCS1WithSHA512,
7057 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7058 },
7059 },
7060 flags: []string{
7061 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7062 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7063 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7064 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7065 shouldFail: true,
7066 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7067 })
7068 testCases = append(testCases, testCase{
7069 name: "NoCommonAlgorithms-TLS13",
7070 config: Config{
7071 MaxVersion: VersionTLS13,
7072 ClientAuth: RequireAnyClientCert,
7073 VerifySignatureAlgorithms: []signatureAlgorithm{
7074 signatureRSAPSSWithSHA512,
7075 signatureRSAPSSWithSHA384,
7076 },
7077 },
7078 flags: []string{
7079 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7080 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7081 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7082 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7083 shouldFail: true,
7084 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7085 })
7086 testCases = append(testCases, testCase{
7087 name: "Agree-Digest-SHA256",
7088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7089 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7090 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7091 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7092 signatureRSAPKCS1WithSHA1,
7093 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7094 },
7095 },
7096 flags: []string{
7097 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7098 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7099 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7100 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7101 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7102 })
7103 testCases = append(testCases, testCase{
7104 name: "Agree-Digest-SHA1",
7105 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7106 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7107 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7108 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7109 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7110 },
7111 },
7112 flags: []string{
7113 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7114 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7115 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7116 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7117 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7118 })
7119 testCases = append(testCases, testCase{
7120 name: "Agree-Digest-Default",
7121 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7122 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7123 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7124 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7125 signatureRSAPKCS1WithSHA256,
7126 signatureECDSAWithP256AndSHA256,
7127 signatureRSAPKCS1WithSHA1,
7128 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7129 },
7130 },
7131 flags: []string{
7132 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7133 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7134 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7135 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7136 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7137
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7138 // Test that the signing preference list may include extra algorithms
7139 // without negotiation problems.
7140 testCases = append(testCases, testCase{
7141 testType: serverTest,
7142 name: "FilterExtraAlgorithms",
7143 config: Config{
7144 MaxVersion: VersionTLS12,
7145 VerifySignatureAlgorithms: []signatureAlgorithm{
7146 signatureRSAPKCS1WithSHA256,
7147 },
7148 },
7149 flags: []string{
7150 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7151 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7152 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7153 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7154 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7155 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7156 },
7157 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7158 })
7159
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7160 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7161 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7162 testCases = append(testCases, testCase{
7163 name: "CheckLeafCurve",
7164 config: Config{
7165 MaxVersion: VersionTLS12,
7166 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7167 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7168 },
7169 flags: []string{"-p384-only"},
7170 shouldFail: true,
7171 expectedError: ":BAD_ECC_CERT:",
7172 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7173
7174 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7175 testCases = append(testCases, testCase{
7176 name: "CheckLeafCurve-TLS13",
7177 config: Config{
7178 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7179 Certificates: []Certificate{ecdsaP256Certificate},
7180 },
7181 flags: []string{"-p384-only"},
7182 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7183
7184 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7185 testCases = append(testCases, testCase{
7186 name: "ECDSACurveMismatch-Verify-TLS12",
7187 config: Config{
7188 MaxVersion: VersionTLS12,
7189 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7190 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7191 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7192 signatureECDSAWithP384AndSHA384,
7193 },
7194 },
7195 })
7196
7197 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7198 testCases = append(testCases, testCase{
7199 name: "ECDSACurveMismatch-Verify-TLS13",
7200 config: Config{
7201 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7202 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7203 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7204 signatureECDSAWithP384AndSHA384,
7205 },
7206 Bugs: ProtocolBugs{
7207 SkipECDSACurveCheck: true,
7208 },
7209 },
7210 shouldFail: true,
7211 expectedError: ":WRONG_SIGNATURE_TYPE:",
7212 })
7213
7214 // Signature algorithm selection in TLS 1.3 should take the curve into
7215 // account.
7216 testCases = append(testCases, testCase{
7217 testType: serverTest,
7218 name: "ECDSACurveMismatch-Sign-TLS13",
7219 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7220 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7221 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7222 signatureECDSAWithP384AndSHA384,
7223 signatureECDSAWithP256AndSHA256,
7224 },
7225 },
7226 flags: []string{
7227 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7228 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7229 },
7230 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7231 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7232
7233 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7234 // server does not attempt to sign in that case.
7235 testCases = append(testCases, testCase{
7236 testType: serverTest,
7237 name: "RSA-PSS-Large",
7238 config: Config{
7239 MaxVersion: VersionTLS13,
7240 VerifySignatureAlgorithms: []signatureAlgorithm{
7241 signatureRSAPSSWithSHA512,
7242 },
7243 },
7244 flags: []string{
7245 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7246 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7247 },
7248 shouldFail: true,
7249 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7250 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7251
7252 // Test that RSA-PSS is enabled by default for TLS 1.2.
7253 testCases = append(testCases, testCase{
7254 testType: clientTest,
7255 name: "RSA-PSS-Default-Verify",
7256 config: Config{
7257 MaxVersion: VersionTLS12,
7258 SignSignatureAlgorithms: []signatureAlgorithm{
7259 signatureRSAPSSWithSHA256,
7260 },
7261 },
7262 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7263 })
7264
7265 testCases = append(testCases, testCase{
7266 testType: serverTest,
7267 name: "RSA-PSS-Default-Sign",
7268 config: Config{
7269 MaxVersion: VersionTLS12,
7270 VerifySignatureAlgorithms: []signatureAlgorithm{
7271 signatureRSAPSSWithSHA256,
7272 },
7273 },
7274 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7275 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7276}
7277
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7278// timeouts is the retransmit schedule for BoringSSL. It doubles and
7279// caps at 60 seconds. On the 13th timeout, it gives up.
7280var timeouts = []time.Duration{
7281 1 * time.Second,
7282 2 * time.Second,
7283 4 * time.Second,
7284 8 * time.Second,
7285 16 * time.Second,
7286 32 * time.Second,
7287 60 * time.Second,
7288 60 * time.Second,
7289 60 * time.Second,
7290 60 * time.Second,
7291 60 * time.Second,
7292 60 * time.Second,
7293 60 * time.Second,
7294}
7295
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7296// shortTimeouts is an alternate set of timeouts which would occur if the
7297// initial timeout duration was set to 250ms.
7298var shortTimeouts = []time.Duration{
7299 250 * time.Millisecond,
7300 500 * time.Millisecond,
7301 1 * time.Second,
7302 2 * time.Second,
7303 4 * time.Second,
7304 8 * time.Second,
7305 16 * time.Second,
7306 32 * time.Second,
7307 60 * time.Second,
7308 60 * time.Second,
7309 60 * time.Second,
7310 60 * time.Second,
7311 60 * time.Second,
7312}
7313
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7314func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7315 // These tests work by coordinating some behavior on both the shim and
7316 // the runner.
7317 //
7318 // TimeoutSchedule configures the runner to send a series of timeout
7319 // opcodes to the shim (see packetAdaptor) immediately before reading
7320 // each peer handshake flight N. The timeout opcode both simulates a
7321 // timeout in the shim and acts as a synchronization point to help the
7322 // runner bracket each handshake flight.
7323 //
7324 // We assume the shim does not read from the channel eagerly. It must
7325 // first wait until it has sent flight N and is ready to receive
7326 // handshake flight N+1. At this point, it will process the timeout
7327 // opcode. It must then immediately respond with a timeout ACK and act
7328 // as if the shim was idle for the specified amount of time.
7329 //
7330 // The runner then drops all packets received before the ACK and
7331 // continues waiting for flight N. This ordering results in one attempt
7332 // at sending flight N to be dropped. For the test to complete, the
7333 // shim must send flight N again, testing that the shim implements DTLS
7334 // retransmit on a timeout.
7335
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7336 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7337 // likely be more epochs to cross and the final message's retransmit may
7338 // be more complex.
7339
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7340 for _, async := range []bool{true, false} {
7341 var tests []testCase
7342
7343 // Test that this is indeed the timeout schedule. Stress all
7344 // four patterns of handshake.
7345 for i := 1; i < len(timeouts); i++ {
7346 number := strconv.Itoa(i)
7347 tests = append(tests, testCase{
7348 protocol: dtls,
7349 name: "DTLS-Retransmit-Client-" + number,
7350 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7351 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7352 Bugs: ProtocolBugs{
7353 TimeoutSchedule: timeouts[:i],
7354 },
7355 },
7356 resumeSession: true,
7357 })
7358 tests = append(tests, testCase{
7359 protocol: dtls,
7360 testType: serverTest,
7361 name: "DTLS-Retransmit-Server-" + number,
7362 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7363 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7364 Bugs: ProtocolBugs{
7365 TimeoutSchedule: timeouts[:i],
7366 },
7367 },
7368 resumeSession: true,
7369 })
7370 }
7371
7372 // Test that exceeding the timeout schedule hits a read
7373 // timeout.
7374 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7375 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7376 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7377 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7378 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7379 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7380 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7381 },
7382 },
7383 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7384 shouldFail: true,
7385 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7386 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7387
7388 if async {
7389 // Test that timeout handling has a fudge factor, due to API
7390 // problems.
7391 tests = append(tests, testCase{
7392 protocol: dtls,
7393 name: "DTLS-Retransmit-Fudge",
7394 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7395 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7396 Bugs: ProtocolBugs{
7397 TimeoutSchedule: []time.Duration{
7398 timeouts[0] - 10*time.Millisecond,
7399 },
7400 },
7401 },
7402 resumeSession: true,
7403 })
7404 }
7405
7406 // Test that the final Finished retransmitting isn't
7407 // duplicated if the peer badly fragments everything.
7408 tests = append(tests, testCase{
7409 testType: serverTest,
7410 protocol: dtls,
7411 name: "DTLS-Retransmit-Fragmented",
7412 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7413 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7414 Bugs: ProtocolBugs{
7415 TimeoutSchedule: []time.Duration{timeouts[0]},
7416 MaxHandshakeRecordLength: 2,
7417 },
7418 },
7419 })
7420
7421 // Test the timeout schedule when a shorter initial timeout duration is set.
7422 tests = append(tests, testCase{
7423 protocol: dtls,
7424 name: "DTLS-Retransmit-Short-Client",
7425 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7426 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7427 Bugs: ProtocolBugs{
7428 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7429 },
7430 },
7431 resumeSession: true,
7432 flags: []string{"-initial-timeout-duration-ms", "250"},
7433 })
7434 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7435 protocol: dtls,
7436 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7437 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7438 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7439 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7440 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7441 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7442 },
7443 },
7444 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7445 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7446 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7447
7448 for _, test := range tests {
7449 if async {
7450 test.name += "-Async"
7451 test.flags = append(test.flags, "-async")
7452 }
7453
7454 testCases = append(testCases, test)
7455 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7456 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7457}
7458
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7459func addExportKeyingMaterialTests() {
7460 for _, vers := range tlsVersions {
7461 if vers.version == VersionSSL30 {
7462 continue
7463 }
7464 testCases = append(testCases, testCase{
7465 name: "ExportKeyingMaterial-" + vers.name,
7466 config: Config{
7467 MaxVersion: vers.version,
7468 },
7469 exportKeyingMaterial: 1024,
7470 exportLabel: "label",
7471 exportContext: "context",
7472 useExportContext: true,
7473 })
7474 testCases = append(testCases, testCase{
7475 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7476 config: Config{
7477 MaxVersion: vers.version,
7478 },
7479 exportKeyingMaterial: 1024,
7480 })
7481 testCases = append(testCases, testCase{
7482 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7483 config: Config{
7484 MaxVersion: vers.version,
7485 },
7486 exportKeyingMaterial: 1024,
7487 useExportContext: true,
7488 })
7489 testCases = append(testCases, testCase{
7490 name: "ExportKeyingMaterial-Small-" + vers.name,
7491 config: Config{
7492 MaxVersion: vers.version,
7493 },
7494 exportKeyingMaterial: 1,
7495 exportLabel: "label",
7496 exportContext: "context",
7497 useExportContext: true,
7498 })
7499 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7500
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7501 testCases = append(testCases, testCase{
7502 name: "ExportKeyingMaterial-SSL3",
7503 config: Config{
7504 MaxVersion: VersionSSL30,
7505 },
7506 exportKeyingMaterial: 1024,
7507 exportLabel: "label",
7508 exportContext: "context",
7509 useExportContext: true,
7510 shouldFail: true,
7511 expectedError: "failed to export keying material",
7512 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7513
7514 // Exporters work during a False Start.
7515 testCases = append(testCases, testCase{
7516 name: "ExportKeyingMaterial-FalseStart",
7517 config: Config{
7518 MaxVersion: VersionTLS12,
7519 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7520 NextProtos: []string{"foo"},
7521 Bugs: ProtocolBugs{
7522 ExpectFalseStart: true,
7523 },
7524 },
7525 flags: []string{
7526 "-false-start",
7527 "-advertise-alpn", "\x03foo",
7528 },
7529 shimWritesFirst: true,
7530 exportKeyingMaterial: 1024,
7531 exportLabel: "label",
7532 exportContext: "context",
7533 useExportContext: true,
7534 })
7535
7536 // Exporters do not work in the middle of a renegotiation. Test this by
7537 // triggering the exporter after every SSL_read call and configuring the
7538 // shim to run asynchronously.
7539 testCases = append(testCases, testCase{
7540 name: "ExportKeyingMaterial-Renegotiate",
7541 config: Config{
7542 MaxVersion: VersionTLS12,
7543 },
7544 renegotiate: 1,
7545 flags: []string{
7546 "-async",
7547 "-use-exporter-between-reads",
7548 "-renegotiate-freely",
7549 "-expect-total-renegotiations", "1",
7550 },
7551 shouldFail: true,
7552 expectedError: "failed to export keying material",
7553 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7554}
7555
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7556func addTLSUniqueTests() {
7557 for _, isClient := range []bool{false, true} {
7558 for _, isResumption := range []bool{false, true} {
7559 for _, hasEMS := range []bool{false, true} {
7560 var suffix string
7561 if isResumption {
7562 suffix = "Resume-"
7563 } else {
7564 suffix = "Full-"
7565 }
7566
7567 if hasEMS {
7568 suffix += "EMS-"
7569 } else {
7570 suffix += "NoEMS-"
7571 }
7572
7573 if isClient {
7574 suffix += "Client"
7575 } else {
7576 suffix += "Server"
7577 }
7578
7579 test := testCase{
7580 name: "TLSUnique-" + suffix,
7581 testTLSUnique: true,
7582 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7583 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7584 Bugs: ProtocolBugs{
7585 NoExtendedMasterSecret: !hasEMS,
7586 },
7587 },
7588 }
7589
7590 if isResumption {
7591 test.resumeSession = true
7592 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7593 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7594 Bugs: ProtocolBugs{
7595 NoExtendedMasterSecret: !hasEMS,
7596 },
7597 }
7598 }
7599
7600 if isResumption && !hasEMS {
7601 test.shouldFail = true
7602 test.expectedError = "failed to get tls-unique"
7603 }
7604
7605 testCases = append(testCases, test)
7606 }
7607 }
7608 }
7609}
7610
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7611func addCustomExtensionTests() {
7612 expectedContents := "custom extension"
7613 emptyString := ""
7614
7615 for _, isClient := range []bool{false, true} {
7616 suffix := "Server"
7617 flag := "-enable-server-custom-extension"
7618 testType := serverTest
7619 if isClient {
7620 suffix = "Client"
7621 flag = "-enable-client-custom-extension"
7622 testType = clientTest
7623 }
7624
7625 testCases = append(testCases, testCase{
7626 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7627 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7628 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7629 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7630 Bugs: ProtocolBugs{
7631 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7632 ExpectedCustomExtension: &expectedContents,
7633 },
7634 },
7635 flags: []string{flag},
7636 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7637 testCases = append(testCases, testCase{
7638 testType: testType,
7639 name: "CustomExtensions-" + suffix + "-TLS13",
7640 config: Config{
7641 MaxVersion: VersionTLS13,
7642 Bugs: ProtocolBugs{
7643 CustomExtension: expectedContents,
7644 ExpectedCustomExtension: &expectedContents,
7645 },
7646 },
7647 flags: []string{flag},
7648 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7649
7650 // If the parse callback fails, the handshake should also fail.
7651 testCases = append(testCases, testCase{
7652 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7653 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7654 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7655 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7656 Bugs: ProtocolBugs{
7657 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7658 ExpectedCustomExtension: &expectedContents,
7659 },
7660 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7661 flags: []string{flag},
7662 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7663 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7664 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7665 testCases = append(testCases, testCase{
7666 testType: testType,
7667 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7668 config: Config{
7669 MaxVersion: VersionTLS13,
7670 Bugs: ProtocolBugs{
7671 CustomExtension: expectedContents + "foo",
7672 ExpectedCustomExtension: &expectedContents,
7673 },
7674 },
7675 flags: []string{flag},
7676 shouldFail: true,
7677 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7678 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7679
7680 // If the add callback fails, the handshake should also fail.
7681 testCases = append(testCases, testCase{
7682 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7683 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7684 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7685 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7686 Bugs: ProtocolBugs{
7687 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7688 ExpectedCustomExtension: &expectedContents,
7689 },
7690 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7691 flags: []string{flag, "-custom-extension-fail-add"},
7692 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7693 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7694 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7695 testCases = append(testCases, testCase{
7696 testType: testType,
7697 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7698 config: Config{
7699 MaxVersion: VersionTLS13,
7700 Bugs: ProtocolBugs{
7701 CustomExtension: expectedContents,
7702 ExpectedCustomExtension: &expectedContents,
7703 },
7704 },
7705 flags: []string{flag, "-custom-extension-fail-add"},
7706 shouldFail: true,
7707 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7708 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7709
7710 // If the add callback returns zero, no extension should be
7711 // added.
7712 skipCustomExtension := expectedContents
7713 if isClient {
7714 // For the case where the client skips sending the
7715 // custom extension, the server must not “echo” it.
7716 skipCustomExtension = ""
7717 }
7718 testCases = append(testCases, testCase{
7719 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7720 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7721 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7722 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7723 Bugs: ProtocolBugs{
7724 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7725 ExpectedCustomExtension: &emptyString,
7726 },
7727 },
7728 flags: []string{flag, "-custom-extension-skip"},
7729 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7730 testCases = append(testCases, testCase{
7731 testType: testType,
7732 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7733 config: Config{
7734 MaxVersion: VersionTLS13,
7735 Bugs: ProtocolBugs{
7736 CustomExtension: skipCustomExtension,
7737 ExpectedCustomExtension: &emptyString,
7738 },
7739 },
7740 flags: []string{flag, "-custom-extension-skip"},
7741 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7742 }
7743
7744 // The custom extension add callback should not be called if the client
7745 // doesn't send the extension.
7746 testCases = append(testCases, testCase{
7747 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7748 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7749 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7750 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7751 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7752 ExpectedCustomExtension: &emptyString,
7753 },
7754 },
7755 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7756 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7757
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7758 testCases = append(testCases, testCase{
7759 testType: serverTest,
7760 name: "CustomExtensions-NotCalled-Server-TLS13",
7761 config: Config{
7762 MaxVersion: VersionTLS13,
7763 Bugs: ProtocolBugs{
7764 ExpectedCustomExtension: &emptyString,
7765 },
7766 },
7767 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7768 })
7769
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7770 // Test an unknown extension from the server.
7771 testCases = append(testCases, testCase{
7772 testType: clientTest,
7773 name: "UnknownExtension-Client",
7774 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7775 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7776 Bugs: ProtocolBugs{
7777 CustomExtension: expectedContents,
7778 },
7779 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7780 shouldFail: true,
7781 expectedError: ":UNEXPECTED_EXTENSION:",
7782 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7783 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7784 testCases = append(testCases, testCase{
7785 testType: clientTest,
7786 name: "UnknownExtension-Client-TLS13",
7787 config: Config{
7788 MaxVersion: VersionTLS13,
7789 Bugs: ProtocolBugs{
7790 CustomExtension: expectedContents,
7791 },
7792 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7793 shouldFail: true,
7794 expectedError: ":UNEXPECTED_EXTENSION:",
7795 expectedLocalError: "remote error: unsupported extension",
7796 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]7797 testCases = append(testCases, testCase{
7798 testType: clientTest,
7799 name: "UnknownUnencryptedExtension-Client-TLS13",
7800 config: Config{
7801 MaxVersion: VersionTLS13,
7802 Bugs: ProtocolBugs{
7803 CustomUnencryptedExtension: expectedContents,
7804 },
7805 },
7806 shouldFail: true,
7807 expectedError: ":UNEXPECTED_EXTENSION:",
7808 // The shim must send an alert, but alerts at this point do not
7809 // get successfully decrypted by the runner.
7810 expectedLocalError: "local error: bad record MAC",
7811 })
7812 testCases = append(testCases, testCase{
7813 testType: clientTest,
7814 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7815 config: Config{
7816 MaxVersion: VersionTLS13,
7817 Bugs: ProtocolBugs{
7818 SendUnencryptedALPN: "foo",
7819 },
7820 },
7821 flags: []string{
7822 "-advertise-alpn", "\x03foo\x03bar",
7823 },
7824 shouldFail: true,
7825 expectedError: ":UNEXPECTED_EXTENSION:",
7826 // The shim must send an alert, but alerts at this point do not
7827 // get successfully decrypted by the runner.
7828 expectedLocalError: "local error: bad record MAC",
7829 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7830
7831 // Test a known but unoffered extension from the server.
7832 testCases = append(testCases, testCase{
7833 testType: clientTest,
7834 name: "UnofferedExtension-Client",
7835 config: Config{
7836 MaxVersion: VersionTLS12,
7837 Bugs: ProtocolBugs{
7838 SendALPN: "alpn",
7839 },
7840 },
7841 shouldFail: true,
7842 expectedError: ":UNEXPECTED_EXTENSION:",
7843 expectedLocalError: "remote error: unsupported extension",
7844 })
7845 testCases = append(testCases, testCase{
7846 testType: clientTest,
7847 name: "UnofferedExtension-Client-TLS13",
7848 config: Config{
7849 MaxVersion: VersionTLS13,
7850 Bugs: ProtocolBugs{
7851 SendALPN: "alpn",
7852 },
7853 },
7854 shouldFail: true,
7855 expectedError: ":UNEXPECTED_EXTENSION:",
7856 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7857 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7858}
7859
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7860func addRSAClientKeyExchangeTests() {
7861 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7862 testCases = append(testCases, testCase{
7863 testType: serverTest,
7864 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7865 config: Config{
7866 // Ensure the ClientHello version and final
7867 // version are different, to detect if the
7868 // server uses the wrong one.
7869 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]7870 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7871 Bugs: ProtocolBugs{
7872 BadRSAClientKeyExchange: bad,
7873 },
7874 },
7875 shouldFail: true,
7876 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7877 })
7878 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]7879
7880 // The server must compare whatever was in ClientHello.version for the
7881 // RSA premaster.
7882 testCases = append(testCases, testCase{
7883 testType: serverTest,
7884 name: "SendClientVersion-RSA",
7885 config: Config{
7886 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7887 Bugs: ProtocolBugs{
7888 SendClientVersion: 0x1234,
7889 },
7890 },
7891 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7892 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7893}
7894
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7895var testCurves = []struct {
7896 name string
7897 id CurveID
7898}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7899 {"P-256", CurveP256},
7900 {"P-384", CurveP384},
7901 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]7902 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7903}
7904
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7905const bogusCurve = 0x1234
7906
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7907func addCurveTests() {
7908 for _, curve := range testCurves {
7909 testCases = append(testCases, testCase{
7910 name: "CurveTest-Client-" + curve.name,
7911 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7912 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7913 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7914 CurvePreferences: []CurveID{curve.id},
7915 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7916 flags: []string{
7917 "-enable-all-curves",
7918 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7919 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7920 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7921 })
7922 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7923 name: "CurveTest-Client-" + curve.name + "-TLS13",
7924 config: Config{
7925 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7926 CurvePreferences: []CurveID{curve.id},
7927 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7928 flags: []string{
7929 "-enable-all-curves",
7930 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7931 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7932 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7933 })
7934 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7935 testType: serverTest,
7936 name: "CurveTest-Server-" + curve.name,
7937 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7938 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7939 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7940 CurvePreferences: []CurveID{curve.id},
7941 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7942 flags: []string{
7943 "-enable-all-curves",
7944 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7945 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7946 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7947 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7948 testCases = append(testCases, testCase{
7949 testType: serverTest,
7950 name: "CurveTest-Server-" + curve.name + "-TLS13",
7951 config: Config{
7952 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7953 CurvePreferences: []CurveID{curve.id},
7954 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7955 flags: []string{
7956 "-enable-all-curves",
7957 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7958 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7959 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7960 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7961 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7962
7963 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7964 testCases = append(testCases, testCase{
7965 testType: serverTest,
7966 name: "UnknownCurve",
7967 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7968 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7970 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7971 },
7972 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7973
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7974 // The server must be tolerant to bogus curves.
7975 testCases = append(testCases, testCase{
7976 testType: serverTest,
7977 name: "UnknownCurve-TLS13",
7978 config: Config{
7979 MaxVersion: VersionTLS13,
7980 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7981 },
7982 })
7983
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7984 // The server must not consider ECDHE ciphers when there are no
7985 // supported curves.
7986 testCases = append(testCases, testCase{
7987 testType: serverTest,
7988 name: "NoSupportedCurves",
7989 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7990 MaxVersion: VersionTLS12,
7991 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7992 Bugs: ProtocolBugs{
7993 NoSupportedCurves: true,
7994 },
7995 },
7996 shouldFail: true,
7997 expectedError: ":NO_SHARED_CIPHER:",
7998 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7999 testCases = append(testCases, testCase{
8000 testType: serverTest,
8001 name: "NoSupportedCurves-TLS13",
8002 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8003 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8004 Bugs: ProtocolBugs{
8005 NoSupportedCurves: true,
8006 },
8007 },
8008 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8009 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8010 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8011
8012 // The server must fall back to another cipher when there are no
8013 // supported curves.
8014 testCases = append(testCases, testCase{
8015 testType: serverTest,
8016 name: "NoCommonCurves",
8017 config: Config{
8018 MaxVersion: VersionTLS12,
8019 CipherSuites: []uint16{
8020 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8021 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8022 },
8023 CurvePreferences: []CurveID{CurveP224},
8024 },
8025 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8026 })
8027
8028 // The client must reject bogus curves and disabled curves.
8029 testCases = append(testCases, testCase{
8030 name: "BadECDHECurve",
8031 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8032 MaxVersion: VersionTLS12,
8033 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8034 Bugs: ProtocolBugs{
8035 SendCurve: bogusCurve,
8036 },
8037 },
8038 shouldFail: true,
8039 expectedError: ":WRONG_CURVE:",
8040 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8041 testCases = append(testCases, testCase{
8042 name: "BadECDHECurve-TLS13",
8043 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8044 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8045 Bugs: ProtocolBugs{
8046 SendCurve: bogusCurve,
8047 },
8048 },
8049 shouldFail: true,
8050 expectedError: ":WRONG_CURVE:",
8051 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8052
8053 testCases = append(testCases, testCase{
8054 name: "UnsupportedCurve",
8055 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8056 MaxVersion: VersionTLS12,
8057 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8058 CurvePreferences: []CurveID{CurveP256},
8059 Bugs: ProtocolBugs{
8060 IgnorePeerCurvePreferences: true,
8061 },
8062 },
8063 flags: []string{"-p384-only"},
8064 shouldFail: true,
8065 expectedError: ":WRONG_CURVE:",
8066 })
8067
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8068 testCases = append(testCases, testCase{
8069 // TODO(davidben): Add a TLS 1.3 version where
8070 // HelloRetryRequest requests an unsupported curve.
8071 name: "UnsupportedCurve-ServerHello-TLS13",
8072 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8073 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8074 CurvePreferences: []CurveID{CurveP384},
8075 Bugs: ProtocolBugs{
8076 SendCurve: CurveP256,
8077 },
8078 },
8079 flags: []string{"-p384-only"},
8080 shouldFail: true,
8081 expectedError: ":WRONG_CURVE:",
8082 })
8083
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8084 // Test invalid curve points.
8085 testCases = append(testCases, testCase{
8086 name: "InvalidECDHPoint-Client",
8087 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8088 MaxVersion: VersionTLS12,
8089 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8090 CurvePreferences: []CurveID{CurveP256},
8091 Bugs: ProtocolBugs{
8092 InvalidECDHPoint: true,
8093 },
8094 },
8095 shouldFail: true,
8096 expectedError: ":INVALID_ENCODING:",
8097 })
8098 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8099 name: "InvalidECDHPoint-Client-TLS13",
8100 config: Config{
8101 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8102 CurvePreferences: []CurveID{CurveP256},
8103 Bugs: ProtocolBugs{
8104 InvalidECDHPoint: true,
8105 },
8106 },
8107 shouldFail: true,
8108 expectedError: ":INVALID_ENCODING:",
8109 })
8110 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8111 testType: serverTest,
8112 name: "InvalidECDHPoint-Server",
8113 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8114 MaxVersion: VersionTLS12,
8115 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8116 CurvePreferences: []CurveID{CurveP256},
8117 Bugs: ProtocolBugs{
8118 InvalidECDHPoint: true,
8119 },
8120 },
8121 shouldFail: true,
8122 expectedError: ":INVALID_ENCODING:",
8123 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8124 testCases = append(testCases, testCase{
8125 testType: serverTest,
8126 name: "InvalidECDHPoint-Server-TLS13",
8127 config: Config{
8128 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8129 CurvePreferences: []CurveID{CurveP256},
8130 Bugs: ProtocolBugs{
8131 InvalidECDHPoint: true,
8132 },
8133 },
8134 shouldFail: true,
8135 expectedError: ":INVALID_ENCODING:",
8136 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8137
8138 // The previous curve ID should be reported on TLS 1.2 resumption.
8139 testCases = append(testCases, testCase{
8140 name: "CurveID-Resume-Client",
8141 config: Config{
8142 MaxVersion: VersionTLS12,
8143 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8144 CurvePreferences: []CurveID{CurveX25519},
8145 },
8146 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8147 resumeSession: true,
8148 })
8149 testCases = append(testCases, testCase{
8150 testType: serverTest,
8151 name: "CurveID-Resume-Server",
8152 config: Config{
8153 MaxVersion: VersionTLS12,
8154 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8155 CurvePreferences: []CurveID{CurveX25519},
8156 },
8157 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8158 resumeSession: true,
8159 })
8160
8161 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8162 // one should be reported.
8163 testCases = append(testCases, testCase{
8164 name: "CurveID-Resume-Client-TLS13",
8165 config: Config{
8166 MaxVersion: VersionTLS13,
8167 CurvePreferences: []CurveID{CurveX25519},
8168 },
8169 resumeConfig: &Config{
8170 MaxVersion: VersionTLS13,
8171 CurvePreferences: []CurveID{CurveP256},
8172 },
8173 flags: []string{
8174 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8175 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8176 },
8177 resumeSession: true,
8178 })
8179 testCases = append(testCases, testCase{
8180 testType: serverTest,
8181 name: "CurveID-Resume-Server-TLS13",
8182 config: Config{
8183 MaxVersion: VersionTLS13,
8184 CurvePreferences: []CurveID{CurveX25519},
8185 },
8186 resumeConfig: &Config{
8187 MaxVersion: VersionTLS13,
8188 CurvePreferences: []CurveID{CurveP256},
8189 },
8190 flags: []string{
8191 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8192 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8193 },
8194 resumeSession: true,
8195 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8196
8197 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8198 testCases = append(testCases, testCase{
8199 name: "PointFormat-ServerHello-TLS12",
8200 config: Config{
8201 MaxVersion: VersionTLS12,
8202 Bugs: ProtocolBugs{
8203 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8204 },
8205 },
8206 })
8207 testCases = append(testCases, testCase{
8208 name: "PointFormat-EncryptedExtensions-TLS13",
8209 config: Config{
8210 MaxVersion: VersionTLS13,
8211 Bugs: ProtocolBugs{
8212 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8213 },
8214 },
8215 shouldFail: true,
8216 expectedError: ":ERROR_PARSING_EXTENSION:",
8217 })
8218
8219 // Test that we tolerate unknown point formats, as long as
8220 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8221 // check they are still functional.
8222 testCases = append(testCases, testCase{
8223 name: "PointFormat-Client-Tolerance",
8224 config: Config{
8225 MaxVersion: VersionTLS12,
8226 Bugs: ProtocolBugs{
8227 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8228 },
8229 },
8230 })
8231 testCases = append(testCases, testCase{
8232 testType: serverTest,
8233 name: "PointFormat-Server-Tolerance",
8234 config: Config{
8235 MaxVersion: VersionTLS12,
8236 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8237 Bugs: ProtocolBugs{
8238 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8239 },
8240 },
8241 })
8242
8243 // Test TLS 1.2 does not require the point format extension to be
8244 // present.
8245 testCases = append(testCases, testCase{
8246 name: "PointFormat-Client-Missing",
8247 config: Config{
8248 MaxVersion: VersionTLS12,
8249 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8250 Bugs: ProtocolBugs{
8251 SendSupportedPointFormats: []byte{},
8252 },
8253 },
8254 })
8255 testCases = append(testCases, testCase{
8256 testType: serverTest,
8257 name: "PointFormat-Server-Missing",
8258 config: Config{
8259 MaxVersion: VersionTLS12,
8260 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8261 Bugs: ProtocolBugs{
8262 SendSupportedPointFormats: []byte{},
8263 },
8264 },
8265 })
8266
8267 // If the point format extension is present, uncompressed points must be
8268 // offered. BoringSSL requires this whether or not ECDHE is used.
8269 testCases = append(testCases, testCase{
8270 name: "PointFormat-Client-MissingUncompressed",
8271 config: Config{
8272 MaxVersion: VersionTLS12,
8273 Bugs: ProtocolBugs{
8274 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8275 },
8276 },
8277 shouldFail: true,
8278 expectedError: ":ERROR_PARSING_EXTENSION:",
8279 })
8280 testCases = append(testCases, testCase{
8281 testType: serverTest,
8282 name: "PointFormat-Server-MissingUncompressed",
8283 config: Config{
8284 MaxVersion: VersionTLS12,
8285 Bugs: ProtocolBugs{
8286 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8287 },
8288 },
8289 shouldFail: true,
8290 expectedError: ":ERROR_PARSING_EXTENSION:",
8291 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8292}
8293
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8294func addTLS13RecordTests() {
8295 testCases = append(testCases, testCase{
8296 name: "TLS13-RecordPadding",
8297 config: Config{
8298 MaxVersion: VersionTLS13,
8299 MinVersion: VersionTLS13,
8300 Bugs: ProtocolBugs{
8301 RecordPadding: 10,
8302 },
8303 },
8304 })
8305
8306 testCases = append(testCases, testCase{
8307 name: "TLS13-EmptyRecords",
8308 config: Config{
8309 MaxVersion: VersionTLS13,
8310 MinVersion: VersionTLS13,
8311 Bugs: ProtocolBugs{
8312 OmitRecordContents: true,
8313 },
8314 },
8315 shouldFail: true,
8316 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8317 })
8318
8319 testCases = append(testCases, testCase{
8320 name: "TLS13-OnlyPadding",
8321 config: Config{
8322 MaxVersion: VersionTLS13,
8323 MinVersion: VersionTLS13,
8324 Bugs: ProtocolBugs{
8325 OmitRecordContents: true,
8326 RecordPadding: 10,
8327 },
8328 },
8329 shouldFail: true,
8330 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8331 })
8332
8333 testCases = append(testCases, testCase{
8334 name: "TLS13-WrongOuterRecord",
8335 config: Config{
8336 MaxVersion: VersionTLS13,
8337 MinVersion: VersionTLS13,
8338 Bugs: ProtocolBugs{
8339 OuterRecordType: recordTypeHandshake,
8340 },
8341 },
8342 shouldFail: true,
8343 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8344 })
8345}
8346
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8347func addSessionTicketTests() {
8348 testCases = append(testCases, testCase{
8349 // In TLS 1.2 and below, empty NewSessionTicket messages
8350 // mean the server changed its mind on sending a ticket.
8351 name: "SendEmptySessionTicket",
8352 config: Config{
8353 MaxVersion: VersionTLS12,
8354 Bugs: ProtocolBugs{
8355 SendEmptySessionTicket: true,
8356 },
8357 },
8358 flags: []string{"-expect-no-session"},
8359 })
8360
8361 // Test that the server ignores unknown PSK modes.
8362 testCases = append(testCases, testCase{
8363 testType: serverTest,
8364 name: "TLS13-SendUnknownModeSessionTicket-Server",
8365 config: Config{
8366 MaxVersion: VersionTLS13,
8367 Bugs: ProtocolBugs{
8368 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8369 },
8370 },
8371 resumeSession: true,
8372 expectedResumeVersion: VersionTLS13,
8373 })
8374
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8375 // Test that the server does not send session tickets with no matching key exchange mode.
8376 testCases = append(testCases, testCase{
8377 testType: serverTest,
8378 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8379 config: Config{
8380 MaxVersion: VersionTLS13,
8381 Bugs: ProtocolBugs{
8382 SendPSKKeyExchangeModes: []byte{0x1a},
8383 ExpectNoNewSessionTicket: true,
8384 },
8385 },
8386 })
8387
8388 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8389 testCases = append(testCases, testCase{
8390 testType: serverTest,
8391 name: "TLS13-SendBadKEModeSessionTicket-Server",
8392 config: Config{
8393 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8394 },
8395 resumeConfig: &Config{
8396 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8397 Bugs: ProtocolBugs{
8398 SendPSKKeyExchangeModes: []byte{0x1a},
8399 },
8400 },
8401 resumeSession: true,
8402 expectResumeRejected: true,
8403 })
8404
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8405 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8406 testCases = append(testCases, testCase{
8407 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8408 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8409 config: Config{
8410 MaxVersion: VersionTLS13,
8411 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8412 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8413 },
8414 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8415 resumeSession: true,
8416 flags: []string{
8417 "-resumption-delay", "10",
8418 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8419 })
8420
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8421 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8422 testCases = append(testCases, testCase{
8423 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8424 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8425 config: Config{
8426 MaxVersion: VersionTLS13,
8427 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8428 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8429 },
8430 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8431 resumeSession: true,
8432 shouldFail: true,
8433 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8434 })
8435
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8436 testCases = append(testCases, testCase{
8437 testType: clientTest,
8438 name: "TLS13-SendTicketEarlyDataInfo",
8439 config: Config{
8440 MaxVersion: VersionTLS13,
8441 Bugs: ProtocolBugs{
8442 SendTicketEarlyDataInfo: 16384,
8443 },
8444 },
8445 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame^]8446 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8447 "-expect-early-data-info",
8448 },
8449 })
8450
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame^]8451 // Test that 0-RTT tickets are ignored in clients unless opted in.
8452 testCases = append(testCases, testCase{
8453 testType: clientTest,
8454 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8455 config: Config{
8456 MaxVersion: VersionTLS13,
8457 Bugs: ProtocolBugs{
8458 SendTicketEarlyDataInfo: 16384,
8459 },
8460 },
8461 })
8462
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8463 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8464 testType: clientTest,
8465 name: "TLS13-DuplicateTicketEarlyDataInfo",
8466 config: Config{
8467 MaxVersion: VersionTLS13,
8468 Bugs: ProtocolBugs{
8469 SendTicketEarlyDataInfo: 16384,
8470 DuplicateTicketEarlyDataInfo: true,
8471 },
8472 },
8473 shouldFail: true,
8474 expectedError: ":DUPLICATE_EXTENSION:",
8475 expectedLocalError: "remote error: illegal parameter",
8476 })
8477
8478 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8479 testType: serverTest,
8480 name: "TLS13-ExpectTicketEarlyDataInfo",
8481 config: Config{
8482 MaxVersion: VersionTLS13,
8483 Bugs: ProtocolBugs{
8484 ExpectTicketEarlyDataInfo: true,
8485 },
8486 },
8487 flags: []string{
8488 "-enable-early-data",
8489 },
8490 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8491}
8492
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8493func addChangeCipherSpecTests() {
8494 // Test missing ChangeCipherSpecs.
8495 testCases = append(testCases, testCase{
8496 name: "SkipChangeCipherSpec-Client",
8497 config: Config{
8498 MaxVersion: VersionTLS12,
8499 Bugs: ProtocolBugs{
8500 SkipChangeCipherSpec: true,
8501 },
8502 },
8503 shouldFail: true,
8504 expectedError: ":UNEXPECTED_RECORD:",
8505 })
8506 testCases = append(testCases, testCase{
8507 testType: serverTest,
8508 name: "SkipChangeCipherSpec-Server",
8509 config: Config{
8510 MaxVersion: VersionTLS12,
8511 Bugs: ProtocolBugs{
8512 SkipChangeCipherSpec: true,
8513 },
8514 },
8515 shouldFail: true,
8516 expectedError: ":UNEXPECTED_RECORD:",
8517 })
8518 testCases = append(testCases, testCase{
8519 testType: serverTest,
8520 name: "SkipChangeCipherSpec-Server-NPN",
8521 config: Config{
8522 MaxVersion: VersionTLS12,
8523 NextProtos: []string{"bar"},
8524 Bugs: ProtocolBugs{
8525 SkipChangeCipherSpec: true,
8526 },
8527 },
8528 flags: []string{
8529 "-advertise-npn", "\x03foo\x03bar\x03baz",
8530 },
8531 shouldFail: true,
8532 expectedError: ":UNEXPECTED_RECORD:",
8533 })
8534
8535 // Test synchronization between the handshake and ChangeCipherSpec.
8536 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8537 // rejected. Test both with and without handshake packing to handle both
8538 // when the partial post-CCS message is in its own record and when it is
8539 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8540 for _, packed := range []bool{false, true} {
8541 var suffix string
8542 if packed {
8543 suffix = "-Packed"
8544 }
8545
8546 testCases = append(testCases, testCase{
8547 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8548 config: Config{
8549 MaxVersion: VersionTLS12,
8550 Bugs: ProtocolBugs{
8551 FragmentAcrossChangeCipherSpec: true,
8552 PackHandshakeFlight: packed,
8553 },
8554 },
8555 shouldFail: true,
8556 expectedError: ":UNEXPECTED_RECORD:",
8557 })
8558 testCases = append(testCases, testCase{
8559 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8560 config: Config{
8561 MaxVersion: VersionTLS12,
8562 },
8563 resumeSession: true,
8564 resumeConfig: &Config{
8565 MaxVersion: VersionTLS12,
8566 Bugs: ProtocolBugs{
8567 FragmentAcrossChangeCipherSpec: true,
8568 PackHandshakeFlight: packed,
8569 },
8570 },
8571 shouldFail: true,
8572 expectedError: ":UNEXPECTED_RECORD:",
8573 })
8574 testCases = append(testCases, testCase{
8575 testType: serverTest,
8576 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8577 config: Config{
8578 MaxVersion: VersionTLS12,
8579 Bugs: ProtocolBugs{
8580 FragmentAcrossChangeCipherSpec: true,
8581 PackHandshakeFlight: packed,
8582 },
8583 },
8584 shouldFail: true,
8585 expectedError: ":UNEXPECTED_RECORD:",
8586 })
8587 testCases = append(testCases, testCase{
8588 testType: serverTest,
8589 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8590 config: Config{
8591 MaxVersion: VersionTLS12,
8592 },
8593 resumeSession: true,
8594 resumeConfig: &Config{
8595 MaxVersion: VersionTLS12,
8596 Bugs: ProtocolBugs{
8597 FragmentAcrossChangeCipherSpec: true,
8598 PackHandshakeFlight: packed,
8599 },
8600 },
8601 shouldFail: true,
8602 expectedError: ":UNEXPECTED_RECORD:",
8603 })
8604 testCases = append(testCases, testCase{
8605 testType: serverTest,
8606 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8607 config: Config{
8608 MaxVersion: VersionTLS12,
8609 NextProtos: []string{"bar"},
8610 Bugs: ProtocolBugs{
8611 FragmentAcrossChangeCipherSpec: true,
8612 PackHandshakeFlight: packed,
8613 },
8614 },
8615 flags: []string{
8616 "-advertise-npn", "\x03foo\x03bar\x03baz",
8617 },
8618 shouldFail: true,
8619 expectedError: ":UNEXPECTED_RECORD:",
8620 })
8621 }
8622
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8623 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8624 // messages in the handshake queue. Do this by testing the server
8625 // reading the client Finished, reversing the flight so Finished comes
8626 // first.
8627 testCases = append(testCases, testCase{
8628 protocol: dtls,
8629 testType: serverTest,
8630 name: "SendUnencryptedFinished-DTLS",
8631 config: Config{
8632 MaxVersion: VersionTLS12,
8633 Bugs: ProtocolBugs{
8634 SendUnencryptedFinished: true,
8635 ReverseHandshakeFragments: true,
8636 },
8637 },
8638 shouldFail: true,
8639 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8640 })
8641
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8642 // Test synchronization between encryption changes and the handshake in
8643 // TLS 1.3, where ChangeCipherSpec is implicit.
8644 testCases = append(testCases, testCase{
8645 name: "PartialEncryptedExtensionsWithServerHello",
8646 config: Config{
8647 MaxVersion: VersionTLS13,
8648 Bugs: ProtocolBugs{
8649 PartialEncryptedExtensionsWithServerHello: true,
8650 },
8651 },
8652 shouldFail: true,
8653 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8654 })
8655 testCases = append(testCases, testCase{
8656 testType: serverTest,
8657 name: "PartialClientFinishedWithClientHello",
8658 config: Config{
8659 MaxVersion: VersionTLS13,
8660 Bugs: ProtocolBugs{
8661 PartialClientFinishedWithClientHello: true,
8662 },
8663 },
8664 shouldFail: true,
8665 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8666 })
8667
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8668 // Test that early ChangeCipherSpecs are handled correctly.
8669 testCases = append(testCases, testCase{
8670 testType: serverTest,
8671 name: "EarlyChangeCipherSpec-server-1",
8672 config: Config{
8673 MaxVersion: VersionTLS12,
8674 Bugs: ProtocolBugs{
8675 EarlyChangeCipherSpec: 1,
8676 },
8677 },
8678 shouldFail: true,
8679 expectedError: ":UNEXPECTED_RECORD:",
8680 })
8681 testCases = append(testCases, testCase{
8682 testType: serverTest,
8683 name: "EarlyChangeCipherSpec-server-2",
8684 config: Config{
8685 MaxVersion: VersionTLS12,
8686 Bugs: ProtocolBugs{
8687 EarlyChangeCipherSpec: 2,
8688 },
8689 },
8690 shouldFail: true,
8691 expectedError: ":UNEXPECTED_RECORD:",
8692 })
8693 testCases = append(testCases, testCase{
8694 protocol: dtls,
8695 name: "StrayChangeCipherSpec",
8696 config: Config{
8697 // TODO(davidben): Once DTLS 1.3 exists, test
8698 // that stray ChangeCipherSpec messages are
8699 // rejected.
8700 MaxVersion: VersionTLS12,
8701 Bugs: ProtocolBugs{
8702 StrayChangeCipherSpec: true,
8703 },
8704 },
8705 })
8706
8707 // Test that the contents of ChangeCipherSpec are checked.
8708 testCases = append(testCases, testCase{
8709 name: "BadChangeCipherSpec-1",
8710 config: Config{
8711 MaxVersion: VersionTLS12,
8712 Bugs: ProtocolBugs{
8713 BadChangeCipherSpec: []byte{2},
8714 },
8715 },
8716 shouldFail: true,
8717 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8718 })
8719 testCases = append(testCases, testCase{
8720 name: "BadChangeCipherSpec-2",
8721 config: Config{
8722 MaxVersion: VersionTLS12,
8723 Bugs: ProtocolBugs{
8724 BadChangeCipherSpec: []byte{1, 1},
8725 },
8726 },
8727 shouldFail: true,
8728 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8729 })
8730 testCases = append(testCases, testCase{
8731 protocol: dtls,
8732 name: "BadChangeCipherSpec-DTLS-1",
8733 config: Config{
8734 MaxVersion: VersionTLS12,
8735 Bugs: ProtocolBugs{
8736 BadChangeCipherSpec: []byte{2},
8737 },
8738 },
8739 shouldFail: true,
8740 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8741 })
8742 testCases = append(testCases, testCase{
8743 protocol: dtls,
8744 name: "BadChangeCipherSpec-DTLS-2",
8745 config: Config{
8746 MaxVersion: VersionTLS12,
8747 Bugs: ProtocolBugs{
8748 BadChangeCipherSpec: []byte{1, 1},
8749 },
8750 },
8751 shouldFail: true,
8752 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8753 })
8754}
8755
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8756type perMessageTest struct {
8757 messageType uint8
8758 test testCase
8759}
8760
8761// makePerMessageTests returns a series of test templates which cover each
8762// message in the TLS handshake. These may be used with bugs like
8763// WrongMessageType to fully test a per-message bug.
8764func makePerMessageTests() []perMessageTest {
8765 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8766 for _, protocol := range []protocol{tls, dtls} {
8767 var suffix string
8768 if protocol == dtls {
8769 suffix = "-DTLS"
8770 }
8771
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8772 ret = append(ret, perMessageTest{
8773 messageType: typeClientHello,
8774 test: testCase{
8775 protocol: protocol,
8776 testType: serverTest,
8777 name: "ClientHello" + suffix,
8778 config: Config{
8779 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8780 },
8781 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8782 })
8783
8784 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8785 ret = append(ret, perMessageTest{
8786 messageType: typeHelloVerifyRequest,
8787 test: testCase{
8788 protocol: protocol,
8789 name: "HelloVerifyRequest" + suffix,
8790 config: Config{
8791 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8792 },
8793 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8794 })
8795 }
8796
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8797 ret = append(ret, perMessageTest{
8798 messageType: typeServerHello,
8799 test: testCase{
8800 protocol: protocol,
8801 name: "ServerHello" + suffix,
8802 config: Config{
8803 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8804 },
8805 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8806 })
8807
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8808 ret = append(ret, perMessageTest{
8809 messageType: typeCertificate,
8810 test: testCase{
8811 protocol: protocol,
8812 name: "ServerCertificate" + suffix,
8813 config: Config{
8814 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8815 },
8816 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8817 })
8818
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8819 ret = append(ret, perMessageTest{
8820 messageType: typeCertificateStatus,
8821 test: testCase{
8822 protocol: protocol,
8823 name: "CertificateStatus" + suffix,
8824 config: Config{
8825 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8826 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8827 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8828 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8829 })
8830
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8831 ret = append(ret, perMessageTest{
8832 messageType: typeServerKeyExchange,
8833 test: testCase{
8834 protocol: protocol,
8835 name: "ServerKeyExchange" + suffix,
8836 config: Config{
8837 MaxVersion: VersionTLS12,
8838 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8839 },
8840 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8841 })
8842
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8843 ret = append(ret, perMessageTest{
8844 messageType: typeCertificateRequest,
8845 test: testCase{
8846 protocol: protocol,
8847 name: "CertificateRequest" + suffix,
8848 config: Config{
8849 MaxVersion: VersionTLS12,
8850 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8851 },
8852 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8853 })
8854
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8855 ret = append(ret, perMessageTest{
8856 messageType: typeServerHelloDone,
8857 test: testCase{
8858 protocol: protocol,
8859 name: "ServerHelloDone" + suffix,
8860 config: Config{
8861 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8862 },
8863 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8864 })
8865
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8866 ret = append(ret, perMessageTest{
8867 messageType: typeCertificate,
8868 test: testCase{
8869 testType: serverTest,
8870 protocol: protocol,
8871 name: "ClientCertificate" + suffix,
8872 config: Config{
8873 Certificates: []Certificate{rsaCertificate},
8874 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8875 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8876 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8877 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8878 })
8879
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8880 ret = append(ret, perMessageTest{
8881 messageType: typeCertificateVerify,
8882 test: testCase{
8883 testType: serverTest,
8884 protocol: protocol,
8885 name: "CertificateVerify" + suffix,
8886 config: Config{
8887 Certificates: []Certificate{rsaCertificate},
8888 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8889 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8890 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8891 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8892 })
8893
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8894 ret = append(ret, perMessageTest{
8895 messageType: typeClientKeyExchange,
8896 test: testCase{
8897 testType: serverTest,
8898 protocol: protocol,
8899 name: "ClientKeyExchange" + suffix,
8900 config: Config{
8901 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8902 },
8903 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8904 })
8905
8906 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8907 ret = append(ret, perMessageTest{
8908 messageType: typeNextProtocol,
8909 test: testCase{
8910 testType: serverTest,
8911 protocol: protocol,
8912 name: "NextProtocol" + suffix,
8913 config: Config{
8914 MaxVersion: VersionTLS12,
8915 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8916 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8917 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8918 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8919 })
8920
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8921 ret = append(ret, perMessageTest{
8922 messageType: typeChannelID,
8923 test: testCase{
8924 testType: serverTest,
8925 protocol: protocol,
8926 name: "ChannelID" + suffix,
8927 config: Config{
8928 MaxVersion: VersionTLS12,
8929 ChannelID: channelIDKey,
8930 },
8931 flags: []string{
8932 "-expect-channel-id",
8933 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8934 },
8935 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8936 })
8937 }
8938
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8939 ret = append(ret, perMessageTest{
8940 messageType: typeFinished,
8941 test: testCase{
8942 testType: serverTest,
8943 protocol: protocol,
8944 name: "ClientFinished" + suffix,
8945 config: Config{
8946 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8947 },
8948 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8949 })
8950
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8951 ret = append(ret, perMessageTest{
8952 messageType: typeNewSessionTicket,
8953 test: testCase{
8954 protocol: protocol,
8955 name: "NewSessionTicket" + suffix,
8956 config: Config{
8957 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8958 },
8959 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8960 })
8961
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8962 ret = append(ret, perMessageTest{
8963 messageType: typeFinished,
8964 test: testCase{
8965 protocol: protocol,
8966 name: "ServerFinished" + suffix,
8967 config: Config{
8968 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8969 },
8970 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8971 })
8972
8973 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8974
8975 ret = append(ret, perMessageTest{
8976 messageType: typeClientHello,
8977 test: testCase{
8978 testType: serverTest,
8979 name: "TLS13-ClientHello",
8980 config: Config{
8981 MaxVersion: VersionTLS13,
8982 },
8983 },
8984 })
8985
8986 ret = append(ret, perMessageTest{
8987 messageType: typeServerHello,
8988 test: testCase{
8989 name: "TLS13-ServerHello",
8990 config: Config{
8991 MaxVersion: VersionTLS13,
8992 },
8993 },
8994 })
8995
8996 ret = append(ret, perMessageTest{
8997 messageType: typeEncryptedExtensions,
8998 test: testCase{
8999 name: "TLS13-EncryptedExtensions",
9000 config: Config{
9001 MaxVersion: VersionTLS13,
9002 },
9003 },
9004 })
9005
9006 ret = append(ret, perMessageTest{
9007 messageType: typeCertificateRequest,
9008 test: testCase{
9009 name: "TLS13-CertificateRequest",
9010 config: Config{
9011 MaxVersion: VersionTLS13,
9012 ClientAuth: RequireAnyClientCert,
9013 },
9014 },
9015 })
9016
9017 ret = append(ret, perMessageTest{
9018 messageType: typeCertificate,
9019 test: testCase{
9020 name: "TLS13-ServerCertificate",
9021 config: Config{
9022 MaxVersion: VersionTLS13,
9023 },
9024 },
9025 })
9026
9027 ret = append(ret, perMessageTest{
9028 messageType: typeCertificateVerify,
9029 test: testCase{
9030 name: "TLS13-ServerCertificateVerify",
9031 config: Config{
9032 MaxVersion: VersionTLS13,
9033 },
9034 },
9035 })
9036
9037 ret = append(ret, perMessageTest{
9038 messageType: typeFinished,
9039 test: testCase{
9040 name: "TLS13-ServerFinished",
9041 config: Config{
9042 MaxVersion: VersionTLS13,
9043 },
9044 },
9045 })
9046
9047 ret = append(ret, perMessageTest{
9048 messageType: typeCertificate,
9049 test: testCase{
9050 testType: serverTest,
9051 name: "TLS13-ClientCertificate",
9052 config: Config{
9053 Certificates: []Certificate{rsaCertificate},
9054 MaxVersion: VersionTLS13,
9055 },
9056 flags: []string{"-require-any-client-certificate"},
9057 },
9058 })
9059
9060 ret = append(ret, perMessageTest{
9061 messageType: typeCertificateVerify,
9062 test: testCase{
9063 testType: serverTest,
9064 name: "TLS13-ClientCertificateVerify",
9065 config: Config{
9066 Certificates: []Certificate{rsaCertificate},
9067 MaxVersion: VersionTLS13,
9068 },
9069 flags: []string{"-require-any-client-certificate"},
9070 },
9071 })
9072
9073 ret = append(ret, perMessageTest{
9074 messageType: typeFinished,
9075 test: testCase{
9076 testType: serverTest,
9077 name: "TLS13-ClientFinished",
9078 config: Config{
9079 MaxVersion: VersionTLS13,
9080 },
9081 },
9082 })
9083
9084 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9085}
9086
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9087func addWrongMessageTypeTests() {
9088 for _, t := range makePerMessageTests() {
9089 t.test.name = "WrongMessageType-" + t.test.name
9090 t.test.config.Bugs.SendWrongMessageType = t.messageType
9091 t.test.shouldFail = true
9092 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9093 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9094
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9095 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9096 // In TLS 1.3, a bad ServerHello means the client sends
9097 // an unencrypted alert while the server expects
9098 // encryption, so the alert is not readable by runner.
9099 t.test.expectedLocalError = "local error: bad record MAC"
9100 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9101
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9102 testCases = append(testCases, t.test)
9103 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9104}
9105
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9106func addTrailingMessageDataTests() {
9107 for _, t := range makePerMessageTests() {
9108 t.test.name = "TrailingMessageData-" + t.test.name
9109 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9110 t.test.shouldFail = true
9111 t.test.expectedError = ":DECODE_ERROR:"
9112 t.test.expectedLocalError = "remote error: error decoding message"
9113
9114 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9115 // In TLS 1.3, a bad ServerHello means the client sends
9116 // an unencrypted alert while the server expects
9117 // encryption, so the alert is not readable by runner.
9118 t.test.expectedLocalError = "local error: bad record MAC"
9119 }
9120
9121 if t.messageType == typeFinished {
9122 // Bad Finished messages read as the verify data having
9123 // the wrong length.
9124 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9125 t.test.expectedLocalError = "remote error: error decrypting message"
9126 }
9127
9128 testCases = append(testCases, t.test)
9129 }
9130}
9131
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9132func addTLS13HandshakeTests() {
9133 testCases = append(testCases, testCase{
9134 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9135 name: "NegotiatePSKResumption-TLS13",
9136 config: Config{
9137 MaxVersion: VersionTLS13,
9138 Bugs: ProtocolBugs{
9139 NegotiatePSKResumption: true,
9140 },
9141 },
9142 resumeSession: true,
9143 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9144 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9145 })
9146
9147 testCases = append(testCases, testCase{
9148 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9149 name: "MissingKeyShare-Client",
9150 config: Config{
9151 MaxVersion: VersionTLS13,
9152 Bugs: ProtocolBugs{
9153 MissingKeyShare: true,
9154 },
9155 },
9156 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9157 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9158 })
9159
9160 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9161 testType: serverTest,
9162 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9163 config: Config{
9164 MaxVersion: VersionTLS13,
9165 Bugs: ProtocolBugs{
9166 MissingKeyShare: true,
9167 },
9168 },
9169 shouldFail: true,
9170 expectedError: ":MISSING_KEY_SHARE:",
9171 })
9172
9173 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9174 testType: serverTest,
9175 name: "DuplicateKeyShares",
9176 config: Config{
9177 MaxVersion: VersionTLS13,
9178 Bugs: ProtocolBugs{
9179 DuplicateKeyShares: true,
9180 },
9181 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9182 shouldFail: true,
9183 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9184 })
9185
9186 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9187 testType: serverTest,
9188 name: "SkipEarlyData",
9189 config: Config{
9190 MaxVersion: VersionTLS13,
9191 Bugs: ProtocolBugs{
9192 SendEarlyDataLength: 4,
9193 },
9194 },
9195 })
9196
9197 testCases = append(testCases, testCase{
9198 testType: serverTest,
9199 name: "SkipEarlyData-OmitEarlyDataExtension",
9200 config: Config{
9201 MaxVersion: VersionTLS13,
9202 Bugs: ProtocolBugs{
9203 SendEarlyDataLength: 4,
9204 OmitEarlyDataExtension: true,
9205 },
9206 },
9207 shouldFail: true,
9208 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9209 })
9210
9211 testCases = append(testCases, testCase{
9212 testType: serverTest,
9213 name: "SkipEarlyData-TooMuchData",
9214 config: Config{
9215 MaxVersion: VersionTLS13,
9216 Bugs: ProtocolBugs{
9217 SendEarlyDataLength: 16384 + 1,
9218 },
9219 },
9220 shouldFail: true,
9221 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9222 })
9223
9224 testCases = append(testCases, testCase{
9225 testType: serverTest,
9226 name: "SkipEarlyData-Interleaved",
9227 config: Config{
9228 MaxVersion: VersionTLS13,
9229 Bugs: ProtocolBugs{
9230 SendEarlyDataLength: 4,
9231 InterleaveEarlyData: true,
9232 },
9233 },
9234 shouldFail: true,
9235 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9236 })
9237
9238 testCases = append(testCases, testCase{
9239 testType: serverTest,
9240 name: "SkipEarlyData-EarlyDataInTLS12",
9241 config: Config{
9242 MaxVersion: VersionTLS13,
9243 Bugs: ProtocolBugs{
9244 SendEarlyDataLength: 4,
9245 },
9246 },
9247 shouldFail: true,
9248 expectedError: ":UNEXPECTED_RECORD:",
9249 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9250 })
9251
9252 testCases = append(testCases, testCase{
9253 testType: serverTest,
9254 name: "SkipEarlyData-HRR",
9255 config: Config{
9256 MaxVersion: VersionTLS13,
9257 Bugs: ProtocolBugs{
9258 SendEarlyDataLength: 4,
9259 },
9260 DefaultCurves: []CurveID{},
9261 },
9262 })
9263
9264 testCases = append(testCases, testCase{
9265 testType: serverTest,
9266 name: "SkipEarlyData-HRR-Interleaved",
9267 config: Config{
9268 MaxVersion: VersionTLS13,
9269 Bugs: ProtocolBugs{
9270 SendEarlyDataLength: 4,
9271 InterleaveEarlyData: true,
9272 },
9273 DefaultCurves: []CurveID{},
9274 },
9275 shouldFail: true,
9276 expectedError: ":UNEXPECTED_RECORD:",
9277 })
9278
9279 testCases = append(testCases, testCase{
9280 testType: serverTest,
9281 name: "SkipEarlyData-HRR-TooMuchData",
9282 config: Config{
9283 MaxVersion: VersionTLS13,
9284 Bugs: ProtocolBugs{
9285 SendEarlyDataLength: 16384 + 1,
9286 },
9287 DefaultCurves: []CurveID{},
9288 },
9289 shouldFail: true,
9290 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9291 })
9292
9293 // Test that skipping early data looking for cleartext correctly
9294 // processes an alert record.
9295 testCases = append(testCases, testCase{
9296 testType: serverTest,
9297 name: "SkipEarlyData-HRR-FatalAlert",
9298 config: Config{
9299 MaxVersion: VersionTLS13,
9300 Bugs: ProtocolBugs{
9301 SendEarlyAlert: true,
9302 SendEarlyDataLength: 4,
9303 },
9304 DefaultCurves: []CurveID{},
9305 },
9306 shouldFail: true,
9307 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9308 })
9309
9310 testCases = append(testCases, testCase{
9311 testType: serverTest,
9312 name: "SkipEarlyData-SecondClientHelloEarlyData",
9313 config: Config{
9314 MaxVersion: VersionTLS13,
9315 Bugs: ProtocolBugs{
9316 SendEarlyDataOnSecondClientHello: true,
9317 },
9318 DefaultCurves: []CurveID{},
9319 },
9320 shouldFail: true,
9321 expectedLocalError: "remote error: bad record MAC",
9322 })
9323
9324 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9325 testType: clientTest,
9326 name: "EmptyEncryptedExtensions",
9327 config: Config{
9328 MaxVersion: VersionTLS13,
9329 Bugs: ProtocolBugs{
9330 EmptyEncryptedExtensions: true,
9331 },
9332 },
9333 shouldFail: true,
9334 expectedLocalError: "remote error: error decoding message",
9335 })
9336
9337 testCases = append(testCases, testCase{
9338 testType: clientTest,
9339 name: "EncryptedExtensionsWithKeyShare",
9340 config: Config{
9341 MaxVersion: VersionTLS13,
9342 Bugs: ProtocolBugs{
9343 EncryptedExtensionsWithKeyShare: true,
9344 },
9345 },
9346 shouldFail: true,
9347 expectedLocalError: "remote error: unsupported extension",
9348 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9349
9350 testCases = append(testCases, testCase{
9351 testType: serverTest,
9352 name: "SendHelloRetryRequest",
9353 config: Config{
9354 MaxVersion: VersionTLS13,
9355 // Require a HelloRetryRequest for every curve.
9356 DefaultCurves: []CurveID{},
9357 },
9358 expectedCurveID: CurveX25519,
9359 })
9360
9361 testCases = append(testCases, testCase{
9362 testType: serverTest,
9363 name: "SendHelloRetryRequest-2",
9364 config: Config{
9365 MaxVersion: VersionTLS13,
9366 DefaultCurves: []CurveID{CurveP384},
9367 },
9368 // Although the ClientHello did not predict our preferred curve,
9369 // we always select it whether it is predicted or not.
9370 expectedCurveID: CurveX25519,
9371 })
9372
9373 testCases = append(testCases, testCase{
9374 name: "UnknownCurve-HelloRetryRequest",
9375 config: Config{
9376 MaxVersion: VersionTLS13,
9377 // P-384 requires HelloRetryRequest in BoringSSL.
9378 CurvePreferences: []CurveID{CurveP384},
9379 Bugs: ProtocolBugs{
9380 SendHelloRetryRequestCurve: bogusCurve,
9381 },
9382 },
9383 shouldFail: true,
9384 expectedError: ":WRONG_CURVE:",
9385 })
9386
9387 testCases = append(testCases, testCase{
9388 name: "DisabledCurve-HelloRetryRequest",
9389 config: Config{
9390 MaxVersion: VersionTLS13,
9391 CurvePreferences: []CurveID{CurveP256},
9392 Bugs: ProtocolBugs{
9393 IgnorePeerCurvePreferences: true,
9394 },
9395 },
9396 flags: []string{"-p384-only"},
9397 shouldFail: true,
9398 expectedError: ":WRONG_CURVE:",
9399 })
9400
9401 testCases = append(testCases, testCase{
9402 name: "UnnecessaryHelloRetryRequest",
9403 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9404 MaxVersion: VersionTLS13,
9405 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9406 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9407 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9408 },
9409 },
9410 shouldFail: true,
9411 expectedError: ":WRONG_CURVE:",
9412 })
9413
9414 testCases = append(testCases, testCase{
9415 name: "SecondHelloRetryRequest",
9416 config: Config{
9417 MaxVersion: VersionTLS13,
9418 // P-384 requires HelloRetryRequest in BoringSSL.
9419 CurvePreferences: []CurveID{CurveP384},
9420 Bugs: ProtocolBugs{
9421 SecondHelloRetryRequest: true,
9422 },
9423 },
9424 shouldFail: true,
9425 expectedError: ":UNEXPECTED_MESSAGE:",
9426 })
9427
9428 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9429 name: "HelloRetryRequest-Empty",
9430 config: Config{
9431 MaxVersion: VersionTLS13,
9432 Bugs: ProtocolBugs{
9433 AlwaysSendHelloRetryRequest: true,
9434 },
9435 },
9436 shouldFail: true,
9437 expectedError: ":DECODE_ERROR:",
9438 })
9439
9440 testCases = append(testCases, testCase{
9441 name: "HelloRetryRequest-DuplicateCurve",
9442 config: Config{
9443 MaxVersion: VersionTLS13,
9444 // P-384 requires a HelloRetryRequest against BoringSSL's default
9445 // configuration. Assert this ExpectMissingKeyShare.
9446 CurvePreferences: []CurveID{CurveP384},
9447 Bugs: ProtocolBugs{
9448 ExpectMissingKeyShare: true,
9449 DuplicateHelloRetryRequestExtensions: true,
9450 },
9451 },
9452 shouldFail: true,
9453 expectedError: ":DUPLICATE_EXTENSION:",
9454 expectedLocalError: "remote error: illegal parameter",
9455 })
9456
9457 testCases = append(testCases, testCase{
9458 name: "HelloRetryRequest-Cookie",
9459 config: Config{
9460 MaxVersion: VersionTLS13,
9461 Bugs: ProtocolBugs{
9462 SendHelloRetryRequestCookie: []byte("cookie"),
9463 },
9464 },
9465 })
9466
9467 testCases = append(testCases, testCase{
9468 name: "HelloRetryRequest-DuplicateCookie",
9469 config: Config{
9470 MaxVersion: VersionTLS13,
9471 Bugs: ProtocolBugs{
9472 SendHelloRetryRequestCookie: []byte("cookie"),
9473 DuplicateHelloRetryRequestExtensions: true,
9474 },
9475 },
9476 shouldFail: true,
9477 expectedError: ":DUPLICATE_EXTENSION:",
9478 expectedLocalError: "remote error: illegal parameter",
9479 })
9480
9481 testCases = append(testCases, testCase{
9482 name: "HelloRetryRequest-EmptyCookie",
9483 config: Config{
9484 MaxVersion: VersionTLS13,
9485 Bugs: ProtocolBugs{
9486 SendHelloRetryRequestCookie: []byte{},
9487 },
9488 },
9489 shouldFail: true,
9490 expectedError: ":DECODE_ERROR:",
9491 })
9492
9493 testCases = append(testCases, testCase{
9494 name: "HelloRetryRequest-Cookie-Curve",
9495 config: Config{
9496 MaxVersion: VersionTLS13,
9497 // P-384 requires HelloRetryRequest in BoringSSL.
9498 CurvePreferences: []CurveID{CurveP384},
9499 Bugs: ProtocolBugs{
9500 SendHelloRetryRequestCookie: []byte("cookie"),
9501 ExpectMissingKeyShare: true,
9502 },
9503 },
9504 })
9505
9506 testCases = append(testCases, testCase{
9507 name: "HelloRetryRequest-Unknown",
9508 config: Config{
9509 MaxVersion: VersionTLS13,
9510 Bugs: ProtocolBugs{
9511 CustomHelloRetryRequestExtension: "extension",
9512 },
9513 },
9514 shouldFail: true,
9515 expectedError: ":UNEXPECTED_EXTENSION:",
9516 expectedLocalError: "remote error: unsupported extension",
9517 })
9518
9519 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9520 testType: serverTest,
9521 name: "SecondClientHelloMissingKeyShare",
9522 config: Config{
9523 MaxVersion: VersionTLS13,
9524 DefaultCurves: []CurveID{},
9525 Bugs: ProtocolBugs{
9526 SecondClientHelloMissingKeyShare: true,
9527 },
9528 },
9529 shouldFail: true,
9530 expectedError: ":MISSING_KEY_SHARE:",
9531 })
9532
9533 testCases = append(testCases, testCase{
9534 testType: serverTest,
9535 name: "SecondClientHelloWrongCurve",
9536 config: Config{
9537 MaxVersion: VersionTLS13,
9538 DefaultCurves: []CurveID{},
9539 Bugs: ProtocolBugs{
9540 MisinterpretHelloRetryRequestCurve: CurveP521,
9541 },
9542 },
9543 shouldFail: true,
9544 expectedError: ":WRONG_CURVE:",
9545 })
9546
9547 testCases = append(testCases, testCase{
9548 name: "HelloRetryRequestVersionMismatch",
9549 config: Config{
9550 MaxVersion: VersionTLS13,
9551 // P-384 requires HelloRetryRequest in BoringSSL.
9552 CurvePreferences: []CurveID{CurveP384},
9553 Bugs: ProtocolBugs{
9554 SendServerHelloVersion: 0x0305,
9555 },
9556 },
9557 shouldFail: true,
9558 expectedError: ":WRONG_VERSION_NUMBER:",
9559 })
9560
9561 testCases = append(testCases, testCase{
9562 name: "HelloRetryRequestCurveMismatch",
9563 config: Config{
9564 MaxVersion: VersionTLS13,
9565 // P-384 requires HelloRetryRequest in BoringSSL.
9566 CurvePreferences: []CurveID{CurveP384},
9567 Bugs: ProtocolBugs{
9568 // Send P-384 (correct) in the HelloRetryRequest.
9569 SendHelloRetryRequestCurve: CurveP384,
9570 // But send P-256 in the ServerHello.
9571 SendCurve: CurveP256,
9572 },
9573 },
9574 shouldFail: true,
9575 expectedError: ":WRONG_CURVE:",
9576 })
9577
9578 // Test the server selecting a curve that requires a HelloRetryRequest
9579 // without sending it.
9580 testCases = append(testCases, testCase{
9581 name: "SkipHelloRetryRequest",
9582 config: Config{
9583 MaxVersion: VersionTLS13,
9584 // P-384 requires HelloRetryRequest in BoringSSL.
9585 CurvePreferences: []CurveID{CurveP384},
9586 Bugs: ProtocolBugs{
9587 SkipHelloRetryRequest: true,
9588 },
9589 },
9590 shouldFail: true,
9591 expectedError: ":WRONG_CURVE:",
9592 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9593
9594 testCases = append(testCases, testCase{
9595 name: "TLS13-RequestContextInHandshake",
9596 config: Config{
9597 MaxVersion: VersionTLS13,
9598 MinVersion: VersionTLS13,
9599 ClientAuth: RequireAnyClientCert,
9600 Bugs: ProtocolBugs{
9601 SendRequestContext: []byte("request context"),
9602 },
9603 },
9604 flags: []string{
9605 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9606 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9607 },
9608 shouldFail: true,
9609 expectedError: ":DECODE_ERROR:",
9610 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9611
9612 testCases = append(testCases, testCase{
9613 testType: serverTest,
9614 name: "TLS13-TrailingKeyShareData",
9615 config: Config{
9616 MaxVersion: VersionTLS13,
9617 Bugs: ProtocolBugs{
9618 TrailingKeyShareData: true,
9619 },
9620 },
9621 shouldFail: true,
9622 expectedError: ":DECODE_ERROR:",
9623 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9624
9625 testCases = append(testCases, testCase{
9626 name: "TLS13-AlwaysSelectPSKIdentity",
9627 config: Config{
9628 MaxVersion: VersionTLS13,
9629 Bugs: ProtocolBugs{
9630 AlwaysSelectPSKIdentity: true,
9631 },
9632 },
9633 shouldFail: true,
9634 expectedError: ":UNEXPECTED_EXTENSION:",
9635 })
9636
9637 testCases = append(testCases, testCase{
9638 name: "TLS13-InvalidPSKIdentity",
9639 config: Config{
9640 MaxVersion: VersionTLS13,
9641 Bugs: ProtocolBugs{
9642 SelectPSKIdentityOnResume: 1,
9643 },
9644 },
9645 resumeSession: true,
9646 shouldFail: true,
9647 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9648 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9649
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9650 testCases = append(testCases, testCase{
9651 testType: serverTest,
9652 name: "TLS13-ExtraPSKIdentity",
9653 config: Config{
9654 MaxVersion: VersionTLS13,
9655 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9656 ExtraPSKIdentity: true,
9657 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9658 },
9659 },
9660 resumeSession: true,
9661 })
9662
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9663 // Test that unknown NewSessionTicket extensions are tolerated.
9664 testCases = append(testCases, testCase{
9665 name: "TLS13-CustomTicketExtension",
9666 config: Config{
9667 MaxVersion: VersionTLS13,
9668 Bugs: ProtocolBugs{
9669 CustomTicketExtension: "1234",
9670 },
9671 },
9672 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9673}
9674
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]9675func addTLS13CipherPreferenceTests() {
9676 // Test that client preference is honored if the shim has AES hardware
9677 // and ChaCha20-Poly1305 is preferred otherwise.
9678 testCases = append(testCases, testCase{
9679 testType: serverTest,
9680 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
9681 config: Config{
9682 MaxVersion: VersionTLS13,
9683 CipherSuites: []uint16{
9684 TLS_CHACHA20_POLY1305_SHA256,
9685 TLS_AES_128_GCM_SHA256,
9686 },
9687 },
9688 flags: []string{
9689 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9690 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9691 },
9692 })
9693
9694 testCases = append(testCases, testCase{
9695 testType: serverTest,
9696 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
9697 config: Config{
9698 MaxVersion: VersionTLS13,
9699 CipherSuites: []uint16{
9700 TLS_AES_128_GCM_SHA256,
9701 TLS_CHACHA20_POLY1305_SHA256,
9702 },
9703 },
9704 flags: []string{
9705 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9706 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9707 },
9708 })
9709
9710 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
9711 // whether it has AES hardware.
9712 testCases = append(testCases, testCase{
9713 name: "TLS13-CipherPreference-Client",
9714 config: Config{
9715 MaxVersion: VersionTLS13,
9716 // Use the client cipher order. (This is the default but
9717 // is listed to be explicit.)
9718 PreferServerCipherSuites: false,
9719 },
9720 flags: []string{
9721 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9722 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9723 },
9724 })
9725}
9726
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9727func addPeekTests() {
9728 // Test SSL_peek works, including on empty records.
9729 testCases = append(testCases, testCase{
9730 name: "Peek-Basic",
9731 sendEmptyRecords: 1,
9732 flags: []string{"-peek-then-read"},
9733 })
9734
9735 // Test SSL_peek can drive the initial handshake.
9736 testCases = append(testCases, testCase{
9737 name: "Peek-ImplicitHandshake",
9738 flags: []string{
9739 "-peek-then-read",
9740 "-implicit-handshake",
9741 },
9742 })
9743
9744 // Test SSL_peek can discover and drive a renegotiation.
9745 testCases = append(testCases, testCase{
9746 name: "Peek-Renegotiate",
9747 config: Config{
9748 MaxVersion: VersionTLS12,
9749 },
9750 renegotiate: 1,
9751 flags: []string{
9752 "-peek-then-read",
9753 "-renegotiate-freely",
9754 "-expect-total-renegotiations", "1",
9755 },
9756 })
9757
9758 // Test SSL_peek can discover a close_notify.
9759 testCases = append(testCases, testCase{
9760 name: "Peek-Shutdown",
9761 config: Config{
9762 Bugs: ProtocolBugs{
9763 ExpectCloseNotify: true,
9764 },
9765 },
9766 flags: []string{
9767 "-peek-then-read",
9768 "-check-close-notify",
9769 },
9770 })
9771
9772 // Test SSL_peek can discover an alert.
9773 testCases = append(testCases, testCase{
9774 name: "Peek-Alert",
9775 config: Config{
9776 Bugs: ProtocolBugs{
9777 SendSpuriousAlert: alertRecordOverflow,
9778 },
9779 },
9780 flags: []string{"-peek-then-read"},
9781 shouldFail: true,
9782 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
9783 })
9784
9785 // Test SSL_peek can handle KeyUpdate.
9786 testCases = append(testCases, testCase{
9787 name: "Peek-KeyUpdate",
9788 config: Config{
9789 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9790 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]9791 sendKeyUpdates: 1,
9792 keyUpdateRequest: keyUpdateNotRequested,
9793 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9794 })
9795}
9796
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]9797func addRecordVersionTests() {
9798 for _, ver := range tlsVersions {
9799 // Test that the record version is enforced.
9800 testCases = append(testCases, testCase{
9801 name: "CheckRecordVersion-" + ver.name,
9802 config: Config{
9803 MinVersion: ver.version,
9804 MaxVersion: ver.version,
9805 Bugs: ProtocolBugs{
9806 SendRecordVersion: 0x03ff,
9807 },
9808 },
9809 shouldFail: true,
9810 expectedError: ":WRONG_VERSION_NUMBER:",
9811 })
9812
9813 // Test that the ClientHello may use any record version, for
9814 // compatibility reasons.
9815 testCases = append(testCases, testCase{
9816 testType: serverTest,
9817 name: "LooseInitialRecordVersion-" + ver.name,
9818 config: Config{
9819 MinVersion: ver.version,
9820 MaxVersion: ver.version,
9821 Bugs: ProtocolBugs{
9822 SendInitialRecordVersion: 0x03ff,
9823 },
9824 },
9825 })
9826
9827 // Test that garbage ClientHello record versions are rejected.
9828 testCases = append(testCases, testCase{
9829 testType: serverTest,
9830 name: "GarbageInitialRecordVersion-" + ver.name,
9831 config: Config{
9832 MinVersion: ver.version,
9833 MaxVersion: ver.version,
9834 Bugs: ProtocolBugs{
9835 SendInitialRecordVersion: 0xffff,
9836 },
9837 },
9838 shouldFail: true,
9839 expectedError: ":WRONG_VERSION_NUMBER:",
9840 })
9841 }
9842}
9843
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9844func addCertificateTests() {
9845 // Test that a certificate chain with intermediate may be sent and
9846 // received as both client and server.
9847 for _, ver := range tlsVersions {
9848 testCases = append(testCases, testCase{
9849 testType: clientTest,
9850 name: "SendReceiveIntermediate-Client-" + ver.name,
9851 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9852 MinVersion: ver.version,
9853 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9854 Certificates: []Certificate{rsaChainCertificate},
9855 ClientAuth: RequireAnyClientCert,
9856 },
9857 expectPeerCertificate: &rsaChainCertificate,
9858 flags: []string{
9859 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9860 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9861 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9862 },
9863 })
9864
9865 testCases = append(testCases, testCase{
9866 testType: serverTest,
9867 name: "SendReceiveIntermediate-Server-" + ver.name,
9868 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9869 MinVersion: ver.version,
9870 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9871 Certificates: []Certificate{rsaChainCertificate},
9872 },
9873 expectPeerCertificate: &rsaChainCertificate,
9874 flags: []string{
9875 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9876 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9877 "-require-any-client-certificate",
9878 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9879 },
9880 })
9881 }
9882}
9883
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]9884func addRetainOnlySHA256ClientCertTests() {
9885 for _, ver := range tlsVersions {
9886 // Test that enabling
9887 // SSL_CTX_set_retain_only_sha256_of_client_certs without
9888 // actually requesting a client certificate is a no-op.
9889 testCases = append(testCases, testCase{
9890 testType: serverTest,
9891 name: "RetainOnlySHA256-NoCert-" + ver.name,
9892 config: Config{
9893 MinVersion: ver.version,
9894 MaxVersion: ver.version,
9895 },
9896 flags: []string{
9897 "-retain-only-sha256-client-cert-initial",
9898 "-retain-only-sha256-client-cert-resume",
9899 },
9900 resumeSession: true,
9901 })
9902
9903 // Test that when retaining only a SHA-256 certificate is
9904 // enabled, the hash appears as expected.
9905 testCases = append(testCases, testCase{
9906 testType: serverTest,
9907 name: "RetainOnlySHA256-Cert-" + ver.name,
9908 config: Config{
9909 MinVersion: ver.version,
9910 MaxVersion: ver.version,
9911 Certificates: []Certificate{rsaCertificate},
9912 },
9913 flags: []string{
9914 "-verify-peer",
9915 "-retain-only-sha256-client-cert-initial",
9916 "-retain-only-sha256-client-cert-resume",
9917 "-expect-sha256-client-cert-initial",
9918 "-expect-sha256-client-cert-resume",
9919 },
9920 resumeSession: true,
9921 })
9922
9923 // Test that when the config changes from on to off, a
9924 // resumption is rejected because the server now wants the full
9925 // certificate chain.
9926 testCases = append(testCases, testCase{
9927 testType: serverTest,
9928 name: "RetainOnlySHA256-OnOff-" + ver.name,
9929 config: Config{
9930 MinVersion: ver.version,
9931 MaxVersion: ver.version,
9932 Certificates: []Certificate{rsaCertificate},
9933 },
9934 flags: []string{
9935 "-verify-peer",
9936 "-retain-only-sha256-client-cert-initial",
9937 "-expect-sha256-client-cert-initial",
9938 },
9939 resumeSession: true,
9940 expectResumeRejected: true,
9941 })
9942
9943 // Test that when the config changes from off to on, a
9944 // resumption is rejected because the server now wants just the
9945 // hash.
9946 testCases = append(testCases, testCase{
9947 testType: serverTest,
9948 name: "RetainOnlySHA256-OffOn-" + ver.name,
9949 config: Config{
9950 MinVersion: ver.version,
9951 MaxVersion: ver.version,
9952 Certificates: []Certificate{rsaCertificate},
9953 },
9954 flags: []string{
9955 "-verify-peer",
9956 "-retain-only-sha256-client-cert-resume",
9957 "-expect-sha256-client-cert-resume",
9958 },
9959 resumeSession: true,
9960 expectResumeRejected: true,
9961 })
9962 }
9963}
9964
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]9965func addECDSAKeyUsageTests() {
9966 p256 := elliptic.P256()
9967 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
9968 if err != nil {
9969 panic(err)
9970 }
9971
9972 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
9973 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
9974 if err != nil {
9975 panic(err)
9976 }
9977
9978 template := x509.Certificate{
9979 SerialNumber: serialNumber,
9980 Subject: pkix.Name{
9981 Organization: []string{"Acme Co"},
9982 },
9983 NotBefore: time.Now(),
9984 NotAfter: time.Now(),
9985
9986 // An ECC certificate with only the keyAgreement key usgae may
9987 // be used with ECDH, but not ECDSA.
9988 KeyUsage: x509.KeyUsageKeyAgreement,
9989 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
9990 BasicConstraintsValid: true,
9991 }
9992
9993 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
9994 if err != nil {
9995 panic(err)
9996 }
9997
9998 cert := Certificate{
9999 Certificate: [][]byte{derBytes},
10000 PrivateKey: priv,
10001 }
10002
10003 for _, ver := range tlsVersions {
10004 if ver.version < VersionTLS12 {
10005 continue
10006 }
10007
10008 testCases = append(testCases, testCase{
10009 testType: clientTest,
10010 name: "ECDSAKeyUsage-" + ver.name,
10011 config: Config{
10012 MinVersion: ver.version,
10013 MaxVersion: ver.version,
10014 Certificates: []Certificate{cert},
10015 },
10016 shouldFail: true,
10017 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10018 })
10019 }
10020}
10021
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10022func addShortHeaderTests() {
10023 // The short header extension may be negotiated as either client or
10024 // server.
10025 testCases = append(testCases, testCase{
10026 name: "ShortHeader-Client",
10027 config: Config{
10028 MaxVersion: VersionTLS13,
10029 Bugs: ProtocolBugs{
10030 EnableShortHeader: true,
10031 },
10032 },
10033 flags: []string{"-enable-short-header"},
10034 expectShortHeader: true,
10035 })
10036 testCases = append(testCases, testCase{
10037 testType: serverTest,
10038 name: "ShortHeader-Server",
10039 config: Config{
10040 MaxVersion: VersionTLS13,
10041 Bugs: ProtocolBugs{
10042 EnableShortHeader: true,
10043 },
10044 },
10045 flags: []string{"-enable-short-header"},
10046 expectShortHeader: true,
10047 })
10048
10049 // If the peer doesn't support it, it will not be negotiated.
10050 testCases = append(testCases, testCase{
10051 name: "ShortHeader-No-Yes-Client",
10052 config: Config{
10053 MaxVersion: VersionTLS13,
10054 },
10055 flags: []string{"-enable-short-header"},
10056 })
10057 testCases = append(testCases, testCase{
10058 testType: serverTest,
10059 name: "ShortHeader-No-Yes-Server",
10060 config: Config{
10061 MaxVersion: VersionTLS13,
10062 },
10063 flags: []string{"-enable-short-header"},
10064 })
10065
10066 // If we don't support it, it will not be negotiated.
10067 testCases = append(testCases, testCase{
10068 name: "ShortHeader-Yes-No-Client",
10069 config: Config{
10070 MaxVersion: VersionTLS13,
10071 Bugs: ProtocolBugs{
10072 EnableShortHeader: true,
10073 },
10074 },
10075 })
10076 testCases = append(testCases, testCase{
10077 testType: serverTest,
10078 name: "ShortHeader-Yes-No-Server",
10079 config: Config{
10080 MaxVersion: VersionTLS13,
10081 Bugs: ProtocolBugs{
10082 EnableShortHeader: true,
10083 },
10084 },
10085 })
10086
10087 // It will not be negotiated at TLS 1.2.
10088 testCases = append(testCases, testCase{
10089 name: "ShortHeader-TLS12-Client",
10090 config: Config{
10091 MaxVersion: VersionTLS12,
10092 Bugs: ProtocolBugs{
10093 EnableShortHeader: true,
10094 },
10095 },
10096 flags: []string{"-enable-short-header"},
10097 })
10098 testCases = append(testCases, testCase{
10099 testType: serverTest,
10100 name: "ShortHeader-TLS12-Server",
10101 config: Config{
10102 MaxVersion: VersionTLS12,
10103 Bugs: ProtocolBugs{
10104 EnableShortHeader: true,
10105 },
10106 },
10107 flags: []string{"-enable-short-header"},
10108 })
10109
10110 // Servers reject early data and short header sent together.
10111 testCases = append(testCases, testCase{
10112 testType: serverTest,
10113 name: "ShortHeader-EarlyData",
10114 config: Config{
10115 MaxVersion: VersionTLS13,
10116 Bugs: ProtocolBugs{
10117 EnableShortHeader: true,
10118 SendEarlyDataLength: 1,
10119 },
10120 },
10121 flags: []string{"-enable-short-header"},
10122 shouldFail: true,
10123 expectedError: ":UNEXPECTED_EXTENSION:",
10124 })
10125
10126 // Clients reject unsolicited short header extensions.
10127 testCases = append(testCases, testCase{
10128 name: "ShortHeader-Unsolicited",
10129 config: Config{
10130 MaxVersion: VersionTLS13,
10131 Bugs: ProtocolBugs{
10132 AlwaysNegotiateShortHeader: true,
10133 },
10134 },
10135 shouldFail: true,
10136 expectedError: ":UNEXPECTED_EXTENSION:",
10137 })
10138 testCases = append(testCases, testCase{
10139 name: "ShortHeader-Unsolicited-TLS12",
10140 config: Config{
10141 MaxVersion: VersionTLS12,
10142 Bugs: ProtocolBugs{
10143 AlwaysNegotiateShortHeader: true,
10144 },
10145 },
10146 shouldFail: true,
10147 expectedError: ":UNEXPECTED_EXTENSION:",
10148 })
10149
10150 // The high bit must be checked in short headers.
10151 testCases = append(testCases, testCase{
10152 name: "ShortHeader-ClearShortHeaderBit",
10153 config: Config{
10154 Bugs: ProtocolBugs{
10155 EnableShortHeader: true,
10156 ClearShortHeaderBit: true,
10157 },
10158 },
10159 flags: []string{"-enable-short-header"},
10160 shouldFail: true,
10161 expectedError: ":DECODE_ERROR:",
10162 expectedLocalError: "remote error: error decoding message",
10163 })
10164}
10165
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10166func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10167 defer wg.Done()
10168
10169 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10170 var err error
10171
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10172 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10173 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10174 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10175 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10176 if err != nil {
10177 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10178 }
10179 break
10180 }
10181 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10182 } else if *repeatUntilFailure {
10183 for err == nil {
10184 statusChan <- statusMsg{test: test, started: true}
10185 err = runTest(test, shimPath, -1)
10186 }
10187 } else {
10188 statusChan <- statusMsg{test: test, started: true}
10189 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10190 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10191 statusChan <- statusMsg{test: test, err: err}
10192 }
10193}
10194
10195type statusMsg struct {
10196 test *testCase
10197 started bool
10198 err error
10199}
10200
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10201func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10202 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10203
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10204 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10205 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10206 if !*pipe {
10207 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10208 var erase string
10209 for i := 0; i < lineLen; i++ {
10210 erase += "\b \b"
10211 }
10212 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10213 }
10214
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10215 if msg.started {
10216 started++
10217 } else {
10218 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10219
10220 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10221 if msg.err == errUnimplemented {
10222 if *pipe {
10223 // Print each test instead of a status line.
10224 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10225 }
10226 unimplemented++
10227 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10228 } else {
10229 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10230 failed++
10231 testOutput.addResult(msg.test.name, "FAIL")
10232 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10233 } else {
10234 if *pipe {
10235 // Print each test instead of a status line.
10236 fmt.Printf("PASSED (%s)\n", msg.test.name)
10237 }
10238 testOutput.addResult(msg.test.name, "PASS")
10239 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10240 }
10241
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10242 if !*pipe {
10243 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10244 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10245 lineLen = len(line)
10246 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10247 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10248 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10249
10250 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10251}
10252
10253func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10254 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10255 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10256 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10257
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10258 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10259 addCipherSuiteTests()
10260 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10261 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10262 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10263 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10264 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10265 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10266 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10267 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10268 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10269 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10270 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10271 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10272 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10273 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10274 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10275 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10276 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10277 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10278 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10279 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10280 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10281 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10282 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10283 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10284 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10285 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10286 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10287 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10288 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10289 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10290 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10291 addECDSAKeyUsageTests()
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10292 addShortHeaderTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10293
10294 var wg sync.WaitGroup
10295
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10296 statusChan := make(chan statusMsg, *numWorkers)
10297 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10298 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10299
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10300 if len(*shimConfigFile) != 0 {
10301 encoded, err := ioutil.ReadFile(*shimConfigFile)
10302 if err != nil {
10303 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10304 os.Exit(1)
10305 }
10306
10307 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10308 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10309 os.Exit(1)
10310 }
10311 }
10312
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10313 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10314
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10315 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10316 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10317 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10318 }
10319
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10320 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10321 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10322 matched := true
10323 if len(*testToRun) != 0 {
10324 var err error
10325 matched, err = filepath.Match(*testToRun, testCases[i].name)
10326 if err != nil {
10327 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10328 os.Exit(1)
10329 }
10330 }
10331
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10332 if !*includeDisabled {
10333 for pattern := range shimConfig.DisabledTests {
10334 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10335 if err != nil {
10336 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10337 os.Exit(1)
10338 }
10339
10340 if isDisabled {
10341 matched = false
10342 break
10343 }
10344 }
10345 }
10346
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10347 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10348 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10349 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10350
10351 // Only run one test if repeating until failure.
10352 if *repeatUntilFailure {
10353 break
10354 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10355 }
10356 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10357
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10358 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10359 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10360 os.Exit(1)
10361 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10362
10363 close(testChan)
10364 wg.Wait()
10365 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10366 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10367
10368 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10369
10370 if *jsonOutput != "" {
10371 if err := testOutput.writeTo(*jsonOutput); err != nil {
10372 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10373 }
10374 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10375
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10376 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10377 os.Exit(1)
10378 }
10379
10380 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10381 os.Exit(1)
10382 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10383}