blob: a5c075cb73d9e7dd992f7ee9542d4c3185e29159 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -07001// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -040013// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -070014
Adam Langleydc7e9c42015-09-29 15:21:04 -070015package runner
Adam Langley95c29f32014-06-20 12:00:00 -070016
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -040019 "crypto/ecdsa"
20 "crypto/elliptic"
David Benjamin407a10c2014-07-16 12:58:59 -040021 "crypto/x509"
David Benjamin2561dc32014-08-24 01:25:27 -040022 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -070023 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -040024 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +020025 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -070026 "flag"
27 "fmt"
28 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -070029 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -070030 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -070031 "net"
32 "os"
33 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -040034 "path"
David Benjamin17e12922016-07-28 18:04:43 -040035 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -040036 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -080037 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -070038 "strings"
39 "sync"
40 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -050041 "time"
Adam Langley95c29f32014-06-20 12:00:00 -070042)
43
Adam Langley69a01602014-11-17 17:26:55 -080044var (
EKR842ae6c2016-07-27 09:22:05 +020045 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
46 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
47 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
48 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
49 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
50 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
51 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
52 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -040053 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +020054 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
55 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
56 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
57 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
58 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
59 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
60 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
61 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +020062 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -070063 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
64 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Adam Langley69a01602014-11-17 17:26:55 -080065)
Adam Langley95c29f32014-06-20 12:00:00 -070066
EKRf71d7ed2016-08-06 13:25:12 -070067// ShimConfigurations is used with the “json” package and represents a shim
68// config file.
69type ShimConfiguration struct {
70 // DisabledTests maps from a glob-based pattern to a freeform string.
71 // The glob pattern is used to exclude tests from being run and the
72 // freeform string is unparsed but expected to explain why the test is
73 // disabled.
74 DisabledTests map[string]string
75
76 // ErrorMap maps from expected error strings to the correct error
77 // string for the shim in question. For example, it might map
78 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
79 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
80 ErrorMap map[string]string
81}
82
83var shimConfig ShimConfiguration
84
David Benjamin33863262016-07-08 17:20:12 -070085type testCert int
86
David Benjamin025b3d32014-07-01 19:53:04 -040087const (
David Benjamin33863262016-07-08 17:20:12 -070088 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -040089 testCertRSA1024
David Benjamin33863262016-07-08 17:20:12 -070090 testCertECDSAP256
91 testCertECDSAP384
92 testCertECDSAP521
93)
94
95const (
96 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -040097 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -070098 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
99 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
100 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400101)
102
103const (
David Benjamina08e49d2014-08-24 01:46:07 -0400104 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400105 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700106 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
107 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
108 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400109 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400110)
111
David Benjamin7944a9f2016-07-12 22:27:01 -0400112var (
113 rsaCertificate Certificate
114 rsa1024Certificate Certificate
115 ecdsaP256Certificate Certificate
116 ecdsaP384Certificate Certificate
117 ecdsaP521Certificate Certificate
118)
David Benjamin33863262016-07-08 17:20:12 -0700119
120var testCerts = []struct {
121 id testCert
122 certFile, keyFile string
123 cert *Certificate
124}{
125 {
126 id: testCertRSA,
127 certFile: rsaCertificateFile,
128 keyFile: rsaKeyFile,
129 cert: &rsaCertificate,
130 },
131 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400132 id: testCertRSA1024,
133 certFile: rsa1024CertificateFile,
134 keyFile: rsa1024KeyFile,
135 cert: &rsa1024Certificate,
136 },
137 {
David Benjamin33863262016-07-08 17:20:12 -0700138 id: testCertECDSAP256,
139 certFile: ecdsaP256CertificateFile,
140 keyFile: ecdsaP256KeyFile,
141 cert: &ecdsaP256Certificate,
142 },
143 {
144 id: testCertECDSAP384,
145 certFile: ecdsaP384CertificateFile,
146 keyFile: ecdsaP384KeyFile,
147 cert: &ecdsaP384Certificate,
148 },
149 {
150 id: testCertECDSAP521,
151 certFile: ecdsaP521CertificateFile,
152 keyFile: ecdsaP521KeyFile,
153 cert: &ecdsaP521Certificate,
154 },
155}
156
David Benjamina08e49d2014-08-24 01:46:07 -0400157var channelIDKey *ecdsa.PrivateKey
158var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700159
David Benjamin61f95272014-11-25 01:55:35 -0500160var testOCSPResponse = []byte{1, 2, 3, 4}
161var testSCTList = []byte{5, 6, 7, 8}
162
Adam Langley95c29f32014-06-20 12:00:00 -0700163func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700164 for i := range testCerts {
165 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
166 if err != nil {
167 panic(err)
168 }
169 cert.OCSPStaple = testOCSPResponse
170 cert.SignedCertificateTimestampList = testSCTList
171 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700172 }
David Benjamina08e49d2014-08-24 01:46:07 -0400173
Adam Langley7c803a62015-06-15 15:35:05 -0700174 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400175 if err != nil {
176 panic(err)
177 }
178 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
179 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
180 panic("bad key type")
181 }
182 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
183 if err != nil {
184 panic(err)
185 }
186 if channelIDKey.Curve != elliptic.P256() {
187 panic("bad curve")
188 }
189
190 channelIDBytes = make([]byte, 64)
191 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
192 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700193}
194
David Benjamin33863262016-07-08 17:20:12 -0700195func getRunnerCertificate(t testCert) Certificate {
196 for _, cert := range testCerts {
197 if cert.id == t {
198 return *cert.cert
199 }
200 }
201 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700202}
203
David Benjamin33863262016-07-08 17:20:12 -0700204func getShimCertificate(t testCert) string {
205 for _, cert := range testCerts {
206 if cert.id == t {
207 return cert.certFile
208 }
209 }
210 panic("Unknown test certificate")
211}
212
213func getShimKey(t testCert) string {
214 for _, cert := range testCerts {
215 if cert.id == t {
216 return cert.keyFile
217 }
218 }
219 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700220}
221
David Benjamin025b3d32014-07-01 19:53:04 -0400222type testType int
223
224const (
225 clientTest testType = iota
226 serverTest
227)
228
David Benjamin6fd297b2014-08-11 18:43:38 -0400229type protocol int
230
231const (
232 tls protocol = iota
233 dtls
234)
235
David Benjaminfc7b0862014-09-06 13:21:53 -0400236const (
237 alpn = 1
238 npn = 2
239)
240
Adam Langley95c29f32014-06-20 12:00:00 -0700241type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400242 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400243 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700244 name string
245 config Config
246 shouldFail bool
247 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700248 // expectedLocalError, if not empty, contains a substring that must be
249 // found in the local error.
250 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400251 // expectedVersion, if non-zero, specifies the TLS version that must be
252 // negotiated.
253 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400254 // expectedResumeVersion, if non-zero, specifies the TLS version that
255 // must be negotiated on resumption. If zero, expectedVersion is used.
256 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400257 // expectedCipher, if non-zero, specifies the TLS cipher suite that
258 // should be negotiated.
259 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400260 // expectChannelID controls whether the connection should have
261 // negotiated a Channel ID with channelIDKey.
262 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400263 // expectedNextProto controls whether the connection should
264 // negotiate a next protocol via NPN or ALPN.
265 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400266 // expectNoNextProto, if true, means that no next protocol should be
267 // negotiated.
268 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400269 // expectedNextProtoType, if non-zero, is the expected next
270 // protocol negotiation mechanism.
271 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500272 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
273 // should be negotiated. If zero, none should be negotiated.
274 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100275 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
276 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100277 // expectedSCTList, if not nil, is the expected SCT list to be received.
278 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700279 // expectedPeerSignatureAlgorithm, if not zero, is the signature
280 // algorithm that the peer should have used in the handshake.
281 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400282 // expectedCurveID, if not zero, is the curve that the handshake should
283 // have used.
284 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700285 // messageLen is the length, in bytes, of the test message that will be
286 // sent.
287 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400288 // messageCount is the number of test messages that will be sent.
289 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400290 // certFile is the path to the certificate to use for the server.
291 certFile string
292 // keyFile is the path to the private key to use for the server.
293 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400294 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400295 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400296 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400297 // resumeRenewedSession controls whether a third connection should be
298 // tested which attempts to resume the second connection's session.
299 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700300 // expectResumeRejected, if true, specifies that the attempted
301 // resumption must be rejected by the client. This is only valid for a
302 // serverTest.
303 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400304 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500305 // resumption. Unless newSessionsOnResume is set,
306 // SessionTicketKey, ServerSessionCache, and
307 // ClientSessionCache are copied from the initial connection's
308 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400309 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500310 // newSessionsOnResume, if true, will cause resumeConfig to
311 // use a different session resumption context.
312 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400313 // noSessionCache, if true, will cause the server to run without a
314 // session cache.
315 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400316 // sendPrefix sends a prefix on the socket before actually performing a
317 // handshake.
318 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400319 // shimWritesFirst controls whether the shim sends an initial "hello"
320 // message before doing a roundtrip with the runner.
321 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400322 // shimShutsDown, if true, runs a test where the shim shuts down the
323 // connection immediately after the handshake rather than echoing
324 // messages from the runner.
325 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400326 // renegotiate indicates the number of times the connection should be
327 // renegotiated during the exchange.
328 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400329 // sendHalfHelloRequest, if true, causes the server to send half a
330 // HelloRequest when the handshake completes.
331 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700332 // renegotiateCiphers is a list of ciphersuite ids that will be
333 // switched in just before renegotiation.
334 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500335 // replayWrites, if true, configures the underlying transport
336 // to replay every write it makes in DTLS tests.
337 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500338 // damageFirstWrite, if true, configures the underlying transport to
339 // damage the final byte of the first application data write.
340 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400341 // exportKeyingMaterial, if non-zero, configures the test to exchange
342 // keying material and verify they match.
343 exportKeyingMaterial int
344 exportLabel string
345 exportContext string
346 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400347 // flags, if not empty, contains a list of command-line flags that will
348 // be passed to the shim program.
349 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700350 // testTLSUnique, if true, causes the shim to send the tls-unique value
351 // which will be compared against the expected value.
352 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400353 // sendEmptyRecords is the number of consecutive empty records to send
354 // before and after the test message.
355 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400356 // sendWarningAlerts is the number of consecutive warning alerts to send
357 // before and after the test message.
358 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400359 // sendKeyUpdates is the number of consecutive key updates to send
360 // before and after the test message.
361 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400362 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
363 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400364 // expectMessageDropped, if true, means the test message is expected to
365 // be dropped by the client rather than echoed back.
366 expectMessageDropped bool
Adam Langley95c29f32014-06-20 12:00:00 -0700367}
368
Adam Langley7c803a62015-06-15 15:35:05 -0700369var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700370
David Benjaminc07afb72016-09-22 10:18:58 -0400371func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500372 if len(data) == 0 {
373 return
374 }
375
376 protocol := "tls"
377 if test.protocol == dtls {
378 protocol = "dtls"
379 }
380
381 side := "client"
382 if test.testType == serverTest {
383 side = "server"
384 }
385
386 dir := path.Join(*transcriptDir, protocol, side)
387 if err := os.MkdirAll(dir, 0755); err != nil {
388 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
389 return
390 }
391
David Benjaminc07afb72016-09-22 10:18:58 -0400392 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500393 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
394 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
395 }
396}
397
David Benjamin3ed59772016-03-08 12:50:21 -0500398// A timeoutConn implements an idle timeout on each Read and Write operation.
399type timeoutConn struct {
400 net.Conn
401 timeout time.Duration
402}
403
404func (t *timeoutConn) Read(b []byte) (int, error) {
405 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
406 return 0, err
407 }
408 return t.Conn.Read(b)
409}
410
411func (t *timeoutConn) Write(b []byte) (int, error) {
412 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
413 return 0, err
414 }
415 return t.Conn.Write(b)
416}
417
David Benjaminc07afb72016-09-22 10:18:58 -0400418func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400419 if !test.noSessionCache {
420 if config.ClientSessionCache == nil {
421 config.ClientSessionCache = NewLRUClientSessionCache(1)
422 }
423 if config.ServerSessionCache == nil {
424 config.ServerSessionCache = NewLRUServerSessionCache(1)
425 }
426 }
427 if test.testType == clientTest {
428 if len(config.Certificates) == 0 {
429 config.Certificates = []Certificate{rsaCertificate}
430 }
431 } else {
432 // Supply a ServerName to ensure a constant session cache key,
433 // rather than falling back to net.Conn.RemoteAddr.
434 if len(config.ServerName) == 0 {
435 config.ServerName = "test"
436 }
437 }
438 if *fuzzer {
439 config.Bugs.NullAllCiphers = true
440 }
David Benjamin01a90572016-09-22 00:11:43 -0400441 if *deterministic {
442 config.Time = func() time.Time { return time.Unix(1234, 1234) }
443 }
David Benjamine54af062016-08-08 19:21:18 -0400444
David Benjamin01784b42016-06-07 18:00:52 -0400445 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500446
David Benjamin6fd297b2014-08-11 18:43:38 -0400447 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500448 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
449 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500450 }
451
David Benjamin9867b7d2016-03-01 23:25:48 -0500452 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500453 local, peer := "client", "server"
454 if test.testType == clientTest {
455 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500456 }
David Benjaminebda9b32015-11-02 15:33:18 -0500457 connDebug := &recordingConn{
458 Conn: conn,
459 isDatagram: test.protocol == dtls,
460 local: local,
461 peer: peer,
462 }
463 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500464 if *flagDebug {
465 defer connDebug.WriteTo(os.Stdout)
466 }
467 if len(*transcriptDir) != 0 {
468 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400469 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500470 }()
471 }
David Benjaminebda9b32015-11-02 15:33:18 -0500472
473 if config.Bugs.PacketAdaptor != nil {
474 config.Bugs.PacketAdaptor.debug = connDebug
475 }
476 }
477
478 if test.replayWrites {
479 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400480 }
481
David Benjamin3ed59772016-03-08 12:50:21 -0500482 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500483 if test.damageFirstWrite {
484 connDamage = newDamageAdaptor(conn)
485 conn = connDamage
486 }
487
David Benjamin6fd297b2014-08-11 18:43:38 -0400488 if test.sendPrefix != "" {
489 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
490 return err
491 }
David Benjamin98e882e2014-08-08 13:24:34 -0400492 }
493
David Benjamin1d5c83e2014-07-22 19:20:02 -0400494 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400495 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400496 if test.protocol == dtls {
497 tlsConn = DTLSServer(conn, config)
498 } else {
499 tlsConn = Server(conn, config)
500 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400501 } else {
502 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400503 if test.protocol == dtls {
504 tlsConn = DTLSClient(conn, config)
505 } else {
506 tlsConn = Client(conn, config)
507 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400508 }
David Benjamin30789da2015-08-29 22:56:45 -0400509 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400510
Adam Langley95c29f32014-06-20 12:00:00 -0700511 if err := tlsConn.Handshake(); err != nil {
512 return err
513 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700514
David Benjamin01fe8202014-09-24 15:21:44 -0400515 // TODO(davidben): move all per-connection expectations into a dedicated
516 // expectations struct that can be specified separately for the two
517 // legs.
518 expectedVersion := test.expectedVersion
519 if isResume && test.expectedResumeVersion != 0 {
520 expectedVersion = test.expectedResumeVersion
521 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700522 connState := tlsConn.ConnectionState()
523 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400524 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400525 }
526
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700527 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400528 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
529 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700530 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
531 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
532 }
David Benjamin90da8c82015-04-20 14:57:57 -0400533
David Benjamina08e49d2014-08-24 01:46:07 -0400534 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700535 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400536 if channelID == nil {
537 return fmt.Errorf("no channel ID negotiated")
538 }
539 if channelID.Curve != channelIDKey.Curve ||
540 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
541 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
542 return fmt.Errorf("incorrect channel ID")
543 }
544 }
545
David Benjaminae2888f2014-09-06 12:58:58 -0400546 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700547 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400548 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
549 }
550 }
551
David Benjaminc7ce9772015-10-09 19:32:41 -0400552 if test.expectNoNextProto {
553 if actual := connState.NegotiatedProtocol; actual != "" {
554 return fmt.Errorf("got unexpected next proto %s", actual)
555 }
556 }
557
David Benjaminfc7b0862014-09-06 13:21:53 -0400558 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700559 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400560 return fmt.Errorf("next proto type mismatch")
561 }
562 }
563
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700564 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500565 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
566 }
567
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100568 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300569 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100570 }
571
Paul Lietar4fac72e2015-09-09 13:44:55 +0100572 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
573 return fmt.Errorf("SCT list mismatch")
574 }
575
Nick Harper60edffd2016-06-21 15:19:24 -0700576 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
577 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400578 }
579
Steven Valdez5440fe02016-07-18 12:40:30 -0400580 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
581 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
582 }
583
David Benjaminc565ebb2015-04-03 04:06:36 -0400584 if test.exportKeyingMaterial > 0 {
585 actual := make([]byte, test.exportKeyingMaterial)
586 if _, err := io.ReadFull(tlsConn, actual); err != nil {
587 return err
588 }
589 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
590 if err != nil {
591 return err
592 }
593 if !bytes.Equal(actual, expected) {
594 return fmt.Errorf("keying material mismatch")
595 }
596 }
597
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700598 if test.testTLSUnique {
599 var peersValue [12]byte
600 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
601 return err
602 }
603 expected := tlsConn.ConnectionState().TLSUnique
604 if !bytes.Equal(peersValue[:], expected) {
605 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
606 }
607 }
608
David Benjamine58c4f52014-08-24 03:47:07 -0400609 if test.shimWritesFirst {
610 var buf [5]byte
611 _, err := io.ReadFull(tlsConn, buf[:])
612 if err != nil {
613 return err
614 }
615 if string(buf[:]) != "hello" {
616 return fmt.Errorf("bad initial message")
617 }
618 }
619
Steven Valdez32635b82016-08-16 11:25:03 -0400620 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400621 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400622 return err
623 }
Steven Valdez32635b82016-08-16 11:25:03 -0400624 }
625
David Benjamina8ebe222015-06-06 03:04:39 -0400626 for i := 0; i < test.sendEmptyRecords; i++ {
627 tlsConn.Write(nil)
628 }
629
David Benjamin24f346d2015-06-06 03:28:08 -0400630 for i := 0; i < test.sendWarningAlerts; i++ {
631 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
632 }
633
David Benjamin47921102016-07-28 11:29:18 -0400634 if test.sendHalfHelloRequest {
635 tlsConn.SendHalfHelloRequest()
636 }
637
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400638 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700639 if test.renegotiateCiphers != nil {
640 config.CipherSuites = test.renegotiateCiphers
641 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400642 for i := 0; i < test.renegotiate; i++ {
643 if err := tlsConn.Renegotiate(); err != nil {
644 return err
645 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700646 }
647 } else if test.renegotiateCiphers != nil {
648 panic("renegotiateCiphers without renegotiate")
649 }
650
David Benjamin5fa3eba2015-01-22 16:35:40 -0500651 if test.damageFirstWrite {
652 connDamage.setDamage(true)
653 tlsConn.Write([]byte("DAMAGED WRITE"))
654 connDamage.setDamage(false)
655 }
656
David Benjamin8e6db492015-07-25 18:29:23 -0400657 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700658 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400659 if test.protocol == dtls {
660 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
661 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700662 // Read until EOF.
663 _, err := io.Copy(ioutil.Discard, tlsConn)
664 return err
665 }
David Benjamin4417d052015-04-05 04:17:25 -0400666 if messageLen == 0 {
667 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700668 }
Adam Langley95c29f32014-06-20 12:00:00 -0700669
David Benjamin8e6db492015-07-25 18:29:23 -0400670 messageCount := test.messageCount
671 if messageCount == 0 {
672 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400673 }
674
David Benjamin8e6db492015-07-25 18:29:23 -0400675 for j := 0; j < messageCount; j++ {
676 testMessage := make([]byte, messageLen)
677 for i := range testMessage {
678 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400679 }
David Benjamin8e6db492015-07-25 18:29:23 -0400680 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700681
Steven Valdez32635b82016-08-16 11:25:03 -0400682 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400683 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400684 }
685
David Benjamin8e6db492015-07-25 18:29:23 -0400686 for i := 0; i < test.sendEmptyRecords; i++ {
687 tlsConn.Write(nil)
688 }
689
690 for i := 0; i < test.sendWarningAlerts; i++ {
691 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
692 }
693
David Benjamin4f75aaf2015-09-01 16:53:10 -0400694 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400695 // The shim will not respond.
696 continue
697 }
698
David Benjamin8e6db492015-07-25 18:29:23 -0400699 buf := make([]byte, len(testMessage))
700 if test.protocol == dtls {
701 bufTmp := make([]byte, len(buf)+1)
702 n, err := tlsConn.Read(bufTmp)
703 if err != nil {
704 return err
705 }
706 if n != len(buf) {
707 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
708 }
709 copy(buf, bufTmp)
710 } else {
711 _, err := io.ReadFull(tlsConn, buf)
712 if err != nil {
713 return err
714 }
715 }
716
717 for i, v := range buf {
718 if v != testMessage[i]^0xff {
719 return fmt.Errorf("bad reply contents at byte %d", i)
720 }
Adam Langley95c29f32014-06-20 12:00:00 -0700721 }
722 }
723
724 return nil
725}
726
David Benjamin325b5c32014-07-01 19:40:31 -0400727func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400728 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700729 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400730 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700731 }
David Benjamin325b5c32014-07-01 19:40:31 -0400732 valgrindArgs = append(valgrindArgs, path)
733 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700734
David Benjamin325b5c32014-07-01 19:40:31 -0400735 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700736}
737
David Benjamin325b5c32014-07-01 19:40:31 -0400738func gdbOf(path string, args ...string) *exec.Cmd {
739 xtermArgs := []string{"-e", "gdb", "--args"}
740 xtermArgs = append(xtermArgs, path)
741 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700742
David Benjamin325b5c32014-07-01 19:40:31 -0400743 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700744}
745
David Benjamind16bf342015-12-18 00:53:12 -0500746func lldbOf(path string, args ...string) *exec.Cmd {
747 xtermArgs := []string{"-e", "lldb", "--"}
748 xtermArgs = append(xtermArgs, path)
749 xtermArgs = append(xtermArgs, args...)
750
751 return exec.Command("xterm", xtermArgs...)
752}
753
EKR842ae6c2016-07-27 09:22:05 +0200754var (
755 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
756 errUnimplemented = errors.New("child process does not implement needed flags")
757)
Adam Langley69a01602014-11-17 17:26:55 -0800758
David Benjamin87c8a642015-02-21 01:54:29 -0500759// accept accepts a connection from listener, unless waitChan signals a process
760// exit first.
761func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
762 type connOrError struct {
763 conn net.Conn
764 err error
765 }
766 connChan := make(chan connOrError, 1)
767 go func() {
768 conn, err := listener.Accept()
769 connChan <- connOrError{conn, err}
770 close(connChan)
771 }()
772 select {
773 case result := <-connChan:
774 return result.conn, result.err
775 case childErr := <-waitChan:
776 waitChan <- childErr
777 return nil, fmt.Errorf("child exited early: %s", childErr)
778 }
779}
780
EKRf71d7ed2016-08-06 13:25:12 -0700781func translateExpectedError(errorStr string) string {
782 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
783 return translated
784 }
785
786 if *looseErrors {
787 return ""
788 }
789
790 return errorStr
791}
792
Adam Langley7c803a62015-06-15 15:35:05 -0700793func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400794 // Help debugging panics on the Go side.
795 defer func() {
796 if r := recover(); r != nil {
797 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
798 panic(r)
799 }
800 }()
801
Adam Langley38311732014-10-16 19:04:35 -0700802 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
803 panic("Error expected without shouldFail in " + test.name)
804 }
805
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700806 if test.expectResumeRejected && !test.resumeSession {
807 panic("expectResumeRejected without resumeSession in " + test.name)
808 }
809
David Benjamin87c8a642015-02-21 01:54:29 -0500810 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
811 if err != nil {
812 panic(err)
813 }
814 defer func() {
815 if listener != nil {
816 listener.Close()
817 }
818 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700819
David Benjamin87c8a642015-02-21 01:54:29 -0500820 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400821 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400822 flags = append(flags, "-server")
823
David Benjamin025b3d32014-07-01 19:53:04 -0400824 flags = append(flags, "-key-file")
825 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700826 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400827 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700828 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400829 }
830
831 flags = append(flags, "-cert-file")
832 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700833 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400834 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700835 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400836 }
837 }
David Benjamin5a593af2014-08-11 19:51:50 -0400838
David Benjamin6fd297b2014-08-11 18:43:38 -0400839 if test.protocol == dtls {
840 flags = append(flags, "-dtls")
841 }
842
David Benjamin46662482016-08-17 00:51:00 -0400843 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400844 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400845 resumeCount++
846 if test.resumeRenewedSession {
847 resumeCount++
848 }
849 }
850
851 if resumeCount > 0 {
852 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400853 }
854
David Benjamine58c4f52014-08-24 03:47:07 -0400855 if test.shimWritesFirst {
856 flags = append(flags, "-shim-writes-first")
857 }
858
David Benjamin30789da2015-08-29 22:56:45 -0400859 if test.shimShutsDown {
860 flags = append(flags, "-shim-shuts-down")
861 }
862
David Benjaminc565ebb2015-04-03 04:06:36 -0400863 if test.exportKeyingMaterial > 0 {
864 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
865 flags = append(flags, "-export-label", test.exportLabel)
866 flags = append(flags, "-export-context", test.exportContext)
867 if test.useExportContext {
868 flags = append(flags, "-use-export-context")
869 }
870 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700871 if test.expectResumeRejected {
872 flags = append(flags, "-expect-session-miss")
873 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400874
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700875 if test.testTLSUnique {
876 flags = append(flags, "-tls-unique")
877 }
878
David Benjamin025b3d32014-07-01 19:53:04 -0400879 flags = append(flags, test.flags...)
880
881 var shim *exec.Cmd
882 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700883 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700884 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700885 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500886 } else if *useLLDB {
887 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400888 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700889 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400890 }
David Benjamin025b3d32014-07-01 19:53:04 -0400891 shim.Stdin = os.Stdin
892 var stdoutBuf, stderrBuf bytes.Buffer
893 shim.Stdout = &stdoutBuf
894 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800895 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500896 shim.Env = os.Environ()
897 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800898 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400899 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800900 }
901 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
902 }
David Benjamin025b3d32014-07-01 19:53:04 -0400903
904 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700905 panic(err)
906 }
David Benjamin87c8a642015-02-21 01:54:29 -0500907 waitChan := make(chan error, 1)
908 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700909
910 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700911
David Benjamin7a4aaa42016-09-20 17:58:14 -0400912 if *deterministic {
913 config.Rand = &deterministicRand{}
914 }
915
David Benjamin87c8a642015-02-21 01:54:29 -0500916 conn, err := acceptOrWait(listener, waitChan)
917 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400918 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500919 conn.Close()
920 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500921
David Benjamin46662482016-08-17 00:51:00 -0400922 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400923 var resumeConfig Config
924 if test.resumeConfig != nil {
925 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400926 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500927 resumeConfig.SessionTicketKey = config.SessionTicketKey
928 resumeConfig.ClientSessionCache = config.ClientSessionCache
929 resumeConfig.ServerSessionCache = config.ServerSessionCache
930 }
David Benjamin2e045a92016-06-08 13:09:56 -0400931 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400932 } else {
933 resumeConfig = config
934 }
David Benjamin87c8a642015-02-21 01:54:29 -0500935 var connResume net.Conn
936 connResume, err = acceptOrWait(listener, waitChan)
937 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400938 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500939 connResume.Close()
940 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400941 }
942
David Benjamin87c8a642015-02-21 01:54:29 -0500943 // Close the listener now. This is to avoid hangs should the shim try to
944 // open more connections than expected.
945 listener.Close()
946 listener = nil
947
948 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400949 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800950 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200951 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
952 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800953 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200954 case 89:
955 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400956 case 99:
957 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800958 }
959 }
Adam Langley95c29f32014-06-20 12:00:00 -0700960
David Benjamin9bea3492016-03-02 10:59:16 -0500961 // Account for Windows line endings.
962 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
963 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500964
965 // Separate the errors from the shim and those from tools like
966 // AddressSanitizer.
967 var extraStderr string
968 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
969 stderr = stderrParts[0]
970 extraStderr = stderrParts[1]
971 }
972
Adam Langley95c29f32014-06-20 12:00:00 -0700973 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700974 expectedError := translateExpectedError(test.expectedError)
975 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200976
Adam Langleyac61fa32014-06-23 12:03:11 -0700977 localError := "none"
978 if err != nil {
979 localError = err.Error()
980 }
981 if len(test.expectedLocalError) != 0 {
982 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
983 }
Adam Langley95c29f32014-06-20 12:00:00 -0700984
985 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700986 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700987 if childErr != nil {
988 childError = childErr.Error()
989 }
990
991 var msg string
992 switch {
993 case failed && !test.shouldFail:
994 msg = "unexpected failure"
995 case !failed && test.shouldFail:
996 msg = "unexpected success"
997 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700998 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700999 default:
1000 panic("internal error")
1001 }
1002
David Benjamin9aafb642016-09-20 19:36:53 -04001003 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -07001004 }
1005
David Benjamind2ba8892016-09-20 19:41:04 -04001006 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -05001007 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -07001008 }
1009
David Benjamind2ba8892016-09-20 19:41:04 -04001010 if *useValgrind && isValgrindError {
1011 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1012 }
1013
Adam Langley95c29f32014-06-20 12:00:00 -07001014 return nil
1015}
1016
1017var tlsVersions = []struct {
1018 name string
1019 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -04001020 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -05001021 hasDTLS bool
Adam Langley95c29f32014-06-20 12:00:00 -07001022}{
David Benjamin8b8c0062014-11-23 02:47:52 -05001023 {"SSL3", VersionSSL30, "-no-ssl3", false},
1024 {"TLS1", VersionTLS10, "-no-tls1", true},
1025 {"TLS11", VersionTLS11, "-no-tls11", false},
1026 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -04001027 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -07001028}
1029
1030var testCipherSuites = []struct {
1031 name string
1032 id uint16
1033}{
1034 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001035 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001036 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001037 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001038 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001039 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001040 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001041 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1042 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001043 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001044 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1045 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001046 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001047 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1048 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001049 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1050 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001051 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001052 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -05001053 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -05001054 {"ECDHE-ECDSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Adam Langley95c29f32014-06-20 12:00:00 -07001055 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001056 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001057 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001058 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001059 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001060 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -05001061 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -05001062 {"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Matt Braithwaite053931e2016-05-25 12:06:05 -07001063 {"CECPQ1-RSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256},
1064 {"CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
1065 {"CECPQ1-RSA-AES256-GCM-SHA384", TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
1066 {"CECPQ1-ECDSA-AES256-GCM-SHA384", TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384},
David Benjamin48cae082014-10-27 01:06:24 -04001067 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1068 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -07001069 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1070 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -05001071 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -04001072 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1073 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1074 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -07001075 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -07001076}
1077
David Benjamin8b8c0062014-11-23 02:47:52 -05001078func hasComponent(suiteName, component string) bool {
1079 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1080}
1081
David Benjaminf7768e42014-08-31 02:06:47 -04001082func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -05001083 return hasComponent(suiteName, "GCM") ||
1084 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -04001085 hasComponent(suiteName, "SHA384") ||
1086 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -05001087}
1088
Nick Harper1fd39d82016-06-14 18:14:35 -07001089func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -04001090 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -07001091}
1092
David Benjamin8b8c0062014-11-23 02:47:52 -05001093func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -07001094 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -04001095}
1096
Adam Langleya7997f12015-05-14 17:38:50 -07001097func bigFromHex(hex string) *big.Int {
1098 ret, ok := new(big.Int).SetString(hex, 16)
1099 if !ok {
1100 panic("failed to parse hex number 0x" + hex)
1101 }
1102 return ret
1103}
1104
Adam Langley7c803a62015-06-15 15:35:05 -07001105func addBasicTests() {
1106 basicTests := []testCase{
1107 {
Adam Langley7c803a62015-06-15 15:35:05 -07001108 name: "NoFallbackSCSV",
1109 config: Config{
1110 Bugs: ProtocolBugs{
1111 FailIfNotFallbackSCSV: true,
1112 },
1113 },
1114 shouldFail: true,
1115 expectedLocalError: "no fallback SCSV found",
1116 },
1117 {
1118 name: "SendFallbackSCSV",
1119 config: Config{
1120 Bugs: ProtocolBugs{
1121 FailIfNotFallbackSCSV: true,
1122 },
1123 },
1124 flags: []string{"-fallback-scsv"},
1125 },
1126 {
1127 name: "ClientCertificateTypes",
1128 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001129 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001130 ClientAuth: RequestClientCert,
1131 ClientCertificateTypes: []byte{
1132 CertTypeDSSSign,
1133 CertTypeRSASign,
1134 CertTypeECDSASign,
1135 },
1136 },
1137 flags: []string{
1138 "-expect-certificate-types",
1139 base64.StdEncoding.EncodeToString([]byte{
1140 CertTypeDSSSign,
1141 CertTypeRSASign,
1142 CertTypeECDSASign,
1143 }),
1144 },
1145 },
1146 {
Adam Langley7c803a62015-06-15 15:35:05 -07001147 name: "UnauthenticatedECDH",
1148 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001149 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001150 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1151 Bugs: ProtocolBugs{
1152 UnauthenticatedECDH: true,
1153 },
1154 },
1155 shouldFail: true,
1156 expectedError: ":UNEXPECTED_MESSAGE:",
1157 },
1158 {
1159 name: "SkipCertificateStatus",
1160 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001161 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001162 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1163 Bugs: ProtocolBugs{
1164 SkipCertificateStatus: true,
1165 },
1166 },
1167 flags: []string{
1168 "-enable-ocsp-stapling",
1169 },
1170 },
1171 {
1172 name: "SkipServerKeyExchange",
1173 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001174 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001175 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1176 Bugs: ProtocolBugs{
1177 SkipServerKeyExchange: true,
1178 },
1179 },
1180 shouldFail: true,
1181 expectedError: ":UNEXPECTED_MESSAGE:",
1182 },
1183 {
Adam Langley7c803a62015-06-15 15:35:05 -07001184 testType: serverTest,
1185 name: "Alert",
1186 config: Config{
1187 Bugs: ProtocolBugs{
1188 SendSpuriousAlert: alertRecordOverflow,
1189 },
1190 },
1191 shouldFail: true,
1192 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1193 },
1194 {
1195 protocol: dtls,
1196 testType: serverTest,
1197 name: "Alert-DTLS",
1198 config: Config{
1199 Bugs: ProtocolBugs{
1200 SendSpuriousAlert: alertRecordOverflow,
1201 },
1202 },
1203 shouldFail: true,
1204 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1205 },
1206 {
1207 testType: serverTest,
1208 name: "FragmentAlert",
1209 config: Config{
1210 Bugs: ProtocolBugs{
1211 FragmentAlert: true,
1212 SendSpuriousAlert: alertRecordOverflow,
1213 },
1214 },
1215 shouldFail: true,
1216 expectedError: ":BAD_ALERT:",
1217 },
1218 {
1219 protocol: dtls,
1220 testType: serverTest,
1221 name: "FragmentAlert-DTLS",
1222 config: Config{
1223 Bugs: ProtocolBugs{
1224 FragmentAlert: true,
1225 SendSpuriousAlert: alertRecordOverflow,
1226 },
1227 },
1228 shouldFail: true,
1229 expectedError: ":BAD_ALERT:",
1230 },
1231 {
1232 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -05001233 name: "DoubleAlert",
1234 config: Config{
1235 Bugs: ProtocolBugs{
1236 DoubleAlert: true,
1237 SendSpuriousAlert: alertRecordOverflow,
1238 },
1239 },
1240 shouldFail: true,
1241 expectedError: ":BAD_ALERT:",
1242 },
1243 {
1244 protocol: dtls,
1245 testType: serverTest,
1246 name: "DoubleAlert-DTLS",
1247 config: Config{
1248 Bugs: ProtocolBugs{
1249 DoubleAlert: true,
1250 SendSpuriousAlert: alertRecordOverflow,
1251 },
1252 },
1253 shouldFail: true,
1254 expectedError: ":BAD_ALERT:",
1255 },
1256 {
Adam Langley7c803a62015-06-15 15:35:05 -07001257 name: "SkipNewSessionTicket",
1258 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001259 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001260 Bugs: ProtocolBugs{
1261 SkipNewSessionTicket: true,
1262 },
1263 },
1264 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001265 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001266 },
1267 {
1268 testType: serverTest,
1269 name: "FallbackSCSV",
1270 config: Config{
1271 MaxVersion: VersionTLS11,
1272 Bugs: ProtocolBugs{
1273 SendFallbackSCSV: true,
1274 },
1275 },
1276 shouldFail: true,
1277 expectedError: ":INAPPROPRIATE_FALLBACK:",
1278 },
1279 {
1280 testType: serverTest,
1281 name: "FallbackSCSV-VersionMatch",
1282 config: Config{
1283 Bugs: ProtocolBugs{
1284 SendFallbackSCSV: true,
1285 },
1286 },
1287 },
1288 {
1289 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -04001290 name: "FallbackSCSV-VersionMatch-TLS12",
1291 config: Config{
1292 MaxVersion: VersionTLS12,
1293 Bugs: ProtocolBugs{
1294 SendFallbackSCSV: true,
1295 },
1296 },
1297 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1298 },
1299 {
1300 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -07001301 name: "FragmentedClientVersion",
1302 config: Config{
1303 Bugs: ProtocolBugs{
1304 MaxHandshakeRecordLength: 1,
1305 FragmentClientVersion: true,
1306 },
1307 },
Nick Harper1fd39d82016-06-14 18:14:35 -07001308 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -07001309 },
1310 {
Adam Langley7c803a62015-06-15 15:35:05 -07001311 testType: serverTest,
1312 name: "HttpGET",
1313 sendPrefix: "GET / HTTP/1.0\n",
1314 shouldFail: true,
1315 expectedError: ":HTTP_REQUEST:",
1316 },
1317 {
1318 testType: serverTest,
1319 name: "HttpPOST",
1320 sendPrefix: "POST / HTTP/1.0\n",
1321 shouldFail: true,
1322 expectedError: ":HTTP_REQUEST:",
1323 },
1324 {
1325 testType: serverTest,
1326 name: "HttpHEAD",
1327 sendPrefix: "HEAD / HTTP/1.0\n",
1328 shouldFail: true,
1329 expectedError: ":HTTP_REQUEST:",
1330 },
1331 {
1332 testType: serverTest,
1333 name: "HttpPUT",
1334 sendPrefix: "PUT / HTTP/1.0\n",
1335 shouldFail: true,
1336 expectedError: ":HTTP_REQUEST:",
1337 },
1338 {
1339 testType: serverTest,
1340 name: "HttpCONNECT",
1341 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1342 shouldFail: true,
1343 expectedError: ":HTTPS_PROXY_REQUEST:",
1344 },
1345 {
1346 testType: serverTest,
1347 name: "Garbage",
1348 sendPrefix: "blah",
1349 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -04001350 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -07001351 },
1352 {
Adam Langley7c803a62015-06-15 15:35:05 -07001353 name: "RSAEphemeralKey",
1354 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001355 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001356 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1357 Bugs: ProtocolBugs{
1358 RSAEphemeralKey: true,
1359 },
1360 },
1361 shouldFail: true,
1362 expectedError: ":UNEXPECTED_MESSAGE:",
1363 },
1364 {
1365 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -04001366 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -07001367 shouldFail: true,
1368 expectedError: ":WRONG_SSL_VERSION:",
1369 },
1370 {
1371 protocol: dtls,
1372 name: "DisableEverything-DTLS",
1373 flags: []string{"-no-tls12", "-no-tls1"},
1374 shouldFail: true,
1375 expectedError: ":WRONG_SSL_VERSION:",
1376 },
1377 {
Adam Langley7c803a62015-06-15 15:35:05 -07001378 protocol: dtls,
1379 testType: serverTest,
1380 name: "MTU",
1381 config: Config{
1382 Bugs: ProtocolBugs{
1383 MaxPacketLength: 256,
1384 },
1385 },
1386 flags: []string{"-mtu", "256"},
1387 },
1388 {
1389 protocol: dtls,
1390 testType: serverTest,
1391 name: "MTUExceeded",
1392 config: Config{
1393 Bugs: ProtocolBugs{
1394 MaxPacketLength: 255,
1395 },
1396 },
1397 flags: []string{"-mtu", "256"},
1398 shouldFail: true,
1399 expectedLocalError: "dtls: exceeded maximum packet length",
1400 },
1401 {
1402 name: "CertMismatchRSA",
1403 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001404 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001405 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07001406 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -07001407 Bugs: ProtocolBugs{
1408 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1409 },
1410 },
1411 shouldFail: true,
1412 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1413 },
1414 {
1415 name: "CertMismatchECDSA",
1416 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001417 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001418 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07001419 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -07001420 Bugs: ProtocolBugs{
1421 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1422 },
1423 },
1424 shouldFail: true,
1425 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1426 },
1427 {
1428 name: "EmptyCertificateList",
1429 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04001430 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001431 Bugs: ProtocolBugs{
1432 EmptyCertificateList: true,
1433 },
1434 },
1435 shouldFail: true,
1436 expectedError: ":DECODE_ERROR:",
1437 },
1438 {
David Benjamin9ec1c752016-07-14 12:45:01 -04001439 name: "EmptyCertificateList-TLS13",
1440 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04001441 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -04001442 Bugs: ProtocolBugs{
1443 EmptyCertificateList: true,
1444 },
1445 },
1446 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -04001447 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -04001448 },
1449 {
Adam Langley7c803a62015-06-15 15:35:05 -07001450 name: "TLSFatalBadPackets",
1451 damageFirstWrite: true,
1452 shouldFail: true,
1453 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1454 },
1455 {
1456 protocol: dtls,
1457 name: "DTLSIgnoreBadPackets",
1458 damageFirstWrite: true,
1459 },
1460 {
1461 protocol: dtls,
1462 name: "DTLSIgnoreBadPackets-Async",
1463 damageFirstWrite: true,
1464 flags: []string{"-async"},
1465 },
1466 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001467 name: "AppDataBeforeHandshake",
1468 config: Config{
1469 Bugs: ProtocolBugs{
1470 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1471 },
1472 },
1473 shouldFail: true,
1474 expectedError: ":UNEXPECTED_RECORD:",
1475 },
1476 {
1477 name: "AppDataBeforeHandshake-Empty",
1478 config: Config{
1479 Bugs: ProtocolBugs{
1480 AppDataBeforeHandshake: []byte{},
1481 },
1482 },
1483 shouldFail: true,
1484 expectedError: ":UNEXPECTED_RECORD:",
1485 },
1486 {
1487 protocol: dtls,
1488 name: "AppDataBeforeHandshake-DTLS",
1489 config: Config{
1490 Bugs: ProtocolBugs{
1491 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1492 },
1493 },
1494 shouldFail: true,
1495 expectedError: ":UNEXPECTED_RECORD:",
1496 },
1497 {
1498 protocol: dtls,
1499 name: "AppDataBeforeHandshake-DTLS-Empty",
1500 config: Config{
1501 Bugs: ProtocolBugs{
1502 AppDataBeforeHandshake: []byte{},
1503 },
1504 },
1505 shouldFail: true,
1506 expectedError: ":UNEXPECTED_RECORD:",
1507 },
1508 {
Adam Langley7c803a62015-06-15 15:35:05 -07001509 name: "AppDataAfterChangeCipherSpec",
1510 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001511 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001512 Bugs: ProtocolBugs{
1513 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1514 },
1515 },
1516 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001517 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001518 },
1519 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001520 name: "AppDataAfterChangeCipherSpec-Empty",
1521 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001522 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -04001523 Bugs: ProtocolBugs{
1524 AppDataAfterChangeCipherSpec: []byte{},
1525 },
1526 },
1527 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001528 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -04001529 },
1530 {
Adam Langley7c803a62015-06-15 15:35:05 -07001531 protocol: dtls,
1532 name: "AppDataAfterChangeCipherSpec-DTLS",
1533 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001534 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001535 Bugs: ProtocolBugs{
1536 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1537 },
1538 },
1539 // BoringSSL's DTLS implementation will drop the out-of-order
1540 // application data.
1541 },
1542 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001543 protocol: dtls,
1544 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1545 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001546 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -04001547 Bugs: ProtocolBugs{
1548 AppDataAfterChangeCipherSpec: []byte{},
1549 },
1550 },
1551 // BoringSSL's DTLS implementation will drop the out-of-order
1552 // application data.
1553 },
1554 {
Adam Langley7c803a62015-06-15 15:35:05 -07001555 name: "AlertAfterChangeCipherSpec",
1556 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001557 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001558 Bugs: ProtocolBugs{
1559 AlertAfterChangeCipherSpec: alertRecordOverflow,
1560 },
1561 },
1562 shouldFail: true,
1563 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1564 },
1565 {
1566 protocol: dtls,
1567 name: "AlertAfterChangeCipherSpec-DTLS",
1568 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001569 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001570 Bugs: ProtocolBugs{
1571 AlertAfterChangeCipherSpec: alertRecordOverflow,
1572 },
1573 },
1574 shouldFail: true,
1575 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1576 },
1577 {
1578 protocol: dtls,
1579 name: "ReorderHandshakeFragments-Small-DTLS",
1580 config: Config{
1581 Bugs: ProtocolBugs{
1582 ReorderHandshakeFragments: true,
1583 // Small enough that every handshake message is
1584 // fragmented.
1585 MaxHandshakeRecordLength: 2,
1586 },
1587 },
1588 },
1589 {
1590 protocol: dtls,
1591 name: "ReorderHandshakeFragments-Large-DTLS",
1592 config: Config{
1593 Bugs: ProtocolBugs{
1594 ReorderHandshakeFragments: true,
1595 // Large enough that no handshake message is
1596 // fragmented.
1597 MaxHandshakeRecordLength: 2048,
1598 },
1599 },
1600 },
1601 {
1602 protocol: dtls,
1603 name: "MixCompleteMessageWithFragments-DTLS",
1604 config: Config{
1605 Bugs: ProtocolBugs{
1606 ReorderHandshakeFragments: true,
1607 MixCompleteMessageWithFragments: true,
1608 MaxHandshakeRecordLength: 2,
1609 },
1610 },
1611 },
1612 {
1613 name: "SendInvalidRecordType",
1614 config: Config{
1615 Bugs: ProtocolBugs{
1616 SendInvalidRecordType: true,
1617 },
1618 },
1619 shouldFail: true,
1620 expectedError: ":UNEXPECTED_RECORD:",
1621 },
1622 {
1623 protocol: dtls,
1624 name: "SendInvalidRecordType-DTLS",
1625 config: Config{
1626 Bugs: ProtocolBugs{
1627 SendInvalidRecordType: true,
1628 },
1629 },
1630 shouldFail: true,
1631 expectedError: ":UNEXPECTED_RECORD:",
1632 },
1633 {
1634 name: "FalseStart-SkipServerSecondLeg",
1635 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001636 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001637 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1638 NextProtos: []string{"foo"},
1639 Bugs: ProtocolBugs{
1640 SkipNewSessionTicket: true,
1641 SkipChangeCipherSpec: true,
1642 SkipFinished: true,
1643 ExpectFalseStart: true,
1644 },
1645 },
1646 flags: []string{
1647 "-false-start",
1648 "-handshake-never-done",
1649 "-advertise-alpn", "\x03foo",
1650 },
1651 shimWritesFirst: true,
1652 shouldFail: true,
1653 expectedError: ":UNEXPECTED_RECORD:",
1654 },
1655 {
1656 name: "FalseStart-SkipServerSecondLeg-Implicit",
1657 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001658 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001659 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1660 NextProtos: []string{"foo"},
1661 Bugs: ProtocolBugs{
1662 SkipNewSessionTicket: true,
1663 SkipChangeCipherSpec: true,
1664 SkipFinished: true,
1665 },
1666 },
1667 flags: []string{
1668 "-implicit-handshake",
1669 "-false-start",
1670 "-handshake-never-done",
1671 "-advertise-alpn", "\x03foo",
1672 },
1673 shouldFail: true,
1674 expectedError: ":UNEXPECTED_RECORD:",
1675 },
1676 {
1677 testType: serverTest,
1678 name: "FailEarlyCallback",
1679 flags: []string{"-fail-early-callback"},
1680 shouldFail: true,
1681 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -04001682 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -07001683 },
1684 {
Adam Langley7c803a62015-06-15 15:35:05 -07001685 protocol: dtls,
1686 name: "FragmentMessageTypeMismatch-DTLS",
1687 config: Config{
1688 Bugs: ProtocolBugs{
1689 MaxHandshakeRecordLength: 2,
1690 FragmentMessageTypeMismatch: true,
1691 },
1692 },
1693 shouldFail: true,
1694 expectedError: ":FRAGMENT_MISMATCH:",
1695 },
1696 {
1697 protocol: dtls,
1698 name: "FragmentMessageLengthMismatch-DTLS",
1699 config: Config{
1700 Bugs: ProtocolBugs{
1701 MaxHandshakeRecordLength: 2,
1702 FragmentMessageLengthMismatch: true,
1703 },
1704 },
1705 shouldFail: true,
1706 expectedError: ":FRAGMENT_MISMATCH:",
1707 },
1708 {
1709 protocol: dtls,
1710 name: "SplitFragments-Header-DTLS",
1711 config: Config{
1712 Bugs: ProtocolBugs{
1713 SplitFragments: 2,
1714 },
1715 },
1716 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001717 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001718 },
1719 {
1720 protocol: dtls,
1721 name: "SplitFragments-Boundary-DTLS",
1722 config: Config{
1723 Bugs: ProtocolBugs{
1724 SplitFragments: dtlsRecordHeaderLen,
1725 },
1726 },
1727 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001728 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001729 },
1730 {
1731 protocol: dtls,
1732 name: "SplitFragments-Body-DTLS",
1733 config: Config{
1734 Bugs: ProtocolBugs{
1735 SplitFragments: dtlsRecordHeaderLen + 1,
1736 },
1737 },
1738 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001739 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001740 },
1741 {
1742 protocol: dtls,
1743 name: "SendEmptyFragments-DTLS",
1744 config: Config{
1745 Bugs: ProtocolBugs{
1746 SendEmptyFragments: true,
1747 },
1748 },
1749 },
1750 {
David Benjaminbf82aed2016-03-01 22:57:40 -05001751 name: "BadFinished-Client",
1752 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001753 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -05001754 Bugs: ProtocolBugs{
1755 BadFinished: true,
1756 },
1757 },
1758 shouldFail: true,
1759 expectedError: ":DIGEST_CHECK_FAILED:",
1760 },
1761 {
Steven Valdez143e8b32016-07-11 13:19:03 -04001762 name: "BadFinished-Client-TLS13",
1763 config: Config{
1764 MaxVersion: VersionTLS13,
1765 Bugs: ProtocolBugs{
1766 BadFinished: true,
1767 },
1768 },
1769 shouldFail: true,
1770 expectedError: ":DIGEST_CHECK_FAILED:",
1771 },
1772 {
David Benjaminbf82aed2016-03-01 22:57:40 -05001773 testType: serverTest,
1774 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -07001775 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001776 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001777 Bugs: ProtocolBugs{
1778 BadFinished: true,
1779 },
1780 },
1781 shouldFail: true,
1782 expectedError: ":DIGEST_CHECK_FAILED:",
1783 },
1784 {
Steven Valdez143e8b32016-07-11 13:19:03 -04001785 testType: serverTest,
1786 name: "BadFinished-Server-TLS13",
1787 config: Config{
1788 MaxVersion: VersionTLS13,
1789 Bugs: ProtocolBugs{
1790 BadFinished: true,
1791 },
1792 },
1793 shouldFail: true,
1794 expectedError: ":DIGEST_CHECK_FAILED:",
1795 },
1796 {
Adam Langley7c803a62015-06-15 15:35:05 -07001797 name: "FalseStart-BadFinished",
1798 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001799 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001800 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1801 NextProtos: []string{"foo"},
1802 Bugs: ProtocolBugs{
1803 BadFinished: true,
1804 ExpectFalseStart: true,
1805 },
1806 },
1807 flags: []string{
1808 "-false-start",
1809 "-handshake-never-done",
1810 "-advertise-alpn", "\x03foo",
1811 },
1812 shimWritesFirst: true,
1813 shouldFail: true,
1814 expectedError: ":DIGEST_CHECK_FAILED:",
1815 },
1816 {
1817 name: "NoFalseStart-NoALPN",
1818 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001819 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001820 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1821 Bugs: ProtocolBugs{
1822 ExpectFalseStart: true,
1823 AlertBeforeFalseStartTest: alertAccessDenied,
1824 },
1825 },
1826 flags: []string{
1827 "-false-start",
1828 },
1829 shimWritesFirst: true,
1830 shouldFail: true,
1831 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1832 expectedLocalError: "tls: peer did not false start: EOF",
1833 },
1834 {
1835 name: "NoFalseStart-NoAEAD",
1836 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001837 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001838 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1839 NextProtos: []string{"foo"},
1840 Bugs: ProtocolBugs{
1841 ExpectFalseStart: true,
1842 AlertBeforeFalseStartTest: alertAccessDenied,
1843 },
1844 },
1845 flags: []string{
1846 "-false-start",
1847 "-advertise-alpn", "\x03foo",
1848 },
1849 shimWritesFirst: true,
1850 shouldFail: true,
1851 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1852 expectedLocalError: "tls: peer did not false start: EOF",
1853 },
1854 {
1855 name: "NoFalseStart-RSA",
1856 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001857 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001858 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1859 NextProtos: []string{"foo"},
1860 Bugs: ProtocolBugs{
1861 ExpectFalseStart: true,
1862 AlertBeforeFalseStartTest: alertAccessDenied,
1863 },
1864 },
1865 flags: []string{
1866 "-false-start",
1867 "-advertise-alpn", "\x03foo",
1868 },
1869 shimWritesFirst: true,
1870 shouldFail: true,
1871 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1872 expectedLocalError: "tls: peer did not false start: EOF",
1873 },
1874 {
1875 name: "NoFalseStart-DHE_RSA",
1876 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001877 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001878 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1879 NextProtos: []string{"foo"},
1880 Bugs: ProtocolBugs{
1881 ExpectFalseStart: true,
1882 AlertBeforeFalseStartTest: alertAccessDenied,
1883 },
1884 },
1885 flags: []string{
1886 "-false-start",
1887 "-advertise-alpn", "\x03foo",
1888 },
1889 shimWritesFirst: true,
1890 shouldFail: true,
1891 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1892 expectedLocalError: "tls: peer did not false start: EOF",
1893 },
1894 {
Adam Langley7c803a62015-06-15 15:35:05 -07001895 protocol: dtls,
1896 name: "SendSplitAlert-Sync",
1897 config: Config{
1898 Bugs: ProtocolBugs{
1899 SendSplitAlert: true,
1900 },
1901 },
1902 },
1903 {
1904 protocol: dtls,
1905 name: "SendSplitAlert-Async",
1906 config: Config{
1907 Bugs: ProtocolBugs{
1908 SendSplitAlert: true,
1909 },
1910 },
1911 flags: []string{"-async"},
1912 },
1913 {
1914 protocol: dtls,
1915 name: "PackDTLSHandshake",
1916 config: Config{
1917 Bugs: ProtocolBugs{
1918 MaxHandshakeRecordLength: 2,
1919 PackHandshakeFragments: 20,
1920 PackHandshakeRecords: 200,
1921 },
1922 },
1923 },
1924 {
Adam Langley7c803a62015-06-15 15:35:05 -07001925 name: "SendEmptyRecords-Pass",
1926 sendEmptyRecords: 32,
1927 },
1928 {
1929 name: "SendEmptyRecords",
1930 sendEmptyRecords: 33,
1931 shouldFail: true,
1932 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
1933 },
1934 {
1935 name: "SendEmptyRecords-Async",
1936 sendEmptyRecords: 33,
1937 flags: []string{"-async"},
1938 shouldFail: true,
1939 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
1940 },
1941 {
David Benjamine8e84b92016-08-03 15:39:47 -04001942 name: "SendWarningAlerts-Pass",
1943 config: Config{
1944 MaxVersion: VersionTLS12,
1945 },
Adam Langley7c803a62015-06-15 15:35:05 -07001946 sendWarningAlerts: 4,
1947 },
1948 {
David Benjamine8e84b92016-08-03 15:39:47 -04001949 protocol: dtls,
1950 name: "SendWarningAlerts-DTLS-Pass",
1951 config: Config{
1952 MaxVersion: VersionTLS12,
1953 },
Adam Langley7c803a62015-06-15 15:35:05 -07001954 sendWarningAlerts: 4,
1955 },
1956 {
David Benjamine8e84b92016-08-03 15:39:47 -04001957 name: "SendWarningAlerts-TLS13",
1958 config: Config{
1959 MaxVersion: VersionTLS13,
1960 },
1961 sendWarningAlerts: 4,
1962 shouldFail: true,
1963 expectedError: ":BAD_ALERT:",
1964 expectedLocalError: "remote error: error decoding message",
1965 },
1966 {
1967 name: "SendWarningAlerts",
1968 config: Config{
1969 MaxVersion: VersionTLS12,
1970 },
Adam Langley7c803a62015-06-15 15:35:05 -07001971 sendWarningAlerts: 5,
1972 shouldFail: true,
1973 expectedError: ":TOO_MANY_WARNING_ALERTS:",
1974 },
1975 {
David Benjamine8e84b92016-08-03 15:39:47 -04001976 name: "SendWarningAlerts-Async",
1977 config: Config{
1978 MaxVersion: VersionTLS12,
1979 },
Adam Langley7c803a62015-06-15 15:35:05 -07001980 sendWarningAlerts: 5,
1981 flags: []string{"-async"},
1982 shouldFail: true,
1983 expectedError: ":TOO_MANY_WARNING_ALERTS:",
1984 },
David Benjaminba4594a2015-06-18 18:36:15 -04001985 {
Steven Valdezc4aa7272016-10-03 12:25:56 -04001986 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -04001987 config: Config{
1988 MaxVersion: VersionTLS13,
1989 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04001990 sendKeyUpdates: 33,
1991 keyUpdateRequest: keyUpdateNotRequested,
1992 shouldFail: true,
1993 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -04001994 },
1995 {
David Benjaminba4594a2015-06-18 18:36:15 -04001996 name: "EmptySessionID",
1997 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001998 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -04001999 SessionTicketsDisabled: true,
2000 },
2001 noSessionCache: true,
2002 flags: []string{"-expect-no-session"},
2003 },
David Benjamin30789da2015-08-29 22:56:45 -04002004 {
2005 name: "Unclean-Shutdown",
2006 config: Config{
2007 Bugs: ProtocolBugs{
2008 NoCloseNotify: true,
2009 ExpectCloseNotify: true,
2010 },
2011 },
2012 shimShutsDown: true,
2013 flags: []string{"-check-close-notify"},
2014 shouldFail: true,
2015 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2016 },
2017 {
2018 name: "Unclean-Shutdown-Ignored",
2019 config: Config{
2020 Bugs: ProtocolBugs{
2021 NoCloseNotify: true,
2022 },
2023 },
2024 shimShutsDown: true,
2025 },
David Benjamin4f75aaf2015-09-01 16:53:10 -04002026 {
David Benjaminfa214e42016-05-10 17:03:10 -04002027 name: "Unclean-Shutdown-Alert",
2028 config: Config{
2029 Bugs: ProtocolBugs{
2030 SendAlertOnShutdown: alertDecompressionFailure,
2031 ExpectCloseNotify: true,
2032 },
2033 },
2034 shimShutsDown: true,
2035 flags: []string{"-check-close-notify"},
2036 shouldFail: true,
2037 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2038 },
2039 {
David Benjamin4f75aaf2015-09-01 16:53:10 -04002040 name: "LargePlaintext",
2041 config: Config{
2042 Bugs: ProtocolBugs{
2043 SendLargeRecords: true,
2044 },
2045 },
2046 messageLen: maxPlaintext + 1,
2047 shouldFail: true,
2048 expectedError: ":DATA_LENGTH_TOO_LONG:",
2049 },
2050 {
2051 protocol: dtls,
2052 name: "LargePlaintext-DTLS",
2053 config: Config{
2054 Bugs: ProtocolBugs{
2055 SendLargeRecords: true,
2056 },
2057 },
2058 messageLen: maxPlaintext + 1,
2059 shouldFail: true,
2060 expectedError: ":DATA_LENGTH_TOO_LONG:",
2061 },
2062 {
2063 name: "LargeCiphertext",
2064 config: Config{
2065 Bugs: ProtocolBugs{
2066 SendLargeRecords: true,
2067 },
2068 },
2069 messageLen: maxPlaintext * 2,
2070 shouldFail: true,
2071 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2072 },
2073 {
2074 protocol: dtls,
2075 name: "LargeCiphertext-DTLS",
2076 config: Config{
2077 Bugs: ProtocolBugs{
2078 SendLargeRecords: true,
2079 },
2080 },
2081 messageLen: maxPlaintext * 2,
2082 // Unlike the other four cases, DTLS drops records which
2083 // are invalid before authentication, so the connection
2084 // does not fail.
2085 expectMessageDropped: true,
2086 },
David Benjamindd6fed92015-10-23 17:41:12 -04002087 {
David Benjaminef5dfd22015-12-06 13:17:07 -05002088 name: "BadHelloRequest-1",
2089 renegotiate: 1,
2090 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002091 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -05002092 Bugs: ProtocolBugs{
2093 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2094 },
2095 },
2096 flags: []string{
2097 "-renegotiate-freely",
2098 "-expect-total-renegotiations", "1",
2099 },
2100 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -04002101 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -05002102 },
2103 {
2104 name: "BadHelloRequest-2",
2105 renegotiate: 1,
2106 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002107 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -05002108 Bugs: ProtocolBugs{
2109 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2110 },
2111 },
2112 flags: []string{
2113 "-renegotiate-freely",
2114 "-expect-total-renegotiations", "1",
2115 },
2116 shouldFail: true,
2117 expectedError: ":BAD_HELLO_REQUEST:",
2118 },
David Benjaminef1b0092015-11-21 14:05:44 -05002119 {
2120 testType: serverTest,
2121 name: "SupportTicketsWithSessionID",
2122 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002123 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -05002124 SessionTicketsDisabled: true,
2125 },
David Benjamin4c3ddf72016-06-29 18:13:53 -04002126 resumeConfig: &Config{
2127 MaxVersion: VersionTLS12,
2128 },
David Benjaminef1b0092015-11-21 14:05:44 -05002129 resumeSession: true,
2130 },
David Benjamin02edcd02016-07-27 17:40:37 -04002131 {
2132 protocol: dtls,
2133 name: "DTLS-SendExtraFinished",
2134 config: Config{
2135 Bugs: ProtocolBugs{
2136 SendExtraFinished: true,
2137 },
2138 },
2139 shouldFail: true,
2140 expectedError: ":UNEXPECTED_RECORD:",
2141 },
2142 {
2143 protocol: dtls,
2144 name: "DTLS-SendExtraFinished-Reordered",
2145 config: Config{
2146 Bugs: ProtocolBugs{
2147 MaxHandshakeRecordLength: 2,
2148 ReorderHandshakeFragments: true,
2149 SendExtraFinished: true,
2150 },
2151 },
2152 shouldFail: true,
2153 expectedError: ":UNEXPECTED_RECORD:",
2154 },
David Benjamine97fb482016-07-29 09:23:07 -04002155 {
2156 testType: serverTest,
2157 name: "V2ClientHello-EmptyRecordPrefix",
2158 config: Config{
2159 // Choose a cipher suite that does not involve
2160 // elliptic curves, so no extensions are
2161 // involved.
2162 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002163 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -04002164 Bugs: ProtocolBugs{
2165 SendV2ClientHello: true,
2166 },
2167 },
2168 sendPrefix: string([]byte{
2169 byte(recordTypeHandshake),
2170 3, 1, // version
2171 0, 0, // length
2172 }),
2173 // A no-op empty record may not be sent before V2ClientHello.
2174 shouldFail: true,
2175 expectedError: ":WRONG_VERSION_NUMBER:",
2176 },
2177 {
2178 testType: serverTest,
2179 name: "V2ClientHello-WarningAlertPrefix",
2180 config: Config{
2181 // Choose a cipher suite that does not involve
2182 // elliptic curves, so no extensions are
2183 // involved.
2184 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002185 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -04002186 Bugs: ProtocolBugs{
2187 SendV2ClientHello: true,
2188 },
2189 },
2190 sendPrefix: string([]byte{
2191 byte(recordTypeAlert),
2192 3, 1, // version
2193 0, 2, // length
2194 alertLevelWarning, byte(alertDecompressionFailure),
2195 }),
2196 // A no-op warning alert may not be sent before V2ClientHello.
2197 shouldFail: true,
2198 expectedError: ":WRONG_VERSION_NUMBER:",
2199 },
Steven Valdez1dc53d22016-07-26 12:27:38 -04002200 {
Steven Valdezc4aa7272016-10-03 12:25:56 -04002201 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -04002202 config: Config{
2203 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -04002204 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04002205 sendKeyUpdates: 1,
2206 keyUpdateRequest: keyUpdateNotRequested,
2207 },
2208 {
2209 name: "KeyUpdate-InvalidRequestMode",
2210 config: Config{
2211 MaxVersion: VersionTLS13,
2212 },
2213 sendKeyUpdates: 1,
2214 keyUpdateRequest: 42,
2215 shouldFail: true,
2216 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -04002217 },
David Benjaminabe94e32016-09-04 14:18:58 -04002218 {
2219 name: "SendSNIWarningAlert",
2220 config: Config{
2221 MaxVersion: VersionTLS12,
2222 Bugs: ProtocolBugs{
2223 SendSNIWarningAlert: true,
2224 },
2225 },
2226 },
David Benjaminc241d792016-09-09 10:34:20 -04002227 {
2228 testType: serverTest,
2229 name: "ExtraCompressionMethods-TLS12",
2230 config: Config{
2231 MaxVersion: VersionTLS12,
2232 Bugs: ProtocolBugs{
2233 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2234 },
2235 },
2236 },
2237 {
2238 testType: serverTest,
2239 name: "ExtraCompressionMethods-TLS13",
2240 config: Config{
2241 MaxVersion: VersionTLS13,
2242 Bugs: ProtocolBugs{
2243 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":INVALID_COMPRESSION_LIST:",
2248 expectedLocalError: "remote error: illegal parameter",
2249 },
2250 {
2251 testType: serverTest,
2252 name: "NoNullCompression-TLS12",
2253 config: Config{
2254 MaxVersion: VersionTLS12,
2255 Bugs: ProtocolBugs{
2256 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2257 },
2258 },
2259 shouldFail: true,
2260 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2261 expectedLocalError: "remote error: illegal parameter",
2262 },
2263 {
2264 testType: serverTest,
2265 name: "NoNullCompression-TLS13",
2266 config: Config{
2267 MaxVersion: VersionTLS13,
2268 Bugs: ProtocolBugs{
2269 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2270 },
2271 },
2272 shouldFail: true,
2273 expectedError: ":INVALID_COMPRESSION_LIST:",
2274 expectedLocalError: "remote error: illegal parameter",
2275 },
David Benjamin65ac9972016-09-02 21:35:25 -04002276 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -04002277 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -04002278 config: Config{
2279 MaxVersion: VersionTLS12,
2280 Bugs: ProtocolBugs{
2281 ExpectGREASE: true,
2282 },
2283 },
2284 flags: []string{"-enable-grease"},
2285 },
2286 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -04002287 name: "GREASE-Client-TLS13",
2288 config: Config{
2289 MaxVersion: VersionTLS13,
2290 Bugs: ProtocolBugs{
2291 ExpectGREASE: true,
2292 },
2293 },
2294 flags: []string{"-enable-grease"},
2295 },
2296 {
2297 testType: serverTest,
2298 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -04002299 config: Config{
2300 MaxVersion: VersionTLS13,
2301 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -04002302 // TLS 1.3 servers are expected to
2303 // always enable GREASE. TLS 1.3 is new,
2304 // so there is no existing ecosystem to
2305 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -04002306 ExpectGREASE: true,
2307 },
2308 },
David Benjamin65ac9972016-09-02 21:35:25 -04002309 },
Adam Langley7c803a62015-06-15 15:35:05 -07002310 }
Adam Langley7c803a62015-06-15 15:35:05 -07002311 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -04002312
2313 // Test that very large messages can be received.
2314 cert := rsaCertificate
2315 for i := 0; i < 50; i++ {
2316 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2317 }
2318 testCases = append(testCases, testCase{
2319 name: "LargeMessage",
2320 config: Config{
2321 Certificates: []Certificate{cert},
2322 },
2323 })
2324 testCases = append(testCases, testCase{
2325 protocol: dtls,
2326 name: "LargeMessage-DTLS",
2327 config: Config{
2328 Certificates: []Certificate{cert},
2329 },
2330 })
2331
2332 // They are rejected if the maximum certificate chain length is capped.
2333 testCases = append(testCases, testCase{
2334 name: "LargeMessage-Reject",
2335 config: Config{
2336 Certificates: []Certificate{cert},
2337 },
2338 flags: []string{"-max-cert-list", "16384"},
2339 shouldFail: true,
2340 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2341 })
2342 testCases = append(testCases, testCase{
2343 protocol: dtls,
2344 name: "LargeMessage-Reject-DTLS",
2345 config: Config{
2346 Certificates: []Certificate{cert},
2347 },
2348 flags: []string{"-max-cert-list", "16384"},
2349 shouldFail: true,
2350 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2351 })
Adam Langley7c803a62015-06-15 15:35:05 -07002352}
2353
Adam Langley95c29f32014-06-20 12:00:00 -07002354func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +02002355 const bogusCipher = 0xfe00
2356
Adam Langley95c29f32014-06-20 12:00:00 -07002357 for _, suite := range testCipherSuites {
David Benjamin48cae082014-10-27 01:06:24 -04002358 const psk = "12345"
2359 const pskIdentity = "luggage combo"
2360
Adam Langley95c29f32014-06-20 12:00:00 -07002361 var cert Certificate
David Benjamin025b3d32014-07-01 19:53:04 -04002362 var certFile string
2363 var keyFile string
David Benjamin8b8c0062014-11-23 02:47:52 -05002364 if hasComponent(suite.name, "ECDSA") {
David Benjamin33863262016-07-08 17:20:12 -07002365 cert = ecdsaP256Certificate
2366 certFile = ecdsaP256CertificateFile
2367 keyFile = ecdsaP256KeyFile
Adam Langley95c29f32014-06-20 12:00:00 -07002368 } else {
David Benjamin33863262016-07-08 17:20:12 -07002369 cert = rsaCertificate
David Benjamin025b3d32014-07-01 19:53:04 -04002370 certFile = rsaCertificateFile
2371 keyFile = rsaKeyFile
Adam Langley95c29f32014-06-20 12:00:00 -07002372 }
2373
David Benjamin48cae082014-10-27 01:06:24 -04002374 var flags []string
David Benjamin8b8c0062014-11-23 02:47:52 -05002375 if hasComponent(suite.name, "PSK") {
David Benjamin48cae082014-10-27 01:06:24 -04002376 flags = append(flags,
2377 "-psk", psk,
2378 "-psk-identity", pskIdentity)
2379 }
Matt Braithwaiteaf096752015-09-02 19:48:16 -07002380 if hasComponent(suite.name, "NULL") {
2381 // NULL ciphers must be explicitly enabled.
2382 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2383 }
Matt Braithwaite053931e2016-05-25 12:06:05 -07002384 if hasComponent(suite.name, "CECPQ1") {
2385 // CECPQ1 ciphers must be explicitly enabled.
2386 flags = append(flags, "-cipher", "DEFAULT:kCECPQ1")
2387 }
David Benjamin881f1962016-08-10 18:29:12 -04002388 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2389 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2390 // for now.
2391 flags = append(flags, "-cipher", suite.name)
2392 }
David Benjamin48cae082014-10-27 01:06:24 -04002393
Adam Langley95c29f32014-06-20 12:00:00 -07002394 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -04002395 for _, protocol := range []protocol{tls, dtls} {
2396 var prefix string
2397 if protocol == dtls {
2398 if !ver.hasDTLS {
2399 continue
2400 }
2401 prefix = "D"
2402 }
Adam Langley95c29f32014-06-20 12:00:00 -07002403
David Benjamin0407e762016-06-17 16:41:18 -04002404 var shouldServerFail, shouldClientFail bool
2405 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2406 // BoringSSL clients accept ECDHE on SSLv3, but
2407 // a BoringSSL server will never select it
2408 // because the extension is missing.
2409 shouldServerFail = true
2410 }
2411 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2412 shouldClientFail = true
2413 shouldServerFail = true
2414 }
David Benjamin54c217c2016-07-13 12:35:25 -04002415 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
Nick Harper1fd39d82016-06-14 18:14:35 -07002416 shouldClientFail = true
2417 shouldServerFail = true
2418 }
Steven Valdez803c77a2016-09-06 14:13:43 -04002419 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2420 shouldClientFail = true
2421 shouldServerFail = true
2422 }
David Benjamin0407e762016-06-17 16:41:18 -04002423 if !isDTLSCipher(suite.name) && protocol == dtls {
2424 shouldClientFail = true
2425 shouldServerFail = true
2426 }
David Benjamin4298d772015-12-19 00:18:25 -05002427
David Benjamin5ecb88b2016-10-04 17:51:35 -04002428 var sendCipherSuite uint16
David Benjamin0407e762016-06-17 16:41:18 -04002429 var expectedServerError, expectedClientError string
David Benjamin5ecb88b2016-10-04 17:51:35 -04002430 serverCipherSuites := []uint16{suite.id}
David Benjamin0407e762016-06-17 16:41:18 -04002431 if shouldServerFail {
2432 expectedServerError = ":NO_SHARED_CIPHER:"
2433 }
2434 if shouldClientFail {
2435 expectedClientError = ":WRONG_CIPHER_RETURNED:"
David Benjamin5ecb88b2016-10-04 17:51:35 -04002436 // Configure the server to select ciphers as normal but
2437 // select an incompatible cipher in ServerHello.
2438 serverCipherSuites = nil
2439 sendCipherSuite = suite.id
David Benjamin0407e762016-06-17 16:41:18 -04002440 }
David Benjamin025b3d32014-07-01 19:53:04 -04002441
David Benjamin6fd297b2014-08-11 18:43:38 -04002442 testCases = append(testCases, testCase{
2443 testType: serverTest,
David Benjamin0407e762016-06-17 16:41:18 -04002444 protocol: protocol,
2445
2446 name: prefix + ver.name + "-" + suite.name + "-server",
David Benjamin6fd297b2014-08-11 18:43:38 -04002447 config: Config{
David Benjamin48cae082014-10-27 01:06:24 -04002448 MinVersion: ver.version,
2449 MaxVersion: ver.version,
2450 CipherSuites: []uint16{suite.id},
2451 Certificates: []Certificate{cert},
2452 PreSharedKey: []byte(psk),
2453 PreSharedKeyIdentity: pskIdentity,
David Benjamin0407e762016-06-17 16:41:18 -04002454 Bugs: ProtocolBugs{
David Benjamin5ecb88b2016-10-04 17:51:35 -04002455 AdvertiseAllConfiguredCiphers: true,
David Benjamin0407e762016-06-17 16:41:18 -04002456 },
David Benjamin6fd297b2014-08-11 18:43:38 -04002457 },
2458 certFile: certFile,
2459 keyFile: keyFile,
David Benjamin48cae082014-10-27 01:06:24 -04002460 flags: flags,
Steven Valdez4aa154e2016-07-29 14:32:55 -04002461 resumeSession: true,
David Benjamin0407e762016-06-17 16:41:18 -04002462 shouldFail: shouldServerFail,
2463 expectedError: expectedServerError,
2464 })
2465
2466 testCases = append(testCases, testCase{
2467 testType: clientTest,
2468 protocol: protocol,
2469 name: prefix + ver.name + "-" + suite.name + "-client",
2470 config: Config{
2471 MinVersion: ver.version,
2472 MaxVersion: ver.version,
David Benjamin5ecb88b2016-10-04 17:51:35 -04002473 CipherSuites: serverCipherSuites,
David Benjamin0407e762016-06-17 16:41:18 -04002474 Certificates: []Certificate{cert},
2475 PreSharedKey: []byte(psk),
2476 PreSharedKeyIdentity: pskIdentity,
2477 Bugs: ProtocolBugs{
David Benjamin9acf0ca2016-06-25 00:01:28 -04002478 IgnorePeerCipherPreferences: shouldClientFail,
David Benjamin5ecb88b2016-10-04 17:51:35 -04002479 SendCipherSuite: sendCipherSuite,
David Benjamin0407e762016-06-17 16:41:18 -04002480 },
2481 },
2482 flags: flags,
Steven Valdez4aa154e2016-07-29 14:32:55 -04002483 resumeSession: true,
David Benjamin0407e762016-06-17 16:41:18 -04002484 shouldFail: shouldClientFail,
2485 expectedError: expectedClientError,
David Benjamin6fd297b2014-08-11 18:43:38 -04002486 })
David Benjamin2c99d282015-09-01 10:23:00 -04002487
Nick Harper1fd39d82016-06-14 18:14:35 -07002488 if !shouldClientFail {
2489 // Ensure the maximum record size is accepted.
2490 testCases = append(testCases, testCase{
2491 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2492 config: Config{
2493 MinVersion: ver.version,
2494 MaxVersion: ver.version,
2495 CipherSuites: []uint16{suite.id},
2496 Certificates: []Certificate{cert},
2497 PreSharedKey: []byte(psk),
2498 PreSharedKeyIdentity: pskIdentity,
2499 },
2500 flags: flags,
2501 messageLen: maxPlaintext,
2502 })
2503 }
2504 }
David Benjamin2c99d282015-09-01 10:23:00 -04002505 }
Adam Langley95c29f32014-06-20 12:00:00 -07002506 }
Adam Langleya7997f12015-05-14 17:38:50 -07002507
2508 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002509 name: "NoSharedCipher",
2510 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002511 MaxVersion: VersionTLS12,
2512 CipherSuites: []uint16{},
2513 },
2514 shouldFail: true,
2515 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2516 })
2517
2518 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04002519 name: "NoSharedCipher-TLS13",
2520 config: Config{
2521 MaxVersion: VersionTLS13,
2522 CipherSuites: []uint16{},
2523 },
2524 shouldFail: true,
2525 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2526 })
2527
2528 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002529 name: "UnsupportedCipherSuite",
2530 config: Config{
2531 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -07002532 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -04002533 Bugs: ProtocolBugs{
2534 IgnorePeerCipherPreferences: true,
2535 },
2536 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -07002537 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -04002538 shouldFail: true,
2539 expectedError: ":WRONG_CIPHER_RETURNED:",
2540 })
2541
2542 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +02002543 name: "ServerHelloBogusCipher",
2544 config: Config{
2545 MaxVersion: VersionTLS12,
2546 Bugs: ProtocolBugs{
2547 SendCipherSuite: bogusCipher,
2548 },
2549 },
2550 shouldFail: true,
2551 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2552 })
2553 testCases = append(testCases, testCase{
2554 name: "ServerHelloBogusCipher-TLS13",
2555 config: Config{
2556 MaxVersion: VersionTLS13,
2557 Bugs: ProtocolBugs{
2558 SendCipherSuite: bogusCipher,
2559 },
2560 },
2561 shouldFail: true,
2562 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2563 })
2564
2565 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -07002566 name: "WeakDH",
2567 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002568 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -07002569 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2570 Bugs: ProtocolBugs{
2571 // This is a 1023-bit prime number, generated
2572 // with:
2573 // openssl gendh 1023 | openssl asn1parse -i
2574 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2575 },
2576 },
2577 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -08002578 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -07002579 })
Adam Langleycef75832015-09-03 14:51:12 -07002580
David Benjamincd24a392015-11-11 13:23:05 -08002581 testCases = append(testCases, testCase{
2582 name: "SillyDH",
2583 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002584 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -08002585 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2586 Bugs: ProtocolBugs{
2587 // This is a 4097-bit prime number, generated
2588 // with:
2589 // openssl gendh 4097 | openssl asn1parse -i
2590 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2591 },
2592 },
2593 shouldFail: true,
2594 expectedError: ":DH_P_TOO_LONG:",
2595 })
2596
Adam Langleyc4f25ce2015-11-26 16:39:08 -08002597 // This test ensures that Diffie-Hellman public values are padded with
2598 // zeros so that they're the same length as the prime. This is to avoid
2599 // hitting a bug in yaSSL.
2600 testCases = append(testCases, testCase{
2601 testType: serverTest,
2602 name: "DHPublicValuePadded",
2603 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002604 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -08002605 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2606 Bugs: ProtocolBugs{
2607 RequireDHPublicValueLen: (1025 + 7) / 8,
2608 },
2609 },
2610 flags: []string{"-use-sparse-dh-prime"},
2611 })
David Benjamincd24a392015-11-11 13:23:05 -08002612
David Benjamin241ae832016-01-15 03:04:54 -05002613 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -05002614 testCases = append(testCases, testCase{
2615 testType: serverTest,
2616 name: "UnknownCipher",
2617 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04002618 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -05002619 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -04002620 Bugs: ProtocolBugs{
2621 AdvertiseAllConfiguredCiphers: true,
2622 },
2623 },
2624 })
Steven Valdez803c77a2016-09-06 14:13:43 -04002625
2626 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -04002627 testCases = append(testCases, testCase{
2628 testType: serverTest,
2629 name: "UnknownCipher-TLS13",
2630 config: Config{
2631 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04002632 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -04002633 Bugs: ProtocolBugs{
2634 AdvertiseAllConfiguredCiphers: true,
2635 },
David Benjamin241ae832016-01-15 03:04:54 -05002636 },
2637 })
2638
David Benjamin78679342016-09-16 19:42:05 -04002639 // Test empty ECDHE_PSK identity hints work as expected.
2640 testCases = append(testCases, testCase{
2641 name: "EmptyECDHEPSKHint",
2642 config: Config{
2643 MaxVersion: VersionTLS12,
2644 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2645 PreSharedKey: []byte("secret"),
2646 },
2647 flags: []string{"-psk", "secret"},
2648 })
2649
2650 // Test empty PSK identity hints work as expected, even if an explicit
2651 // ServerKeyExchange is sent.
2652 testCases = append(testCases, testCase{
2653 name: "ExplicitEmptyPSKHint",
2654 config: Config{
2655 MaxVersion: VersionTLS12,
2656 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2657 PreSharedKey: []byte("secret"),
2658 Bugs: ProtocolBugs{
2659 AlwaysSendPreSharedKeyIdentityHint: true,
2660 },
2661 },
2662 flags: []string{"-psk", "secret"},
2663 })
2664
Adam Langleycef75832015-09-03 14:51:12 -07002665 // versionSpecificCiphersTest specifies a test for the TLS 1.0 and TLS
2666 // 1.1 specific cipher suite settings. A server is setup with the given
2667 // cipher lists and then a connection is made for each member of
2668 // expectations. The cipher suite that the server selects must match
2669 // the specified one.
2670 var versionSpecificCiphersTest = []struct {
2671 ciphersDefault, ciphersTLS10, ciphersTLS11 string
2672 // expectations is a map from TLS version to cipher suite id.
2673 expectations map[uint16]uint16
2674 }{
2675 {
2676 // Test that the null case (where no version-specific ciphers are set)
2677 // works as expected.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002678 "DES-CBC3-SHA:AES128-SHA", // default ciphers
2679 "", // no ciphers specifically for TLS ≥ 1.0
2680 "", // no ciphers specifically for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002681 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002682 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2683 VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2684 VersionTLS11: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2685 VersionTLS12: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002686 },
2687 },
2688 {
2689 // With ciphers_tls10 set, TLS 1.0, 1.1 and 1.2 should get a different
2690 // cipher.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002691 "DES-CBC3-SHA:AES128-SHA", // default
2692 "AES128-SHA", // these ciphers for TLS ≥ 1.0
2693 "", // no ciphers specifically for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002694 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002695 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002696 VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
2697 VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
2698 VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
2699 },
2700 },
2701 {
2702 // With ciphers_tls11 set, TLS 1.1 and 1.2 should get a different
2703 // cipher.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002704 "DES-CBC3-SHA:AES128-SHA", // default
2705 "", // no ciphers specifically for TLS ≥ 1.0
2706 "AES128-SHA", // these ciphers for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002707 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002708 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2709 VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002710 VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
2711 VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
2712 },
2713 },
2714 {
2715 // With both ciphers_tls10 and ciphers_tls11 set, ciphers_tls11 should
2716 // mask ciphers_tls10 for TLS 1.1 and 1.2.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002717 "DES-CBC3-SHA:AES128-SHA", // default
2718 "AES128-SHA", // these ciphers for TLS ≥ 1.0
2719 "AES256-SHA", // these ciphers for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002720 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002721 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002722 VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
2723 VersionTLS11: TLS_RSA_WITH_AES_256_CBC_SHA,
2724 VersionTLS12: TLS_RSA_WITH_AES_256_CBC_SHA,
2725 },
2726 },
2727 }
2728
2729 for i, test := range versionSpecificCiphersTest {
2730 for version, expectedCipherSuite := range test.expectations {
2731 flags := []string{"-cipher", test.ciphersDefault}
2732 if len(test.ciphersTLS10) > 0 {
2733 flags = append(flags, "-cipher-tls10", test.ciphersTLS10)
2734 }
2735 if len(test.ciphersTLS11) > 0 {
2736 flags = append(flags, "-cipher-tls11", test.ciphersTLS11)
2737 }
2738
2739 testCases = append(testCases, testCase{
2740 testType: serverTest,
2741 name: fmt.Sprintf("VersionSpecificCiphersTest-%d-%x", i, version),
2742 config: Config{
2743 MaxVersion: version,
2744 MinVersion: version,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002745 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA},
Adam Langleycef75832015-09-03 14:51:12 -07002746 },
2747 flags: flags,
2748 expectedCipher: expectedCipherSuite,
2749 })
2750 }
2751 }
Adam Langley95c29f32014-06-20 12:00:00 -07002752}
2753
2754func addBadECDSASignatureTests() {
2755 for badR := BadValue(1); badR < NumBadValues; badR++ {
2756 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -04002757 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -07002758 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2759 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04002760 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -07002761 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07002762 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -07002763 Bugs: ProtocolBugs{
2764 BadECDSAR: badR,
2765 BadECDSAS: badS,
2766 },
2767 },
2768 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002769 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -07002770 })
Steven Valdez803c77a2016-09-06 14:13:43 -04002771 testCases = append(testCases, testCase{
2772 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2773 config: Config{
2774 MaxVersion: VersionTLS13,
2775 Certificates: []Certificate{ecdsaP256Certificate},
2776 Bugs: ProtocolBugs{
2777 BadECDSAR: badR,
2778 BadECDSAS: badS,
2779 },
2780 },
2781 shouldFail: true,
2782 expectedError: ":BAD_SIGNATURE:",
2783 })
Adam Langley95c29f32014-06-20 12:00:00 -07002784 }
2785 }
2786}
2787
Adam Langley80842bd2014-06-20 12:00:00 -07002788func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -04002789 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002790 name: "MaxCBCPadding",
2791 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002792 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002793 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2794 Bugs: ProtocolBugs{
2795 MaxPadding: true,
2796 },
2797 },
2798 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2799 })
David Benjamin025b3d32014-07-01 19:53:04 -04002800 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002801 name: "BadCBCPadding",
2802 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002803 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002804 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2805 Bugs: ProtocolBugs{
2806 PaddingFirstByteBad: true,
2807 },
2808 },
2809 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002810 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -07002811 })
2812 // OpenSSL previously had an issue where the first byte of padding in
2813 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -04002814 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002815 name: "BadCBCPadding255",
2816 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002817 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002818 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2819 Bugs: ProtocolBugs{
2820 MaxPadding: true,
2821 PaddingFirstByteBadIf255: true,
2822 },
2823 },
2824 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2825 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002826 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -07002827 })
2828}
2829
Kenny Root7fdeaf12014-08-05 15:23:37 -07002830func addCBCSplittingTests() {
2831 testCases = append(testCases, testCase{
2832 name: "CBCRecordSplitting",
2833 config: Config{
2834 MaxVersion: VersionTLS10,
2835 MinVersion: VersionTLS10,
2836 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2837 },
David Benjaminac8302a2015-09-01 17:18:15 -04002838 messageLen: -1, // read until EOF
2839 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -07002840 flags: []string{
2841 "-async",
2842 "-write-different-record-sizes",
2843 "-cbc-record-splitting",
2844 },
David Benjamina8e3e0e2014-08-06 22:11:10 -04002845 })
2846 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -07002847 name: "CBCRecordSplittingPartialWrite",
2848 config: Config{
2849 MaxVersion: VersionTLS10,
2850 MinVersion: VersionTLS10,
2851 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2852 },
2853 messageLen: -1, // read until EOF
2854 flags: []string{
2855 "-async",
2856 "-write-different-record-sizes",
2857 "-cbc-record-splitting",
2858 "-partial-write",
2859 },
2860 })
2861}
2862
David Benjamin636293b2014-07-08 17:59:18 -04002863func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -04002864 // Add a dummy cert pool to stress certificate authority parsing.
2865 // TODO(davidben): Add tests that those values parse out correctly.
2866 certPool := x509.NewCertPool()
2867 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2868 if err != nil {
2869 panic(err)
2870 }
2871 certPool.AddCert(cert)
2872
David Benjamin636293b2014-07-08 17:59:18 -04002873 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -04002874 testCases = append(testCases, testCase{
2875 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -04002876 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -04002877 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -04002878 MinVersion: ver.version,
2879 MaxVersion: ver.version,
2880 ClientAuth: RequireAnyClientCert,
2881 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -04002882 },
2883 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07002884 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2885 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -04002886 },
2887 })
2888 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -04002889 testType: serverTest,
2890 name: ver.name + "-Server-ClientAuth-RSA",
2891 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -04002892 MinVersion: ver.version,
2893 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -04002894 Certificates: []Certificate{rsaCertificate},
2895 },
2896 flags: []string{"-require-any-client-certificate"},
2897 })
David Benjamine098ec22014-08-27 23:13:20 -04002898 if ver.version != VersionSSL30 {
2899 testCases = append(testCases, testCase{
2900 testType: serverTest,
2901 name: ver.name + "-Server-ClientAuth-ECDSA",
2902 config: Config{
2903 MinVersion: ver.version,
2904 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -07002905 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -04002906 },
2907 flags: []string{"-require-any-client-certificate"},
2908 })
2909 testCases = append(testCases, testCase{
2910 testType: clientTest,
2911 name: ver.name + "-Client-ClientAuth-ECDSA",
2912 config: Config{
2913 MinVersion: ver.version,
2914 MaxVersion: ver.version,
2915 ClientAuth: RequireAnyClientCert,
2916 ClientCAs: certPool,
2917 },
2918 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07002919 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2920 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -04002921 },
2922 })
2923 }
Adam Langley37646832016-08-01 16:16:46 -07002924
2925 testCases = append(testCases, testCase{
2926 name: "NoClientCertificate-" + ver.name,
2927 config: Config{
2928 MinVersion: ver.version,
2929 MaxVersion: ver.version,
2930 ClientAuth: RequireAnyClientCert,
2931 },
2932 shouldFail: true,
2933 expectedLocalError: "client didn't provide a certificate",
2934 })
2935
2936 testCases = append(testCases, testCase{
2937 // Even if not configured to expect a certificate, OpenSSL will
2938 // return X509_V_OK as the verify_result.
2939 testType: serverTest,
2940 name: "NoClientCertificateRequested-Server-" + ver.name,
2941 config: Config{
2942 MinVersion: ver.version,
2943 MaxVersion: ver.version,
2944 },
2945 flags: []string{
2946 "-expect-verify-result",
2947 },
David Benjamin5d9ba812016-10-07 20:51:20 -04002948 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -07002949 })
2950
2951 testCases = append(testCases, testCase{
2952 // If a client certificate is not provided, OpenSSL will still
2953 // return X509_V_OK as the verify_result.
2954 testType: serverTest,
2955 name: "NoClientCertificate-Server-" + ver.name,
2956 config: Config{
2957 MinVersion: ver.version,
2958 MaxVersion: ver.version,
2959 },
2960 flags: []string{
2961 "-expect-verify-result",
2962 "-verify-peer",
2963 },
David Benjamin5d9ba812016-10-07 20:51:20 -04002964 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -07002965 })
2966
David Benjamin1db9e1b2016-10-07 20:51:43 -04002967 certificateRequired := "remote error: certificate required"
2968 if ver.version < VersionTLS13 {
2969 // Prior to TLS 1.3, the generic handshake_failure alert
2970 // was used.
2971 certificateRequired = "remote error: handshake failure"
2972 }
Adam Langley37646832016-08-01 16:16:46 -07002973 testCases = append(testCases, testCase{
2974 testType: serverTest,
2975 name: "RequireAnyClientCertificate-" + ver.name,
2976 config: Config{
2977 MinVersion: ver.version,
2978 MaxVersion: ver.version,
2979 },
David Benjamin1db9e1b2016-10-07 20:51:43 -04002980 flags: []string{"-require-any-client-certificate"},
2981 shouldFail: true,
2982 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
2983 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -07002984 })
2985
2986 if ver.version != VersionSSL30 {
2987 testCases = append(testCases, testCase{
2988 testType: serverTest,
2989 name: "SkipClientCertificate-" + ver.name,
2990 config: Config{
2991 MinVersion: ver.version,
2992 MaxVersion: ver.version,
2993 Bugs: ProtocolBugs{
2994 SkipClientCertificate: true,
2995 },
2996 },
2997 // Setting SSL_VERIFY_PEER allows anonymous clients.
2998 flags: []string{"-verify-peer"},
2999 shouldFail: true,
3000 expectedError: ":UNEXPECTED_MESSAGE:",
3001 })
3002 }
David Benjamin636293b2014-07-08 17:59:18 -04003003 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003004
David Benjaminc032dfa2016-05-12 14:54:57 -04003005 // Client auth is only legal in certificate-based ciphers.
3006 testCases = append(testCases, testCase{
3007 testType: clientTest,
3008 name: "ClientAuth-PSK",
3009 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003010 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -04003011 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3012 PreSharedKey: []byte("secret"),
3013 ClientAuth: RequireAnyClientCert,
3014 },
3015 flags: []string{
3016 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3017 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3018 "-psk", "secret",
3019 },
3020 shouldFail: true,
3021 expectedError: ":UNEXPECTED_MESSAGE:",
3022 })
3023 testCases = append(testCases, testCase{
3024 testType: clientTest,
3025 name: "ClientAuth-ECDHE_PSK",
3026 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003027 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -04003028 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3029 PreSharedKey: []byte("secret"),
3030 ClientAuth: RequireAnyClientCert,
3031 },
3032 flags: []string{
3033 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3034 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3035 "-psk", "secret",
3036 },
3037 shouldFail: true,
3038 expectedError: ":UNEXPECTED_MESSAGE:",
3039 })
David Benjamin2f8935d2016-07-13 19:47:39 -04003040
3041 // Regression test for a bug where the client CA list, if explicitly
3042 // set to NULL, was mis-encoded.
3043 testCases = append(testCases, testCase{
3044 testType: serverTest,
3045 name: "Null-Client-CA-List",
3046 config: Config{
3047 MaxVersion: VersionTLS12,
3048 Certificates: []Certificate{rsaCertificate},
3049 },
3050 flags: []string{
3051 "-require-any-client-certificate",
3052 "-use-null-client-ca-list",
3053 },
3054 })
David Benjamin636293b2014-07-08 17:59:18 -04003055}
3056
Adam Langley75712922014-10-10 16:23:43 -07003057func addExtendedMasterSecretTests() {
3058 const expectEMSFlag = "-expect-extended-master-secret"
3059
3060 for _, with := range []bool{false, true} {
3061 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -07003062 if with {
3063 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -07003064 }
3065
3066 for _, isClient := range []bool{false, true} {
3067 suffix := "-Server"
3068 testType := serverTest
3069 if isClient {
3070 suffix = "-Client"
3071 testType = clientTest
3072 }
3073
3074 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -04003075 // In TLS 1.3, the extension is irrelevant and
3076 // always reports as enabled.
3077 var flags []string
3078 if with || ver.version >= VersionTLS13 {
3079 flags = []string{expectEMSFlag}
3080 }
3081
Adam Langley75712922014-10-10 16:23:43 -07003082 test := testCase{
3083 testType: testType,
3084 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3085 config: Config{
3086 MinVersion: ver.version,
3087 MaxVersion: ver.version,
3088 Bugs: ProtocolBugs{
3089 NoExtendedMasterSecret: !with,
3090 RequireExtendedMasterSecret: with,
3091 },
3092 },
David Benjamin48cae082014-10-27 01:06:24 -04003093 flags: flags,
3094 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -07003095 }
3096 if test.shouldFail {
3097 test.expectedLocalError = "extended master secret required but not supported by peer"
3098 }
3099 testCases = append(testCases, test)
3100 }
3101 }
3102 }
3103
Adam Langleyba5934b2015-06-02 10:50:35 -07003104 for _, isClient := range []bool{false, true} {
3105 for _, supportedInFirstConnection := range []bool{false, true} {
3106 for _, supportedInResumeConnection := range []bool{false, true} {
3107 boolToWord := func(b bool) string {
3108 if b {
3109 return "Yes"
3110 }
3111 return "No"
3112 }
3113 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3114 if isClient {
3115 suffix += "Client"
3116 } else {
3117 suffix += "Server"
3118 }
3119
3120 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003121 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -07003122 Bugs: ProtocolBugs{
3123 RequireExtendedMasterSecret: true,
3124 },
3125 }
3126
3127 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003128 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -07003129 Bugs: ProtocolBugs{
3130 NoExtendedMasterSecret: true,
3131 },
3132 }
3133
3134 test := testCase{
3135 name: "ExtendedMasterSecret-" + suffix,
3136 resumeSession: true,
3137 }
3138
3139 if !isClient {
3140 test.testType = serverTest
3141 }
3142
3143 if supportedInFirstConnection {
3144 test.config = supportedConfig
3145 } else {
3146 test.config = noSupportConfig
3147 }
3148
3149 if supportedInResumeConnection {
3150 test.resumeConfig = &supportedConfig
3151 } else {
3152 test.resumeConfig = &noSupportConfig
3153 }
3154
3155 switch suffix {
3156 case "YesToYes-Client", "YesToYes-Server":
3157 // When a session is resumed, it should
3158 // still be aware that its master
3159 // secret was generated via EMS and
3160 // thus it's safe to use tls-unique.
3161 test.flags = []string{expectEMSFlag}
3162 case "NoToYes-Server":
3163 // If an original connection did not
3164 // contain EMS, but a resumption
3165 // handshake does, then a server should
3166 // not resume the session.
3167 test.expectResumeRejected = true
3168 case "YesToNo-Server":
3169 // Resuming an EMS session without the
3170 // EMS extension should cause the
3171 // server to abort the connection.
3172 test.shouldFail = true
3173 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3174 case "NoToYes-Client":
3175 // A client should abort a connection
3176 // where the server resumed a non-EMS
3177 // session but echoed the EMS
3178 // extension.
3179 test.shouldFail = true
3180 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3181 case "YesToNo-Client":
3182 // A client should abort a connection
3183 // where the server didn't echo EMS
3184 // when the session used it.
3185 test.shouldFail = true
3186 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3187 }
3188
3189 testCases = append(testCases, test)
3190 }
3191 }
3192 }
David Benjamin163c9562016-08-29 23:14:17 -04003193
3194 // Switching EMS on renegotiation is forbidden.
3195 testCases = append(testCases, testCase{
3196 name: "ExtendedMasterSecret-Renego-NoEMS",
3197 config: Config{
3198 MaxVersion: VersionTLS12,
3199 Bugs: ProtocolBugs{
3200 NoExtendedMasterSecret: true,
3201 NoExtendedMasterSecretOnRenegotiation: true,
3202 },
3203 },
3204 renegotiate: 1,
3205 flags: []string{
3206 "-renegotiate-freely",
3207 "-expect-total-renegotiations", "1",
3208 },
3209 })
3210
3211 testCases = append(testCases, testCase{
3212 name: "ExtendedMasterSecret-Renego-Upgrade",
3213 config: Config{
3214 MaxVersion: VersionTLS12,
3215 Bugs: ProtocolBugs{
3216 NoExtendedMasterSecret: true,
3217 },
3218 },
3219 renegotiate: 1,
3220 flags: []string{
3221 "-renegotiate-freely",
3222 "-expect-total-renegotiations", "1",
3223 },
3224 shouldFail: true,
3225 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3226 })
3227
3228 testCases = append(testCases, testCase{
3229 name: "ExtendedMasterSecret-Renego-Downgrade",
3230 config: Config{
3231 MaxVersion: VersionTLS12,
3232 Bugs: ProtocolBugs{
3233 NoExtendedMasterSecretOnRenegotiation: true,
3234 },
3235 },
3236 renegotiate: 1,
3237 flags: []string{
3238 "-renegotiate-freely",
3239 "-expect-total-renegotiations", "1",
3240 },
3241 shouldFail: true,
3242 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3243 })
Adam Langley75712922014-10-10 16:23:43 -07003244}
3245
David Benjamin582ba042016-07-07 12:33:25 -07003246type stateMachineTestConfig struct {
3247 protocol protocol
3248 async bool
3249 splitHandshake, packHandshakeFlight bool
3250}
3251
David Benjamin43ec06f2014-08-05 02:28:57 -04003252// Adds tests that try to cover the range of the handshake state machine, under
3253// various conditions. Some of these are redundant with other tests, but they
3254// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -07003255func addAllStateMachineCoverageTests() {
3256 for _, async := range []bool{false, true} {
3257 for _, protocol := range []protocol{tls, dtls} {
3258 addStateMachineCoverageTests(stateMachineTestConfig{
3259 protocol: protocol,
3260 async: async,
3261 })
3262 addStateMachineCoverageTests(stateMachineTestConfig{
3263 protocol: protocol,
3264 async: async,
3265 splitHandshake: true,
3266 })
3267 if protocol == tls {
3268 addStateMachineCoverageTests(stateMachineTestConfig{
3269 protocol: protocol,
3270 async: async,
3271 packHandshakeFlight: true,
3272 })
3273 }
3274 }
3275 }
3276}
3277
3278func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -04003279 var tests []testCase
3280
3281 // Basic handshake, with resumption. Client and server,
3282 // session ID and session ticket.
3283 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003284 name: "Basic-Client",
3285 config: Config{
3286 MaxVersion: VersionTLS12,
3287 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003288 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -05003289 // Ensure session tickets are used, not session IDs.
3290 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003291 })
3292 tests = append(tests, testCase{
3293 name: "Basic-Client-RenewTicket",
3294 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003295 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003296 Bugs: ProtocolBugs{
3297 RenewTicketOnResume: true,
3298 },
3299 },
David Benjamin46662482016-08-17 00:51:00 -04003300 flags: []string{"-expect-ticket-renewal"},
3301 resumeSession: true,
3302 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003303 })
3304 tests = append(tests, testCase{
3305 name: "Basic-Client-NoTicket",
3306 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003307 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003308 SessionTicketsDisabled: true,
3309 },
3310 resumeSession: true,
3311 })
3312 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003313 name: "Basic-Client-Implicit",
3314 config: Config{
3315 MaxVersion: VersionTLS12,
3316 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003317 flags: []string{"-implicit-handshake"},
3318 resumeSession: true,
3319 })
3320 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -05003321 testType: serverTest,
3322 name: "Basic-Server",
3323 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003324 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -05003325 Bugs: ProtocolBugs{
3326 RequireSessionTickets: true,
3327 },
3328 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003329 resumeSession: true,
3330 })
3331 tests = append(tests, testCase{
3332 testType: serverTest,
3333 name: "Basic-Server-NoTickets",
3334 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003335 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003336 SessionTicketsDisabled: true,
3337 },
3338 resumeSession: true,
3339 })
3340 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003341 testType: serverTest,
3342 name: "Basic-Server-Implicit",
3343 config: Config{
3344 MaxVersion: VersionTLS12,
3345 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003346 flags: []string{"-implicit-handshake"},
3347 resumeSession: true,
3348 })
3349 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003350 testType: serverTest,
3351 name: "Basic-Server-EarlyCallback",
3352 config: Config{
3353 MaxVersion: VersionTLS12,
3354 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003355 flags: []string{"-use-early-callback"},
3356 resumeSession: true,
3357 })
3358
Steven Valdez143e8b32016-07-11 13:19:03 -04003359 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -04003360 if config.protocol == tls {
3361 tests = append(tests, testCase{
3362 name: "TLS13-1RTT-Client",
3363 config: Config{
3364 MaxVersion: VersionTLS13,
3365 MinVersion: VersionTLS13,
3366 },
David Benjamin46662482016-08-17 00:51:00 -04003367 resumeSession: true,
3368 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -04003369 })
3370
3371 tests = append(tests, testCase{
3372 testType: serverTest,
3373 name: "TLS13-1RTT-Server",
3374 config: Config{
3375 MaxVersion: VersionTLS13,
3376 MinVersion: VersionTLS13,
3377 },
David Benjamin46662482016-08-17 00:51:00 -04003378 resumeSession: true,
3379 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -04003380 })
3381
3382 tests = append(tests, testCase{
3383 name: "TLS13-HelloRetryRequest-Client",
3384 config: Config{
3385 MaxVersion: VersionTLS13,
3386 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -04003387 // P-384 requires a HelloRetryRequest against BoringSSL's default
3388 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -04003389 CurvePreferences: []CurveID{CurveP384},
3390 Bugs: ProtocolBugs{
3391 ExpectMissingKeyShare: true,
3392 },
3393 },
3394 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3395 resumeSession: true,
3396 })
3397
3398 tests = append(tests, testCase{
3399 testType: serverTest,
3400 name: "TLS13-HelloRetryRequest-Server",
3401 config: Config{
3402 MaxVersion: VersionTLS13,
3403 MinVersion: VersionTLS13,
3404 // Require a HelloRetryRequest for every curve.
3405 DefaultCurves: []CurveID{},
3406 },
3407 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3408 resumeSession: true,
3409 })
3410 }
Steven Valdez143e8b32016-07-11 13:19:03 -04003411
David Benjamin760b1dd2015-05-15 23:33:48 -04003412 // TLS client auth.
3413 tests = append(tests, testCase{
3414 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003415 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -05003416 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003417 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003418 ClientAuth: RequestClientCert,
3419 },
3420 })
3421 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003422 testType: serverTest,
3423 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -04003424 config: Config{
3425 MaxVersion: VersionTLS12,
3426 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003427 // Setting SSL_VERIFY_PEER allows anonymous clients.
3428 flags: []string{"-verify-peer"},
3429 })
David Benjamin582ba042016-07-07 12:33:25 -07003430 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003431 tests = append(tests, testCase{
3432 testType: clientTest,
3433 name: "ClientAuth-NoCertificate-Client-SSL3",
3434 config: Config{
3435 MaxVersion: VersionSSL30,
3436 ClientAuth: RequestClientCert,
3437 },
3438 })
3439 tests = append(tests, testCase{
3440 testType: serverTest,
3441 name: "ClientAuth-NoCertificate-Server-SSL3",
3442 config: Config{
3443 MaxVersion: VersionSSL30,
3444 },
3445 // Setting SSL_VERIFY_PEER allows anonymous clients.
3446 flags: []string{"-verify-peer"},
3447 })
Steven Valdez143e8b32016-07-11 13:19:03 -04003448 tests = append(tests, testCase{
3449 testType: clientTest,
3450 name: "ClientAuth-NoCertificate-Client-TLS13",
3451 config: Config{
3452 MaxVersion: VersionTLS13,
3453 ClientAuth: RequestClientCert,
3454 },
3455 })
3456 tests = append(tests, testCase{
3457 testType: serverTest,
3458 name: "ClientAuth-NoCertificate-Server-TLS13",
3459 config: Config{
3460 MaxVersion: VersionTLS13,
3461 },
3462 // Setting SSL_VERIFY_PEER allows anonymous clients.
3463 flags: []string{"-verify-peer"},
3464 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003465 }
3466 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -05003467 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003468 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -04003469 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003470 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003471 ClientAuth: RequireAnyClientCert,
3472 },
3473 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07003474 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3475 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -04003476 },
3477 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003478 tests = append(tests, testCase{
3479 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003480 name: "ClientAuth-RSA-Client-TLS13",
3481 config: Config{
3482 MaxVersion: VersionTLS13,
3483 ClientAuth: RequireAnyClientCert,
3484 },
3485 flags: []string{
3486 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3487 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3488 },
3489 })
3490 tests = append(tests, testCase{
3491 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003492 name: "ClientAuth-ECDSA-Client",
3493 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003494 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003495 ClientAuth: RequireAnyClientCert,
3496 },
3497 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07003498 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3499 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003500 },
3501 })
David Benjaminacb6dcc2016-03-10 09:15:01 -05003502 tests = append(tests, testCase{
3503 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003504 name: "ClientAuth-ECDSA-Client-TLS13",
3505 config: Config{
3506 MaxVersion: VersionTLS13,
3507 ClientAuth: RequireAnyClientCert,
3508 },
3509 flags: []string{
3510 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3511 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3512 },
3513 })
3514 tests = append(tests, testCase{
3515 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -04003516 name: "ClientAuth-NoCertificate-OldCallback",
3517 config: Config{
3518 MaxVersion: VersionTLS12,
3519 ClientAuth: RequestClientCert,
3520 },
3521 flags: []string{"-use-old-client-cert-callback"},
3522 })
3523 tests = append(tests, testCase{
3524 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003525 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3526 config: Config{
3527 MaxVersion: VersionTLS13,
3528 ClientAuth: RequestClientCert,
3529 },
3530 flags: []string{"-use-old-client-cert-callback"},
3531 })
3532 tests = append(tests, testCase{
3533 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003534 name: "ClientAuth-OldCallback",
3535 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003536 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003537 ClientAuth: RequireAnyClientCert,
3538 },
3539 flags: []string{
3540 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3541 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3542 "-use-old-client-cert-callback",
3543 },
3544 })
David Benjamin760b1dd2015-05-15 23:33:48 -04003545 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04003546 testType: clientTest,
3547 name: "ClientAuth-OldCallback-TLS13",
3548 config: Config{
3549 MaxVersion: VersionTLS13,
3550 ClientAuth: RequireAnyClientCert,
3551 },
3552 flags: []string{
3553 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3554 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3555 "-use-old-client-cert-callback",
3556 },
3557 })
3558 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -04003559 testType: serverTest,
3560 name: "ClientAuth-Server",
3561 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003562 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003563 Certificates: []Certificate{rsaCertificate},
3564 },
3565 flags: []string{"-require-any-client-certificate"},
3566 })
Steven Valdez143e8b32016-07-11 13:19:03 -04003567 tests = append(tests, testCase{
3568 testType: serverTest,
3569 name: "ClientAuth-Server-TLS13",
3570 config: Config{
3571 MaxVersion: VersionTLS13,
3572 Certificates: []Certificate{rsaCertificate},
3573 },
3574 flags: []string{"-require-any-client-certificate"},
3575 })
David Benjamin760b1dd2015-05-15 23:33:48 -04003576
David Benjamin4c3ddf72016-06-29 18:13:53 -04003577 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -04003578 tests = append(tests, testCase{
3579 testType: serverTest,
3580 name: "Basic-Server-RSA",
3581 config: Config{
3582 MaxVersion: VersionTLS12,
3583 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3584 },
3585 flags: []string{
3586 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3587 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3588 },
3589 })
3590 tests = append(tests, testCase{
3591 testType: serverTest,
3592 name: "Basic-Server-ECDHE-RSA",
3593 config: Config{
3594 MaxVersion: VersionTLS12,
3595 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3596 },
3597 flags: []string{
3598 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3599 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3600 },
3601 })
3602 tests = append(tests, testCase{
3603 testType: serverTest,
3604 name: "Basic-Server-ECDHE-ECDSA",
3605 config: Config{
3606 MaxVersion: VersionTLS12,
3607 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3608 },
3609 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07003610 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3611 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -04003612 },
3613 })
3614
David Benjamin760b1dd2015-05-15 23:33:48 -04003615 // No session ticket support; server doesn't send NewSessionTicket.
3616 tests = append(tests, testCase{
3617 name: "SessionTicketsDisabled-Client",
3618 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003619 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003620 SessionTicketsDisabled: true,
3621 },
3622 })
3623 tests = append(tests, testCase{
3624 testType: serverTest,
3625 name: "SessionTicketsDisabled-Server",
3626 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003627 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003628 SessionTicketsDisabled: true,
3629 },
3630 })
3631
3632 // Skip ServerKeyExchange in PSK key exchange if there's no
3633 // identity hint.
3634 tests = append(tests, testCase{
3635 name: "EmptyPSKHint-Client",
3636 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003637 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003638 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3639 PreSharedKey: []byte("secret"),
3640 },
3641 flags: []string{"-psk", "secret"},
3642 })
3643 tests = append(tests, testCase{
3644 testType: serverTest,
3645 name: "EmptyPSKHint-Server",
3646 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003647 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003648 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3649 PreSharedKey: []byte("secret"),
3650 },
3651 flags: []string{"-psk", "secret"},
3652 })
3653
David Benjamin4c3ddf72016-06-29 18:13:53 -04003654 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003655 tests = append(tests, testCase{
3656 testType: clientTest,
3657 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -04003658 config: Config{
3659 MaxVersion: VersionTLS12,
3660 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003661 flags: []string{
3662 "-enable-ocsp-stapling",
3663 "-expect-ocsp-response",
3664 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +01003665 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003666 },
Paul Lietar62be8ac2015-09-16 10:03:30 +01003667 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003668 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003669 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003670 testType: serverTest,
3671 name: "OCSPStapling-Server",
3672 config: Config{
3673 MaxVersion: VersionTLS12,
3674 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003675 expectedOCSPResponse: testOCSPResponse,
3676 flags: []string{
3677 "-ocsp-response",
3678 base64.StdEncoding.EncodeToString(testOCSPResponse),
3679 },
Paul Lietar62be8ac2015-09-16 10:03:30 +01003680 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003681 })
David Benjamin942f4ed2016-07-16 19:03:49 +03003682 tests = append(tests, testCase{
3683 testType: clientTest,
3684 name: "OCSPStapling-Client-TLS13",
3685 config: Config{
3686 MaxVersion: VersionTLS13,
3687 },
3688 flags: []string{
3689 "-enable-ocsp-stapling",
3690 "-expect-ocsp-response",
3691 base64.StdEncoding.EncodeToString(testOCSPResponse),
3692 "-verify-peer",
3693 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003694 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +03003695 })
3696 tests = append(tests, testCase{
3697 testType: serverTest,
3698 name: "OCSPStapling-Server-TLS13",
3699 config: Config{
3700 MaxVersion: VersionTLS13,
3701 },
3702 expectedOCSPResponse: testOCSPResponse,
3703 flags: []string{
3704 "-ocsp-response",
3705 base64.StdEncoding.EncodeToString(testOCSPResponse),
3706 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003707 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +03003708 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003709
David Benjamin4c3ddf72016-06-29 18:13:53 -04003710 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -04003711 for _, vers := range tlsVersions {
3712 if config.protocol == dtls && !vers.hasDTLS {
3713 continue
3714 }
David Benjaminbb9e36e2016-08-03 14:14:47 -04003715 for _, testType := range []testType{clientTest, serverTest} {
3716 suffix := "-Client"
3717 if testType == serverTest {
3718 suffix = "-Server"
3719 }
3720 suffix += "-" + vers.name
3721
3722 flag := "-verify-peer"
3723 if testType == serverTest {
3724 flag = "-require-any-client-certificate"
3725 }
3726
3727 tests = append(tests, testCase{
3728 testType: testType,
3729 name: "CertificateVerificationSucceed" + suffix,
3730 config: Config{
3731 MaxVersion: vers.version,
3732 Certificates: []Certificate{rsaCertificate},
3733 },
3734 flags: []string{
3735 flag,
3736 "-expect-verify-result",
3737 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003738 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -04003739 })
3740 tests = append(tests, testCase{
3741 testType: testType,
3742 name: "CertificateVerificationFail" + suffix,
3743 config: Config{
3744 MaxVersion: vers.version,
3745 Certificates: []Certificate{rsaCertificate},
3746 },
3747 flags: []string{
3748 flag,
3749 "-verify-fail",
3750 },
3751 shouldFail: true,
3752 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3753 })
3754 }
3755
3756 // By default, the client is in a soft fail mode where the peer
3757 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -04003758 tests = append(tests, testCase{
3759 testType: clientTest,
3760 name: "CertificateVerificationSoftFail-" + vers.name,
3761 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -04003762 MaxVersion: vers.version,
3763 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -04003764 },
3765 flags: []string{
3766 "-verify-fail",
3767 "-expect-verify-result",
3768 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003769 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -04003770 })
3771 }
Paul Lietar8f1c2682015-08-18 12:21:54 +01003772
David Benjamin1d4f4c02016-07-26 18:03:08 -04003773 tests = append(tests, testCase{
3774 name: "ShimSendAlert",
3775 flags: []string{"-send-alert"},
3776 shimWritesFirst: true,
3777 shouldFail: true,
3778 expectedLocalError: "remote error: decompression failure",
3779 })
3780
David Benjamin582ba042016-07-07 12:33:25 -07003781 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -04003782 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003783 name: "Renegotiate-Client",
3784 config: Config{
3785 MaxVersion: VersionTLS12,
3786 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04003787 renegotiate: 1,
3788 flags: []string{
3789 "-renegotiate-freely",
3790 "-expect-total-renegotiations", "1",
3791 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003792 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04003793
David Benjamin47921102016-07-28 11:29:18 -04003794 tests = append(tests, testCase{
3795 name: "SendHalfHelloRequest",
3796 config: Config{
3797 MaxVersion: VersionTLS12,
3798 Bugs: ProtocolBugs{
3799 PackHelloRequestWithFinished: config.packHandshakeFlight,
3800 },
3801 },
3802 sendHalfHelloRequest: true,
3803 flags: []string{"-renegotiate-ignore"},
3804 shouldFail: true,
3805 expectedError: ":UNEXPECTED_RECORD:",
3806 })
3807
David Benjamin760b1dd2015-05-15 23:33:48 -04003808 // NPN on client and server; results in post-handshake message.
3809 tests = append(tests, testCase{
3810 name: "NPN-Client",
3811 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003812 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003813 NextProtos: []string{"foo"},
3814 },
3815 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -04003816 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003817 expectedNextProto: "foo",
3818 expectedNextProtoType: npn,
3819 })
3820 tests = append(tests, testCase{
3821 testType: serverTest,
3822 name: "NPN-Server",
3823 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003824 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003825 NextProtos: []string{"bar"},
3826 },
3827 flags: []string{
3828 "-advertise-npn", "\x03foo\x03bar\x03baz",
3829 "-expect-next-proto", "bar",
3830 },
David Benjaminf8fcdf32016-06-08 15:56:13 -04003831 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003832 expectedNextProto: "bar",
3833 expectedNextProtoType: npn,
3834 })
3835
3836 // TODO(davidben): Add tests for when False Start doesn't trigger.
3837
3838 // Client does False Start and negotiates NPN.
3839 tests = append(tests, testCase{
3840 name: "FalseStart",
3841 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003842 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003843 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3844 NextProtos: []string{"foo"},
3845 Bugs: ProtocolBugs{
3846 ExpectFalseStart: true,
3847 },
3848 },
3849 flags: []string{
3850 "-false-start",
3851 "-select-next-proto", "foo",
3852 },
3853 shimWritesFirst: true,
3854 resumeSession: true,
3855 })
3856
3857 // Client does False Start and negotiates ALPN.
3858 tests = append(tests, testCase{
3859 name: "FalseStart-ALPN",
3860 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003861 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003862 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3863 NextProtos: []string{"foo"},
3864 Bugs: ProtocolBugs{
3865 ExpectFalseStart: true,
3866 },
3867 },
3868 flags: []string{
3869 "-false-start",
3870 "-advertise-alpn", "\x03foo",
3871 },
3872 shimWritesFirst: true,
3873 resumeSession: true,
3874 })
3875
3876 // Client does False Start but doesn't explicitly call
3877 // SSL_connect.
3878 tests = append(tests, testCase{
3879 name: "FalseStart-Implicit",
3880 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003881 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003882 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3883 NextProtos: []string{"foo"},
3884 },
3885 flags: []string{
3886 "-implicit-handshake",
3887 "-false-start",
3888 "-advertise-alpn", "\x03foo",
3889 },
3890 })
3891
3892 // False Start without session tickets.
3893 tests = append(tests, testCase{
3894 name: "FalseStart-SessionTicketsDisabled",
3895 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003896 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003897 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3898 NextProtos: []string{"foo"},
3899 SessionTicketsDisabled: true,
3900 Bugs: ProtocolBugs{
3901 ExpectFalseStart: true,
3902 },
3903 },
3904 flags: []string{
3905 "-false-start",
3906 "-select-next-proto", "foo",
3907 },
3908 shimWritesFirst: true,
3909 })
3910
Adam Langleydf759b52016-07-11 15:24:37 -07003911 tests = append(tests, testCase{
3912 name: "FalseStart-CECPQ1",
3913 config: Config{
3914 MaxVersion: VersionTLS12,
3915 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
3916 NextProtos: []string{"foo"},
3917 Bugs: ProtocolBugs{
3918 ExpectFalseStart: true,
3919 },
3920 },
3921 flags: []string{
3922 "-false-start",
3923 "-cipher", "DEFAULT:kCECPQ1",
3924 "-select-next-proto", "foo",
3925 },
3926 shimWritesFirst: true,
3927 resumeSession: true,
3928 })
3929
David Benjamin760b1dd2015-05-15 23:33:48 -04003930 // Server parses a V2ClientHello.
3931 tests = append(tests, testCase{
3932 testType: serverTest,
3933 name: "SendV2ClientHello",
3934 config: Config{
3935 // Choose a cipher suite that does not involve
3936 // elliptic curves, so no extensions are
3937 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -07003938 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07003939 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -04003940 Bugs: ProtocolBugs{
3941 SendV2ClientHello: true,
3942 },
3943 },
3944 })
3945
Nick Harper60a85cb2016-09-23 16:25:11 -07003946 // Test Channel ID
3947 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -07003948 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -07003949 continue
3950 }
3951 // Client sends a Channel ID.
3952 tests = append(tests, testCase{
3953 name: "ChannelID-Client-" + ver.name,
3954 config: Config{
3955 MaxVersion: ver.version,
3956 RequestChannelID: true,
3957 },
3958 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
3959 resumeSession: true,
3960 expectChannelID: true,
3961 })
David Benjamin760b1dd2015-05-15 23:33:48 -04003962
Nick Harper60a85cb2016-09-23 16:25:11 -07003963 // Server accepts a Channel ID.
3964 tests = append(tests, testCase{
3965 testType: serverTest,
3966 name: "ChannelID-Server-" + ver.name,
3967 config: Config{
3968 MaxVersion: ver.version,
3969 ChannelID: channelIDKey,
3970 },
3971 flags: []string{
3972 "-expect-channel-id",
3973 base64.StdEncoding.EncodeToString(channelIDBytes),
3974 },
3975 resumeSession: true,
3976 expectChannelID: true,
3977 })
3978
3979 tests = append(tests, testCase{
3980 testType: serverTest,
3981 name: "InvalidChannelIDSignature-" + ver.name,
3982 config: Config{
3983 MaxVersion: ver.version,
3984 ChannelID: channelIDKey,
3985 Bugs: ProtocolBugs{
3986 InvalidChannelIDSignature: true,
3987 },
3988 },
3989 flags: []string{"-enable-channel-id"},
3990 shouldFail: true,
3991 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
3992 })
3993 }
David Benjamin30789da2015-08-29 22:56:45 -04003994
David Benjaminf8fcdf32016-06-08 15:56:13 -04003995 // Channel ID and NPN at the same time, to ensure their relative
3996 // ordering is correct.
3997 tests = append(tests, testCase{
3998 name: "ChannelID-NPN-Client",
3999 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004000 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -04004001 RequestChannelID: true,
4002 NextProtos: []string{"foo"},
4003 },
4004 flags: []string{
4005 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4006 "-select-next-proto", "foo",
4007 },
4008 resumeSession: true,
4009 expectChannelID: true,
4010 expectedNextProto: "foo",
4011 expectedNextProtoType: npn,
4012 })
4013 tests = append(tests, testCase{
4014 testType: serverTest,
4015 name: "ChannelID-NPN-Server",
4016 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004017 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -04004018 ChannelID: channelIDKey,
4019 NextProtos: []string{"bar"},
4020 },
4021 flags: []string{
4022 "-expect-channel-id",
4023 base64.StdEncoding.EncodeToString(channelIDBytes),
4024 "-advertise-npn", "\x03foo\x03bar\x03baz",
4025 "-expect-next-proto", "bar",
4026 },
4027 resumeSession: true,
4028 expectChannelID: true,
4029 expectedNextProto: "bar",
4030 expectedNextProtoType: npn,
4031 })
4032
David Benjamin30789da2015-08-29 22:56:45 -04004033 // Bidirectional shutdown with the runner initiating.
4034 tests = append(tests, testCase{
4035 name: "Shutdown-Runner",
4036 config: Config{
4037 Bugs: ProtocolBugs{
4038 ExpectCloseNotify: true,
4039 },
4040 },
4041 flags: []string{"-check-close-notify"},
4042 })
4043
4044 // Bidirectional shutdown with the shim initiating. The runner,
4045 // in the meantime, sends garbage before the close_notify which
4046 // the shim must ignore.
4047 tests = append(tests, testCase{
4048 name: "Shutdown-Shim",
4049 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -04004050 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -04004051 Bugs: ProtocolBugs{
4052 ExpectCloseNotify: true,
4053 },
4054 },
4055 shimShutsDown: true,
4056 sendEmptyRecords: 1,
4057 sendWarningAlerts: 1,
4058 flags: []string{"-check-close-notify"},
4059 })
David Benjamin760b1dd2015-05-15 23:33:48 -04004060 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -04004061 // TODO(davidben): DTLS 1.3 will want a similar thing for
4062 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -04004063 tests = append(tests, testCase{
4064 name: "SkipHelloVerifyRequest",
4065 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004066 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04004067 Bugs: ProtocolBugs{
4068 SkipHelloVerifyRequest: true,
4069 },
4070 },
4071 })
4072 }
4073
David Benjamin760b1dd2015-05-15 23:33:48 -04004074 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -07004075 test.protocol = config.protocol
4076 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -05004077 test.name += "-DTLS"
4078 }
David Benjamin582ba042016-07-07 12:33:25 -07004079 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -05004080 test.name += "-Async"
4081 test.flags = append(test.flags, "-async")
4082 } else {
4083 test.name += "-Sync"
4084 }
David Benjamin582ba042016-07-07 12:33:25 -07004085 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -05004086 test.name += "-SplitHandshakeRecords"
4087 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -07004088 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -05004089 test.config.Bugs.MaxPacketLength = 256
4090 test.flags = append(test.flags, "-mtu", "256")
4091 }
4092 }
David Benjamin582ba042016-07-07 12:33:25 -07004093 if config.packHandshakeFlight {
4094 test.name += "-PackHandshakeFlight"
4095 test.config.Bugs.PackHandshakeFlight = true
4096 }
David Benjamin760b1dd2015-05-15 23:33:48 -04004097 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -04004098 }
David Benjamin43ec06f2014-08-05 02:28:57 -04004099}
4100
Adam Langley524e7172015-02-20 16:04:00 -08004101func addDDoSCallbackTests() {
4102 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -08004103 for _, resume := range []bool{false, true} {
4104 suffix := "Resume"
4105 if resume {
4106 suffix = "No" + suffix
4107 }
4108
4109 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004110 testType: serverTest,
4111 name: "Server-DDoS-OK-" + suffix,
4112 config: Config{
4113 MaxVersion: VersionTLS12,
4114 },
Adam Langley524e7172015-02-20 16:04:00 -08004115 flags: []string{"-install-ddos-callback"},
4116 resumeSession: resume,
4117 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04004118 testCases = append(testCases, testCase{
4119 testType: serverTest,
4120 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4121 config: Config{
4122 MaxVersion: VersionTLS13,
4123 },
4124 flags: []string{"-install-ddos-callback"},
4125 resumeSession: resume,
4126 })
Adam Langley524e7172015-02-20 16:04:00 -08004127
4128 failFlag := "-fail-ddos-callback"
4129 if resume {
4130 failFlag = "-fail-second-ddos-callback"
4131 }
4132 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004133 testType: serverTest,
4134 name: "Server-DDoS-Reject-" + suffix,
4135 config: Config{
4136 MaxVersion: VersionTLS12,
4137 },
David Benjamin2c66e072016-09-16 15:58:00 -04004138 flags: []string{"-install-ddos-callback", failFlag},
4139 resumeSession: resume,
4140 shouldFail: true,
4141 expectedError: ":CONNECTION_REJECTED:",
4142 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -08004143 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04004144 testCases = append(testCases, testCase{
4145 testType: serverTest,
4146 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4147 config: Config{
4148 MaxVersion: VersionTLS13,
4149 },
David Benjamin2c66e072016-09-16 15:58:00 -04004150 flags: []string{"-install-ddos-callback", failFlag},
4151 resumeSession: resume,
4152 shouldFail: true,
4153 expectedError: ":CONNECTION_REJECTED:",
4154 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -04004155 })
Adam Langley524e7172015-02-20 16:04:00 -08004156 }
4157}
4158
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004159func addVersionNegotiationTests() {
4160 for i, shimVers := range tlsVersions {
4161 // Assemble flags to disable all newer versions on the shim.
4162 var flags []string
4163 for _, vers := range tlsVersions[i+1:] {
4164 flags = append(flags, vers.flag)
4165 }
4166
Steven Valdezfdd10992016-09-15 16:27:05 -04004167 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004168 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -05004169 protocols := []protocol{tls}
4170 if runnerVers.hasDTLS && shimVers.hasDTLS {
4171 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004172 }
David Benjamin8b8c0062014-11-23 02:47:52 -05004173 for _, protocol := range protocols {
4174 expectedVersion := shimVers.version
4175 if runnerVers.version < shimVers.version {
4176 expectedVersion = runnerVers.version
4177 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004178
David Benjamin8b8c0062014-11-23 02:47:52 -05004179 suffix := shimVers.name + "-" + runnerVers.name
4180 if protocol == dtls {
4181 suffix += "-DTLS"
4182 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004183
David Benjamin1eb367c2014-12-12 18:17:51 -05004184 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4185
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004186 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -05004187 clientVers := shimVers.version
4188 if clientVers > VersionTLS10 {
4189 clientVers = VersionTLS10
4190 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004191 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -07004192 serverVers := expectedVersion
4193 if expectedVersion >= VersionTLS13 {
4194 serverVers = VersionTLS10
4195 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004196 serverVers = versionToWire(serverVers, protocol == dtls)
4197
David Benjamin8b8c0062014-11-23 02:47:52 -05004198 testCases = append(testCases, testCase{
4199 protocol: protocol,
4200 testType: clientTest,
4201 name: "VersionNegotiation-Client-" + suffix,
4202 config: Config{
4203 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004204 Bugs: ProtocolBugs{
4205 ExpectInitialRecordVersion: clientVers,
4206 },
David Benjamin8b8c0062014-11-23 02:47:52 -05004207 },
4208 flags: flags,
4209 expectedVersion: expectedVersion,
4210 })
David Benjamin1eb367c2014-12-12 18:17:51 -05004211 testCases = append(testCases, testCase{
4212 protocol: protocol,
4213 testType: clientTest,
4214 name: "VersionNegotiation-Client2-" + suffix,
4215 config: Config{
4216 MaxVersion: runnerVers.version,
4217 Bugs: ProtocolBugs{
4218 ExpectInitialRecordVersion: clientVers,
4219 },
4220 },
4221 flags: []string{"-max-version", shimVersFlag},
4222 expectedVersion: expectedVersion,
4223 })
David Benjamin8b8c0062014-11-23 02:47:52 -05004224
4225 testCases = append(testCases, testCase{
4226 protocol: protocol,
4227 testType: serverTest,
4228 name: "VersionNegotiation-Server-" + suffix,
4229 config: Config{
4230 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004231 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -07004232 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004233 },
David Benjamin8b8c0062014-11-23 02:47:52 -05004234 },
4235 flags: flags,
4236 expectedVersion: expectedVersion,
4237 })
David Benjamin1eb367c2014-12-12 18:17:51 -05004238 testCases = append(testCases, testCase{
4239 protocol: protocol,
4240 testType: serverTest,
4241 name: "VersionNegotiation-Server2-" + suffix,
4242 config: Config{
4243 MaxVersion: runnerVers.version,
4244 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -07004245 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -05004246 },
4247 },
4248 flags: []string{"-max-version", shimVersFlag},
4249 expectedVersion: expectedVersion,
4250 })
David Benjamin8b8c0062014-11-23 02:47:52 -05004251 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004252 }
4253 }
David Benjamin95c69562016-06-29 18:15:03 -04004254
Steven Valdezfdd10992016-09-15 16:27:05 -04004255 // Test the version extension at all versions.
4256 for _, vers := range tlsVersions {
4257 protocols := []protocol{tls}
4258 if vers.hasDTLS {
4259 protocols = append(protocols, dtls)
4260 }
4261 for _, protocol := range protocols {
4262 suffix := vers.name
4263 if protocol == dtls {
4264 suffix += "-DTLS"
4265 }
4266
4267 wireVersion := versionToWire(vers.version, protocol == dtls)
4268 testCases = append(testCases, testCase{
4269 protocol: protocol,
4270 testType: serverTest,
4271 name: "VersionNegotiationExtension-" + suffix,
4272 config: Config{
4273 Bugs: ProtocolBugs{
4274 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4275 },
4276 },
4277 expectedVersion: vers.version,
4278 })
4279 }
4280
4281 }
4282
4283 // If all versions are unknown, negotiation fails.
4284 testCases = append(testCases, testCase{
4285 testType: serverTest,
4286 name: "NoSupportedVersions",
4287 config: Config{
4288 Bugs: ProtocolBugs{
4289 SendSupportedVersions: []uint16{0x1111},
4290 },
4291 },
4292 shouldFail: true,
4293 expectedError: ":UNSUPPORTED_PROTOCOL:",
4294 })
4295 testCases = append(testCases, testCase{
4296 protocol: dtls,
4297 testType: serverTest,
4298 name: "NoSupportedVersions-DTLS",
4299 config: Config{
4300 Bugs: ProtocolBugs{
4301 SendSupportedVersions: []uint16{0x1111},
4302 },
4303 },
4304 shouldFail: true,
4305 expectedError: ":UNSUPPORTED_PROTOCOL:",
4306 })
4307
4308 testCases = append(testCases, testCase{
4309 testType: serverTest,
4310 name: "ClientHelloVersionTooHigh",
4311 config: Config{
4312 MaxVersion: VersionTLS13,
4313 Bugs: ProtocolBugs{
4314 SendClientVersion: 0x0304,
4315 OmitSupportedVersions: true,
4316 },
4317 },
4318 expectedVersion: VersionTLS12,
4319 })
4320
4321 testCases = append(testCases, testCase{
4322 testType: serverTest,
4323 name: "ConflictingVersionNegotiation",
4324 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -04004325 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -04004326 SendClientVersion: VersionTLS12,
4327 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -04004328 },
4329 },
David Benjaminad75a662016-09-30 15:42:59 -04004330 // The extension takes precedence over the ClientHello version.
4331 expectedVersion: VersionTLS11,
4332 })
4333
4334 testCases = append(testCases, testCase{
4335 testType: serverTest,
4336 name: "ConflictingVersionNegotiation-2",
4337 config: Config{
4338 Bugs: ProtocolBugs{
4339 SendClientVersion: VersionTLS11,
4340 SendSupportedVersions: []uint16{VersionTLS12},
4341 },
4342 },
4343 // The extension takes precedence over the ClientHello version.
4344 expectedVersion: VersionTLS12,
4345 })
4346
4347 testCases = append(testCases, testCase{
4348 testType: serverTest,
4349 name: "RejectFinalTLS13",
4350 config: Config{
4351 Bugs: ProtocolBugs{
4352 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4353 },
4354 },
4355 // We currently implement a draft TLS 1.3 version. Ensure that
4356 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -04004357 expectedVersion: VersionTLS12,
4358 })
4359
Brian Smithf85d3232016-10-28 10:34:06 -10004360 // Test that the maximum version is selected regardless of the
4361 // client-sent order.
4362 testCases = append(testCases, testCase{
4363 testType: serverTest,
4364 name: "IgnoreClientVersionOrder",
4365 config: Config{
4366 Bugs: ProtocolBugs{
4367 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4368 },
4369 },
4370 expectedVersion: VersionTLS13,
4371 })
4372
David Benjamin95c69562016-06-29 18:15:03 -04004373 // Test for version tolerance.
4374 testCases = append(testCases, testCase{
4375 testType: serverTest,
4376 name: "MinorVersionTolerance",
4377 config: Config{
4378 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004379 SendClientVersion: 0x03ff,
4380 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004381 },
4382 },
Steven Valdezfdd10992016-09-15 16:27:05 -04004383 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -04004384 })
4385 testCases = append(testCases, testCase{
4386 testType: serverTest,
4387 name: "MajorVersionTolerance",
4388 config: Config{
4389 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004390 SendClientVersion: 0x0400,
4391 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004392 },
4393 },
David Benjaminad75a662016-09-30 15:42:59 -04004394 // TLS 1.3 must be negotiated with the supported_versions
4395 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -04004396 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -04004397 })
David Benjaminad75a662016-09-30 15:42:59 -04004398 testCases = append(testCases, testCase{
4399 testType: serverTest,
4400 name: "VersionTolerance-TLS13",
4401 config: Config{
4402 Bugs: ProtocolBugs{
4403 // Although TLS 1.3 does not use
4404 // ClientHello.version, it still tolerates high
4405 // values there.
4406 SendClientVersion: 0x0400,
4407 },
4408 },
4409 expectedVersion: VersionTLS13,
4410 })
Steven Valdezfdd10992016-09-15 16:27:05 -04004411
David Benjamin95c69562016-06-29 18:15:03 -04004412 testCases = append(testCases, testCase{
4413 protocol: dtls,
4414 testType: serverTest,
4415 name: "MinorVersionTolerance-DTLS",
4416 config: Config{
4417 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004418 SendClientVersion: 0xfe00,
4419 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004420 },
4421 },
4422 expectedVersion: VersionTLS12,
4423 })
4424 testCases = append(testCases, testCase{
4425 protocol: dtls,
4426 testType: serverTest,
4427 name: "MajorVersionTolerance-DTLS",
4428 config: Config{
4429 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004430 SendClientVersion: 0xfdff,
4431 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004432 },
4433 },
4434 expectedVersion: VersionTLS12,
4435 })
4436
4437 // Test that versions below 3.0 are rejected.
4438 testCases = append(testCases, testCase{
4439 testType: serverTest,
4440 name: "VersionTooLow",
4441 config: Config{
4442 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004443 SendClientVersion: 0x0200,
4444 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004445 },
4446 },
4447 shouldFail: true,
4448 expectedError: ":UNSUPPORTED_PROTOCOL:",
4449 })
4450 testCases = append(testCases, testCase{
4451 protocol: dtls,
4452 testType: serverTest,
4453 name: "VersionTooLow-DTLS",
4454 config: Config{
4455 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -04004456 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -04004457 },
4458 },
4459 shouldFail: true,
4460 expectedError: ":UNSUPPORTED_PROTOCOL:",
4461 })
David Benjamin1f61f0d2016-07-10 12:20:35 -04004462
David Benjamin2dc02042016-09-19 19:57:37 -04004463 testCases = append(testCases, testCase{
4464 name: "ServerBogusVersion",
4465 config: Config{
4466 Bugs: ProtocolBugs{
4467 SendServerHelloVersion: 0x1234,
4468 },
4469 },
4470 shouldFail: true,
4471 expectedError: ":UNSUPPORTED_PROTOCOL:",
4472 })
4473
David Benjamin1f61f0d2016-07-10 12:20:35 -04004474 // Test TLS 1.3's downgrade signal.
4475 testCases = append(testCases, testCase{
4476 name: "Downgrade-TLS12-Client",
4477 config: Config{
4478 Bugs: ProtocolBugs{
4479 NegotiateVersion: VersionTLS12,
4480 },
4481 },
David Benjamin592b5322016-09-30 15:15:01 -04004482 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -04004483 // TODO(davidben): This test should fail once TLS 1.3 is final
4484 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -04004485 })
4486 testCases = append(testCases, testCase{
4487 testType: serverTest,
4488 name: "Downgrade-TLS12-Server",
4489 config: Config{
4490 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -04004491 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -04004492 },
4493 },
David Benjamin592b5322016-09-30 15:15:01 -04004494 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -04004495 // TODO(davidben): This test should fail once TLS 1.3 is final
4496 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -04004497 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004498}
4499
David Benjaminaccb4542014-12-12 23:44:33 -05004500func addMinimumVersionTests() {
4501 for i, shimVers := range tlsVersions {
4502 // Assemble flags to disable all older versions on the shim.
4503 var flags []string
4504 for _, vers := range tlsVersions[:i] {
4505 flags = append(flags, vers.flag)
4506 }
4507
4508 for _, runnerVers := range tlsVersions {
4509 protocols := []protocol{tls}
4510 if runnerVers.hasDTLS && shimVers.hasDTLS {
4511 protocols = append(protocols, dtls)
4512 }
4513 for _, protocol := range protocols {
4514 suffix := shimVers.name + "-" + runnerVers.name
4515 if protocol == dtls {
4516 suffix += "-DTLS"
4517 }
4518 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4519
David Benjaminaccb4542014-12-12 23:44:33 -05004520 var expectedVersion uint16
4521 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -04004522 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -05004523 if runnerVers.version >= shimVers.version {
4524 expectedVersion = runnerVers.version
4525 } else {
4526 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -04004527 expectedError = ":UNSUPPORTED_PROTOCOL:"
4528 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -05004529 }
4530
4531 testCases = append(testCases, testCase{
4532 protocol: protocol,
4533 testType: clientTest,
4534 name: "MinimumVersion-Client-" + suffix,
4535 config: Config{
4536 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -04004537 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -04004538 // Ensure the server does not decline to
4539 // select a version (versions extension) or
4540 // cipher (some ciphers depend on versions).
4541 NegotiateVersion: runnerVers.version,
4542 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -04004543 },
David Benjaminaccb4542014-12-12 23:44:33 -05004544 },
David Benjamin87909c02014-12-13 01:55:01 -05004545 flags: flags,
4546 expectedVersion: expectedVersion,
4547 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004548 expectedError: expectedError,
4549 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004550 })
4551 testCases = append(testCases, testCase{
4552 protocol: protocol,
4553 testType: clientTest,
4554 name: "MinimumVersion-Client2-" + suffix,
4555 config: Config{
4556 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -04004557 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -04004558 // Ensure the server does not decline to
4559 // select a version (versions extension) or
4560 // cipher (some ciphers depend on versions).
4561 NegotiateVersion: runnerVers.version,
4562 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -04004563 },
David Benjaminaccb4542014-12-12 23:44:33 -05004564 },
David Benjamin87909c02014-12-13 01:55:01 -05004565 flags: []string{"-min-version", shimVersFlag},
4566 expectedVersion: expectedVersion,
4567 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004568 expectedError: expectedError,
4569 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004570 })
4571
4572 testCases = append(testCases, testCase{
4573 protocol: protocol,
4574 testType: serverTest,
4575 name: "MinimumVersion-Server-" + suffix,
4576 config: Config{
4577 MaxVersion: runnerVers.version,
4578 },
David Benjamin87909c02014-12-13 01:55:01 -05004579 flags: flags,
4580 expectedVersion: expectedVersion,
4581 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004582 expectedError: expectedError,
4583 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004584 })
4585 testCases = append(testCases, testCase{
4586 protocol: protocol,
4587 testType: serverTest,
4588 name: "MinimumVersion-Server2-" + suffix,
4589 config: Config{
4590 MaxVersion: runnerVers.version,
4591 },
David Benjamin87909c02014-12-13 01:55:01 -05004592 flags: []string{"-min-version", shimVersFlag},
4593 expectedVersion: expectedVersion,
4594 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004595 expectedError: expectedError,
4596 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004597 })
4598 }
4599 }
4600 }
4601}
4602
David Benjamine78bfde2014-09-06 12:45:15 -04004603func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -04004604 // TODO(davidben): Extensions, where applicable, all move their server
4605 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4606 // tests for both. Also test interaction with 0-RTT when implemented.
4607
David Benjamin97d17d92016-07-14 16:12:00 -04004608 // Repeat extensions tests all versions except SSL 3.0.
4609 for _, ver := range tlsVersions {
4610 if ver.version == VersionSSL30 {
4611 continue
4612 }
4613
David Benjamin97d17d92016-07-14 16:12:00 -04004614 // Test that duplicate extensions are rejected.
4615 testCases = append(testCases, testCase{
4616 testType: clientTest,
4617 name: "DuplicateExtensionClient-" + ver.name,
4618 config: Config{
4619 MaxVersion: ver.version,
4620 Bugs: ProtocolBugs{
4621 DuplicateExtension: true,
4622 },
David Benjamine78bfde2014-09-06 12:45:15 -04004623 },
David Benjamin97d17d92016-07-14 16:12:00 -04004624 shouldFail: true,
4625 expectedLocalError: "remote error: error decoding message",
4626 })
4627 testCases = append(testCases, testCase{
4628 testType: serverTest,
4629 name: "DuplicateExtensionServer-" + ver.name,
4630 config: Config{
4631 MaxVersion: ver.version,
4632 Bugs: ProtocolBugs{
4633 DuplicateExtension: true,
4634 },
David Benjamine78bfde2014-09-06 12:45:15 -04004635 },
David Benjamin97d17d92016-07-14 16:12:00 -04004636 shouldFail: true,
4637 expectedLocalError: "remote error: error decoding message",
4638 })
4639
4640 // Test SNI.
4641 testCases = append(testCases, testCase{
4642 testType: clientTest,
4643 name: "ServerNameExtensionClient-" + ver.name,
4644 config: Config{
4645 MaxVersion: ver.version,
4646 Bugs: ProtocolBugs{
4647 ExpectServerName: "example.com",
4648 },
David Benjamine78bfde2014-09-06 12:45:15 -04004649 },
David Benjamin97d17d92016-07-14 16:12:00 -04004650 flags: []string{"-host-name", "example.com"},
4651 })
4652 testCases = append(testCases, testCase{
4653 testType: clientTest,
4654 name: "ServerNameExtensionClientMismatch-" + ver.name,
4655 config: Config{
4656 MaxVersion: ver.version,
4657 Bugs: ProtocolBugs{
4658 ExpectServerName: "mismatch.com",
4659 },
David Benjamine78bfde2014-09-06 12:45:15 -04004660 },
David Benjamin97d17d92016-07-14 16:12:00 -04004661 flags: []string{"-host-name", "example.com"},
4662 shouldFail: true,
4663 expectedLocalError: "tls: unexpected server name",
4664 })
4665 testCases = append(testCases, testCase{
4666 testType: clientTest,
4667 name: "ServerNameExtensionClientMissing-" + ver.name,
4668 config: Config{
4669 MaxVersion: ver.version,
4670 Bugs: ProtocolBugs{
4671 ExpectServerName: "missing.com",
4672 },
David Benjamine78bfde2014-09-06 12:45:15 -04004673 },
David Benjamin97d17d92016-07-14 16:12:00 -04004674 shouldFail: true,
4675 expectedLocalError: "tls: unexpected server name",
4676 })
4677 testCases = append(testCases, testCase{
4678 testType: serverTest,
4679 name: "ServerNameExtensionServer-" + ver.name,
4680 config: Config{
4681 MaxVersion: ver.version,
4682 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -04004683 },
David Benjamin97d17d92016-07-14 16:12:00 -04004684 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -04004685 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004686 })
4687
4688 // Test ALPN.
4689 testCases = append(testCases, testCase{
4690 testType: clientTest,
4691 name: "ALPNClient-" + ver.name,
4692 config: Config{
4693 MaxVersion: ver.version,
4694 NextProtos: []string{"foo"},
4695 },
4696 flags: []string{
4697 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4698 "-expect-alpn", "foo",
4699 },
4700 expectedNextProto: "foo",
4701 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004702 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004703 })
4704 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -04004705 testType: clientTest,
4706 name: "ALPNClient-Mismatch-" + ver.name,
4707 config: Config{
4708 MaxVersion: ver.version,
4709 Bugs: ProtocolBugs{
4710 SendALPN: "baz",
4711 },
4712 },
4713 flags: []string{
4714 "-advertise-alpn", "\x03foo\x03bar",
4715 },
4716 shouldFail: true,
4717 expectedError: ":INVALID_ALPN_PROTOCOL:",
4718 expectedLocalError: "remote error: illegal parameter",
4719 })
4720 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -04004721 testType: serverTest,
4722 name: "ALPNServer-" + ver.name,
4723 config: Config{
4724 MaxVersion: ver.version,
4725 NextProtos: []string{"foo", "bar", "baz"},
4726 },
4727 flags: []string{
4728 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4729 "-select-alpn", "foo",
4730 },
4731 expectedNextProto: "foo",
4732 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004733 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004734 })
4735 testCases = append(testCases, testCase{
4736 testType: serverTest,
4737 name: "ALPNServer-Decline-" + ver.name,
4738 config: Config{
4739 MaxVersion: ver.version,
4740 NextProtos: []string{"foo", "bar", "baz"},
4741 },
4742 flags: []string{"-decline-alpn"},
4743 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004744 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004745 })
4746
David Benjamin25fe85b2016-08-09 20:00:32 -04004747 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4748 // called once.
4749 testCases = append(testCases, testCase{
4750 testType: serverTest,
4751 name: "ALPNServer-Async-" + ver.name,
4752 config: Config{
4753 MaxVersion: ver.version,
4754 NextProtos: []string{"foo", "bar", "baz"},
4755 },
4756 flags: []string{
4757 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4758 "-select-alpn", "foo",
4759 "-async",
4760 },
4761 expectedNextProto: "foo",
4762 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004763 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -04004764 })
4765
David Benjamin97d17d92016-07-14 16:12:00 -04004766 var emptyString string
4767 testCases = append(testCases, testCase{
4768 testType: clientTest,
4769 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4770 config: Config{
4771 MaxVersion: ver.version,
4772 NextProtos: []string{""},
4773 Bugs: ProtocolBugs{
4774 // A server returning an empty ALPN protocol
4775 // should be rejected.
4776 ALPNProtocol: &emptyString,
4777 },
4778 },
4779 flags: []string{
4780 "-advertise-alpn", "\x03foo",
4781 },
4782 shouldFail: true,
4783 expectedError: ":PARSE_TLSEXT:",
4784 })
4785 testCases = append(testCases, testCase{
4786 testType: serverTest,
4787 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4788 config: Config{
4789 MaxVersion: ver.version,
4790 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -07004791 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -04004792 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -07004793 },
David Benjamin97d17d92016-07-14 16:12:00 -04004794 flags: []string{
4795 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -04004796 },
David Benjamin97d17d92016-07-14 16:12:00 -04004797 shouldFail: true,
4798 expectedError: ":PARSE_TLSEXT:",
4799 })
4800
4801 // Test NPN and the interaction with ALPN.
4802 if ver.version < VersionTLS13 {
4803 // Test that the server prefers ALPN over NPN.
4804 testCases = append(testCases, testCase{
4805 testType: serverTest,
4806 name: "ALPNServer-Preferred-" + ver.name,
4807 config: Config{
4808 MaxVersion: ver.version,
4809 NextProtos: []string{"foo", "bar", "baz"},
4810 },
4811 flags: []string{
4812 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4813 "-select-alpn", "foo",
4814 "-advertise-npn", "\x03foo\x03bar\x03baz",
4815 },
4816 expectedNextProto: "foo",
4817 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004818 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004819 })
4820 testCases = append(testCases, testCase{
4821 testType: serverTest,
4822 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4823 config: Config{
4824 MaxVersion: ver.version,
4825 NextProtos: []string{"foo", "bar", "baz"},
4826 Bugs: ProtocolBugs{
4827 SwapNPNAndALPN: true,
4828 },
4829 },
4830 flags: []string{
4831 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4832 "-select-alpn", "foo",
4833 "-advertise-npn", "\x03foo\x03bar\x03baz",
4834 },
4835 expectedNextProto: "foo",
4836 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004837 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004838 })
4839
4840 // Test that negotiating both NPN and ALPN is forbidden.
4841 testCases = append(testCases, testCase{
4842 name: "NegotiateALPNAndNPN-" + ver.name,
4843 config: Config{
4844 MaxVersion: ver.version,
4845 NextProtos: []string{"foo", "bar", "baz"},
4846 Bugs: ProtocolBugs{
4847 NegotiateALPNAndNPN: true,
4848 },
4849 },
4850 flags: []string{
4851 "-advertise-alpn", "\x03foo",
4852 "-select-next-proto", "foo",
4853 },
4854 shouldFail: true,
4855 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4856 })
4857 testCases = append(testCases, testCase{
4858 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4859 config: Config{
4860 MaxVersion: ver.version,
4861 NextProtos: []string{"foo", "bar", "baz"},
4862 Bugs: ProtocolBugs{
4863 NegotiateALPNAndNPN: true,
4864 SwapNPNAndALPN: true,
4865 },
4866 },
4867 flags: []string{
4868 "-advertise-alpn", "\x03foo",
4869 "-select-next-proto", "foo",
4870 },
4871 shouldFail: true,
4872 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4873 })
4874
4875 // Test that NPN can be disabled with SSL_OP_DISABLE_NPN.
4876 testCases = append(testCases, testCase{
4877 name: "DisableNPN-" + ver.name,
4878 config: Config{
4879 MaxVersion: ver.version,
4880 NextProtos: []string{"foo"},
4881 },
4882 flags: []string{
4883 "-select-next-proto", "foo",
4884 "-disable-npn",
4885 },
4886 expectNoNextProto: true,
4887 })
4888 }
4889
4890 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -04004891
4892 // Resume with a corrupt ticket.
4893 testCases = append(testCases, testCase{
4894 testType: serverTest,
4895 name: "CorruptTicket-" + ver.name,
4896 config: Config{
4897 MaxVersion: ver.version,
4898 Bugs: ProtocolBugs{
4899 CorruptTicket: true,
4900 },
4901 },
4902 resumeSession: true,
4903 expectResumeRejected: true,
4904 })
4905 // Test the ticket callback, with and without renewal.
4906 testCases = append(testCases, testCase{
4907 testType: serverTest,
4908 name: "TicketCallback-" + ver.name,
4909 config: Config{
4910 MaxVersion: ver.version,
4911 },
4912 resumeSession: true,
4913 flags: []string{"-use-ticket-callback"},
4914 })
4915 testCases = append(testCases, testCase{
4916 testType: serverTest,
4917 name: "TicketCallback-Renew-" + ver.name,
4918 config: Config{
4919 MaxVersion: ver.version,
4920 Bugs: ProtocolBugs{
4921 ExpectNewTicket: true,
4922 },
4923 },
4924 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4925 resumeSession: true,
4926 })
4927
4928 // Test that the ticket callback is only called once when everything before
4929 // it in the ClientHello is asynchronous. This corrupts the ticket so
4930 // certificate selection callbacks run.
4931 testCases = append(testCases, testCase{
4932 testType: serverTest,
4933 name: "TicketCallback-SingleCall-" + ver.name,
4934 config: Config{
4935 MaxVersion: ver.version,
4936 Bugs: ProtocolBugs{
4937 CorruptTicket: true,
4938 },
4939 },
4940 resumeSession: true,
4941 expectResumeRejected: true,
4942 flags: []string{
4943 "-use-ticket-callback",
4944 "-async",
4945 },
4946 })
4947
4948 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -04004949 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -04004950 testCases = append(testCases, testCase{
4951 testType: serverTest,
4952 name: "OversizedSessionId-" + ver.name,
4953 config: Config{
4954 MaxVersion: ver.version,
4955 Bugs: ProtocolBugs{
4956 OversizedSessionId: true,
4957 },
4958 },
4959 resumeSession: true,
4960 shouldFail: true,
4961 expectedError: ":DECODE_ERROR:",
4962 })
4963 }
4964
4965 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
4966 // are ignored.
4967 if ver.hasDTLS {
4968 testCases = append(testCases, testCase{
4969 protocol: dtls,
4970 name: "SRTP-Client-" + ver.name,
4971 config: Config{
4972 MaxVersion: ver.version,
4973 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
4974 },
4975 flags: []string{
4976 "-srtp-profiles",
4977 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
4978 },
4979 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
4980 })
4981 testCases = append(testCases, testCase{
4982 protocol: dtls,
4983 testType: serverTest,
4984 name: "SRTP-Server-" + ver.name,
4985 config: Config{
4986 MaxVersion: ver.version,
4987 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
4988 },
4989 flags: []string{
4990 "-srtp-profiles",
4991 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
4992 },
4993 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
4994 })
4995 // Test that the MKI is ignored.
4996 testCases = append(testCases, testCase{
4997 protocol: dtls,
4998 testType: serverTest,
4999 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5000 config: Config{
5001 MaxVersion: ver.version,
5002 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5003 Bugs: ProtocolBugs{
5004 SRTPMasterKeyIdentifer: "bogus",
5005 },
5006 },
5007 flags: []string{
5008 "-srtp-profiles",
5009 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5010 },
5011 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5012 })
5013 // Test that SRTP isn't negotiated on the server if there were
5014 // no matching profiles.
5015 testCases = append(testCases, testCase{
5016 protocol: dtls,
5017 testType: serverTest,
5018 name: "SRTP-Server-NoMatch-" + ver.name,
5019 config: Config{
5020 MaxVersion: ver.version,
5021 SRTPProtectionProfiles: []uint16{100, 101, 102},
5022 },
5023 flags: []string{
5024 "-srtp-profiles",
5025 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5026 },
5027 expectedSRTPProtectionProfile: 0,
5028 })
5029 // Test that the server returning an invalid SRTP profile is
5030 // flagged as an error by the client.
5031 testCases = append(testCases, testCase{
5032 protocol: dtls,
5033 name: "SRTP-Client-NoMatch-" + ver.name,
5034 config: Config{
5035 MaxVersion: ver.version,
5036 Bugs: ProtocolBugs{
5037 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5038 },
5039 },
5040 flags: []string{
5041 "-srtp-profiles",
5042 "SRTP_AES128_CM_SHA1_80",
5043 },
5044 shouldFail: true,
5045 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5046 })
5047 }
5048
5049 // Test SCT list.
5050 testCases = append(testCases, testCase{
5051 name: "SignedCertificateTimestampList-Client-" + ver.name,
5052 testType: clientTest,
5053 config: Config{
5054 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -04005055 },
David Benjamin97d17d92016-07-14 16:12:00 -04005056 flags: []string{
5057 "-enable-signed-cert-timestamps",
5058 "-expect-signed-cert-timestamps",
5059 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -07005060 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04005061 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005062 })
David Benjamindaa88502016-10-04 16:32:16 -04005063
5064 // The SCT extension did not specify that it must only be sent on resumption as it
5065 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -04005066 testCases = append(testCases, testCase{
5067 name: "SendSCTListOnResume-" + ver.name,
5068 config: Config{
5069 MaxVersion: ver.version,
5070 Bugs: ProtocolBugs{
5071 SendSCTListOnResume: []byte("bogus"),
5072 },
David Benjamind98452d2015-06-16 14:16:23 -04005073 },
David Benjamin97d17d92016-07-14 16:12:00 -04005074 flags: []string{
5075 "-enable-signed-cert-timestamps",
5076 "-expect-signed-cert-timestamps",
5077 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -07005078 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04005079 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005080 })
David Benjamindaa88502016-10-04 16:32:16 -04005081
David Benjamin97d17d92016-07-14 16:12:00 -04005082 testCases = append(testCases, testCase{
5083 name: "SignedCertificateTimestampList-Server-" + ver.name,
5084 testType: serverTest,
5085 config: Config{
5086 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -05005087 },
David Benjamin97d17d92016-07-14 16:12:00 -04005088 flags: []string{
5089 "-signed-cert-timestamps",
5090 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -05005091 },
David Benjamin97d17d92016-07-14 16:12:00 -04005092 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005093 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005094 })
5095 }
David Benjamin4c3ddf72016-06-29 18:13:53 -04005096
Paul Lietar4fac72e2015-09-09 13:44:55 +01005097 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -07005098 testType: clientTest,
5099 name: "ClientHelloPadding",
5100 config: Config{
5101 Bugs: ProtocolBugs{
5102 RequireClientHelloSize: 512,
5103 },
5104 },
5105 // This hostname just needs to be long enough to push the
5106 // ClientHello into F5's danger zone between 256 and 511 bytes
5107 // long.
5108 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5109 })
David Benjaminc7ce9772015-10-09 19:32:41 -04005110
5111 // Extensions should not function in SSL 3.0.
5112 testCases = append(testCases, testCase{
5113 testType: serverTest,
5114 name: "SSLv3Extensions-NoALPN",
5115 config: Config{
5116 MaxVersion: VersionSSL30,
5117 NextProtos: []string{"foo", "bar", "baz"},
5118 },
5119 flags: []string{
5120 "-select-alpn", "foo",
5121 },
5122 expectNoNextProto: true,
5123 })
5124
5125 // Test session tickets separately as they follow a different codepath.
5126 testCases = append(testCases, testCase{
5127 testType: serverTest,
5128 name: "SSLv3Extensions-NoTickets",
5129 config: Config{
5130 MaxVersion: VersionSSL30,
5131 Bugs: ProtocolBugs{
5132 // Historically, session tickets in SSL 3.0
5133 // failed in different ways depending on whether
5134 // the client supported renegotiation_info.
5135 NoRenegotiationInfo: true,
5136 },
5137 },
5138 resumeSession: true,
5139 })
5140 testCases = append(testCases, testCase{
5141 testType: serverTest,
5142 name: "SSLv3Extensions-NoTickets2",
5143 config: Config{
5144 MaxVersion: VersionSSL30,
5145 },
5146 resumeSession: true,
5147 })
5148
5149 // But SSL 3.0 does send and process renegotiation_info.
5150 testCases = append(testCases, testCase{
5151 testType: serverTest,
5152 name: "SSLv3Extensions-RenegotiationInfo",
5153 config: Config{
5154 MaxVersion: VersionSSL30,
5155 Bugs: ProtocolBugs{
5156 RequireRenegotiationInfo: true,
5157 },
5158 },
5159 })
5160 testCases = append(testCases, testCase{
5161 testType: serverTest,
5162 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5163 config: Config{
5164 MaxVersion: VersionSSL30,
5165 Bugs: ProtocolBugs{
5166 NoRenegotiationInfo: true,
5167 SendRenegotiationSCSV: true,
5168 RequireRenegotiationInfo: true,
5169 },
5170 },
5171 })
Steven Valdez143e8b32016-07-11 13:19:03 -04005172
5173 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5174 // in ServerHello.
5175 testCases = append(testCases, testCase{
5176 name: "NPN-Forbidden-TLS13",
5177 config: Config{
5178 MaxVersion: VersionTLS13,
5179 NextProtos: []string{"foo"},
5180 Bugs: ProtocolBugs{
5181 NegotiateNPNAtAllVersions: true,
5182 },
5183 },
5184 flags: []string{"-select-next-proto", "foo"},
5185 shouldFail: true,
5186 expectedError: ":ERROR_PARSING_EXTENSION:",
5187 })
5188 testCases = append(testCases, testCase{
5189 name: "EMS-Forbidden-TLS13",
5190 config: Config{
5191 MaxVersion: VersionTLS13,
5192 Bugs: ProtocolBugs{
5193 NegotiateEMSAtAllVersions: true,
5194 },
5195 },
5196 shouldFail: true,
5197 expectedError: ":ERROR_PARSING_EXTENSION:",
5198 })
5199 testCases = append(testCases, testCase{
5200 name: "RenegotiationInfo-Forbidden-TLS13",
5201 config: Config{
5202 MaxVersion: VersionTLS13,
5203 Bugs: ProtocolBugs{
5204 NegotiateRenegotiationInfoAtAllVersions: true,
5205 },
5206 },
5207 shouldFail: true,
5208 expectedError: ":ERROR_PARSING_EXTENSION:",
5209 })
5210 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04005211 name: "Ticket-Forbidden-TLS13",
5212 config: Config{
5213 MaxVersion: VersionTLS12,
5214 },
5215 resumeConfig: &Config{
5216 MaxVersion: VersionTLS13,
5217 Bugs: ProtocolBugs{
5218 AdvertiseTicketExtension: true,
5219 },
5220 },
5221 resumeSession: true,
5222 shouldFail: true,
5223 expectedError: ":ERROR_PARSING_EXTENSION:",
5224 })
5225
5226 // Test that illegal extensions in TLS 1.3 are declined by the server if
5227 // offered in ClientHello. The runner's server will fail if this occurs,
5228 // so we exercise the offering path. (EMS and Renegotiation Info are
5229 // implicit in every test.)
5230 testCases = append(testCases, testCase{
5231 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -04005232 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -04005233 config: Config{
5234 MaxVersion: VersionTLS13,
5235 NextProtos: []string{"bar"},
5236 },
5237 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5238 })
David Benjamin196df5b2016-09-21 16:23:27 -04005239
David Benjamindaa88502016-10-04 16:32:16 -04005240 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5241 // tolerated.
5242 testCases = append(testCases, testCase{
5243 name: "SendOCSPResponseOnResume-TLS12",
5244 config: Config{
5245 MaxVersion: VersionTLS12,
5246 Bugs: ProtocolBugs{
5247 SendOCSPResponseOnResume: []byte("bogus"),
5248 },
5249 },
5250 flags: []string{
5251 "-enable-ocsp-stapling",
5252 "-expect-ocsp-response",
5253 base64.StdEncoding.EncodeToString(testOCSPResponse),
5254 },
5255 resumeSession: true,
5256 })
5257
5258 // Beginning TLS 1.3, enforce this does not happen.
5259 testCases = append(testCases, testCase{
5260 name: "SendOCSPResponseOnResume-TLS13",
5261 config: Config{
5262 MaxVersion: VersionTLS13,
5263 Bugs: ProtocolBugs{
5264 SendOCSPResponseOnResume: []byte("bogus"),
5265 },
5266 },
5267 flags: []string{
5268 "-enable-ocsp-stapling",
5269 "-expect-ocsp-response",
5270 base64.StdEncoding.EncodeToString(testOCSPResponse),
5271 },
5272 resumeSession: true,
5273 shouldFail: true,
5274 expectedError: ":ERROR_PARSING_EXTENSION:",
5275 })
David Benjamine78bfde2014-09-06 12:45:15 -04005276}
5277
David Benjamin01fe8202014-09-24 15:21:44 -04005278func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -04005279 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -04005280 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -04005281 // SSL 3.0 does not have tickets and TLS 1.3 does not
5282 // have session IDs, so skip their cross-resumption
5283 // tests.
5284 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5285 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5286 continue
Nick Harper1fd39d82016-06-14 18:14:35 -07005287 }
5288
David Benjamin8b8c0062014-11-23 02:47:52 -05005289 protocols := []protocol{tls}
5290 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5291 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -05005292 }
David Benjamin8b8c0062014-11-23 02:47:52 -05005293 for _, protocol := range protocols {
5294 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5295 if protocol == dtls {
5296 suffix += "-DTLS"
5297 }
5298
David Benjaminece3de92015-03-16 18:02:20 -04005299 if sessionVers.version == resumeVers.version {
5300 testCases = append(testCases, testCase{
5301 protocol: protocol,
5302 name: "Resume-Client" + suffix,
5303 resumeSession: true,
5304 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005305 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -04005306 Bugs: ProtocolBugs{
5307 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5308 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5309 },
David Benjamin8b8c0062014-11-23 02:47:52 -05005310 },
David Benjaminece3de92015-03-16 18:02:20 -04005311 expectedVersion: sessionVers.version,
5312 expectedResumeVersion: resumeVers.version,
5313 })
5314 } else {
David Benjamin405da482016-08-08 17:25:07 -04005315 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5316
5317 // Offering a TLS 1.3 session sends an empty session ID, so
5318 // there is no way to convince a non-lookahead client the
5319 // session was resumed. It will appear to the client that a
5320 // stray ChangeCipherSpec was sent.
5321 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5322 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -04005323 }
5324
David Benjaminece3de92015-03-16 18:02:20 -04005325 testCases = append(testCases, testCase{
5326 protocol: protocol,
5327 name: "Resume-Client-Mismatch" + suffix,
5328 resumeSession: true,
5329 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005330 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005331 },
David Benjaminece3de92015-03-16 18:02:20 -04005332 expectedVersion: sessionVers.version,
5333 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005334 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -04005335 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -04005336 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -04005337 },
5338 },
5339 expectedResumeVersion: resumeVers.version,
5340 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005341 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -04005342 })
5343 }
David Benjamin8b8c0062014-11-23 02:47:52 -05005344
5345 testCases = append(testCases, testCase{
5346 protocol: protocol,
5347 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -05005348 resumeSession: true,
5349 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005350 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005351 },
5352 expectedVersion: sessionVers.version,
5353 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005354 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005355 },
5356 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -07005357 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -05005358 expectedResumeVersion: resumeVers.version,
5359 })
5360
David Benjamin8b8c0062014-11-23 02:47:52 -05005361 testCases = append(testCases, testCase{
5362 protocol: protocol,
5363 testType: serverTest,
5364 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -05005365 resumeSession: true,
5366 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005367 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005368 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -07005369 expectedVersion: sessionVers.version,
5370 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005371 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005372 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -04005373 Bugs: ProtocolBugs{
5374 SendBothTickets: true,
5375 },
David Benjamin8b8c0062014-11-23 02:47:52 -05005376 },
5377 expectedResumeVersion: resumeVers.version,
5378 })
5379 }
David Benjamin01fe8202014-09-24 15:21:44 -04005380 }
5381 }
David Benjaminece3de92015-03-16 18:02:20 -04005382
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005383 // Sessions with disabled ciphers are not resumed.
5384 testCases = append(testCases, testCase{
5385 testType: serverTest,
5386 name: "Resume-Server-CipherMismatch",
5387 resumeSession: true,
5388 config: Config{
5389 MaxVersion: VersionTLS12,
5390 },
5391 flags: []string{"-cipher", "AES128", "-resume-cipher", "AES256"},
5392 shouldFail: false,
5393 expectResumeRejected: true,
5394 })
5395
5396 testCases = append(testCases, testCase{
5397 testType: serverTest,
5398 name: "Resume-Server-CipherMismatch-TLS13",
5399 resumeSession: true,
5400 config: Config{
5401 MaxVersion: VersionTLS13,
5402 },
5403 flags: []string{"-cipher", "AES128", "-resume-cipher", "AES256"},
5404 shouldFail: false,
5405 expectResumeRejected: true,
5406 })
5407
David Benjaminece3de92015-03-16 18:02:20 -04005408 testCases = append(testCases, testCase{
5409 name: "Resume-Client-CipherMismatch",
5410 resumeSession: true,
5411 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005412 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -04005413 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5414 },
5415 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005416 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -04005417 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5418 Bugs: ProtocolBugs{
5419 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5420 },
5421 },
5422 shouldFail: true,
5423 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5424 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04005425
5426 testCases = append(testCases, testCase{
5427 name: "Resume-Client-CipherMismatch-TLS13",
5428 resumeSession: true,
5429 config: Config{
5430 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04005431 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -04005432 },
5433 resumeConfig: &Config{
5434 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04005435 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -04005436 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -04005437 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005438 },
5439 },
5440 shouldFail: true,
5441 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5442 })
David Benjamin01fe8202014-09-24 15:21:44 -04005443}
5444
Adam Langley2ae77d22014-10-28 17:29:33 -07005445func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -04005446 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -04005447 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005448 testType: serverTest,
5449 name: "Renegotiate-Server-Forbidden",
5450 config: Config{
5451 MaxVersion: VersionTLS12,
5452 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005453 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -04005454 shouldFail: true,
5455 expectedError: ":NO_RENEGOTIATION:",
5456 expectedLocalError: "remote error: no renegotiation",
5457 })
Adam Langley5021b222015-06-12 18:27:58 -07005458 // The server shouldn't echo the renegotiation extension unless
5459 // requested by the client.
5460 testCases = append(testCases, testCase{
5461 testType: serverTest,
5462 name: "Renegotiate-Server-NoExt",
5463 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005464 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -07005465 Bugs: ProtocolBugs{
5466 NoRenegotiationInfo: true,
5467 RequireRenegotiationInfo: true,
5468 },
5469 },
5470 shouldFail: true,
5471 expectedLocalError: "renegotiation extension missing",
5472 })
5473 // The renegotiation SCSV should be sufficient for the server to echo
5474 // the extension.
5475 testCases = append(testCases, testCase{
5476 testType: serverTest,
5477 name: "Renegotiate-Server-NoExt-SCSV",
5478 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005479 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -07005480 Bugs: ProtocolBugs{
5481 NoRenegotiationInfo: true,
5482 SendRenegotiationSCSV: true,
5483 RequireRenegotiationInfo: true,
5484 },
5485 },
5486 })
Adam Langleycf2d4f42014-10-28 19:06:14 -07005487 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -04005488 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -04005489 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005490 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -04005491 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -04005492 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -04005493 },
5494 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005495 renegotiate: 1,
5496 flags: []string{
5497 "-renegotiate-freely",
5498 "-expect-total-renegotiations", "1",
5499 },
David Benjamincdea40c2015-03-19 14:09:43 -04005500 })
5501 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -07005502 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005503 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005504 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005505 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005506 Bugs: ProtocolBugs{
5507 EmptyRenegotiationInfo: true,
5508 },
5509 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005510 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005511 shouldFail: true,
5512 expectedError: ":RENEGOTIATION_MISMATCH:",
5513 })
5514 testCases = append(testCases, testCase{
5515 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005516 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005517 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005518 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005519 Bugs: ProtocolBugs{
5520 BadRenegotiationInfo: true,
5521 },
5522 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005523 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005524 shouldFail: true,
5525 expectedError: ":RENEGOTIATION_MISMATCH:",
5526 })
5527 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -05005528 name: "Renegotiate-Client-Downgrade",
5529 renegotiate: 1,
5530 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005531 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -05005532 Bugs: ProtocolBugs{
5533 NoRenegotiationInfoAfterInitial: true,
5534 },
5535 },
5536 flags: []string{"-renegotiate-freely"},
5537 shouldFail: true,
5538 expectedError: ":RENEGOTIATION_MISMATCH:",
5539 })
5540 testCases = append(testCases, testCase{
5541 name: "Renegotiate-Client-Upgrade",
5542 renegotiate: 1,
5543 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005544 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -05005545 Bugs: ProtocolBugs{
5546 NoRenegotiationInfoInInitial: true,
5547 },
5548 },
5549 flags: []string{"-renegotiate-freely"},
5550 shouldFail: true,
5551 expectedError: ":RENEGOTIATION_MISMATCH:",
5552 })
5553 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -04005554 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005555 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -04005556 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005557 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -04005558 Bugs: ProtocolBugs{
5559 NoRenegotiationInfo: true,
5560 },
5561 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005562 flags: []string{
5563 "-renegotiate-freely",
5564 "-expect-total-renegotiations", "1",
5565 },
David Benjamincff0b902015-05-15 23:09:47 -04005566 })
David Benjamine7e36aa2016-08-08 12:39:41 -04005567
5568 // Test that the server may switch ciphers on renegotiation without
5569 // problems.
David Benjamincff0b902015-05-15 23:09:47 -04005570 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -07005571 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005572 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005573 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005574 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07005575 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005576 },
5577 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005578 flags: []string{
5579 "-renegotiate-freely",
5580 "-expect-total-renegotiations", "1",
5581 },
Adam Langleycf2d4f42014-10-28 19:06:14 -07005582 })
5583 testCases = append(testCases, testCase{
5584 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005585 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005586 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005587 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005588 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5589 },
Matt Braithwaite07e78062016-08-21 14:50:43 -07005590 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005591 flags: []string{
5592 "-renegotiate-freely",
5593 "-expect-total-renegotiations", "1",
5594 },
David Benjaminb16346b2015-04-08 19:16:58 -04005595 })
David Benjamine7e36aa2016-08-08 12:39:41 -04005596
5597 // Test that the server may not switch versions on renegotiation.
5598 testCases = append(testCases, testCase{
5599 name: "Renegotiate-Client-SwitchVersion",
5600 config: Config{
5601 MaxVersion: VersionTLS12,
5602 // Pick a cipher which exists at both versions.
5603 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
5604 Bugs: ProtocolBugs{
5605 NegotiateVersionOnRenego: VersionTLS11,
5606 },
5607 },
5608 renegotiate: 1,
5609 flags: []string{
5610 "-renegotiate-freely",
5611 "-expect-total-renegotiations", "1",
5612 },
5613 shouldFail: true,
5614 expectedError: ":WRONG_SSL_VERSION:",
5615 })
5616
David Benjaminb16346b2015-04-08 19:16:58 -04005617 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -05005618 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005619 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -05005620 config: Config{
5621 MaxVersion: VersionTLS10,
5622 Bugs: ProtocolBugs{
5623 RequireSameRenegoClientVersion: true,
5624 },
5625 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005626 flags: []string{
5627 "-renegotiate-freely",
5628 "-expect-total-renegotiations", "1",
5629 },
David Benjaminc44b1df2014-11-23 12:11:01 -05005630 })
Adam Langleyb558c4c2015-07-08 12:16:38 -07005631 testCases = append(testCases, testCase{
5632 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005633 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -07005634 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005635 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -07005636 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5637 NextProtos: []string{"foo"},
5638 },
5639 flags: []string{
5640 "-false-start",
5641 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005642 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -04005643 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -07005644 },
5645 shimWritesFirst: true,
5646 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005647
5648 // Client-side renegotiation controls.
5649 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005650 name: "Renegotiate-Client-Forbidden-1",
5651 config: Config{
5652 MaxVersion: VersionTLS12,
5653 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005654 renegotiate: 1,
5655 shouldFail: true,
5656 expectedError: ":NO_RENEGOTIATION:",
5657 expectedLocalError: "remote error: no renegotiation",
5658 })
5659 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005660 name: "Renegotiate-Client-Once-1",
5661 config: Config{
5662 MaxVersion: VersionTLS12,
5663 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005664 renegotiate: 1,
5665 flags: []string{
5666 "-renegotiate-once",
5667 "-expect-total-renegotiations", "1",
5668 },
5669 })
5670 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005671 name: "Renegotiate-Client-Freely-1",
5672 config: Config{
5673 MaxVersion: VersionTLS12,
5674 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005675 renegotiate: 1,
5676 flags: []string{
5677 "-renegotiate-freely",
5678 "-expect-total-renegotiations", "1",
5679 },
5680 })
5681 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005682 name: "Renegotiate-Client-Once-2",
5683 config: Config{
5684 MaxVersion: VersionTLS12,
5685 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005686 renegotiate: 2,
5687 flags: []string{"-renegotiate-once"},
5688 shouldFail: true,
5689 expectedError: ":NO_RENEGOTIATION:",
5690 expectedLocalError: "remote error: no renegotiation",
5691 })
5692 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005693 name: "Renegotiate-Client-Freely-2",
5694 config: Config{
5695 MaxVersion: VersionTLS12,
5696 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005697 renegotiate: 2,
5698 flags: []string{
5699 "-renegotiate-freely",
5700 "-expect-total-renegotiations", "2",
5701 },
5702 })
Adam Langley27a0d082015-11-03 13:34:10 -08005703 testCases = append(testCases, testCase{
5704 name: "Renegotiate-Client-NoIgnore",
5705 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005706 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -08005707 Bugs: ProtocolBugs{
5708 SendHelloRequestBeforeEveryAppDataRecord: true,
5709 },
5710 },
5711 shouldFail: true,
5712 expectedError: ":NO_RENEGOTIATION:",
5713 })
5714 testCases = append(testCases, testCase{
5715 name: "Renegotiate-Client-Ignore",
5716 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005717 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -08005718 Bugs: ProtocolBugs{
5719 SendHelloRequestBeforeEveryAppDataRecord: true,
5720 },
5721 },
5722 flags: []string{
5723 "-renegotiate-ignore",
5724 "-expect-total-renegotiations", "0",
5725 },
5726 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04005727
David Benjamin34941c02016-10-08 11:45:31 -04005728 // Renegotiation is not allowed at SSL 3.0.
5729 testCases = append(testCases, testCase{
5730 name: "Renegotiate-Client-SSL3",
5731 config: Config{
5732 MaxVersion: VersionSSL30,
5733 },
5734 renegotiate: 1,
5735 flags: []string{
5736 "-renegotiate-freely",
5737 "-expect-total-renegotiations", "1",
5738 },
5739 shouldFail: true,
5740 expectedError: ":NO_RENEGOTIATION:",
5741 expectedLocalError: "remote error: no renegotiation",
5742 })
5743
David Benjamin397c8e62016-07-08 14:14:36 -07005744 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -07005745 testCases = append(testCases, testCase{
5746 name: "StrayHelloRequest",
5747 config: Config{
5748 MaxVersion: VersionTLS12,
5749 Bugs: ProtocolBugs{
5750 SendHelloRequestBeforeEveryHandshakeMessage: true,
5751 },
5752 },
5753 })
5754 testCases = append(testCases, testCase{
5755 name: "StrayHelloRequest-Packed",
5756 config: Config{
5757 MaxVersion: VersionTLS12,
5758 Bugs: ProtocolBugs{
5759 PackHandshakeFlight: true,
5760 SendHelloRequestBeforeEveryHandshakeMessage: true,
5761 },
5762 },
5763 })
5764
David Benjamin12d2c482016-07-24 10:56:51 -04005765 // Test renegotiation works if HelloRequest and server Finished come in
5766 // the same record.
5767 testCases = append(testCases, testCase{
5768 name: "Renegotiate-Client-Packed",
5769 config: Config{
5770 MaxVersion: VersionTLS12,
5771 Bugs: ProtocolBugs{
5772 PackHandshakeFlight: true,
5773 PackHelloRequestWithFinished: true,
5774 },
5775 },
5776 renegotiate: 1,
5777 flags: []string{
5778 "-renegotiate-freely",
5779 "-expect-total-renegotiations", "1",
5780 },
5781 })
5782
David Benjamin397c8e62016-07-08 14:14:36 -07005783 // Renegotiation is forbidden in TLS 1.3.
5784 testCases = append(testCases, testCase{
5785 name: "Renegotiate-Client-TLS13",
5786 config: Config{
5787 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04005788 Bugs: ProtocolBugs{
5789 SendHelloRequestBeforeEveryAppDataRecord: true,
5790 },
David Benjamin397c8e62016-07-08 14:14:36 -07005791 },
David Benjamin397c8e62016-07-08 14:14:36 -07005792 flags: []string{
5793 "-renegotiate-freely",
5794 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -04005795 shouldFail: true,
5796 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -07005797 })
5798
5799 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
5800 testCases = append(testCases, testCase{
5801 name: "StrayHelloRequest-TLS13",
5802 config: Config{
5803 MaxVersion: VersionTLS13,
5804 Bugs: ProtocolBugs{
5805 SendHelloRequestBeforeEveryHandshakeMessage: true,
5806 },
5807 },
5808 shouldFail: true,
5809 expectedError: ":UNEXPECTED_MESSAGE:",
5810 })
Adam Langley2ae77d22014-10-28 17:29:33 -07005811}
5812
David Benjamin5e961c12014-11-07 01:48:35 -05005813func addDTLSReplayTests() {
5814 // Test that sequence number replays are detected.
5815 testCases = append(testCases, testCase{
5816 protocol: dtls,
5817 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -04005818 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -05005819 replayWrites: true,
5820 })
5821
David Benjamin8e6db492015-07-25 18:29:23 -04005822 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -05005823 // than the retransmit window.
5824 testCases = append(testCases, testCase{
5825 protocol: dtls,
5826 name: "DTLS-Replay-LargeGaps",
5827 config: Config{
5828 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -04005829 SequenceNumberMapping: func(in uint64) uint64 {
5830 return in * 127
5831 },
David Benjamin5e961c12014-11-07 01:48:35 -05005832 },
5833 },
David Benjamin8e6db492015-07-25 18:29:23 -04005834 messageCount: 200,
5835 replayWrites: true,
5836 })
5837
5838 // Test the incoming sequence number changing non-monotonically.
5839 testCases = append(testCases, testCase{
5840 protocol: dtls,
5841 name: "DTLS-Replay-NonMonotonic",
5842 config: Config{
5843 Bugs: ProtocolBugs{
5844 SequenceNumberMapping: func(in uint64) uint64 {
5845 return in ^ 31
5846 },
5847 },
5848 },
5849 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -05005850 replayWrites: true,
5851 })
5852}
5853
Nick Harper60edffd2016-06-21 15:19:24 -07005854var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -05005855 name string
Nick Harper60edffd2016-06-21 15:19:24 -07005856 id signatureAlgorithm
5857 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -05005858}{
Nick Harper60edffd2016-06-21 15:19:24 -07005859 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
5860 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
5861 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
5862 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -07005863 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -07005864 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
5865 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
5866 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005867 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
5868 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
5869 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -04005870 // Tests for key types prior to TLS 1.2.
5871 {"RSA", 0, testCertRSA},
5872 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -05005873}
5874
Nick Harper60edffd2016-06-21 15:19:24 -07005875const fakeSigAlg1 signatureAlgorithm = 0x2a01
5876const fakeSigAlg2 signatureAlgorithm = 0xff01
5877
5878func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -04005879 // Not all ciphers involve a signature. Advertise a list which gives all
5880 // versions a signing cipher.
5881 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -04005882 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -04005883 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5884 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
5885 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
5886 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
5887 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
5888 }
5889
David Benjaminca3d5452016-07-14 12:51:01 -04005890 var allAlgorithms []signatureAlgorithm
5891 for _, alg := range testSignatureAlgorithms {
5892 if alg.id != 0 {
5893 allAlgorithms = append(allAlgorithms, alg.id)
5894 }
5895 }
5896
Nick Harper60edffd2016-06-21 15:19:24 -07005897 // Make sure each signature algorithm works. Include some fake values in
5898 // the list and ensure they're ignored.
5899 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -07005900 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -04005901 if (ver.version < VersionTLS12) != (alg.id == 0) {
5902 continue
5903 }
5904
5905 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
5906 // or remove it in C.
5907 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -07005908 continue
5909 }
Nick Harper60edffd2016-06-21 15:19:24 -07005910
David Benjamin3ef76972016-10-17 17:59:54 -04005911 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -07005912 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005913 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -04005914 shouldSignFail = true
5915 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005916 }
Steven Valdez54ed58e2016-08-18 14:03:49 -04005917 // RSA-PKCS1 does not exist in TLS 1.3.
5918 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -04005919 shouldSignFail = true
5920 shouldVerifyFail = true
5921 }
5922
5923 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
5924 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
5925 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -04005926 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005927
5928 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -04005929 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005930 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -04005931 }
5932 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005933 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -07005934 }
David Benjamin000800a2014-11-14 01:43:59 -05005935
David Benjamin1fb125c2016-07-08 18:52:12 -07005936 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -05005937
David Benjamin7a41d372016-07-09 11:21:54 -07005938 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04005939 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -07005940 config: Config{
5941 MaxVersion: ver.version,
5942 ClientAuth: RequireAnyClientCert,
5943 VerifySignatureAlgorithms: []signatureAlgorithm{
5944 fakeSigAlg1,
5945 alg.id,
5946 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -07005947 },
David Benjamin7a41d372016-07-09 11:21:54 -07005948 },
5949 flags: []string{
5950 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
5951 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
5952 "-enable-all-curves",
5953 },
David Benjamin3ef76972016-10-17 17:59:54 -04005954 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -07005955 expectedError: signError,
5956 expectedPeerSignatureAlgorithm: alg.id,
5957 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005958
David Benjamin7a41d372016-07-09 11:21:54 -07005959 testCases = append(testCases, testCase{
5960 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04005961 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -07005962 config: Config{
5963 MaxVersion: ver.version,
5964 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
5965 SignSignatureAlgorithms: []signatureAlgorithm{
5966 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005967 },
David Benjamin7a41d372016-07-09 11:21:54 -07005968 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -04005969 SkipECDSACurveCheck: shouldVerifyFail,
5970 IgnoreSignatureVersionChecks: shouldVerifyFail,
5971 // Some signature algorithms may not be advertised.
5972 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04005973 },
David Benjamin7a41d372016-07-09 11:21:54 -07005974 },
5975 flags: []string{
5976 "-require-any-client-certificate",
5977 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
5978 "-enable-all-curves",
5979 },
David Benjamin3ef76972016-10-17 17:59:54 -04005980 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -07005981 expectedError: verifyError,
5982 })
David Benjamin1fb125c2016-07-08 18:52:12 -07005983
5984 testCases = append(testCases, testCase{
5985 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04005986 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -07005987 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -04005988 MaxVersion: ver.version,
5989 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -07005990 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07005991 fakeSigAlg1,
5992 alg.id,
5993 fakeSigAlg2,
5994 },
5995 },
5996 flags: []string{
5997 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
5998 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
5999 "-enable-all-curves",
6000 },
David Benjamin3ef76972016-10-17 17:59:54 -04006001 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006002 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -07006003 expectedPeerSignatureAlgorithm: alg.id,
6004 })
6005
6006 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006007 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -07006008 config: Config{
6009 MaxVersion: ver.version,
6010 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -04006011 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -07006012 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006013 alg.id,
6014 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006015 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -04006016 SkipECDSACurveCheck: shouldVerifyFail,
6017 IgnoreSignatureVersionChecks: shouldVerifyFail,
6018 // Some signature algorithms may not be advertised.
6019 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006020 },
David Benjamin1fb125c2016-07-08 18:52:12 -07006021 },
6022 flags: []string{
6023 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6024 "-enable-all-curves",
6025 },
David Benjamin3ef76972016-10-17 17:59:54 -04006026 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006027 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -07006028 })
David Benjamin5208fd42016-07-13 21:43:25 -04006029
David Benjamin3ef76972016-10-17 17:59:54 -04006030 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -04006031 testCases = append(testCases, testCase{
6032 testType: serverTest,
6033 name: "ClientAuth-InvalidSignature" + suffix,
6034 config: Config{
6035 MaxVersion: ver.version,
6036 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6037 SignSignatureAlgorithms: []signatureAlgorithm{
6038 alg.id,
6039 },
6040 Bugs: ProtocolBugs{
6041 InvalidSignature: true,
6042 },
6043 },
6044 flags: []string{
6045 "-require-any-client-certificate",
6046 "-enable-all-curves",
6047 },
6048 shouldFail: true,
6049 expectedError: ":BAD_SIGNATURE:",
6050 })
6051
6052 testCases = append(testCases, testCase{
6053 name: "ServerAuth-InvalidSignature" + suffix,
6054 config: Config{
6055 MaxVersion: ver.version,
6056 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6057 CipherSuites: signingCiphers,
6058 SignSignatureAlgorithms: []signatureAlgorithm{
6059 alg.id,
6060 },
6061 Bugs: ProtocolBugs{
6062 InvalidSignature: true,
6063 },
6064 },
6065 flags: []string{"-enable-all-curves"},
6066 shouldFail: true,
6067 expectedError: ":BAD_SIGNATURE:",
6068 })
6069 }
David Benjaminca3d5452016-07-14 12:51:01 -04006070
David Benjamin3ef76972016-10-17 17:59:54 -04006071 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -04006072 testCases = append(testCases, testCase{
6073 name: "ClientAuth-Sign-Negotiate" + suffix,
6074 config: Config{
6075 MaxVersion: ver.version,
6076 ClientAuth: RequireAnyClientCert,
6077 VerifySignatureAlgorithms: allAlgorithms,
6078 },
6079 flags: []string{
6080 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6081 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6082 "-enable-all-curves",
6083 "-signing-prefs", strconv.Itoa(int(alg.id)),
6084 },
6085 expectedPeerSignatureAlgorithm: alg.id,
6086 })
6087
6088 testCases = append(testCases, testCase{
6089 testType: serverTest,
6090 name: "ServerAuth-Sign-Negotiate" + suffix,
6091 config: Config{
6092 MaxVersion: ver.version,
6093 CipherSuites: signingCiphers,
6094 VerifySignatureAlgorithms: allAlgorithms,
6095 },
6096 flags: []string{
6097 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6098 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6099 "-enable-all-curves",
6100 "-signing-prefs", strconv.Itoa(int(alg.id)),
6101 },
6102 expectedPeerSignatureAlgorithm: alg.id,
6103 })
6104 }
David Benjamin1fb125c2016-07-08 18:52:12 -07006105 }
David Benjamin000800a2014-11-14 01:43:59 -05006106 }
6107
Nick Harper60edffd2016-06-21 15:19:24 -07006108 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -05006109 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006110 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -05006111 config: Config{
6112 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -04006113 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -07006114 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006115 signatureECDSAWithP521AndSHA512,
6116 signatureRSAPKCS1WithSHA384,
6117 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006118 },
6119 },
6120 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07006121 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6122 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -05006123 },
Nick Harper60edffd2016-06-21 15:19:24 -07006124 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -05006125 })
6126
6127 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04006128 name: "ClientAuth-SignatureType-TLS13",
6129 config: Config{
6130 ClientAuth: RequireAnyClientCert,
6131 MaxVersion: VersionTLS13,
6132 VerifySignatureAlgorithms: []signatureAlgorithm{
6133 signatureECDSAWithP521AndSHA512,
6134 signatureRSAPKCS1WithSHA384,
6135 signatureRSAPSSWithSHA384,
6136 signatureECDSAWithSHA1,
6137 },
6138 },
6139 flags: []string{
6140 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6141 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6142 },
6143 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6144 })
6145
6146 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -05006147 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006148 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -05006149 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006150 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -05006151 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006152 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006153 signatureECDSAWithP521AndSHA512,
6154 signatureRSAPKCS1WithSHA384,
6155 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006156 },
6157 },
Nick Harper60edffd2016-06-21 15:19:24 -07006158 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -05006159 })
6160
Steven Valdez143e8b32016-07-11 13:19:03 -04006161 testCases = append(testCases, testCase{
6162 testType: serverTest,
6163 name: "ServerAuth-SignatureType-TLS13",
6164 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006165 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04006166 VerifySignatureAlgorithms: []signatureAlgorithm{
6167 signatureECDSAWithP521AndSHA512,
6168 signatureRSAPKCS1WithSHA384,
6169 signatureRSAPSSWithSHA384,
6170 signatureECDSAWithSHA1,
6171 },
6172 },
6173 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6174 })
6175
David Benjamina95e9f32016-07-08 16:28:04 -07006176 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -07006177 testCases = append(testCases, testCase{
6178 testType: serverTest,
6179 name: "Verify-ClientAuth-SignatureType",
6180 config: Config{
6181 MaxVersion: VersionTLS12,
6182 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006183 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -07006184 signatureRSAPKCS1WithSHA256,
6185 },
6186 Bugs: ProtocolBugs{
6187 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6188 },
6189 },
6190 flags: []string{
6191 "-require-any-client-certificate",
6192 },
6193 shouldFail: true,
6194 expectedError: ":WRONG_SIGNATURE_TYPE:",
6195 })
6196
6197 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04006198 testType: serverTest,
6199 name: "Verify-ClientAuth-SignatureType-TLS13",
6200 config: Config{
6201 MaxVersion: VersionTLS13,
6202 Certificates: []Certificate{rsaCertificate},
6203 SignSignatureAlgorithms: []signatureAlgorithm{
6204 signatureRSAPSSWithSHA256,
6205 },
6206 Bugs: ProtocolBugs{
6207 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6208 },
6209 },
6210 flags: []string{
6211 "-require-any-client-certificate",
6212 },
6213 shouldFail: true,
6214 expectedError: ":WRONG_SIGNATURE_TYPE:",
6215 })
6216
6217 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006218 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -07006219 config: Config{
6220 MaxVersion: VersionTLS12,
6221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006222 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -07006223 signatureRSAPKCS1WithSHA256,
6224 },
6225 Bugs: ProtocolBugs{
6226 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6227 },
6228 },
6229 shouldFail: true,
6230 expectedError: ":WRONG_SIGNATURE_TYPE:",
6231 })
6232
Steven Valdez143e8b32016-07-11 13:19:03 -04006233 testCases = append(testCases, testCase{
6234 name: "Verify-ServerAuth-SignatureType-TLS13",
6235 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006236 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04006237 SignSignatureAlgorithms: []signatureAlgorithm{
6238 signatureRSAPSSWithSHA256,
6239 },
6240 Bugs: ProtocolBugs{
6241 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6242 },
6243 },
6244 shouldFail: true,
6245 expectedError: ":WRONG_SIGNATURE_TYPE:",
6246 })
6247
David Benjamin51dd7d62016-07-08 16:07:01 -07006248 // Test that, if the list is missing, the peer falls back to SHA-1 in
6249 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -05006250 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -04006251 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -05006252 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006253 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -05006254 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006255 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006256 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006257 },
6258 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -07006259 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -05006260 },
6261 },
6262 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07006263 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6264 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -05006265 },
6266 })
6267
6268 testCases = append(testCases, testCase{
6269 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -04006270 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -05006271 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -04006272 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -07006273 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006274 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006275 },
6276 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -07006277 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -05006278 },
6279 },
David Benjaminee32bea2016-08-17 13:36:44 -04006280 flags: []string{
6281 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6282 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6283 },
6284 })
6285
6286 testCases = append(testCases, testCase{
6287 name: "ClientAuth-SHA1-Fallback-ECDSA",
6288 config: Config{
6289 MaxVersion: VersionTLS12,
6290 ClientAuth: RequireAnyClientCert,
6291 VerifySignatureAlgorithms: []signatureAlgorithm{
6292 signatureECDSAWithSHA1,
6293 },
6294 Bugs: ProtocolBugs{
6295 NoSignatureAlgorithms: true,
6296 },
6297 },
6298 flags: []string{
6299 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6300 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6301 },
6302 })
6303
6304 testCases = append(testCases, testCase{
6305 testType: serverTest,
6306 name: "ServerAuth-SHA1-Fallback-ECDSA",
6307 config: Config{
6308 MaxVersion: VersionTLS12,
6309 VerifySignatureAlgorithms: []signatureAlgorithm{
6310 signatureECDSAWithSHA1,
6311 },
6312 Bugs: ProtocolBugs{
6313 NoSignatureAlgorithms: true,
6314 },
6315 },
6316 flags: []string{
6317 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6318 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6319 },
David Benjamin000800a2014-11-14 01:43:59 -05006320 })
David Benjamin72dc7832015-03-16 17:49:43 -04006321
David Benjamin51dd7d62016-07-08 16:07:01 -07006322 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006323 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -07006324 config: Config{
6325 MaxVersion: VersionTLS13,
6326 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006327 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -07006328 signatureRSAPKCS1WithSHA1,
6329 },
6330 Bugs: ProtocolBugs{
6331 NoSignatureAlgorithms: true,
6332 },
6333 },
6334 flags: []string{
6335 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6336 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6337 },
David Benjamin48901652016-08-01 12:12:47 -04006338 shouldFail: true,
6339 // An empty CertificateRequest signature algorithm list is a
6340 // syntax error in TLS 1.3.
6341 expectedError: ":DECODE_ERROR:",
6342 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -07006343 })
6344
6345 testCases = append(testCases, testCase{
6346 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006347 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -07006348 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006349 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -07006350 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -07006351 signatureRSAPKCS1WithSHA1,
6352 },
6353 Bugs: ProtocolBugs{
6354 NoSignatureAlgorithms: true,
6355 },
6356 },
6357 shouldFail: true,
6358 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6359 })
6360
David Benjaminb62d2872016-07-18 14:55:02 +02006361 // Test that hash preferences are enforced. BoringSSL does not implement
6362 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -04006363 testCases = append(testCases, testCase{
6364 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006365 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -04006366 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006367 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -04006368 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006369 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006370 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -04006371 },
6372 Bugs: ProtocolBugs{
6373 IgnorePeerSignatureAlgorithmPreferences: true,
6374 },
6375 },
6376 flags: []string{"-require-any-client-certificate"},
6377 shouldFail: true,
6378 expectedError: ":WRONG_SIGNATURE_TYPE:",
6379 })
6380
6381 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006382 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -04006383 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006384 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -04006385 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006386 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006387 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -04006388 },
6389 Bugs: ProtocolBugs{
6390 IgnorePeerSignatureAlgorithmPreferences: true,
6391 },
6392 },
6393 shouldFail: true,
6394 expectedError: ":WRONG_SIGNATURE_TYPE:",
6395 })
David Benjaminb62d2872016-07-18 14:55:02 +02006396 testCases = append(testCases, testCase{
6397 testType: serverTest,
6398 name: "ClientAuth-Enforced-TLS13",
6399 config: Config{
6400 MaxVersion: VersionTLS13,
6401 Certificates: []Certificate{rsaCertificate},
6402 SignSignatureAlgorithms: []signatureAlgorithm{
6403 signatureRSAPKCS1WithMD5,
6404 },
6405 Bugs: ProtocolBugs{
6406 IgnorePeerSignatureAlgorithmPreferences: true,
6407 IgnoreSignatureVersionChecks: true,
6408 },
6409 },
6410 flags: []string{"-require-any-client-certificate"},
6411 shouldFail: true,
6412 expectedError: ":WRONG_SIGNATURE_TYPE:",
6413 })
6414
6415 testCases = append(testCases, testCase{
6416 name: "ServerAuth-Enforced-TLS13",
6417 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006418 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +02006419 SignSignatureAlgorithms: []signatureAlgorithm{
6420 signatureRSAPKCS1WithMD5,
6421 },
6422 Bugs: ProtocolBugs{
6423 IgnorePeerSignatureAlgorithmPreferences: true,
6424 IgnoreSignatureVersionChecks: true,
6425 },
6426 },
6427 shouldFail: true,
6428 expectedError: ":WRONG_SIGNATURE_TYPE:",
6429 })
Steven Valdez0d62f262015-09-04 12:41:04 -04006430
6431 // Test that the agreed upon digest respects the client preferences and
6432 // the server digests.
6433 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -04006434 name: "NoCommonAlgorithms-Digests",
6435 config: Config{
6436 MaxVersion: VersionTLS12,
6437 ClientAuth: RequireAnyClientCert,
6438 VerifySignatureAlgorithms: []signatureAlgorithm{
6439 signatureRSAPKCS1WithSHA512,
6440 signatureRSAPKCS1WithSHA1,
6441 },
6442 },
6443 flags: []string{
6444 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6445 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6446 "-digest-prefs", "SHA256",
6447 },
6448 shouldFail: true,
6449 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6450 })
6451 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -07006452 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -04006453 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006454 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006455 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006456 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006457 signatureRSAPKCS1WithSHA512,
6458 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006459 },
6460 },
6461 flags: []string{
6462 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6463 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006464 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -04006465 },
David Benjaminca3d5452016-07-14 12:51:01 -04006466 shouldFail: true,
6467 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6468 })
6469 testCases = append(testCases, testCase{
6470 name: "NoCommonAlgorithms-TLS13",
6471 config: Config{
6472 MaxVersion: VersionTLS13,
6473 ClientAuth: RequireAnyClientCert,
6474 VerifySignatureAlgorithms: []signatureAlgorithm{
6475 signatureRSAPSSWithSHA512,
6476 signatureRSAPSSWithSHA384,
6477 },
6478 },
6479 flags: []string{
6480 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6481 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6482 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
6483 },
David Benjaminea9a0d52016-07-08 15:52:59 -07006484 shouldFail: true,
6485 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -04006486 })
6487 testCases = append(testCases, testCase{
6488 name: "Agree-Digest-SHA256",
6489 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006490 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006491 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006492 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006493 signatureRSAPKCS1WithSHA1,
6494 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006495 },
6496 },
6497 flags: []string{
6498 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6499 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006500 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -04006501 },
Nick Harper60edffd2016-06-21 15:19:24 -07006502 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006503 })
6504 testCases = append(testCases, testCase{
6505 name: "Agree-Digest-SHA1",
6506 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006507 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006508 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006509 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006510 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006511 },
6512 },
6513 flags: []string{
6514 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6515 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006516 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -04006517 },
Nick Harper60edffd2016-06-21 15:19:24 -07006518 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006519 })
6520 testCases = append(testCases, testCase{
6521 name: "Agree-Digest-Default",
6522 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006523 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006524 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006525 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006526 signatureRSAPKCS1WithSHA256,
6527 signatureECDSAWithP256AndSHA256,
6528 signatureRSAPKCS1WithSHA1,
6529 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006530 },
6531 },
6532 flags: []string{
6533 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6534 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6535 },
Nick Harper60edffd2016-06-21 15:19:24 -07006536 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006537 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04006538
David Benjaminca3d5452016-07-14 12:51:01 -04006539 // Test that the signing preference list may include extra algorithms
6540 // without negotiation problems.
6541 testCases = append(testCases, testCase{
6542 testType: serverTest,
6543 name: "FilterExtraAlgorithms",
6544 config: Config{
6545 MaxVersion: VersionTLS12,
6546 VerifySignatureAlgorithms: []signatureAlgorithm{
6547 signatureRSAPKCS1WithSHA256,
6548 },
6549 },
6550 flags: []string{
6551 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6552 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6553 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
6554 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
6555 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
6556 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
6557 },
6558 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
6559 })
6560
David Benjamin4c3ddf72016-06-29 18:13:53 -04006561 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
6562 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -04006563 testCases = append(testCases, testCase{
6564 name: "CheckLeafCurve",
6565 config: Config{
6566 MaxVersion: VersionTLS12,
6567 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07006568 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -04006569 },
6570 flags: []string{"-p384-only"},
6571 shouldFail: true,
6572 expectedError: ":BAD_ECC_CERT:",
6573 })
David Benjamin75ea5bb2016-07-08 17:43:29 -07006574
6575 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
6576 testCases = append(testCases, testCase{
6577 name: "CheckLeafCurve-TLS13",
6578 config: Config{
6579 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -07006580 Certificates: []Certificate{ecdsaP256Certificate},
6581 },
6582 flags: []string{"-p384-only"},
6583 })
David Benjamin1fb125c2016-07-08 18:52:12 -07006584
6585 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
6586 testCases = append(testCases, testCase{
6587 name: "ECDSACurveMismatch-Verify-TLS12",
6588 config: Config{
6589 MaxVersion: VersionTLS12,
6590 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
6591 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006592 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006593 signatureECDSAWithP384AndSHA384,
6594 },
6595 },
6596 })
6597
6598 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
6599 testCases = append(testCases, testCase{
6600 name: "ECDSACurveMismatch-Verify-TLS13",
6601 config: Config{
6602 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -07006603 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006604 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006605 signatureECDSAWithP384AndSHA384,
6606 },
6607 Bugs: ProtocolBugs{
6608 SkipECDSACurveCheck: true,
6609 },
6610 },
6611 shouldFail: true,
6612 expectedError: ":WRONG_SIGNATURE_TYPE:",
6613 })
6614
6615 // Signature algorithm selection in TLS 1.3 should take the curve into
6616 // account.
6617 testCases = append(testCases, testCase{
6618 testType: serverTest,
6619 name: "ECDSACurveMismatch-Sign-TLS13",
6620 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006621 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -07006622 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006623 signatureECDSAWithP384AndSHA384,
6624 signatureECDSAWithP256AndSHA256,
6625 },
6626 },
6627 flags: []string{
6628 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6629 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6630 },
6631 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6632 })
David Benjamin7944a9f2016-07-12 22:27:01 -04006633
6634 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
6635 // server does not attempt to sign in that case.
6636 testCases = append(testCases, testCase{
6637 testType: serverTest,
6638 name: "RSA-PSS-Large",
6639 config: Config{
6640 MaxVersion: VersionTLS13,
6641 VerifySignatureAlgorithms: []signatureAlgorithm{
6642 signatureRSAPSSWithSHA512,
6643 },
6644 },
6645 flags: []string{
6646 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
6647 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
6648 },
6649 shouldFail: true,
6650 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6651 })
David Benjamin57e929f2016-08-30 00:30:38 -04006652
6653 // Test that RSA-PSS is enabled by default for TLS 1.2.
6654 testCases = append(testCases, testCase{
6655 testType: clientTest,
6656 name: "RSA-PSS-Default-Verify",
6657 config: Config{
6658 MaxVersion: VersionTLS12,
6659 SignSignatureAlgorithms: []signatureAlgorithm{
6660 signatureRSAPSSWithSHA256,
6661 },
6662 },
6663 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
6664 })
6665
6666 testCases = append(testCases, testCase{
6667 testType: serverTest,
6668 name: "RSA-PSS-Default-Sign",
6669 config: Config{
6670 MaxVersion: VersionTLS12,
6671 VerifySignatureAlgorithms: []signatureAlgorithm{
6672 signatureRSAPSSWithSHA256,
6673 },
6674 },
6675 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
6676 })
David Benjamin000800a2014-11-14 01:43:59 -05006677}
6678
David Benjamin83f90402015-01-27 01:09:43 -05006679// timeouts is the retransmit schedule for BoringSSL. It doubles and
6680// caps at 60 seconds. On the 13th timeout, it gives up.
6681var timeouts = []time.Duration{
6682 1 * time.Second,
6683 2 * time.Second,
6684 4 * time.Second,
6685 8 * time.Second,
6686 16 * time.Second,
6687 32 * time.Second,
6688 60 * time.Second,
6689 60 * time.Second,
6690 60 * time.Second,
6691 60 * time.Second,
6692 60 * time.Second,
6693 60 * time.Second,
6694 60 * time.Second,
6695}
6696
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -07006697// shortTimeouts is an alternate set of timeouts which would occur if the
6698// initial timeout duration was set to 250ms.
6699var shortTimeouts = []time.Duration{
6700 250 * time.Millisecond,
6701 500 * time.Millisecond,
6702 1 * time.Second,
6703 2 * time.Second,
6704 4 * time.Second,
6705 8 * time.Second,
6706 16 * time.Second,
6707 32 * time.Second,
6708 60 * time.Second,
6709 60 * time.Second,
6710 60 * time.Second,
6711 60 * time.Second,
6712 60 * time.Second,
6713}
6714
David Benjamin83f90402015-01-27 01:09:43 -05006715func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -04006716 // These tests work by coordinating some behavior on both the shim and
6717 // the runner.
6718 //
6719 // TimeoutSchedule configures the runner to send a series of timeout
6720 // opcodes to the shim (see packetAdaptor) immediately before reading
6721 // each peer handshake flight N. The timeout opcode both simulates a
6722 // timeout in the shim and acts as a synchronization point to help the
6723 // runner bracket each handshake flight.
6724 //
6725 // We assume the shim does not read from the channel eagerly. It must
6726 // first wait until it has sent flight N and is ready to receive
6727 // handshake flight N+1. At this point, it will process the timeout
6728 // opcode. It must then immediately respond with a timeout ACK and act
6729 // as if the shim was idle for the specified amount of time.
6730 //
6731 // The runner then drops all packets received before the ACK and
6732 // continues waiting for flight N. This ordering results in one attempt
6733 // at sending flight N to be dropped. For the test to complete, the
6734 // shim must send flight N again, testing that the shim implements DTLS
6735 // retransmit on a timeout.
6736
Steven Valdez143e8b32016-07-11 13:19:03 -04006737 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -04006738 // likely be more epochs to cross and the final message's retransmit may
6739 // be more complex.
6740
David Benjamin585d7a42016-06-02 14:58:00 -04006741 for _, async := range []bool{true, false} {
6742 var tests []testCase
6743
6744 // Test that this is indeed the timeout schedule. Stress all
6745 // four patterns of handshake.
6746 for i := 1; i < len(timeouts); i++ {
6747 number := strconv.Itoa(i)
6748 tests = append(tests, testCase{
6749 protocol: dtls,
6750 name: "DTLS-Retransmit-Client-" + number,
6751 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006752 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04006753 Bugs: ProtocolBugs{
6754 TimeoutSchedule: timeouts[:i],
6755 },
6756 },
6757 resumeSession: true,
6758 })
6759 tests = append(tests, testCase{
6760 protocol: dtls,
6761 testType: serverTest,
6762 name: "DTLS-Retransmit-Server-" + number,
6763 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006764 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04006765 Bugs: ProtocolBugs{
6766 TimeoutSchedule: timeouts[:i],
6767 },
6768 },
6769 resumeSession: true,
6770 })
6771 }
6772
6773 // Test that exceeding the timeout schedule hits a read
6774 // timeout.
6775 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -05006776 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -04006777 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -05006778 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006779 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -05006780 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -04006781 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -05006782 },
6783 },
6784 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -04006785 shouldFail: true,
6786 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -05006787 })
David Benjamin585d7a42016-06-02 14:58:00 -04006788
6789 if async {
6790 // Test that timeout handling has a fudge factor, due to API
6791 // problems.
6792 tests = append(tests, testCase{
6793 protocol: dtls,
6794 name: "DTLS-Retransmit-Fudge",
6795 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006796 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04006797 Bugs: ProtocolBugs{
6798 TimeoutSchedule: []time.Duration{
6799 timeouts[0] - 10*time.Millisecond,
6800 },
6801 },
6802 },
6803 resumeSession: true,
6804 })
6805 }
6806
6807 // Test that the final Finished retransmitting isn't
6808 // duplicated if the peer badly fragments everything.
6809 tests = append(tests, testCase{
6810 testType: serverTest,
6811 protocol: dtls,
6812 name: "DTLS-Retransmit-Fragmented",
6813 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006814 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04006815 Bugs: ProtocolBugs{
6816 TimeoutSchedule: []time.Duration{timeouts[0]},
6817 MaxHandshakeRecordLength: 2,
6818 },
6819 },
6820 })
6821
6822 // Test the timeout schedule when a shorter initial timeout duration is set.
6823 tests = append(tests, testCase{
6824 protocol: dtls,
6825 name: "DTLS-Retransmit-Short-Client",
6826 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006827 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04006828 Bugs: ProtocolBugs{
6829 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
6830 },
6831 },
6832 resumeSession: true,
6833 flags: []string{"-initial-timeout-duration-ms", "250"},
6834 })
6835 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -05006836 protocol: dtls,
6837 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -04006838 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -05006839 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006840 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -05006841 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -04006842 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -05006843 },
6844 },
6845 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -04006846 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -05006847 })
David Benjamin585d7a42016-06-02 14:58:00 -04006848
6849 for _, test := range tests {
6850 if async {
6851 test.name += "-Async"
6852 test.flags = append(test.flags, "-async")
6853 }
6854
6855 testCases = append(testCases, test)
6856 }
David Benjamin83f90402015-01-27 01:09:43 -05006857 }
David Benjamin83f90402015-01-27 01:09:43 -05006858}
6859
David Benjaminc565ebb2015-04-03 04:06:36 -04006860func addExportKeyingMaterialTests() {
6861 for _, vers := range tlsVersions {
6862 if vers.version == VersionSSL30 {
6863 continue
6864 }
6865 testCases = append(testCases, testCase{
6866 name: "ExportKeyingMaterial-" + vers.name,
6867 config: Config{
6868 MaxVersion: vers.version,
6869 },
6870 exportKeyingMaterial: 1024,
6871 exportLabel: "label",
6872 exportContext: "context",
6873 useExportContext: true,
6874 })
6875 testCases = append(testCases, testCase{
6876 name: "ExportKeyingMaterial-NoContext-" + vers.name,
6877 config: Config{
6878 MaxVersion: vers.version,
6879 },
6880 exportKeyingMaterial: 1024,
6881 })
6882 testCases = append(testCases, testCase{
6883 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
6884 config: Config{
6885 MaxVersion: vers.version,
6886 },
6887 exportKeyingMaterial: 1024,
6888 useExportContext: true,
6889 })
6890 testCases = append(testCases, testCase{
6891 name: "ExportKeyingMaterial-Small-" + vers.name,
6892 config: Config{
6893 MaxVersion: vers.version,
6894 },
6895 exportKeyingMaterial: 1,
6896 exportLabel: "label",
6897 exportContext: "context",
6898 useExportContext: true,
6899 })
6900 }
6901 testCases = append(testCases, testCase{
6902 name: "ExportKeyingMaterial-SSL3",
6903 config: Config{
6904 MaxVersion: VersionSSL30,
6905 },
6906 exportKeyingMaterial: 1024,
6907 exportLabel: "label",
6908 exportContext: "context",
6909 useExportContext: true,
6910 shouldFail: true,
6911 expectedError: "failed to export keying material",
6912 })
6913}
6914
Adam Langleyaf0e32c2015-06-03 09:57:23 -07006915func addTLSUniqueTests() {
6916 for _, isClient := range []bool{false, true} {
6917 for _, isResumption := range []bool{false, true} {
6918 for _, hasEMS := range []bool{false, true} {
6919 var suffix string
6920 if isResumption {
6921 suffix = "Resume-"
6922 } else {
6923 suffix = "Full-"
6924 }
6925
6926 if hasEMS {
6927 suffix += "EMS-"
6928 } else {
6929 suffix += "NoEMS-"
6930 }
6931
6932 if isClient {
6933 suffix += "Client"
6934 } else {
6935 suffix += "Server"
6936 }
6937
6938 test := testCase{
6939 name: "TLSUnique-" + suffix,
6940 testTLSUnique: true,
6941 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006942 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -07006943 Bugs: ProtocolBugs{
6944 NoExtendedMasterSecret: !hasEMS,
6945 },
6946 },
6947 }
6948
6949 if isResumption {
6950 test.resumeSession = true
6951 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006952 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -07006953 Bugs: ProtocolBugs{
6954 NoExtendedMasterSecret: !hasEMS,
6955 },
6956 }
6957 }
6958
6959 if isResumption && !hasEMS {
6960 test.shouldFail = true
6961 test.expectedError = "failed to get tls-unique"
6962 }
6963
6964 testCases = append(testCases, test)
6965 }
6966 }
6967 }
6968}
6969
Adam Langley09505632015-07-30 18:10:13 -07006970func addCustomExtensionTests() {
6971 expectedContents := "custom extension"
6972 emptyString := ""
6973
6974 for _, isClient := range []bool{false, true} {
6975 suffix := "Server"
6976 flag := "-enable-server-custom-extension"
6977 testType := serverTest
6978 if isClient {
6979 suffix = "Client"
6980 flag = "-enable-client-custom-extension"
6981 testType = clientTest
6982 }
6983
6984 testCases = append(testCases, testCase{
6985 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04006986 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07006987 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006988 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04006989 Bugs: ProtocolBugs{
6990 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -07006991 ExpectedCustomExtension: &expectedContents,
6992 },
6993 },
6994 flags: []string{flag},
6995 })
Steven Valdez143e8b32016-07-11 13:19:03 -04006996 testCases = append(testCases, testCase{
6997 testType: testType,
6998 name: "CustomExtensions-" + suffix + "-TLS13",
6999 config: Config{
7000 MaxVersion: VersionTLS13,
7001 Bugs: ProtocolBugs{
7002 CustomExtension: expectedContents,
7003 ExpectedCustomExtension: &expectedContents,
7004 },
7005 },
7006 flags: []string{flag},
7007 })
Adam Langley09505632015-07-30 18:10:13 -07007008
7009 // If the parse callback fails, the handshake should also fail.
7010 testCases = append(testCases, testCase{
7011 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007012 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007013 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007014 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007015 Bugs: ProtocolBugs{
7016 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -07007017 ExpectedCustomExtension: &expectedContents,
7018 },
7019 },
David Benjamin399e7c92015-07-30 23:01:27 -04007020 flags: []string{flag},
7021 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -07007022 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7023 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007024 testCases = append(testCases, testCase{
7025 testType: testType,
7026 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7027 config: Config{
7028 MaxVersion: VersionTLS13,
7029 Bugs: ProtocolBugs{
7030 CustomExtension: expectedContents + "foo",
7031 ExpectedCustomExtension: &expectedContents,
7032 },
7033 },
7034 flags: []string{flag},
7035 shouldFail: true,
7036 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7037 })
Adam Langley09505632015-07-30 18:10:13 -07007038
7039 // If the add callback fails, the handshake should also fail.
7040 testCases = append(testCases, testCase{
7041 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007042 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007043 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007044 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007045 Bugs: ProtocolBugs{
7046 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -07007047 ExpectedCustomExtension: &expectedContents,
7048 },
7049 },
David Benjamin399e7c92015-07-30 23:01:27 -04007050 flags: []string{flag, "-custom-extension-fail-add"},
7051 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -07007052 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7053 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007054 testCases = append(testCases, testCase{
7055 testType: testType,
7056 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7057 config: Config{
7058 MaxVersion: VersionTLS13,
7059 Bugs: ProtocolBugs{
7060 CustomExtension: expectedContents,
7061 ExpectedCustomExtension: &expectedContents,
7062 },
7063 },
7064 flags: []string{flag, "-custom-extension-fail-add"},
7065 shouldFail: true,
7066 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7067 })
Adam Langley09505632015-07-30 18:10:13 -07007068
7069 // If the add callback returns zero, no extension should be
7070 // added.
7071 skipCustomExtension := expectedContents
7072 if isClient {
7073 // For the case where the client skips sending the
7074 // custom extension, the server must not “echo” it.
7075 skipCustomExtension = ""
7076 }
7077 testCases = append(testCases, testCase{
7078 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007079 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007080 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007081 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007082 Bugs: ProtocolBugs{
7083 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -07007084 ExpectedCustomExtension: &emptyString,
7085 },
7086 },
7087 flags: []string{flag, "-custom-extension-skip"},
7088 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007089 testCases = append(testCases, testCase{
7090 testType: testType,
7091 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7092 config: Config{
7093 MaxVersion: VersionTLS13,
7094 Bugs: ProtocolBugs{
7095 CustomExtension: skipCustomExtension,
7096 ExpectedCustomExtension: &emptyString,
7097 },
7098 },
7099 flags: []string{flag, "-custom-extension-skip"},
7100 })
Adam Langley09505632015-07-30 18:10:13 -07007101 }
7102
7103 // The custom extension add callback should not be called if the client
7104 // doesn't send the extension.
7105 testCases = append(testCases, testCase{
7106 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -04007107 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -07007108 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007109 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007110 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -07007111 ExpectedCustomExtension: &emptyString,
7112 },
7113 },
7114 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7115 })
Adam Langley2deb9842015-08-07 11:15:37 -07007116
Steven Valdez143e8b32016-07-11 13:19:03 -04007117 testCases = append(testCases, testCase{
7118 testType: serverTest,
7119 name: "CustomExtensions-NotCalled-Server-TLS13",
7120 config: Config{
7121 MaxVersion: VersionTLS13,
7122 Bugs: ProtocolBugs{
7123 ExpectedCustomExtension: &emptyString,
7124 },
7125 },
7126 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7127 })
7128
Adam Langley2deb9842015-08-07 11:15:37 -07007129 // Test an unknown extension from the server.
7130 testCases = append(testCases, testCase{
7131 testType: clientTest,
7132 name: "UnknownExtension-Client",
7133 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007134 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -07007135 Bugs: ProtocolBugs{
7136 CustomExtension: expectedContents,
7137 },
7138 },
David Benjamin0c40a962016-08-01 12:05:50 -04007139 shouldFail: true,
7140 expectedError: ":UNEXPECTED_EXTENSION:",
7141 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -07007142 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007143 testCases = append(testCases, testCase{
7144 testType: clientTest,
7145 name: "UnknownExtension-Client-TLS13",
7146 config: Config{
7147 MaxVersion: VersionTLS13,
7148 Bugs: ProtocolBugs{
7149 CustomExtension: expectedContents,
7150 },
7151 },
David Benjamin0c40a962016-08-01 12:05:50 -04007152 shouldFail: true,
7153 expectedError: ":UNEXPECTED_EXTENSION:",
7154 expectedLocalError: "remote error: unsupported extension",
7155 })
David Benjamin490469f2016-10-05 22:44:38 -04007156 testCases = append(testCases, testCase{
7157 testType: clientTest,
7158 name: "UnknownUnencryptedExtension-Client-TLS13",
7159 config: Config{
7160 MaxVersion: VersionTLS13,
7161 Bugs: ProtocolBugs{
7162 CustomUnencryptedExtension: expectedContents,
7163 },
7164 },
7165 shouldFail: true,
7166 expectedError: ":UNEXPECTED_EXTENSION:",
7167 // The shim must send an alert, but alerts at this point do not
7168 // get successfully decrypted by the runner.
7169 expectedLocalError: "local error: bad record MAC",
7170 })
7171 testCases = append(testCases, testCase{
7172 testType: clientTest,
7173 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7174 config: Config{
7175 MaxVersion: VersionTLS13,
7176 Bugs: ProtocolBugs{
7177 SendUnencryptedALPN: "foo",
7178 },
7179 },
7180 flags: []string{
7181 "-advertise-alpn", "\x03foo\x03bar",
7182 },
7183 shouldFail: true,
7184 expectedError: ":UNEXPECTED_EXTENSION:",
7185 // The shim must send an alert, but alerts at this point do not
7186 // get successfully decrypted by the runner.
7187 expectedLocalError: "local error: bad record MAC",
7188 })
David Benjamin0c40a962016-08-01 12:05:50 -04007189
7190 // Test a known but unoffered extension from the server.
7191 testCases = append(testCases, testCase{
7192 testType: clientTest,
7193 name: "UnofferedExtension-Client",
7194 config: Config{
7195 MaxVersion: VersionTLS12,
7196 Bugs: ProtocolBugs{
7197 SendALPN: "alpn",
7198 },
7199 },
7200 shouldFail: true,
7201 expectedError: ":UNEXPECTED_EXTENSION:",
7202 expectedLocalError: "remote error: unsupported extension",
7203 })
7204 testCases = append(testCases, testCase{
7205 testType: clientTest,
7206 name: "UnofferedExtension-Client-TLS13",
7207 config: Config{
7208 MaxVersion: VersionTLS13,
7209 Bugs: ProtocolBugs{
7210 SendALPN: "alpn",
7211 },
7212 },
7213 shouldFail: true,
7214 expectedError: ":UNEXPECTED_EXTENSION:",
7215 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -04007216 })
Adam Langley09505632015-07-30 18:10:13 -07007217}
7218
David Benjaminb36a3952015-12-01 18:53:13 -05007219func addRSAClientKeyExchangeTests() {
7220 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7221 testCases = append(testCases, testCase{
7222 testType: serverTest,
7223 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7224 config: Config{
7225 // Ensure the ClientHello version and final
7226 // version are different, to detect if the
7227 // server uses the wrong one.
7228 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -07007229 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -05007230 Bugs: ProtocolBugs{
7231 BadRSAClientKeyExchange: bad,
7232 },
7233 },
7234 shouldFail: true,
7235 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7236 })
7237 }
David Benjamine63d9d72016-09-19 18:27:34 -04007238
7239 // The server must compare whatever was in ClientHello.version for the
7240 // RSA premaster.
7241 testCases = append(testCases, testCase{
7242 testType: serverTest,
7243 name: "SendClientVersion-RSA",
7244 config: Config{
7245 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7246 Bugs: ProtocolBugs{
7247 SendClientVersion: 0x1234,
7248 },
7249 },
7250 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7251 })
David Benjaminb36a3952015-12-01 18:53:13 -05007252}
7253
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007254var testCurves = []struct {
7255 name string
7256 id CurveID
7257}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007258 {"P-256", CurveP256},
7259 {"P-384", CurveP384},
7260 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -05007261 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007262}
7263
Steven Valdez5440fe02016-07-18 12:40:30 -04007264const bogusCurve = 0x1234
7265
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007266func addCurveTests() {
7267 for _, curve := range testCurves {
7268 testCases = append(testCases, testCase{
7269 name: "CurveTest-Client-" + curve.name,
7270 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007271 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007272 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7273 CurvePreferences: []CurveID{curve.id},
7274 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007275 flags: []string{
7276 "-enable-all-curves",
7277 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7278 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007279 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007280 })
7281 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04007282 name: "CurveTest-Client-" + curve.name + "-TLS13",
7283 config: Config{
7284 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007285 CurvePreferences: []CurveID{curve.id},
7286 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007287 flags: []string{
7288 "-enable-all-curves",
7289 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7290 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007291 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -04007292 })
7293 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007294 testType: serverTest,
7295 name: "CurveTest-Server-" + curve.name,
7296 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007297 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007298 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7299 CurvePreferences: []CurveID{curve.id},
7300 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007301 flags: []string{
7302 "-enable-all-curves",
7303 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7304 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007305 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007306 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007307 testCases = append(testCases, testCase{
7308 testType: serverTest,
7309 name: "CurveTest-Server-" + curve.name + "-TLS13",
7310 config: Config{
7311 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007312 CurvePreferences: []CurveID{curve.id},
7313 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007314 flags: []string{
7315 "-enable-all-curves",
7316 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7317 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007318 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -04007319 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007320 }
David Benjamin241ae832016-01-15 03:04:54 -05007321
7322 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -05007323 testCases = append(testCases, testCase{
7324 testType: serverTest,
7325 name: "UnknownCurve",
7326 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007327 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -05007328 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7329 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7330 },
7331 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007332
Steven Valdez803c77a2016-09-06 14:13:43 -04007333 // The server must be tolerant to bogus curves.
7334 testCases = append(testCases, testCase{
7335 testType: serverTest,
7336 name: "UnknownCurve-TLS13",
7337 config: Config{
7338 MaxVersion: VersionTLS13,
7339 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7340 },
7341 })
7342
David Benjamin4c3ddf72016-06-29 18:13:53 -04007343 // The server must not consider ECDHE ciphers when there are no
7344 // supported curves.
7345 testCases = append(testCases, testCase{
7346 testType: serverTest,
7347 name: "NoSupportedCurves",
7348 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007349 MaxVersion: VersionTLS12,
7350 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7351 Bugs: ProtocolBugs{
7352 NoSupportedCurves: true,
7353 },
7354 },
7355 shouldFail: true,
7356 expectedError: ":NO_SHARED_CIPHER:",
7357 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007358 testCases = append(testCases, testCase{
7359 testType: serverTest,
7360 name: "NoSupportedCurves-TLS13",
7361 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007362 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007363 Bugs: ProtocolBugs{
7364 NoSupportedCurves: true,
7365 },
7366 },
7367 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -04007368 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -04007369 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007370
7371 // The server must fall back to another cipher when there are no
7372 // supported curves.
7373 testCases = append(testCases, testCase{
7374 testType: serverTest,
7375 name: "NoCommonCurves",
7376 config: Config{
7377 MaxVersion: VersionTLS12,
7378 CipherSuites: []uint16{
7379 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
7380 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7381 },
7382 CurvePreferences: []CurveID{CurveP224},
7383 },
7384 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7385 })
7386
7387 // The client must reject bogus curves and disabled curves.
7388 testCases = append(testCases, testCase{
7389 name: "BadECDHECurve",
7390 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007391 MaxVersion: VersionTLS12,
7392 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7393 Bugs: ProtocolBugs{
7394 SendCurve: bogusCurve,
7395 },
7396 },
7397 shouldFail: true,
7398 expectedError: ":WRONG_CURVE:",
7399 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007400 testCases = append(testCases, testCase{
7401 name: "BadECDHECurve-TLS13",
7402 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007403 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007404 Bugs: ProtocolBugs{
7405 SendCurve: bogusCurve,
7406 },
7407 },
7408 shouldFail: true,
7409 expectedError: ":WRONG_CURVE:",
7410 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007411
7412 testCases = append(testCases, testCase{
7413 name: "UnsupportedCurve",
7414 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007415 MaxVersion: VersionTLS12,
7416 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7417 CurvePreferences: []CurveID{CurveP256},
7418 Bugs: ProtocolBugs{
7419 IgnorePeerCurvePreferences: true,
7420 },
7421 },
7422 flags: []string{"-p384-only"},
7423 shouldFail: true,
7424 expectedError: ":WRONG_CURVE:",
7425 })
7426
David Benjamin4f921572016-07-17 14:20:10 +02007427 testCases = append(testCases, testCase{
7428 // TODO(davidben): Add a TLS 1.3 version where
7429 // HelloRetryRequest requests an unsupported curve.
7430 name: "UnsupportedCurve-ServerHello-TLS13",
7431 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007432 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +02007433 CurvePreferences: []CurveID{CurveP384},
7434 Bugs: ProtocolBugs{
7435 SendCurve: CurveP256,
7436 },
7437 },
7438 flags: []string{"-p384-only"},
7439 shouldFail: true,
7440 expectedError: ":WRONG_CURVE:",
7441 })
7442
David Benjamin4c3ddf72016-06-29 18:13:53 -04007443 // Test invalid curve points.
7444 testCases = append(testCases, testCase{
7445 name: "InvalidECDHPoint-Client",
7446 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007447 MaxVersion: VersionTLS12,
7448 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7449 CurvePreferences: []CurveID{CurveP256},
7450 Bugs: ProtocolBugs{
7451 InvalidECDHPoint: true,
7452 },
7453 },
7454 shouldFail: true,
7455 expectedError: ":INVALID_ENCODING:",
7456 })
7457 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04007458 name: "InvalidECDHPoint-Client-TLS13",
7459 config: Config{
7460 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007461 CurvePreferences: []CurveID{CurveP256},
7462 Bugs: ProtocolBugs{
7463 InvalidECDHPoint: true,
7464 },
7465 },
7466 shouldFail: true,
7467 expectedError: ":INVALID_ENCODING:",
7468 })
7469 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007470 testType: serverTest,
7471 name: "InvalidECDHPoint-Server",
7472 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007473 MaxVersion: VersionTLS12,
7474 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7475 CurvePreferences: []CurveID{CurveP256},
7476 Bugs: ProtocolBugs{
7477 InvalidECDHPoint: true,
7478 },
7479 },
7480 shouldFail: true,
7481 expectedError: ":INVALID_ENCODING:",
7482 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007483 testCases = append(testCases, testCase{
7484 testType: serverTest,
7485 name: "InvalidECDHPoint-Server-TLS13",
7486 config: Config{
7487 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007488 CurvePreferences: []CurveID{CurveP256},
7489 Bugs: ProtocolBugs{
7490 InvalidECDHPoint: true,
7491 },
7492 },
7493 shouldFail: true,
7494 expectedError: ":INVALID_ENCODING:",
7495 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007496}
7497
Matt Braithwaite54217e42016-06-13 13:03:47 -07007498func addCECPQ1Tests() {
7499 testCases = append(testCases, testCase{
7500 testType: clientTest,
7501 name: "CECPQ1-Client-BadX25519Part",
7502 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007503 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007504 MinVersion: VersionTLS12,
7505 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7506 Bugs: ProtocolBugs{
7507 CECPQ1BadX25519Part: true,
7508 },
7509 },
7510 flags: []string{"-cipher", "kCECPQ1"},
7511 shouldFail: true,
7512 expectedLocalError: "local error: bad record MAC",
7513 })
7514 testCases = append(testCases, testCase{
7515 testType: clientTest,
7516 name: "CECPQ1-Client-BadNewhopePart",
7517 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007518 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007519 MinVersion: VersionTLS12,
7520 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7521 Bugs: ProtocolBugs{
7522 CECPQ1BadNewhopePart: true,
7523 },
7524 },
7525 flags: []string{"-cipher", "kCECPQ1"},
7526 shouldFail: true,
7527 expectedLocalError: "local error: bad record MAC",
7528 })
7529 testCases = append(testCases, testCase{
7530 testType: serverTest,
7531 name: "CECPQ1-Server-BadX25519Part",
7532 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007533 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007534 MinVersion: VersionTLS12,
7535 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7536 Bugs: ProtocolBugs{
7537 CECPQ1BadX25519Part: true,
7538 },
7539 },
7540 flags: []string{"-cipher", "kCECPQ1"},
7541 shouldFail: true,
7542 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7543 })
7544 testCases = append(testCases, testCase{
7545 testType: serverTest,
7546 name: "CECPQ1-Server-BadNewhopePart",
7547 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007548 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007549 MinVersion: VersionTLS12,
7550 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7551 Bugs: ProtocolBugs{
7552 CECPQ1BadNewhopePart: true,
7553 },
7554 },
7555 flags: []string{"-cipher", "kCECPQ1"},
7556 shouldFail: true,
7557 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7558 })
7559}
7560
David Benjamin5c4e8572016-08-19 17:44:53 -04007561func addDHEGroupSizeTests() {
David Benjamin4cc36ad2015-12-19 14:23:26 -05007562 testCases = append(testCases, testCase{
David Benjamin5c4e8572016-08-19 17:44:53 -04007563 name: "DHEGroupSize-Client",
David Benjamin4cc36ad2015-12-19 14:23:26 -05007564 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007565 MaxVersion: VersionTLS12,
David Benjamin4cc36ad2015-12-19 14:23:26 -05007566 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
7567 Bugs: ProtocolBugs{
7568 // This is a 1234-bit prime number, generated
7569 // with:
7570 // openssl gendh 1234 | openssl asn1parse -i
7571 DHGroupPrime: bigFromHex("0215C589A86BE450D1255A86D7A08877A70E124C11F0C75E476BA6A2186B1C830D4A132555973F2D5881D5F737BB800B7F417C01EC5960AEBF79478F8E0BBB6A021269BD10590C64C57F50AD8169D5488B56EE38DC5E02DA1A16ED3B5F41FEB2AD184B78A31F3A5B2BEC8441928343DA35DE3D4F89F0D4CEDE0034045084A0D1E6182E5EF7FCA325DD33CE81BE7FA87D43613E8FA7A1457099AB53"),
7572 },
7573 },
David Benjamin9e68f192016-06-30 14:55:33 -04007574 flags: []string{"-expect-dhe-group-size", "1234"},
David Benjamin4cc36ad2015-12-19 14:23:26 -05007575 })
7576 testCases = append(testCases, testCase{
7577 testType: serverTest,
David Benjamin5c4e8572016-08-19 17:44:53 -04007578 name: "DHEGroupSize-Server",
David Benjamin4cc36ad2015-12-19 14:23:26 -05007579 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007580 MaxVersion: VersionTLS12,
David Benjamin4cc36ad2015-12-19 14:23:26 -05007581 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
7582 },
7583 // bssl_shim as a server configures a 2048-bit DHE group.
David Benjamin9e68f192016-06-30 14:55:33 -04007584 flags: []string{"-expect-dhe-group-size", "2048"},
David Benjamin4cc36ad2015-12-19 14:23:26 -05007585 })
David Benjamin4cc36ad2015-12-19 14:23:26 -05007586}
7587
David Benjaminc9ae27c2016-06-24 22:56:37 -04007588func addTLS13RecordTests() {
7589 testCases = append(testCases, testCase{
7590 name: "TLS13-RecordPadding",
7591 config: Config{
7592 MaxVersion: VersionTLS13,
7593 MinVersion: VersionTLS13,
7594 Bugs: ProtocolBugs{
7595 RecordPadding: 10,
7596 },
7597 },
7598 })
7599
7600 testCases = append(testCases, testCase{
7601 name: "TLS13-EmptyRecords",
7602 config: Config{
7603 MaxVersion: VersionTLS13,
7604 MinVersion: VersionTLS13,
7605 Bugs: ProtocolBugs{
7606 OmitRecordContents: true,
7607 },
7608 },
7609 shouldFail: true,
7610 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7611 })
7612
7613 testCases = append(testCases, testCase{
7614 name: "TLS13-OnlyPadding",
7615 config: Config{
7616 MaxVersion: VersionTLS13,
7617 MinVersion: VersionTLS13,
7618 Bugs: ProtocolBugs{
7619 OmitRecordContents: true,
7620 RecordPadding: 10,
7621 },
7622 },
7623 shouldFail: true,
7624 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7625 })
7626
7627 testCases = append(testCases, testCase{
7628 name: "TLS13-WrongOuterRecord",
7629 config: Config{
7630 MaxVersion: VersionTLS13,
7631 MinVersion: VersionTLS13,
7632 Bugs: ProtocolBugs{
7633 OuterRecordType: recordTypeHandshake,
7634 },
7635 },
7636 shouldFail: true,
7637 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
7638 })
7639}
7640
Steven Valdez5b986082016-09-01 12:29:49 -04007641func addSessionTicketTests() {
7642 testCases = append(testCases, testCase{
7643 // In TLS 1.2 and below, empty NewSessionTicket messages
7644 // mean the server changed its mind on sending a ticket.
7645 name: "SendEmptySessionTicket",
7646 config: Config{
7647 MaxVersion: VersionTLS12,
7648 Bugs: ProtocolBugs{
7649 SendEmptySessionTicket: true,
7650 },
7651 },
7652 flags: []string{"-expect-no-session"},
7653 })
7654
7655 // Test that the server ignores unknown PSK modes.
7656 testCases = append(testCases, testCase{
7657 testType: serverTest,
7658 name: "TLS13-SendUnknownModeSessionTicket-Server",
7659 config: Config{
7660 MaxVersion: VersionTLS13,
7661 Bugs: ProtocolBugs{
7662 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
7663 SendPSKAuthModes: []byte{0x1a, pskAuthMode, 0x2a},
7664 },
7665 },
7666 resumeSession: true,
7667 expectedResumeVersion: VersionTLS13,
7668 })
7669
7670 // Test that the server declines sessions with no matching key exchange mode.
7671 testCases = append(testCases, testCase{
7672 testType: serverTest,
7673 name: "TLS13-SendBadKEModeSessionTicket-Server",
7674 config: Config{
7675 MaxVersion: VersionTLS13,
7676 Bugs: ProtocolBugs{
7677 SendPSKKeyExchangeModes: []byte{0x1a},
7678 },
7679 },
7680 resumeSession: true,
7681 expectResumeRejected: true,
7682 })
7683
7684 // Test that the server declines sessions with no matching auth mode.
7685 testCases = append(testCases, testCase{
7686 testType: serverTest,
7687 name: "TLS13-SendBadAuthModeSessionTicket-Server",
7688 config: Config{
7689 MaxVersion: VersionTLS13,
7690 Bugs: ProtocolBugs{
7691 SendPSKAuthModes: []byte{0x1a},
7692 },
7693 },
7694 resumeSession: true,
7695 expectResumeRejected: true,
7696 })
7697
7698 // Test that the client ignores unknown PSK modes.
7699 testCases = append(testCases, testCase{
7700 testType: clientTest,
7701 name: "TLS13-SendUnknownModeSessionTicket-Client",
7702 config: Config{
7703 MaxVersion: VersionTLS13,
7704 Bugs: ProtocolBugs{
7705 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
7706 SendPSKAuthModes: []byte{0x1a, pskAuthMode, 0x2a},
7707 },
7708 },
7709 resumeSession: true,
7710 expectedResumeVersion: VersionTLS13,
7711 })
7712
7713 // Test that the client ignores tickets with no matching key exchange mode.
7714 testCases = append(testCases, testCase{
7715 testType: clientTest,
7716 name: "TLS13-SendBadKEModeSessionTicket-Client",
7717 config: Config{
7718 MaxVersion: VersionTLS13,
7719 Bugs: ProtocolBugs{
7720 SendPSKKeyExchangeModes: []byte{0x1a},
7721 },
7722 },
7723 flags: []string{"-expect-no-session"},
7724 })
7725
7726 // Test that the client ignores tickets with no matching auth mode.
7727 testCases = append(testCases, testCase{
7728 testType: clientTest,
7729 name: "TLS13-SendBadAuthModeSessionTicket-Client",
7730 config: Config{
7731 MaxVersion: VersionTLS13,
7732 Bugs: ProtocolBugs{
7733 SendPSKAuthModes: []byte{0x1a},
7734 },
7735 },
7736 flags: []string{"-expect-no-session"},
7737 })
7738}
7739
David Benjamin82261be2016-07-07 14:32:50 -07007740func addChangeCipherSpecTests() {
7741 // Test missing ChangeCipherSpecs.
7742 testCases = append(testCases, testCase{
7743 name: "SkipChangeCipherSpec-Client",
7744 config: Config{
7745 MaxVersion: VersionTLS12,
7746 Bugs: ProtocolBugs{
7747 SkipChangeCipherSpec: true,
7748 },
7749 },
7750 shouldFail: true,
7751 expectedError: ":UNEXPECTED_RECORD:",
7752 })
7753 testCases = append(testCases, testCase{
7754 testType: serverTest,
7755 name: "SkipChangeCipherSpec-Server",
7756 config: Config{
7757 MaxVersion: VersionTLS12,
7758 Bugs: ProtocolBugs{
7759 SkipChangeCipherSpec: true,
7760 },
7761 },
7762 shouldFail: true,
7763 expectedError: ":UNEXPECTED_RECORD:",
7764 })
7765 testCases = append(testCases, testCase{
7766 testType: serverTest,
7767 name: "SkipChangeCipherSpec-Server-NPN",
7768 config: Config{
7769 MaxVersion: VersionTLS12,
7770 NextProtos: []string{"bar"},
7771 Bugs: ProtocolBugs{
7772 SkipChangeCipherSpec: true,
7773 },
7774 },
7775 flags: []string{
7776 "-advertise-npn", "\x03foo\x03bar\x03baz",
7777 },
7778 shouldFail: true,
7779 expectedError: ":UNEXPECTED_RECORD:",
7780 })
7781
7782 // Test synchronization between the handshake and ChangeCipherSpec.
7783 // Partial post-CCS handshake messages before ChangeCipherSpec should be
7784 // rejected. Test both with and without handshake packing to handle both
7785 // when the partial post-CCS message is in its own record and when it is
7786 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -07007787 for _, packed := range []bool{false, true} {
7788 var suffix string
7789 if packed {
7790 suffix = "-Packed"
7791 }
7792
7793 testCases = append(testCases, testCase{
7794 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
7795 config: Config{
7796 MaxVersion: VersionTLS12,
7797 Bugs: ProtocolBugs{
7798 FragmentAcrossChangeCipherSpec: true,
7799 PackHandshakeFlight: packed,
7800 },
7801 },
7802 shouldFail: true,
7803 expectedError: ":UNEXPECTED_RECORD:",
7804 })
7805 testCases = append(testCases, testCase{
7806 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
7807 config: Config{
7808 MaxVersion: VersionTLS12,
7809 },
7810 resumeSession: true,
7811 resumeConfig: &Config{
7812 MaxVersion: VersionTLS12,
7813 Bugs: ProtocolBugs{
7814 FragmentAcrossChangeCipherSpec: true,
7815 PackHandshakeFlight: packed,
7816 },
7817 },
7818 shouldFail: true,
7819 expectedError: ":UNEXPECTED_RECORD:",
7820 })
7821 testCases = append(testCases, testCase{
7822 testType: serverTest,
7823 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
7824 config: Config{
7825 MaxVersion: VersionTLS12,
7826 Bugs: ProtocolBugs{
7827 FragmentAcrossChangeCipherSpec: true,
7828 PackHandshakeFlight: packed,
7829 },
7830 },
7831 shouldFail: true,
7832 expectedError: ":UNEXPECTED_RECORD:",
7833 })
7834 testCases = append(testCases, testCase{
7835 testType: serverTest,
7836 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
7837 config: Config{
7838 MaxVersion: VersionTLS12,
7839 },
7840 resumeSession: true,
7841 resumeConfig: &Config{
7842 MaxVersion: VersionTLS12,
7843 Bugs: ProtocolBugs{
7844 FragmentAcrossChangeCipherSpec: true,
7845 PackHandshakeFlight: packed,
7846 },
7847 },
7848 shouldFail: true,
7849 expectedError: ":UNEXPECTED_RECORD:",
7850 })
7851 testCases = append(testCases, testCase{
7852 testType: serverTest,
7853 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
7854 config: Config{
7855 MaxVersion: VersionTLS12,
7856 NextProtos: []string{"bar"},
7857 Bugs: ProtocolBugs{
7858 FragmentAcrossChangeCipherSpec: true,
7859 PackHandshakeFlight: packed,
7860 },
7861 },
7862 flags: []string{
7863 "-advertise-npn", "\x03foo\x03bar\x03baz",
7864 },
7865 shouldFail: true,
7866 expectedError: ":UNEXPECTED_RECORD:",
7867 })
7868 }
7869
David Benjamin61672812016-07-14 23:10:43 -04007870 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
7871 // messages in the handshake queue. Do this by testing the server
7872 // reading the client Finished, reversing the flight so Finished comes
7873 // first.
7874 testCases = append(testCases, testCase{
7875 protocol: dtls,
7876 testType: serverTest,
7877 name: "SendUnencryptedFinished-DTLS",
7878 config: Config{
7879 MaxVersion: VersionTLS12,
7880 Bugs: ProtocolBugs{
7881 SendUnencryptedFinished: true,
7882 ReverseHandshakeFragments: true,
7883 },
7884 },
7885 shouldFail: true,
7886 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
7887 })
7888
Steven Valdez143e8b32016-07-11 13:19:03 -04007889 // Test synchronization between encryption changes and the handshake in
7890 // TLS 1.3, where ChangeCipherSpec is implicit.
7891 testCases = append(testCases, testCase{
7892 name: "PartialEncryptedExtensionsWithServerHello",
7893 config: Config{
7894 MaxVersion: VersionTLS13,
7895 Bugs: ProtocolBugs{
7896 PartialEncryptedExtensionsWithServerHello: true,
7897 },
7898 },
7899 shouldFail: true,
7900 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
7901 })
7902 testCases = append(testCases, testCase{
7903 testType: serverTest,
7904 name: "PartialClientFinishedWithClientHello",
7905 config: Config{
7906 MaxVersion: VersionTLS13,
7907 Bugs: ProtocolBugs{
7908 PartialClientFinishedWithClientHello: true,
7909 },
7910 },
7911 shouldFail: true,
7912 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
7913 })
7914
David Benjamin82261be2016-07-07 14:32:50 -07007915 // Test that early ChangeCipherSpecs are handled correctly.
7916 testCases = append(testCases, testCase{
7917 testType: serverTest,
7918 name: "EarlyChangeCipherSpec-server-1",
7919 config: Config{
7920 MaxVersion: VersionTLS12,
7921 Bugs: ProtocolBugs{
7922 EarlyChangeCipherSpec: 1,
7923 },
7924 },
7925 shouldFail: true,
7926 expectedError: ":UNEXPECTED_RECORD:",
7927 })
7928 testCases = append(testCases, testCase{
7929 testType: serverTest,
7930 name: "EarlyChangeCipherSpec-server-2",
7931 config: Config{
7932 MaxVersion: VersionTLS12,
7933 Bugs: ProtocolBugs{
7934 EarlyChangeCipherSpec: 2,
7935 },
7936 },
7937 shouldFail: true,
7938 expectedError: ":UNEXPECTED_RECORD:",
7939 })
7940 testCases = append(testCases, testCase{
7941 protocol: dtls,
7942 name: "StrayChangeCipherSpec",
7943 config: Config{
7944 // TODO(davidben): Once DTLS 1.3 exists, test
7945 // that stray ChangeCipherSpec messages are
7946 // rejected.
7947 MaxVersion: VersionTLS12,
7948 Bugs: ProtocolBugs{
7949 StrayChangeCipherSpec: true,
7950 },
7951 },
7952 })
7953
7954 // Test that the contents of ChangeCipherSpec are checked.
7955 testCases = append(testCases, testCase{
7956 name: "BadChangeCipherSpec-1",
7957 config: Config{
7958 MaxVersion: VersionTLS12,
7959 Bugs: ProtocolBugs{
7960 BadChangeCipherSpec: []byte{2},
7961 },
7962 },
7963 shouldFail: true,
7964 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
7965 })
7966 testCases = append(testCases, testCase{
7967 name: "BadChangeCipherSpec-2",
7968 config: Config{
7969 MaxVersion: VersionTLS12,
7970 Bugs: ProtocolBugs{
7971 BadChangeCipherSpec: []byte{1, 1},
7972 },
7973 },
7974 shouldFail: true,
7975 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
7976 })
7977 testCases = append(testCases, testCase{
7978 protocol: dtls,
7979 name: "BadChangeCipherSpec-DTLS-1",
7980 config: Config{
7981 MaxVersion: VersionTLS12,
7982 Bugs: ProtocolBugs{
7983 BadChangeCipherSpec: []byte{2},
7984 },
7985 },
7986 shouldFail: true,
7987 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
7988 })
7989 testCases = append(testCases, testCase{
7990 protocol: dtls,
7991 name: "BadChangeCipherSpec-DTLS-2",
7992 config: Config{
7993 MaxVersion: VersionTLS12,
7994 Bugs: ProtocolBugs{
7995 BadChangeCipherSpec: []byte{1, 1},
7996 },
7997 },
7998 shouldFail: true,
7999 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8000 })
8001}
8002
David Benjamincd2c8062016-09-09 11:28:16 -04008003type perMessageTest struct {
8004 messageType uint8
8005 test testCase
8006}
8007
8008// makePerMessageTests returns a series of test templates which cover each
8009// message in the TLS handshake. These may be used with bugs like
8010// WrongMessageType to fully test a per-message bug.
8011func makePerMessageTests() []perMessageTest {
8012 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -04008013 for _, protocol := range []protocol{tls, dtls} {
8014 var suffix string
8015 if protocol == dtls {
8016 suffix = "-DTLS"
8017 }
8018
David Benjamincd2c8062016-09-09 11:28:16 -04008019 ret = append(ret, perMessageTest{
8020 messageType: typeClientHello,
8021 test: testCase{
8022 protocol: protocol,
8023 testType: serverTest,
8024 name: "ClientHello" + suffix,
8025 config: Config{
8026 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008027 },
8028 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008029 })
8030
8031 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -04008032 ret = append(ret, perMessageTest{
8033 messageType: typeHelloVerifyRequest,
8034 test: testCase{
8035 protocol: protocol,
8036 name: "HelloVerifyRequest" + suffix,
8037 config: Config{
8038 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008039 },
8040 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008041 })
8042 }
8043
David Benjamincd2c8062016-09-09 11:28:16 -04008044 ret = append(ret, perMessageTest{
8045 messageType: typeServerHello,
8046 test: testCase{
8047 protocol: protocol,
8048 name: "ServerHello" + suffix,
8049 config: Config{
8050 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008051 },
8052 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008053 })
8054
David Benjamincd2c8062016-09-09 11:28:16 -04008055 ret = append(ret, perMessageTest{
8056 messageType: typeCertificate,
8057 test: testCase{
8058 protocol: protocol,
8059 name: "ServerCertificate" + suffix,
8060 config: Config{
8061 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008062 },
8063 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008064 })
8065
David Benjamincd2c8062016-09-09 11:28:16 -04008066 ret = append(ret, perMessageTest{
8067 messageType: typeCertificateStatus,
8068 test: testCase{
8069 protocol: protocol,
8070 name: "CertificateStatus" + suffix,
8071 config: Config{
8072 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008073 },
David Benjamincd2c8062016-09-09 11:28:16 -04008074 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008075 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008076 })
8077
David Benjamincd2c8062016-09-09 11:28:16 -04008078 ret = append(ret, perMessageTest{
8079 messageType: typeServerKeyExchange,
8080 test: testCase{
8081 protocol: protocol,
8082 name: "ServerKeyExchange" + suffix,
8083 config: Config{
8084 MaxVersion: VersionTLS12,
8085 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008086 },
8087 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008088 })
8089
David Benjamincd2c8062016-09-09 11:28:16 -04008090 ret = append(ret, perMessageTest{
8091 messageType: typeCertificateRequest,
8092 test: testCase{
8093 protocol: protocol,
8094 name: "CertificateRequest" + suffix,
8095 config: Config{
8096 MaxVersion: VersionTLS12,
8097 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008098 },
8099 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008100 })
8101
David Benjamincd2c8062016-09-09 11:28:16 -04008102 ret = append(ret, perMessageTest{
8103 messageType: typeServerHelloDone,
8104 test: testCase{
8105 protocol: protocol,
8106 name: "ServerHelloDone" + suffix,
8107 config: Config{
8108 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008109 },
8110 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008111 })
8112
David Benjamincd2c8062016-09-09 11:28:16 -04008113 ret = append(ret, perMessageTest{
8114 messageType: typeCertificate,
8115 test: testCase{
8116 testType: serverTest,
8117 protocol: protocol,
8118 name: "ClientCertificate" + suffix,
8119 config: Config{
8120 Certificates: []Certificate{rsaCertificate},
8121 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008122 },
David Benjamincd2c8062016-09-09 11:28:16 -04008123 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008124 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008125 })
8126
David Benjamincd2c8062016-09-09 11:28:16 -04008127 ret = append(ret, perMessageTest{
8128 messageType: typeCertificateVerify,
8129 test: testCase{
8130 testType: serverTest,
8131 protocol: protocol,
8132 name: "CertificateVerify" + suffix,
8133 config: Config{
8134 Certificates: []Certificate{rsaCertificate},
8135 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008136 },
David Benjamincd2c8062016-09-09 11:28:16 -04008137 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008138 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008139 })
8140
David Benjamincd2c8062016-09-09 11:28:16 -04008141 ret = append(ret, perMessageTest{
8142 messageType: typeClientKeyExchange,
8143 test: testCase{
8144 testType: serverTest,
8145 protocol: protocol,
8146 name: "ClientKeyExchange" + suffix,
8147 config: Config{
8148 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008149 },
8150 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008151 })
8152
8153 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -04008154 ret = append(ret, perMessageTest{
8155 messageType: typeNextProtocol,
8156 test: testCase{
8157 testType: serverTest,
8158 protocol: protocol,
8159 name: "NextProtocol" + suffix,
8160 config: Config{
8161 MaxVersion: VersionTLS12,
8162 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008163 },
David Benjamincd2c8062016-09-09 11:28:16 -04008164 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008165 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008166 })
8167
David Benjamincd2c8062016-09-09 11:28:16 -04008168 ret = append(ret, perMessageTest{
8169 messageType: typeChannelID,
8170 test: testCase{
8171 testType: serverTest,
8172 protocol: protocol,
8173 name: "ChannelID" + suffix,
8174 config: Config{
8175 MaxVersion: VersionTLS12,
8176 ChannelID: channelIDKey,
8177 },
8178 flags: []string{
8179 "-expect-channel-id",
8180 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -04008181 },
8182 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008183 })
8184 }
8185
David Benjamincd2c8062016-09-09 11:28:16 -04008186 ret = append(ret, perMessageTest{
8187 messageType: typeFinished,
8188 test: testCase{
8189 testType: serverTest,
8190 protocol: protocol,
8191 name: "ClientFinished" + suffix,
8192 config: Config{
8193 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008194 },
8195 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008196 })
8197
David Benjamincd2c8062016-09-09 11:28:16 -04008198 ret = append(ret, perMessageTest{
8199 messageType: typeNewSessionTicket,
8200 test: testCase{
8201 protocol: protocol,
8202 name: "NewSessionTicket" + suffix,
8203 config: Config{
8204 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008205 },
8206 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008207 })
8208
David Benjamincd2c8062016-09-09 11:28:16 -04008209 ret = append(ret, perMessageTest{
8210 messageType: typeFinished,
8211 test: testCase{
8212 protocol: protocol,
8213 name: "ServerFinished" + suffix,
8214 config: Config{
8215 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008216 },
8217 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008218 })
8219
8220 }
David Benjamincd2c8062016-09-09 11:28:16 -04008221
8222 ret = append(ret, perMessageTest{
8223 messageType: typeClientHello,
8224 test: testCase{
8225 testType: serverTest,
8226 name: "TLS13-ClientHello",
8227 config: Config{
8228 MaxVersion: VersionTLS13,
8229 },
8230 },
8231 })
8232
8233 ret = append(ret, perMessageTest{
8234 messageType: typeServerHello,
8235 test: testCase{
8236 name: "TLS13-ServerHello",
8237 config: Config{
8238 MaxVersion: VersionTLS13,
8239 },
8240 },
8241 })
8242
8243 ret = append(ret, perMessageTest{
8244 messageType: typeEncryptedExtensions,
8245 test: testCase{
8246 name: "TLS13-EncryptedExtensions",
8247 config: Config{
8248 MaxVersion: VersionTLS13,
8249 },
8250 },
8251 })
8252
8253 ret = append(ret, perMessageTest{
8254 messageType: typeCertificateRequest,
8255 test: testCase{
8256 name: "TLS13-CertificateRequest",
8257 config: Config{
8258 MaxVersion: VersionTLS13,
8259 ClientAuth: RequireAnyClientCert,
8260 },
8261 },
8262 })
8263
8264 ret = append(ret, perMessageTest{
8265 messageType: typeCertificate,
8266 test: testCase{
8267 name: "TLS13-ServerCertificate",
8268 config: Config{
8269 MaxVersion: VersionTLS13,
8270 },
8271 },
8272 })
8273
8274 ret = append(ret, perMessageTest{
8275 messageType: typeCertificateVerify,
8276 test: testCase{
8277 name: "TLS13-ServerCertificateVerify",
8278 config: Config{
8279 MaxVersion: VersionTLS13,
8280 },
8281 },
8282 })
8283
8284 ret = append(ret, perMessageTest{
8285 messageType: typeFinished,
8286 test: testCase{
8287 name: "TLS13-ServerFinished",
8288 config: Config{
8289 MaxVersion: VersionTLS13,
8290 },
8291 },
8292 })
8293
8294 ret = append(ret, perMessageTest{
8295 messageType: typeCertificate,
8296 test: testCase{
8297 testType: serverTest,
8298 name: "TLS13-ClientCertificate",
8299 config: Config{
8300 Certificates: []Certificate{rsaCertificate},
8301 MaxVersion: VersionTLS13,
8302 },
8303 flags: []string{"-require-any-client-certificate"},
8304 },
8305 })
8306
8307 ret = append(ret, perMessageTest{
8308 messageType: typeCertificateVerify,
8309 test: testCase{
8310 testType: serverTest,
8311 name: "TLS13-ClientCertificateVerify",
8312 config: Config{
8313 Certificates: []Certificate{rsaCertificate},
8314 MaxVersion: VersionTLS13,
8315 },
8316 flags: []string{"-require-any-client-certificate"},
8317 },
8318 })
8319
8320 ret = append(ret, perMessageTest{
8321 messageType: typeFinished,
8322 test: testCase{
8323 testType: serverTest,
8324 name: "TLS13-ClientFinished",
8325 config: Config{
8326 MaxVersion: VersionTLS13,
8327 },
8328 },
8329 })
8330
8331 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -04008332}
8333
David Benjamincd2c8062016-09-09 11:28:16 -04008334func addWrongMessageTypeTests() {
8335 for _, t := range makePerMessageTests() {
8336 t.test.name = "WrongMessageType-" + t.test.name
8337 t.test.config.Bugs.SendWrongMessageType = t.messageType
8338 t.test.shouldFail = true
8339 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
8340 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -04008341
David Benjamincd2c8062016-09-09 11:28:16 -04008342 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
8343 // In TLS 1.3, a bad ServerHello means the client sends
8344 // an unencrypted alert while the server expects
8345 // encryption, so the alert is not readable by runner.
8346 t.test.expectedLocalError = "local error: bad record MAC"
8347 }
Steven Valdez143e8b32016-07-11 13:19:03 -04008348
David Benjamincd2c8062016-09-09 11:28:16 -04008349 testCases = append(testCases, t.test)
8350 }
Steven Valdez143e8b32016-07-11 13:19:03 -04008351}
8352
David Benjamin639846e2016-09-09 11:41:18 -04008353func addTrailingMessageDataTests() {
8354 for _, t := range makePerMessageTests() {
8355 t.test.name = "TrailingMessageData-" + t.test.name
8356 t.test.config.Bugs.SendTrailingMessageData = t.messageType
8357 t.test.shouldFail = true
8358 t.test.expectedError = ":DECODE_ERROR:"
8359 t.test.expectedLocalError = "remote error: error decoding message"
8360
8361 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
8362 // In TLS 1.3, a bad ServerHello means the client sends
8363 // an unencrypted alert while the server expects
8364 // encryption, so the alert is not readable by runner.
8365 t.test.expectedLocalError = "local error: bad record MAC"
8366 }
8367
8368 if t.messageType == typeFinished {
8369 // Bad Finished messages read as the verify data having
8370 // the wrong length.
8371 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
8372 t.test.expectedLocalError = "remote error: error decrypting message"
8373 }
8374
8375 testCases = append(testCases, t.test)
8376 }
8377}
8378
Steven Valdez143e8b32016-07-11 13:19:03 -04008379func addTLS13HandshakeTests() {
8380 testCases = append(testCases, testCase{
8381 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -04008382 name: "NegotiatePSKResumption-TLS13",
8383 config: Config{
8384 MaxVersion: VersionTLS13,
8385 Bugs: ProtocolBugs{
8386 NegotiatePSKResumption: true,
8387 },
8388 },
8389 resumeSession: true,
8390 shouldFail: true,
8391 expectedError: ":UNEXPECTED_EXTENSION:",
8392 })
8393
8394 testCases = append(testCases, testCase{
8395 testType: clientTest,
8396 name: "OmitServerHelloSignatureAlgorithms",
8397 config: Config{
8398 MaxVersion: VersionTLS13,
8399 Bugs: ProtocolBugs{
8400 OmitServerHelloSignatureAlgorithms: true,
8401 },
8402 },
8403 shouldFail: true,
8404 expectedError: ":UNEXPECTED_EXTENSION:",
8405 })
8406
8407 testCases = append(testCases, testCase{
8408 testType: clientTest,
8409 name: "IncludeServerHelloSignatureAlgorithms",
8410 config: Config{
8411 MaxVersion: VersionTLS13,
8412 Bugs: ProtocolBugs{
8413 IncludeServerHelloSignatureAlgorithms: true,
8414 },
8415 },
8416 resumeSession: true,
8417 shouldFail: true,
8418 expectedError: ":UNEXPECTED_EXTENSION:",
8419 })
8420
8421 testCases = append(testCases, testCase{
8422 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04008423 name: "MissingKeyShare-Client",
8424 config: Config{
8425 MaxVersion: VersionTLS13,
8426 Bugs: ProtocolBugs{
8427 MissingKeyShare: true,
8428 },
8429 },
8430 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -04008431 expectedError: ":UNEXPECTED_EXTENSION:",
Steven Valdez143e8b32016-07-11 13:19:03 -04008432 })
8433
8434 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -04008435 testType: serverTest,
8436 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -04008437 config: Config{
8438 MaxVersion: VersionTLS13,
8439 Bugs: ProtocolBugs{
8440 MissingKeyShare: true,
8441 },
8442 },
8443 shouldFail: true,
8444 expectedError: ":MISSING_KEY_SHARE:",
8445 })
8446
8447 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04008448 testType: serverTest,
8449 name: "DuplicateKeyShares",
8450 config: Config{
8451 MaxVersion: VersionTLS13,
8452 Bugs: ProtocolBugs{
8453 DuplicateKeyShares: true,
8454 },
8455 },
David Benjamin7e1f9842016-09-20 19:24:40 -04008456 shouldFail: true,
8457 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -04008458 })
8459
8460 testCases = append(testCases, testCase{
8461 testType: clientTest,
8462 name: "EmptyEncryptedExtensions",
8463 config: Config{
8464 MaxVersion: VersionTLS13,
8465 Bugs: ProtocolBugs{
8466 EmptyEncryptedExtensions: true,
8467 },
8468 },
8469 shouldFail: true,
8470 expectedLocalError: "remote error: error decoding message",
8471 })
8472
8473 testCases = append(testCases, testCase{
8474 testType: clientTest,
8475 name: "EncryptedExtensionsWithKeyShare",
8476 config: Config{
8477 MaxVersion: VersionTLS13,
8478 Bugs: ProtocolBugs{
8479 EncryptedExtensionsWithKeyShare: true,
8480 },
8481 },
8482 shouldFail: true,
8483 expectedLocalError: "remote error: unsupported extension",
8484 })
Steven Valdez5440fe02016-07-18 12:40:30 -04008485
8486 testCases = append(testCases, testCase{
8487 testType: serverTest,
8488 name: "SendHelloRetryRequest",
8489 config: Config{
8490 MaxVersion: VersionTLS13,
8491 // Require a HelloRetryRequest for every curve.
8492 DefaultCurves: []CurveID{},
8493 },
8494 expectedCurveID: CurveX25519,
8495 })
8496
8497 testCases = append(testCases, testCase{
8498 testType: serverTest,
8499 name: "SendHelloRetryRequest-2",
8500 config: Config{
8501 MaxVersion: VersionTLS13,
8502 DefaultCurves: []CurveID{CurveP384},
8503 },
8504 // Although the ClientHello did not predict our preferred curve,
8505 // we always select it whether it is predicted or not.
8506 expectedCurveID: CurveX25519,
8507 })
8508
8509 testCases = append(testCases, testCase{
8510 name: "UnknownCurve-HelloRetryRequest",
8511 config: Config{
8512 MaxVersion: VersionTLS13,
8513 // P-384 requires HelloRetryRequest in BoringSSL.
8514 CurvePreferences: []CurveID{CurveP384},
8515 Bugs: ProtocolBugs{
8516 SendHelloRetryRequestCurve: bogusCurve,
8517 },
8518 },
8519 shouldFail: true,
8520 expectedError: ":WRONG_CURVE:",
8521 })
8522
8523 testCases = append(testCases, testCase{
8524 name: "DisabledCurve-HelloRetryRequest",
8525 config: Config{
8526 MaxVersion: VersionTLS13,
8527 CurvePreferences: []CurveID{CurveP256},
8528 Bugs: ProtocolBugs{
8529 IgnorePeerCurvePreferences: true,
8530 },
8531 },
8532 flags: []string{"-p384-only"},
8533 shouldFail: true,
8534 expectedError: ":WRONG_CURVE:",
8535 })
8536
8537 testCases = append(testCases, testCase{
8538 name: "UnnecessaryHelloRetryRequest",
8539 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -04008540 MaxVersion: VersionTLS13,
8541 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -04008542 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -04008543 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -04008544 },
8545 },
8546 shouldFail: true,
8547 expectedError: ":WRONG_CURVE:",
8548 })
8549
8550 testCases = append(testCases, testCase{
8551 name: "SecondHelloRetryRequest",
8552 config: Config{
8553 MaxVersion: VersionTLS13,
8554 // P-384 requires HelloRetryRequest in BoringSSL.
8555 CurvePreferences: []CurveID{CurveP384},
8556 Bugs: ProtocolBugs{
8557 SecondHelloRetryRequest: true,
8558 },
8559 },
8560 shouldFail: true,
8561 expectedError: ":UNEXPECTED_MESSAGE:",
8562 })
8563
8564 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -04008565 name: "HelloRetryRequest-Empty",
8566 config: Config{
8567 MaxVersion: VersionTLS13,
8568 Bugs: ProtocolBugs{
8569 AlwaysSendHelloRetryRequest: true,
8570 },
8571 },
8572 shouldFail: true,
8573 expectedError: ":DECODE_ERROR:",
8574 })
8575
8576 testCases = append(testCases, testCase{
8577 name: "HelloRetryRequest-DuplicateCurve",
8578 config: Config{
8579 MaxVersion: VersionTLS13,
8580 // P-384 requires a HelloRetryRequest against BoringSSL's default
8581 // configuration. Assert this ExpectMissingKeyShare.
8582 CurvePreferences: []CurveID{CurveP384},
8583 Bugs: ProtocolBugs{
8584 ExpectMissingKeyShare: true,
8585 DuplicateHelloRetryRequestExtensions: true,
8586 },
8587 },
8588 shouldFail: true,
8589 expectedError: ":DUPLICATE_EXTENSION:",
8590 expectedLocalError: "remote error: illegal parameter",
8591 })
8592
8593 testCases = append(testCases, testCase{
8594 name: "HelloRetryRequest-Cookie",
8595 config: Config{
8596 MaxVersion: VersionTLS13,
8597 Bugs: ProtocolBugs{
8598 SendHelloRetryRequestCookie: []byte("cookie"),
8599 },
8600 },
8601 })
8602
8603 testCases = append(testCases, testCase{
8604 name: "HelloRetryRequest-DuplicateCookie",
8605 config: Config{
8606 MaxVersion: VersionTLS13,
8607 Bugs: ProtocolBugs{
8608 SendHelloRetryRequestCookie: []byte("cookie"),
8609 DuplicateHelloRetryRequestExtensions: true,
8610 },
8611 },
8612 shouldFail: true,
8613 expectedError: ":DUPLICATE_EXTENSION:",
8614 expectedLocalError: "remote error: illegal parameter",
8615 })
8616
8617 testCases = append(testCases, testCase{
8618 name: "HelloRetryRequest-EmptyCookie",
8619 config: Config{
8620 MaxVersion: VersionTLS13,
8621 Bugs: ProtocolBugs{
8622 SendHelloRetryRequestCookie: []byte{},
8623 },
8624 },
8625 shouldFail: true,
8626 expectedError: ":DECODE_ERROR:",
8627 })
8628
8629 testCases = append(testCases, testCase{
8630 name: "HelloRetryRequest-Cookie-Curve",
8631 config: Config{
8632 MaxVersion: VersionTLS13,
8633 // P-384 requires HelloRetryRequest in BoringSSL.
8634 CurvePreferences: []CurveID{CurveP384},
8635 Bugs: ProtocolBugs{
8636 SendHelloRetryRequestCookie: []byte("cookie"),
8637 ExpectMissingKeyShare: true,
8638 },
8639 },
8640 })
8641
8642 testCases = append(testCases, testCase{
8643 name: "HelloRetryRequest-Unknown",
8644 config: Config{
8645 MaxVersion: VersionTLS13,
8646 Bugs: ProtocolBugs{
8647 CustomHelloRetryRequestExtension: "extension",
8648 },
8649 },
8650 shouldFail: true,
8651 expectedError: ":UNEXPECTED_EXTENSION:",
8652 expectedLocalError: "remote error: unsupported extension",
8653 })
8654
8655 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -04008656 testType: serverTest,
8657 name: "SecondClientHelloMissingKeyShare",
8658 config: Config{
8659 MaxVersion: VersionTLS13,
8660 DefaultCurves: []CurveID{},
8661 Bugs: ProtocolBugs{
8662 SecondClientHelloMissingKeyShare: true,
8663 },
8664 },
8665 shouldFail: true,
8666 expectedError: ":MISSING_KEY_SHARE:",
8667 })
8668
8669 testCases = append(testCases, testCase{
8670 testType: serverTest,
8671 name: "SecondClientHelloWrongCurve",
8672 config: Config{
8673 MaxVersion: VersionTLS13,
8674 DefaultCurves: []CurveID{},
8675 Bugs: ProtocolBugs{
8676 MisinterpretHelloRetryRequestCurve: CurveP521,
8677 },
8678 },
8679 shouldFail: true,
8680 expectedError: ":WRONG_CURVE:",
8681 })
8682
8683 testCases = append(testCases, testCase{
8684 name: "HelloRetryRequestVersionMismatch",
8685 config: Config{
8686 MaxVersion: VersionTLS13,
8687 // P-384 requires HelloRetryRequest in BoringSSL.
8688 CurvePreferences: []CurveID{CurveP384},
8689 Bugs: ProtocolBugs{
8690 SendServerHelloVersion: 0x0305,
8691 },
8692 },
8693 shouldFail: true,
8694 expectedError: ":WRONG_VERSION_NUMBER:",
8695 })
8696
8697 testCases = append(testCases, testCase{
8698 name: "HelloRetryRequestCurveMismatch",
8699 config: Config{
8700 MaxVersion: VersionTLS13,
8701 // P-384 requires HelloRetryRequest in BoringSSL.
8702 CurvePreferences: []CurveID{CurveP384},
8703 Bugs: ProtocolBugs{
8704 // Send P-384 (correct) in the HelloRetryRequest.
8705 SendHelloRetryRequestCurve: CurveP384,
8706 // But send P-256 in the ServerHello.
8707 SendCurve: CurveP256,
8708 },
8709 },
8710 shouldFail: true,
8711 expectedError: ":WRONG_CURVE:",
8712 })
8713
8714 // Test the server selecting a curve that requires a HelloRetryRequest
8715 // without sending it.
8716 testCases = append(testCases, testCase{
8717 name: "SkipHelloRetryRequest",
8718 config: Config{
8719 MaxVersion: VersionTLS13,
8720 // P-384 requires HelloRetryRequest in BoringSSL.
8721 CurvePreferences: []CurveID{CurveP384},
8722 Bugs: ProtocolBugs{
8723 SkipHelloRetryRequest: true,
8724 },
8725 },
8726 shouldFail: true,
8727 expectedError: ":WRONG_CURVE:",
8728 })
David Benjamin8a8349b2016-08-18 02:32:23 -04008729
8730 testCases = append(testCases, testCase{
8731 name: "TLS13-RequestContextInHandshake",
8732 config: Config{
8733 MaxVersion: VersionTLS13,
8734 MinVersion: VersionTLS13,
8735 ClientAuth: RequireAnyClientCert,
8736 Bugs: ProtocolBugs{
8737 SendRequestContext: []byte("request context"),
8738 },
8739 },
8740 flags: []string{
8741 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
8742 "-key-file", path.Join(*resourceDir, rsaKeyFile),
8743 },
8744 shouldFail: true,
8745 expectedError: ":DECODE_ERROR:",
8746 })
David Benjamin7e1f9842016-09-20 19:24:40 -04008747
8748 testCases = append(testCases, testCase{
8749 testType: serverTest,
8750 name: "TLS13-TrailingKeyShareData",
8751 config: Config{
8752 MaxVersion: VersionTLS13,
8753 Bugs: ProtocolBugs{
8754 TrailingKeyShareData: true,
8755 },
8756 },
8757 shouldFail: true,
8758 expectedError: ":DECODE_ERROR:",
8759 })
David Benjamin7f78df42016-10-05 22:33:19 -04008760
8761 testCases = append(testCases, testCase{
8762 name: "TLS13-AlwaysSelectPSKIdentity",
8763 config: Config{
8764 MaxVersion: VersionTLS13,
8765 Bugs: ProtocolBugs{
8766 AlwaysSelectPSKIdentity: true,
8767 },
8768 },
8769 shouldFail: true,
8770 expectedError: ":UNEXPECTED_EXTENSION:",
8771 })
8772
8773 testCases = append(testCases, testCase{
8774 name: "TLS13-InvalidPSKIdentity",
8775 config: Config{
8776 MaxVersion: VersionTLS13,
8777 Bugs: ProtocolBugs{
8778 SelectPSKIdentityOnResume: 1,
8779 },
8780 },
8781 resumeSession: true,
8782 shouldFail: true,
8783 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
8784 })
David Benjamin1286bee2016-10-07 15:25:06 -04008785
8786 // Test that unknown NewSessionTicket extensions are tolerated.
8787 testCases = append(testCases, testCase{
8788 name: "TLS13-CustomTicketExtension",
8789 config: Config{
8790 MaxVersion: VersionTLS13,
8791 Bugs: ProtocolBugs{
8792 CustomTicketExtension: "1234",
8793 },
8794 },
8795 })
Steven Valdez143e8b32016-07-11 13:19:03 -04008796}
8797
David Benjaminf3fbade2016-09-19 13:08:16 -04008798func addPeekTests() {
8799 // Test SSL_peek works, including on empty records.
8800 testCases = append(testCases, testCase{
8801 name: "Peek-Basic",
8802 sendEmptyRecords: 1,
8803 flags: []string{"-peek-then-read"},
8804 })
8805
8806 // Test SSL_peek can drive the initial handshake.
8807 testCases = append(testCases, testCase{
8808 name: "Peek-ImplicitHandshake",
8809 flags: []string{
8810 "-peek-then-read",
8811 "-implicit-handshake",
8812 },
8813 })
8814
8815 // Test SSL_peek can discover and drive a renegotiation.
8816 testCases = append(testCases, testCase{
8817 name: "Peek-Renegotiate",
8818 config: Config{
8819 MaxVersion: VersionTLS12,
8820 },
8821 renegotiate: 1,
8822 flags: []string{
8823 "-peek-then-read",
8824 "-renegotiate-freely",
8825 "-expect-total-renegotiations", "1",
8826 },
8827 })
8828
8829 // Test SSL_peek can discover a close_notify.
8830 testCases = append(testCases, testCase{
8831 name: "Peek-Shutdown",
8832 config: Config{
8833 Bugs: ProtocolBugs{
8834 ExpectCloseNotify: true,
8835 },
8836 },
8837 flags: []string{
8838 "-peek-then-read",
8839 "-check-close-notify",
8840 },
8841 })
8842
8843 // Test SSL_peek can discover an alert.
8844 testCases = append(testCases, testCase{
8845 name: "Peek-Alert",
8846 config: Config{
8847 Bugs: ProtocolBugs{
8848 SendSpuriousAlert: alertRecordOverflow,
8849 },
8850 },
8851 flags: []string{"-peek-then-read"},
8852 shouldFail: true,
8853 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
8854 })
8855
8856 // Test SSL_peek can handle KeyUpdate.
8857 testCases = append(testCases, testCase{
8858 name: "Peek-KeyUpdate",
8859 config: Config{
8860 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -04008861 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04008862 sendKeyUpdates: 1,
8863 keyUpdateRequest: keyUpdateNotRequested,
8864 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -04008865 })
8866}
8867
Adam Langley7c803a62015-06-15 15:35:05 -07008868func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -07008869 defer wg.Done()
8870
8871 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -08008872 var err error
8873
8874 if *mallocTest < 0 {
8875 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -07008876 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -08008877 } else {
8878 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
8879 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -07008880 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -08008881 if err != nil {
8882 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
8883 }
8884 break
8885 }
8886 }
8887 }
Adam Langley95c29f32014-06-20 12:00:00 -07008888 statusChan <- statusMsg{test: test, err: err}
8889 }
8890}
8891
8892type statusMsg struct {
8893 test *testCase
8894 started bool
8895 err error
8896}
8897
David Benjamin5f237bc2015-02-11 17:14:15 -05008898func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +02008899 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -07008900
David Benjamin5f237bc2015-02-11 17:14:15 -05008901 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -07008902 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -05008903 if !*pipe {
8904 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -05008905 var erase string
8906 for i := 0; i < lineLen; i++ {
8907 erase += "\b \b"
8908 }
8909 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -05008910 }
8911
Adam Langley95c29f32014-06-20 12:00:00 -07008912 if msg.started {
8913 started++
8914 } else {
8915 done++
David Benjamin5f237bc2015-02-11 17:14:15 -05008916
8917 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +02008918 if msg.err == errUnimplemented {
8919 if *pipe {
8920 // Print each test instead of a status line.
8921 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
8922 }
8923 unimplemented++
8924 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
8925 } else {
8926 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
8927 failed++
8928 testOutput.addResult(msg.test.name, "FAIL")
8929 }
David Benjamin5f237bc2015-02-11 17:14:15 -05008930 } else {
8931 if *pipe {
8932 // Print each test instead of a status line.
8933 fmt.Printf("PASSED (%s)\n", msg.test.name)
8934 }
8935 testOutput.addResult(msg.test.name, "PASS")
8936 }
Adam Langley95c29f32014-06-20 12:00:00 -07008937 }
8938
David Benjamin5f237bc2015-02-11 17:14:15 -05008939 if !*pipe {
8940 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +02008941 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -05008942 lineLen = len(line)
8943 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -07008944 }
Adam Langley95c29f32014-06-20 12:00:00 -07008945 }
David Benjamin5f237bc2015-02-11 17:14:15 -05008946
8947 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -07008948}
8949
8950func main() {
Adam Langley95c29f32014-06-20 12:00:00 -07008951 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -07008952 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -07008953 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -07008954
Adam Langley7c803a62015-06-15 15:35:05 -07008955 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -07008956 addCipherSuiteTests()
8957 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -07008958 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -07008959 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -04008960 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -08008961 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -04008962 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -05008963 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -04008964 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -04008965 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -07008966 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -07008967 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -05008968 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -07008969 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -05008970 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -04008971 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -07008972 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -07008973 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -05008974 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -05008975 addCurveTests()
Matt Braithwaite54217e42016-06-13 13:03:47 -07008976 addCECPQ1Tests()
David Benjamin5c4e8572016-08-19 17:44:53 -04008977 addDHEGroupSizeTests()
Steven Valdez5b986082016-09-01 12:29:49 -04008978 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -04008979 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -07008980 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -07008981 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -04008982 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -04008983 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -04008984 addTLS13HandshakeTests()
David Benjaminf3fbade2016-09-19 13:08:16 -04008985 addPeekTests()
Adam Langley95c29f32014-06-20 12:00:00 -07008986
8987 var wg sync.WaitGroup
8988
Adam Langley7c803a62015-06-15 15:35:05 -07008989 statusChan := make(chan statusMsg, *numWorkers)
8990 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -05008991 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -07008992
EKRf71d7ed2016-08-06 13:25:12 -07008993 if len(*shimConfigFile) != 0 {
8994 encoded, err := ioutil.ReadFile(*shimConfigFile)
8995 if err != nil {
8996 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
8997 os.Exit(1)
8998 }
8999
9000 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
9001 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
9002 os.Exit(1)
9003 }
9004 }
9005
David Benjamin025b3d32014-07-01 19:53:04 -04009006 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -07009007
Adam Langley7c803a62015-06-15 15:35:05 -07009008 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -07009009 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -07009010 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -07009011 }
9012
David Benjamin270f0a72016-03-17 14:41:36 -04009013 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -04009014 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -04009015 matched := true
9016 if len(*testToRun) != 0 {
9017 var err error
9018 matched, err = filepath.Match(*testToRun, testCases[i].name)
9019 if err != nil {
9020 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
9021 os.Exit(1)
9022 }
9023 }
9024
EKRf71d7ed2016-08-06 13:25:12 -07009025 if !*includeDisabled {
9026 for pattern := range shimConfig.DisabledTests {
9027 isDisabled, err := filepath.Match(pattern, testCases[i].name)
9028 if err != nil {
9029 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
9030 os.Exit(1)
9031 }
9032
9033 if isDisabled {
9034 matched = false
9035 break
9036 }
9037 }
9038 }
9039
David Benjamin17e12922016-07-28 18:04:43 -04009040 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -04009041 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -04009042 testChan <- &testCases[i]
Adam Langley95c29f32014-06-20 12:00:00 -07009043 }
9044 }
David Benjamin17e12922016-07-28 18:04:43 -04009045
David Benjamin270f0a72016-03-17 14:41:36 -04009046 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -07009047 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -04009048 os.Exit(1)
9049 }
Adam Langley95c29f32014-06-20 12:00:00 -07009050
9051 close(testChan)
9052 wg.Wait()
9053 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -05009054 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -07009055
9056 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -05009057
9058 if *jsonOutput != "" {
9059 if err := testOutput.writeTo(*jsonOutput); err != nil {
9060 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
9061 }
9062 }
David Benjamin2ab7a862015-04-04 17:02:18 -04009063
EKR842ae6c2016-07-27 09:22:05 +02009064 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
9065 os.Exit(1)
9066 }
9067
9068 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -04009069 os.Exit(1)
9070 }
Adam Langley95c29f32014-06-20 12:00:00 -07009071}