blob: 19ec131069486d490ca5bf8323f52be7bb717040 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -07001// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -040013// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -070014
Adam Langleydc7e9c42015-09-29 15:21:04 -070015package runner
Adam Langley95c29f32014-06-20 12:00:00 -070016
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -040019 "crypto/ecdsa"
20 "crypto/elliptic"
David Benjamin407a10c2014-07-16 12:58:59 -040021 "crypto/x509"
David Benjamin2561dc32014-08-24 01:25:27 -040022 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -070023 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -040024 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +020025 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -070026 "flag"
27 "fmt"
28 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -070029 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -070030 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -070031 "net"
32 "os"
33 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -040034 "path"
David Benjamin17e12922016-07-28 18:04:43 -040035 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -040036 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -080037 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -070038 "strings"
39 "sync"
40 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -050041 "time"
Adam Langley95c29f32014-06-20 12:00:00 -070042)
43
Adam Langley69a01602014-11-17 17:26:55 -080044var (
EKR842ae6c2016-07-27 09:22:05 +020045 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
46 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
47 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
48 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
49 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
50 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
51 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
52 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -040053 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +020054 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
55 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
56 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
57 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
58 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
59 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
60 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
61 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +020062 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -070063 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
64 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Adam Langley69a01602014-11-17 17:26:55 -080065)
Adam Langley95c29f32014-06-20 12:00:00 -070066
EKRf71d7ed2016-08-06 13:25:12 -070067// ShimConfigurations is used with the “json” package and represents a shim
68// config file.
69type ShimConfiguration struct {
70 // DisabledTests maps from a glob-based pattern to a freeform string.
71 // The glob pattern is used to exclude tests from being run and the
72 // freeform string is unparsed but expected to explain why the test is
73 // disabled.
74 DisabledTests map[string]string
75
76 // ErrorMap maps from expected error strings to the correct error
77 // string for the shim in question. For example, it might map
78 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
79 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
80 ErrorMap map[string]string
81}
82
83var shimConfig ShimConfiguration
84
David Benjamin33863262016-07-08 17:20:12 -070085type testCert int
86
David Benjamin025b3d32014-07-01 19:53:04 -040087const (
David Benjamin33863262016-07-08 17:20:12 -070088 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -040089 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +090090 testCertRSAChain
David Benjamin33863262016-07-08 17:20:12 -070091 testCertECDSAP256
92 testCertECDSAP384
93 testCertECDSAP521
94)
95
96const (
97 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -040098 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +090099 rsaChainCertificateFile = "rsa_chain_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700100 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
101 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
102 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400103)
104
105const (
David Benjamina08e49d2014-08-24 01:46:07 -0400106 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400107 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900108 rsaChainKeyFile = "rsa_chain_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700109 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
110 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
111 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400112 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400113)
114
David Benjamin7944a9f2016-07-12 22:27:01 -0400115var (
116 rsaCertificate Certificate
117 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900118 rsaChainCertificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400119 ecdsaP256Certificate Certificate
120 ecdsaP384Certificate Certificate
121 ecdsaP521Certificate Certificate
122)
David Benjamin33863262016-07-08 17:20:12 -0700123
124var testCerts = []struct {
125 id testCert
126 certFile, keyFile string
127 cert *Certificate
128}{
129 {
130 id: testCertRSA,
131 certFile: rsaCertificateFile,
132 keyFile: rsaKeyFile,
133 cert: &rsaCertificate,
134 },
135 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400136 id: testCertRSA1024,
137 certFile: rsa1024CertificateFile,
138 keyFile: rsa1024KeyFile,
139 cert: &rsa1024Certificate,
140 },
141 {
David Benjamin2c516452016-11-15 10:16:54 +0900142 id: testCertRSAChain,
143 certFile: rsaChainCertificateFile,
144 keyFile: rsaChainKeyFile,
145 cert: &rsaChainCertificate,
146 },
147 {
David Benjamin33863262016-07-08 17:20:12 -0700148 id: testCertECDSAP256,
149 certFile: ecdsaP256CertificateFile,
150 keyFile: ecdsaP256KeyFile,
151 cert: &ecdsaP256Certificate,
152 },
153 {
154 id: testCertECDSAP384,
155 certFile: ecdsaP384CertificateFile,
156 keyFile: ecdsaP384KeyFile,
157 cert: &ecdsaP384Certificate,
158 },
159 {
160 id: testCertECDSAP521,
161 certFile: ecdsaP521CertificateFile,
162 keyFile: ecdsaP521KeyFile,
163 cert: &ecdsaP521Certificate,
164 },
165}
166
David Benjamina08e49d2014-08-24 01:46:07 -0400167var channelIDKey *ecdsa.PrivateKey
168var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700169
David Benjamin61f95272014-11-25 01:55:35 -0500170var testOCSPResponse = []byte{1, 2, 3, 4}
171var testSCTList = []byte{5, 6, 7, 8}
172
Steven Valdeza833c352016-11-01 13:39:36 -0400173var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
174var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, 4}, testSCTList...)
175
Adam Langley95c29f32014-06-20 12:00:00 -0700176func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700177 for i := range testCerts {
178 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
179 if err != nil {
180 panic(err)
181 }
182 cert.OCSPStaple = testOCSPResponse
183 cert.SignedCertificateTimestampList = testSCTList
184 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700185 }
David Benjamina08e49d2014-08-24 01:46:07 -0400186
Adam Langley7c803a62015-06-15 15:35:05 -0700187 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400188 if err != nil {
189 panic(err)
190 }
191 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
192 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
193 panic("bad key type")
194 }
195 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
196 if err != nil {
197 panic(err)
198 }
199 if channelIDKey.Curve != elliptic.P256() {
200 panic("bad curve")
201 }
202
203 channelIDBytes = make([]byte, 64)
204 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
205 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700206}
207
David Benjamin33863262016-07-08 17:20:12 -0700208func getRunnerCertificate(t testCert) Certificate {
209 for _, cert := range testCerts {
210 if cert.id == t {
211 return *cert.cert
212 }
213 }
214 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700215}
216
David Benjamin33863262016-07-08 17:20:12 -0700217func getShimCertificate(t testCert) string {
218 for _, cert := range testCerts {
219 if cert.id == t {
220 return cert.certFile
221 }
222 }
223 panic("Unknown test certificate")
224}
225
226func getShimKey(t testCert) string {
227 for _, cert := range testCerts {
228 if cert.id == t {
229 return cert.keyFile
230 }
231 }
232 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700233}
234
David Benjamin025b3d32014-07-01 19:53:04 -0400235type testType int
236
237const (
238 clientTest testType = iota
239 serverTest
240)
241
David Benjamin6fd297b2014-08-11 18:43:38 -0400242type protocol int
243
244const (
245 tls protocol = iota
246 dtls
247)
248
David Benjaminfc7b0862014-09-06 13:21:53 -0400249const (
250 alpn = 1
251 npn = 2
252)
253
Adam Langley95c29f32014-06-20 12:00:00 -0700254type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400255 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400256 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700257 name string
258 config Config
259 shouldFail bool
260 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700261 // expectedLocalError, if not empty, contains a substring that must be
262 // found in the local error.
263 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400264 // expectedVersion, if non-zero, specifies the TLS version that must be
265 // negotiated.
266 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400267 // expectedResumeVersion, if non-zero, specifies the TLS version that
268 // must be negotiated on resumption. If zero, expectedVersion is used.
269 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400270 // expectedCipher, if non-zero, specifies the TLS cipher suite that
271 // should be negotiated.
272 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400273 // expectChannelID controls whether the connection should have
274 // negotiated a Channel ID with channelIDKey.
275 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400276 // expectedNextProto controls whether the connection should
277 // negotiate a next protocol via NPN or ALPN.
278 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400279 // expectNoNextProto, if true, means that no next protocol should be
280 // negotiated.
281 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400282 // expectedNextProtoType, if non-zero, is the expected next
283 // protocol negotiation mechanism.
284 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500285 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
286 // should be negotiated. If zero, none should be negotiated.
287 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100288 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
289 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100290 // expectedSCTList, if not nil, is the expected SCT list to be received.
291 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700292 // expectedPeerSignatureAlgorithm, if not zero, is the signature
293 // algorithm that the peer should have used in the handshake.
294 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400295 // expectedCurveID, if not zero, is the curve that the handshake should
296 // have used.
297 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700298 // messageLen is the length, in bytes, of the test message that will be
299 // sent.
300 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400301 // messageCount is the number of test messages that will be sent.
302 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400303 // certFile is the path to the certificate to use for the server.
304 certFile string
305 // keyFile is the path to the private key to use for the server.
306 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400307 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400308 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400309 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400310 // resumeRenewedSession controls whether a third connection should be
311 // tested which attempts to resume the second connection's session.
312 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700313 // expectResumeRejected, if true, specifies that the attempted
314 // resumption must be rejected by the client. This is only valid for a
315 // serverTest.
316 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400317 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500318 // resumption. Unless newSessionsOnResume is set,
319 // SessionTicketKey, ServerSessionCache, and
320 // ClientSessionCache are copied from the initial connection's
321 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400322 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500323 // newSessionsOnResume, if true, will cause resumeConfig to
324 // use a different session resumption context.
325 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400326 // noSessionCache, if true, will cause the server to run without a
327 // session cache.
328 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400329 // sendPrefix sends a prefix on the socket before actually performing a
330 // handshake.
331 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400332 // shimWritesFirst controls whether the shim sends an initial "hello"
333 // message before doing a roundtrip with the runner.
334 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400335 // shimShutsDown, if true, runs a test where the shim shuts down the
336 // connection immediately after the handshake rather than echoing
337 // messages from the runner.
338 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400339 // renegotiate indicates the number of times the connection should be
340 // renegotiated during the exchange.
341 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400342 // sendHalfHelloRequest, if true, causes the server to send half a
343 // HelloRequest when the handshake completes.
344 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700345 // renegotiateCiphers is a list of ciphersuite ids that will be
346 // switched in just before renegotiation.
347 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500348 // replayWrites, if true, configures the underlying transport
349 // to replay every write it makes in DTLS tests.
350 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500351 // damageFirstWrite, if true, configures the underlying transport to
352 // damage the final byte of the first application data write.
353 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400354 // exportKeyingMaterial, if non-zero, configures the test to exchange
355 // keying material and verify they match.
356 exportKeyingMaterial int
357 exportLabel string
358 exportContext string
359 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400360 // flags, if not empty, contains a list of command-line flags that will
361 // be passed to the shim program.
362 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700363 // testTLSUnique, if true, causes the shim to send the tls-unique value
364 // which will be compared against the expected value.
365 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400366 // sendEmptyRecords is the number of consecutive empty records to send
367 // before and after the test message.
368 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400369 // sendWarningAlerts is the number of consecutive warning alerts to send
370 // before and after the test message.
371 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400372 // sendKeyUpdates is the number of consecutive key updates to send
373 // before and after the test message.
374 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400375 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
376 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400377 // expectMessageDropped, if true, means the test message is expected to
378 // be dropped by the client rather than echoed back.
379 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900380 // expectPeerCertificate, if not nil, is the certificate chain the peer
381 // is expected to send.
382 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700383}
384
Adam Langley7c803a62015-06-15 15:35:05 -0700385var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700386
David Benjaminc07afb72016-09-22 10:18:58 -0400387func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500388 if len(data) == 0 {
389 return
390 }
391
392 protocol := "tls"
393 if test.protocol == dtls {
394 protocol = "dtls"
395 }
396
397 side := "client"
398 if test.testType == serverTest {
399 side = "server"
400 }
401
402 dir := path.Join(*transcriptDir, protocol, side)
403 if err := os.MkdirAll(dir, 0755); err != nil {
404 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
405 return
406 }
407
David Benjaminc07afb72016-09-22 10:18:58 -0400408 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500409 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
410 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
411 }
412}
413
David Benjamin3ed59772016-03-08 12:50:21 -0500414// A timeoutConn implements an idle timeout on each Read and Write operation.
415type timeoutConn struct {
416 net.Conn
417 timeout time.Duration
418}
419
420func (t *timeoutConn) Read(b []byte) (int, error) {
421 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
422 return 0, err
423 }
424 return t.Conn.Read(b)
425}
426
427func (t *timeoutConn) Write(b []byte) (int, error) {
428 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
429 return 0, err
430 }
431 return t.Conn.Write(b)
432}
433
David Benjaminc07afb72016-09-22 10:18:58 -0400434func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400435 if !test.noSessionCache {
436 if config.ClientSessionCache == nil {
437 config.ClientSessionCache = NewLRUClientSessionCache(1)
438 }
439 if config.ServerSessionCache == nil {
440 config.ServerSessionCache = NewLRUServerSessionCache(1)
441 }
442 }
443 if test.testType == clientTest {
444 if len(config.Certificates) == 0 {
445 config.Certificates = []Certificate{rsaCertificate}
446 }
447 } else {
448 // Supply a ServerName to ensure a constant session cache key,
449 // rather than falling back to net.Conn.RemoteAddr.
450 if len(config.ServerName) == 0 {
451 config.ServerName = "test"
452 }
453 }
454 if *fuzzer {
455 config.Bugs.NullAllCiphers = true
456 }
David Benjamin01a90572016-09-22 00:11:43 -0400457 if *deterministic {
458 config.Time = func() time.Time { return time.Unix(1234, 1234) }
459 }
David Benjamine54af062016-08-08 19:21:18 -0400460
David Benjamin01784b42016-06-07 18:00:52 -0400461 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500462
David Benjamin6fd297b2014-08-11 18:43:38 -0400463 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500464 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
465 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500466 }
467
David Benjamin9867b7d2016-03-01 23:25:48 -0500468 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500469 local, peer := "client", "server"
470 if test.testType == clientTest {
471 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500472 }
David Benjaminebda9b32015-11-02 15:33:18 -0500473 connDebug := &recordingConn{
474 Conn: conn,
475 isDatagram: test.protocol == dtls,
476 local: local,
477 peer: peer,
478 }
479 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500480 if *flagDebug {
481 defer connDebug.WriteTo(os.Stdout)
482 }
483 if len(*transcriptDir) != 0 {
484 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400485 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500486 }()
487 }
David Benjaminebda9b32015-11-02 15:33:18 -0500488
489 if config.Bugs.PacketAdaptor != nil {
490 config.Bugs.PacketAdaptor.debug = connDebug
491 }
492 }
493
494 if test.replayWrites {
495 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400496 }
497
David Benjamin3ed59772016-03-08 12:50:21 -0500498 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500499 if test.damageFirstWrite {
500 connDamage = newDamageAdaptor(conn)
501 conn = connDamage
502 }
503
David Benjamin6fd297b2014-08-11 18:43:38 -0400504 if test.sendPrefix != "" {
505 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
506 return err
507 }
David Benjamin98e882e2014-08-08 13:24:34 -0400508 }
509
David Benjamin1d5c83e2014-07-22 19:20:02 -0400510 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400511 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400512 if test.protocol == dtls {
513 tlsConn = DTLSServer(conn, config)
514 } else {
515 tlsConn = Server(conn, config)
516 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400517 } else {
518 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400519 if test.protocol == dtls {
520 tlsConn = DTLSClient(conn, config)
521 } else {
522 tlsConn = Client(conn, config)
523 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400524 }
David Benjamin30789da2015-08-29 22:56:45 -0400525 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400526
Adam Langley95c29f32014-06-20 12:00:00 -0700527 if err := tlsConn.Handshake(); err != nil {
528 return err
529 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700530
David Benjamin01fe8202014-09-24 15:21:44 -0400531 // TODO(davidben): move all per-connection expectations into a dedicated
532 // expectations struct that can be specified separately for the two
533 // legs.
534 expectedVersion := test.expectedVersion
535 if isResume && test.expectedResumeVersion != 0 {
536 expectedVersion = test.expectedResumeVersion
537 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700538 connState := tlsConn.ConnectionState()
539 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400540 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400541 }
542
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700543 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400544 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
545 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700546 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
547 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
548 }
David Benjamin90da8c82015-04-20 14:57:57 -0400549
David Benjamina08e49d2014-08-24 01:46:07 -0400550 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700551 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400552 if channelID == nil {
553 return fmt.Errorf("no channel ID negotiated")
554 }
555 if channelID.Curve != channelIDKey.Curve ||
556 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
557 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
558 return fmt.Errorf("incorrect channel ID")
559 }
560 }
561
David Benjaminae2888f2014-09-06 12:58:58 -0400562 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700563 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400564 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
565 }
566 }
567
David Benjaminc7ce9772015-10-09 19:32:41 -0400568 if test.expectNoNextProto {
569 if actual := connState.NegotiatedProtocol; actual != "" {
570 return fmt.Errorf("got unexpected next proto %s", actual)
571 }
572 }
573
David Benjaminfc7b0862014-09-06 13:21:53 -0400574 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700575 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400576 return fmt.Errorf("next proto type mismatch")
577 }
578 }
579
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700580 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500581 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
582 }
583
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100584 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300585 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100586 }
587
Paul Lietar4fac72e2015-09-09 13:44:55 +0100588 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
589 return fmt.Errorf("SCT list mismatch")
590 }
591
Nick Harper60edffd2016-06-21 15:19:24 -0700592 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
593 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400594 }
595
Steven Valdez5440fe02016-07-18 12:40:30 -0400596 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
597 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
598 }
599
David Benjamin2c516452016-11-15 10:16:54 +0900600 if test.expectPeerCertificate != nil {
601 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
602 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
603 }
604 for i, cert := range connState.PeerCertificates {
605 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
606 return fmt.Errorf("peer certificate %d did not match", i+1)
607 }
608 }
609 }
610
David Benjaminc565ebb2015-04-03 04:06:36 -0400611 if test.exportKeyingMaterial > 0 {
612 actual := make([]byte, test.exportKeyingMaterial)
613 if _, err := io.ReadFull(tlsConn, actual); err != nil {
614 return err
615 }
616 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
617 if err != nil {
618 return err
619 }
620 if !bytes.Equal(actual, expected) {
621 return fmt.Errorf("keying material mismatch")
622 }
623 }
624
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700625 if test.testTLSUnique {
626 var peersValue [12]byte
627 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
628 return err
629 }
630 expected := tlsConn.ConnectionState().TLSUnique
631 if !bytes.Equal(peersValue[:], expected) {
632 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
633 }
634 }
635
David Benjamine58c4f52014-08-24 03:47:07 -0400636 if test.shimWritesFirst {
637 var buf [5]byte
638 _, err := io.ReadFull(tlsConn, buf[:])
639 if err != nil {
640 return err
641 }
642 if string(buf[:]) != "hello" {
643 return fmt.Errorf("bad initial message")
644 }
645 }
646
Steven Valdez32635b82016-08-16 11:25:03 -0400647 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400648 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400649 return err
650 }
Steven Valdez32635b82016-08-16 11:25:03 -0400651 }
652
David Benjamina8ebe222015-06-06 03:04:39 -0400653 for i := 0; i < test.sendEmptyRecords; i++ {
654 tlsConn.Write(nil)
655 }
656
David Benjamin24f346d2015-06-06 03:28:08 -0400657 for i := 0; i < test.sendWarningAlerts; i++ {
658 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
659 }
660
David Benjamin47921102016-07-28 11:29:18 -0400661 if test.sendHalfHelloRequest {
662 tlsConn.SendHalfHelloRequest()
663 }
664
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400665 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700666 if test.renegotiateCiphers != nil {
667 config.CipherSuites = test.renegotiateCiphers
668 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400669 for i := 0; i < test.renegotiate; i++ {
670 if err := tlsConn.Renegotiate(); err != nil {
671 return err
672 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700673 }
674 } else if test.renegotiateCiphers != nil {
675 panic("renegotiateCiphers without renegotiate")
676 }
677
David Benjamin5fa3eba2015-01-22 16:35:40 -0500678 if test.damageFirstWrite {
679 connDamage.setDamage(true)
680 tlsConn.Write([]byte("DAMAGED WRITE"))
681 connDamage.setDamage(false)
682 }
683
David Benjamin8e6db492015-07-25 18:29:23 -0400684 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700685 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400686 if test.protocol == dtls {
687 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
688 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700689 // Read until EOF.
690 _, err := io.Copy(ioutil.Discard, tlsConn)
691 return err
692 }
David Benjamin4417d052015-04-05 04:17:25 -0400693 if messageLen == 0 {
694 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700695 }
Adam Langley95c29f32014-06-20 12:00:00 -0700696
David Benjamin8e6db492015-07-25 18:29:23 -0400697 messageCount := test.messageCount
698 if messageCount == 0 {
699 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400700 }
701
David Benjamin8e6db492015-07-25 18:29:23 -0400702 for j := 0; j < messageCount; j++ {
703 testMessage := make([]byte, messageLen)
704 for i := range testMessage {
705 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400706 }
David Benjamin8e6db492015-07-25 18:29:23 -0400707 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700708
Steven Valdez32635b82016-08-16 11:25:03 -0400709 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400710 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400711 }
712
David Benjamin8e6db492015-07-25 18:29:23 -0400713 for i := 0; i < test.sendEmptyRecords; i++ {
714 tlsConn.Write(nil)
715 }
716
717 for i := 0; i < test.sendWarningAlerts; i++ {
718 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
719 }
720
David Benjamin4f75aaf2015-09-01 16:53:10 -0400721 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400722 // The shim will not respond.
723 continue
724 }
725
David Benjamin8e6db492015-07-25 18:29:23 -0400726 buf := make([]byte, len(testMessage))
727 if test.protocol == dtls {
728 bufTmp := make([]byte, len(buf)+1)
729 n, err := tlsConn.Read(bufTmp)
730 if err != nil {
731 return err
732 }
733 if n != len(buf) {
734 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
735 }
736 copy(buf, bufTmp)
737 } else {
738 _, err := io.ReadFull(tlsConn, buf)
739 if err != nil {
740 return err
741 }
742 }
743
744 for i, v := range buf {
745 if v != testMessage[i]^0xff {
746 return fmt.Errorf("bad reply contents at byte %d", i)
747 }
Adam Langley95c29f32014-06-20 12:00:00 -0700748 }
749 }
750
751 return nil
752}
753
David Benjamin325b5c32014-07-01 19:40:31 -0400754func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400755 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700756 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400757 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700758 }
David Benjamin325b5c32014-07-01 19:40:31 -0400759 valgrindArgs = append(valgrindArgs, path)
760 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700761
David Benjamin325b5c32014-07-01 19:40:31 -0400762 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700763}
764
David Benjamin325b5c32014-07-01 19:40:31 -0400765func gdbOf(path string, args ...string) *exec.Cmd {
766 xtermArgs := []string{"-e", "gdb", "--args"}
767 xtermArgs = append(xtermArgs, path)
768 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700769
David Benjamin325b5c32014-07-01 19:40:31 -0400770 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700771}
772
David Benjamind16bf342015-12-18 00:53:12 -0500773func lldbOf(path string, args ...string) *exec.Cmd {
774 xtermArgs := []string{"-e", "lldb", "--"}
775 xtermArgs = append(xtermArgs, path)
776 xtermArgs = append(xtermArgs, args...)
777
778 return exec.Command("xterm", xtermArgs...)
779}
780
EKR842ae6c2016-07-27 09:22:05 +0200781var (
782 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
783 errUnimplemented = errors.New("child process does not implement needed flags")
784)
Adam Langley69a01602014-11-17 17:26:55 -0800785
David Benjamin87c8a642015-02-21 01:54:29 -0500786// accept accepts a connection from listener, unless waitChan signals a process
787// exit first.
788func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
789 type connOrError struct {
790 conn net.Conn
791 err error
792 }
793 connChan := make(chan connOrError, 1)
794 go func() {
795 conn, err := listener.Accept()
796 connChan <- connOrError{conn, err}
797 close(connChan)
798 }()
799 select {
800 case result := <-connChan:
801 return result.conn, result.err
802 case childErr := <-waitChan:
803 waitChan <- childErr
804 return nil, fmt.Errorf("child exited early: %s", childErr)
805 }
806}
807
EKRf71d7ed2016-08-06 13:25:12 -0700808func translateExpectedError(errorStr string) string {
809 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
810 return translated
811 }
812
813 if *looseErrors {
814 return ""
815 }
816
817 return errorStr
818}
819
Adam Langley7c803a62015-06-15 15:35:05 -0700820func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400821 // Help debugging panics on the Go side.
822 defer func() {
823 if r := recover(); r != nil {
824 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
825 panic(r)
826 }
827 }()
828
Adam Langley38311732014-10-16 19:04:35 -0700829 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
830 panic("Error expected without shouldFail in " + test.name)
831 }
832
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700833 if test.expectResumeRejected && !test.resumeSession {
834 panic("expectResumeRejected without resumeSession in " + test.name)
835 }
836
David Benjamin87c8a642015-02-21 01:54:29 -0500837 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
838 if err != nil {
839 panic(err)
840 }
841 defer func() {
842 if listener != nil {
843 listener.Close()
844 }
845 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700846
David Benjamin87c8a642015-02-21 01:54:29 -0500847 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400848 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400849 flags = append(flags, "-server")
850
David Benjamin025b3d32014-07-01 19:53:04 -0400851 flags = append(flags, "-key-file")
852 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700853 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400854 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700855 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400856 }
857
858 flags = append(flags, "-cert-file")
859 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700860 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400861 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700862 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400863 }
864 }
David Benjamin5a593af2014-08-11 19:51:50 -0400865
David Benjamin6fd297b2014-08-11 18:43:38 -0400866 if test.protocol == dtls {
867 flags = append(flags, "-dtls")
868 }
869
David Benjamin46662482016-08-17 00:51:00 -0400870 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400871 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400872 resumeCount++
873 if test.resumeRenewedSession {
874 resumeCount++
875 }
876 }
877
878 if resumeCount > 0 {
879 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400880 }
881
David Benjamine58c4f52014-08-24 03:47:07 -0400882 if test.shimWritesFirst {
883 flags = append(flags, "-shim-writes-first")
884 }
885
David Benjamin30789da2015-08-29 22:56:45 -0400886 if test.shimShutsDown {
887 flags = append(flags, "-shim-shuts-down")
888 }
889
David Benjaminc565ebb2015-04-03 04:06:36 -0400890 if test.exportKeyingMaterial > 0 {
891 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
892 flags = append(flags, "-export-label", test.exportLabel)
893 flags = append(flags, "-export-context", test.exportContext)
894 if test.useExportContext {
895 flags = append(flags, "-use-export-context")
896 }
897 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700898 if test.expectResumeRejected {
899 flags = append(flags, "-expect-session-miss")
900 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400901
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700902 if test.testTLSUnique {
903 flags = append(flags, "-tls-unique")
904 }
905
David Benjamin025b3d32014-07-01 19:53:04 -0400906 flags = append(flags, test.flags...)
907
908 var shim *exec.Cmd
909 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700910 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700911 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700912 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500913 } else if *useLLDB {
914 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400915 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700916 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400917 }
David Benjamin025b3d32014-07-01 19:53:04 -0400918 shim.Stdin = os.Stdin
919 var stdoutBuf, stderrBuf bytes.Buffer
920 shim.Stdout = &stdoutBuf
921 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800922 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500923 shim.Env = os.Environ()
924 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800925 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400926 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800927 }
928 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
929 }
David Benjamin025b3d32014-07-01 19:53:04 -0400930
931 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700932 panic(err)
933 }
David Benjamin87c8a642015-02-21 01:54:29 -0500934 waitChan := make(chan error, 1)
935 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700936
937 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700938
David Benjamin7a4aaa42016-09-20 17:58:14 -0400939 if *deterministic {
940 config.Rand = &deterministicRand{}
941 }
942
David Benjamin87c8a642015-02-21 01:54:29 -0500943 conn, err := acceptOrWait(listener, waitChan)
944 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400945 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500946 conn.Close()
947 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500948
David Benjamin46662482016-08-17 00:51:00 -0400949 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400950 var resumeConfig Config
951 if test.resumeConfig != nil {
952 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400953 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500954 resumeConfig.SessionTicketKey = config.SessionTicketKey
955 resumeConfig.ClientSessionCache = config.ClientSessionCache
956 resumeConfig.ServerSessionCache = config.ServerSessionCache
957 }
David Benjamin2e045a92016-06-08 13:09:56 -0400958 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400959 } else {
960 resumeConfig = config
961 }
David Benjamin87c8a642015-02-21 01:54:29 -0500962 var connResume net.Conn
963 connResume, err = acceptOrWait(listener, waitChan)
964 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400965 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500966 connResume.Close()
967 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400968 }
969
David Benjamin87c8a642015-02-21 01:54:29 -0500970 // Close the listener now. This is to avoid hangs should the shim try to
971 // open more connections than expected.
972 listener.Close()
973 listener = nil
974
975 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400976 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800977 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200978 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
979 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800980 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200981 case 89:
982 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400983 case 99:
984 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800985 }
986 }
Adam Langley95c29f32014-06-20 12:00:00 -0700987
David Benjamin9bea3492016-03-02 10:59:16 -0500988 // Account for Windows line endings.
989 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
990 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500991
992 // Separate the errors from the shim and those from tools like
993 // AddressSanitizer.
994 var extraStderr string
995 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
996 stderr = stderrParts[0]
997 extraStderr = stderrParts[1]
998 }
999
Adam Langley95c29f32014-06-20 12:00:00 -07001000 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -07001001 expectedError := translateExpectedError(test.expectedError)
1002 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +02001003
Adam Langleyac61fa32014-06-23 12:03:11 -07001004 localError := "none"
1005 if err != nil {
1006 localError = err.Error()
1007 }
1008 if len(test.expectedLocalError) != 0 {
1009 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1010 }
Adam Langley95c29f32014-06-20 12:00:00 -07001011
1012 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -07001013 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -07001014 if childErr != nil {
1015 childError = childErr.Error()
1016 }
1017
1018 var msg string
1019 switch {
1020 case failed && !test.shouldFail:
1021 msg = "unexpected failure"
1022 case !failed && test.shouldFail:
1023 msg = "unexpected success"
1024 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -07001025 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -07001026 default:
1027 panic("internal error")
1028 }
1029
David Benjamin9aafb642016-09-20 19:36:53 -04001030 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -07001031 }
1032
David Benjamind2ba8892016-09-20 19:41:04 -04001033 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -05001034 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -07001035 }
1036
David Benjamind2ba8892016-09-20 19:41:04 -04001037 if *useValgrind && isValgrindError {
1038 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1039 }
1040
Adam Langley95c29f32014-06-20 12:00:00 -07001041 return nil
1042}
1043
1044var tlsVersions = []struct {
1045 name string
1046 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -04001047 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -05001048 hasDTLS bool
Adam Langley95c29f32014-06-20 12:00:00 -07001049}{
David Benjamin8b8c0062014-11-23 02:47:52 -05001050 {"SSL3", VersionSSL30, "-no-ssl3", false},
1051 {"TLS1", VersionTLS10, "-no-tls1", true},
1052 {"TLS11", VersionTLS11, "-no-tls11", false},
1053 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -04001054 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -07001055}
1056
1057var testCipherSuites = []struct {
1058 name string
1059 id uint16
1060}{
1061 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001062 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001063 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001064 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001065 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001066 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001067 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001068 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1069 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001070 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001071 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1072 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001073 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001074 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1075 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001076 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1077 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001078 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001079 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -05001080 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -05001081 {"ECDHE-ECDSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Adam Langley95c29f32014-06-20 12:00:00 -07001082 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -07001083 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001084 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -04001085 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -07001086 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -04001087 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -05001088 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -05001089 {"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Matt Braithwaite053931e2016-05-25 12:06:05 -07001090 {"CECPQ1-RSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256},
1091 {"CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
1092 {"CECPQ1-RSA-AES256-GCM-SHA384", TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
1093 {"CECPQ1-ECDSA-AES256-GCM-SHA384", TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384},
David Benjamin48cae082014-10-27 01:06:24 -04001094 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1095 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -07001096 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1097 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -05001098 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -04001099 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1100 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1101 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -07001102 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -07001103}
1104
David Benjamin8b8c0062014-11-23 02:47:52 -05001105func hasComponent(suiteName, component string) bool {
1106 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1107}
1108
David Benjaminf7768e42014-08-31 02:06:47 -04001109func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -05001110 return hasComponent(suiteName, "GCM") ||
1111 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -04001112 hasComponent(suiteName, "SHA384") ||
1113 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -05001114}
1115
Nick Harper1fd39d82016-06-14 18:14:35 -07001116func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -04001117 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -07001118}
1119
David Benjamin8b8c0062014-11-23 02:47:52 -05001120func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -07001121 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -04001122}
1123
Adam Langleya7997f12015-05-14 17:38:50 -07001124func bigFromHex(hex string) *big.Int {
1125 ret, ok := new(big.Int).SetString(hex, 16)
1126 if !ok {
1127 panic("failed to parse hex number 0x" + hex)
1128 }
1129 return ret
1130}
1131
Adam Langley7c803a62015-06-15 15:35:05 -07001132func addBasicTests() {
1133 basicTests := []testCase{
1134 {
Adam Langley7c803a62015-06-15 15:35:05 -07001135 name: "NoFallbackSCSV",
1136 config: Config{
1137 Bugs: ProtocolBugs{
1138 FailIfNotFallbackSCSV: true,
1139 },
1140 },
1141 shouldFail: true,
1142 expectedLocalError: "no fallback SCSV found",
1143 },
1144 {
1145 name: "SendFallbackSCSV",
1146 config: Config{
1147 Bugs: ProtocolBugs{
1148 FailIfNotFallbackSCSV: true,
1149 },
1150 },
1151 flags: []string{"-fallback-scsv"},
1152 },
1153 {
1154 name: "ClientCertificateTypes",
1155 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001156 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001157 ClientAuth: RequestClientCert,
1158 ClientCertificateTypes: []byte{
1159 CertTypeDSSSign,
1160 CertTypeRSASign,
1161 CertTypeECDSASign,
1162 },
1163 },
1164 flags: []string{
1165 "-expect-certificate-types",
1166 base64.StdEncoding.EncodeToString([]byte{
1167 CertTypeDSSSign,
1168 CertTypeRSASign,
1169 CertTypeECDSASign,
1170 }),
1171 },
1172 },
1173 {
Adam Langley7c803a62015-06-15 15:35:05 -07001174 name: "UnauthenticatedECDH",
1175 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001176 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001177 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1178 Bugs: ProtocolBugs{
1179 UnauthenticatedECDH: true,
1180 },
1181 },
1182 shouldFail: true,
1183 expectedError: ":UNEXPECTED_MESSAGE:",
1184 },
1185 {
1186 name: "SkipCertificateStatus",
1187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001188 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001189 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1190 Bugs: ProtocolBugs{
1191 SkipCertificateStatus: true,
1192 },
1193 },
1194 flags: []string{
1195 "-enable-ocsp-stapling",
1196 },
1197 },
1198 {
1199 name: "SkipServerKeyExchange",
1200 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001201 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001202 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1203 Bugs: ProtocolBugs{
1204 SkipServerKeyExchange: true,
1205 },
1206 },
1207 shouldFail: true,
1208 expectedError: ":UNEXPECTED_MESSAGE:",
1209 },
1210 {
Adam Langley7c803a62015-06-15 15:35:05 -07001211 testType: serverTest,
1212 name: "Alert",
1213 config: Config{
1214 Bugs: ProtocolBugs{
1215 SendSpuriousAlert: alertRecordOverflow,
1216 },
1217 },
1218 shouldFail: true,
1219 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1220 },
1221 {
1222 protocol: dtls,
1223 testType: serverTest,
1224 name: "Alert-DTLS",
1225 config: Config{
1226 Bugs: ProtocolBugs{
1227 SendSpuriousAlert: alertRecordOverflow,
1228 },
1229 },
1230 shouldFail: true,
1231 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1232 },
1233 {
1234 testType: serverTest,
1235 name: "FragmentAlert",
1236 config: Config{
1237 Bugs: ProtocolBugs{
1238 FragmentAlert: true,
1239 SendSpuriousAlert: alertRecordOverflow,
1240 },
1241 },
1242 shouldFail: true,
1243 expectedError: ":BAD_ALERT:",
1244 },
1245 {
1246 protocol: dtls,
1247 testType: serverTest,
1248 name: "FragmentAlert-DTLS",
1249 config: Config{
1250 Bugs: ProtocolBugs{
1251 FragmentAlert: true,
1252 SendSpuriousAlert: alertRecordOverflow,
1253 },
1254 },
1255 shouldFail: true,
1256 expectedError: ":BAD_ALERT:",
1257 },
1258 {
1259 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -05001260 name: "DoubleAlert",
1261 config: Config{
1262 Bugs: ProtocolBugs{
1263 DoubleAlert: true,
1264 SendSpuriousAlert: alertRecordOverflow,
1265 },
1266 },
1267 shouldFail: true,
1268 expectedError: ":BAD_ALERT:",
1269 },
1270 {
1271 protocol: dtls,
1272 testType: serverTest,
1273 name: "DoubleAlert-DTLS",
1274 config: Config{
1275 Bugs: ProtocolBugs{
1276 DoubleAlert: true,
1277 SendSpuriousAlert: alertRecordOverflow,
1278 },
1279 },
1280 shouldFail: true,
1281 expectedError: ":BAD_ALERT:",
1282 },
1283 {
Adam Langley7c803a62015-06-15 15:35:05 -07001284 name: "SkipNewSessionTicket",
1285 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001286 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001287 Bugs: ProtocolBugs{
1288 SkipNewSessionTicket: true,
1289 },
1290 },
1291 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001292 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001293 },
1294 {
1295 testType: serverTest,
1296 name: "FallbackSCSV",
1297 config: Config{
1298 MaxVersion: VersionTLS11,
1299 Bugs: ProtocolBugs{
1300 SendFallbackSCSV: true,
1301 },
1302 },
1303 shouldFail: true,
1304 expectedError: ":INAPPROPRIATE_FALLBACK:",
1305 },
1306 {
1307 testType: serverTest,
1308 name: "FallbackSCSV-VersionMatch",
1309 config: Config{
1310 Bugs: ProtocolBugs{
1311 SendFallbackSCSV: true,
1312 },
1313 },
1314 },
1315 {
1316 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -04001317 name: "FallbackSCSV-VersionMatch-TLS12",
1318 config: Config{
1319 MaxVersion: VersionTLS12,
1320 Bugs: ProtocolBugs{
1321 SendFallbackSCSV: true,
1322 },
1323 },
1324 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1325 },
1326 {
1327 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -07001328 name: "FragmentedClientVersion",
1329 config: Config{
1330 Bugs: ProtocolBugs{
1331 MaxHandshakeRecordLength: 1,
1332 FragmentClientVersion: true,
1333 },
1334 },
Nick Harper1fd39d82016-06-14 18:14:35 -07001335 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -07001336 },
1337 {
Adam Langley7c803a62015-06-15 15:35:05 -07001338 testType: serverTest,
1339 name: "HttpGET",
1340 sendPrefix: "GET / HTTP/1.0\n",
1341 shouldFail: true,
1342 expectedError: ":HTTP_REQUEST:",
1343 },
1344 {
1345 testType: serverTest,
1346 name: "HttpPOST",
1347 sendPrefix: "POST / HTTP/1.0\n",
1348 shouldFail: true,
1349 expectedError: ":HTTP_REQUEST:",
1350 },
1351 {
1352 testType: serverTest,
1353 name: "HttpHEAD",
1354 sendPrefix: "HEAD / HTTP/1.0\n",
1355 shouldFail: true,
1356 expectedError: ":HTTP_REQUEST:",
1357 },
1358 {
1359 testType: serverTest,
1360 name: "HttpPUT",
1361 sendPrefix: "PUT / HTTP/1.0\n",
1362 shouldFail: true,
1363 expectedError: ":HTTP_REQUEST:",
1364 },
1365 {
1366 testType: serverTest,
1367 name: "HttpCONNECT",
1368 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1369 shouldFail: true,
1370 expectedError: ":HTTPS_PROXY_REQUEST:",
1371 },
1372 {
1373 testType: serverTest,
1374 name: "Garbage",
1375 sendPrefix: "blah",
1376 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -04001377 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -07001378 },
1379 {
Adam Langley7c803a62015-06-15 15:35:05 -07001380 name: "RSAEphemeralKey",
1381 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001382 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001383 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1384 Bugs: ProtocolBugs{
1385 RSAEphemeralKey: true,
1386 },
1387 },
1388 shouldFail: true,
1389 expectedError: ":UNEXPECTED_MESSAGE:",
1390 },
1391 {
1392 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -04001393 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -07001394 shouldFail: true,
1395 expectedError: ":WRONG_SSL_VERSION:",
1396 },
1397 {
1398 protocol: dtls,
1399 name: "DisableEverything-DTLS",
1400 flags: []string{"-no-tls12", "-no-tls1"},
1401 shouldFail: true,
1402 expectedError: ":WRONG_SSL_VERSION:",
1403 },
1404 {
Adam Langley7c803a62015-06-15 15:35:05 -07001405 protocol: dtls,
1406 testType: serverTest,
1407 name: "MTU",
1408 config: Config{
1409 Bugs: ProtocolBugs{
1410 MaxPacketLength: 256,
1411 },
1412 },
1413 flags: []string{"-mtu", "256"},
1414 },
1415 {
1416 protocol: dtls,
1417 testType: serverTest,
1418 name: "MTUExceeded",
1419 config: Config{
1420 Bugs: ProtocolBugs{
1421 MaxPacketLength: 255,
1422 },
1423 },
1424 flags: []string{"-mtu", "256"},
1425 shouldFail: true,
1426 expectedLocalError: "dtls: exceeded maximum packet length",
1427 },
1428 {
1429 name: "CertMismatchRSA",
1430 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001431 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001432 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07001433 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -07001434 Bugs: ProtocolBugs{
1435 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1436 },
1437 },
1438 shouldFail: true,
1439 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1440 },
1441 {
1442 name: "CertMismatchECDSA",
1443 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001444 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001445 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07001446 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -07001447 Bugs: ProtocolBugs{
1448 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1449 },
1450 },
1451 shouldFail: true,
1452 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1453 },
1454 {
1455 name: "EmptyCertificateList",
1456 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04001457 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001458 Bugs: ProtocolBugs{
1459 EmptyCertificateList: true,
1460 },
1461 },
1462 shouldFail: true,
1463 expectedError: ":DECODE_ERROR:",
1464 },
1465 {
David Benjamin9ec1c752016-07-14 12:45:01 -04001466 name: "EmptyCertificateList-TLS13",
1467 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04001468 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -04001469 Bugs: ProtocolBugs{
1470 EmptyCertificateList: true,
1471 },
1472 },
1473 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -04001474 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -04001475 },
1476 {
Adam Langley7c803a62015-06-15 15:35:05 -07001477 name: "TLSFatalBadPackets",
1478 damageFirstWrite: true,
1479 shouldFail: true,
1480 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1481 },
1482 {
1483 protocol: dtls,
1484 name: "DTLSIgnoreBadPackets",
1485 damageFirstWrite: true,
1486 },
1487 {
1488 protocol: dtls,
1489 name: "DTLSIgnoreBadPackets-Async",
1490 damageFirstWrite: true,
1491 flags: []string{"-async"},
1492 },
1493 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001494 name: "AppDataBeforeHandshake",
1495 config: Config{
1496 Bugs: ProtocolBugs{
1497 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1498 },
1499 },
1500 shouldFail: true,
1501 expectedError: ":UNEXPECTED_RECORD:",
1502 },
1503 {
1504 name: "AppDataBeforeHandshake-Empty",
1505 config: Config{
1506 Bugs: ProtocolBugs{
1507 AppDataBeforeHandshake: []byte{},
1508 },
1509 },
1510 shouldFail: true,
1511 expectedError: ":UNEXPECTED_RECORD:",
1512 },
1513 {
1514 protocol: dtls,
1515 name: "AppDataBeforeHandshake-DTLS",
1516 config: Config{
1517 Bugs: ProtocolBugs{
1518 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1519 },
1520 },
1521 shouldFail: true,
1522 expectedError: ":UNEXPECTED_RECORD:",
1523 },
1524 {
1525 protocol: dtls,
1526 name: "AppDataBeforeHandshake-DTLS-Empty",
1527 config: Config{
1528 Bugs: ProtocolBugs{
1529 AppDataBeforeHandshake: []byte{},
1530 },
1531 },
1532 shouldFail: true,
1533 expectedError: ":UNEXPECTED_RECORD:",
1534 },
1535 {
Adam Langley7c803a62015-06-15 15:35:05 -07001536 name: "AppDataAfterChangeCipherSpec",
1537 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001538 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001539 Bugs: ProtocolBugs{
1540 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1541 },
1542 },
1543 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001544 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001545 },
1546 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001547 name: "AppDataAfterChangeCipherSpec-Empty",
1548 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001549 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -04001550 Bugs: ProtocolBugs{
1551 AppDataAfterChangeCipherSpec: []byte{},
1552 },
1553 },
1554 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -05001555 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -04001556 },
1557 {
Adam Langley7c803a62015-06-15 15:35:05 -07001558 protocol: dtls,
1559 name: "AppDataAfterChangeCipherSpec-DTLS",
1560 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001561 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001562 Bugs: ProtocolBugs{
1563 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1564 },
1565 },
1566 // BoringSSL's DTLS implementation will drop the out-of-order
1567 // application data.
1568 },
1569 {
David Benjamin4cf369b2015-08-22 01:35:43 -04001570 protocol: dtls,
1571 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1572 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001573 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -04001574 Bugs: ProtocolBugs{
1575 AppDataAfterChangeCipherSpec: []byte{},
1576 },
1577 },
1578 // BoringSSL's DTLS implementation will drop the out-of-order
1579 // application data.
1580 },
1581 {
Adam Langley7c803a62015-06-15 15:35:05 -07001582 name: "AlertAfterChangeCipherSpec",
1583 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001584 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001585 Bugs: ProtocolBugs{
1586 AlertAfterChangeCipherSpec: alertRecordOverflow,
1587 },
1588 },
1589 shouldFail: true,
1590 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1591 },
1592 {
1593 protocol: dtls,
1594 name: "AlertAfterChangeCipherSpec-DTLS",
1595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001596 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001597 Bugs: ProtocolBugs{
1598 AlertAfterChangeCipherSpec: alertRecordOverflow,
1599 },
1600 },
1601 shouldFail: true,
1602 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1603 },
1604 {
1605 protocol: dtls,
1606 name: "ReorderHandshakeFragments-Small-DTLS",
1607 config: Config{
1608 Bugs: ProtocolBugs{
1609 ReorderHandshakeFragments: true,
1610 // Small enough that every handshake message is
1611 // fragmented.
1612 MaxHandshakeRecordLength: 2,
1613 },
1614 },
1615 },
1616 {
1617 protocol: dtls,
1618 name: "ReorderHandshakeFragments-Large-DTLS",
1619 config: Config{
1620 Bugs: ProtocolBugs{
1621 ReorderHandshakeFragments: true,
1622 // Large enough that no handshake message is
1623 // fragmented.
1624 MaxHandshakeRecordLength: 2048,
1625 },
1626 },
1627 },
1628 {
1629 protocol: dtls,
1630 name: "MixCompleteMessageWithFragments-DTLS",
1631 config: Config{
1632 Bugs: ProtocolBugs{
1633 ReorderHandshakeFragments: true,
1634 MixCompleteMessageWithFragments: true,
1635 MaxHandshakeRecordLength: 2,
1636 },
1637 },
1638 },
1639 {
1640 name: "SendInvalidRecordType",
1641 config: Config{
1642 Bugs: ProtocolBugs{
1643 SendInvalidRecordType: true,
1644 },
1645 },
1646 shouldFail: true,
1647 expectedError: ":UNEXPECTED_RECORD:",
1648 },
1649 {
1650 protocol: dtls,
1651 name: "SendInvalidRecordType-DTLS",
1652 config: Config{
1653 Bugs: ProtocolBugs{
1654 SendInvalidRecordType: true,
1655 },
1656 },
1657 shouldFail: true,
1658 expectedError: ":UNEXPECTED_RECORD:",
1659 },
1660 {
1661 name: "FalseStart-SkipServerSecondLeg",
1662 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001663 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001664 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1665 NextProtos: []string{"foo"},
1666 Bugs: ProtocolBugs{
1667 SkipNewSessionTicket: true,
1668 SkipChangeCipherSpec: true,
1669 SkipFinished: true,
1670 ExpectFalseStart: true,
1671 },
1672 },
1673 flags: []string{
1674 "-false-start",
1675 "-handshake-never-done",
1676 "-advertise-alpn", "\x03foo",
1677 },
1678 shimWritesFirst: true,
1679 shouldFail: true,
1680 expectedError: ":UNEXPECTED_RECORD:",
1681 },
1682 {
1683 name: "FalseStart-SkipServerSecondLeg-Implicit",
1684 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001685 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001686 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1687 NextProtos: []string{"foo"},
1688 Bugs: ProtocolBugs{
1689 SkipNewSessionTicket: true,
1690 SkipChangeCipherSpec: true,
1691 SkipFinished: true,
1692 },
1693 },
1694 flags: []string{
1695 "-implicit-handshake",
1696 "-false-start",
1697 "-handshake-never-done",
1698 "-advertise-alpn", "\x03foo",
1699 },
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 testType: serverTest,
1705 name: "FailEarlyCallback",
1706 flags: []string{"-fail-early-callback"},
1707 shouldFail: true,
1708 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -04001709 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -07001710 },
1711 {
Adam Langley7c803a62015-06-15 15:35:05 -07001712 protocol: dtls,
1713 name: "FragmentMessageTypeMismatch-DTLS",
1714 config: Config{
1715 Bugs: ProtocolBugs{
1716 MaxHandshakeRecordLength: 2,
1717 FragmentMessageTypeMismatch: true,
1718 },
1719 },
1720 shouldFail: true,
1721 expectedError: ":FRAGMENT_MISMATCH:",
1722 },
1723 {
1724 protocol: dtls,
1725 name: "FragmentMessageLengthMismatch-DTLS",
1726 config: Config{
1727 Bugs: ProtocolBugs{
1728 MaxHandshakeRecordLength: 2,
1729 FragmentMessageLengthMismatch: true,
1730 },
1731 },
1732 shouldFail: true,
1733 expectedError: ":FRAGMENT_MISMATCH:",
1734 },
1735 {
1736 protocol: dtls,
1737 name: "SplitFragments-Header-DTLS",
1738 config: Config{
1739 Bugs: ProtocolBugs{
1740 SplitFragments: 2,
1741 },
1742 },
1743 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001744 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001745 },
1746 {
1747 protocol: dtls,
1748 name: "SplitFragments-Boundary-DTLS",
1749 config: Config{
1750 Bugs: ProtocolBugs{
1751 SplitFragments: dtlsRecordHeaderLen,
1752 },
1753 },
1754 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001755 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001756 },
1757 {
1758 protocol: dtls,
1759 name: "SplitFragments-Body-DTLS",
1760 config: Config{
1761 Bugs: ProtocolBugs{
1762 SplitFragments: dtlsRecordHeaderLen + 1,
1763 },
1764 },
1765 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -04001766 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -07001767 },
1768 {
1769 protocol: dtls,
1770 name: "SendEmptyFragments-DTLS",
1771 config: Config{
1772 Bugs: ProtocolBugs{
1773 SendEmptyFragments: true,
1774 },
1775 },
1776 },
1777 {
David Benjaminbf82aed2016-03-01 22:57:40 -05001778 name: "BadFinished-Client",
1779 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001780 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -05001781 Bugs: ProtocolBugs{
1782 BadFinished: true,
1783 },
1784 },
1785 shouldFail: true,
1786 expectedError: ":DIGEST_CHECK_FAILED:",
1787 },
1788 {
Steven Valdez143e8b32016-07-11 13:19:03 -04001789 name: "BadFinished-Client-TLS13",
1790 config: Config{
1791 MaxVersion: VersionTLS13,
1792 Bugs: ProtocolBugs{
1793 BadFinished: true,
1794 },
1795 },
1796 shouldFail: true,
1797 expectedError: ":DIGEST_CHECK_FAILED:",
1798 },
1799 {
David Benjaminbf82aed2016-03-01 22:57:40 -05001800 testType: serverTest,
1801 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -07001802 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04001803 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001804 Bugs: ProtocolBugs{
1805 BadFinished: true,
1806 },
1807 },
1808 shouldFail: true,
1809 expectedError: ":DIGEST_CHECK_FAILED:",
1810 },
1811 {
Steven Valdez143e8b32016-07-11 13:19:03 -04001812 testType: serverTest,
1813 name: "BadFinished-Server-TLS13",
1814 config: Config{
1815 MaxVersion: VersionTLS13,
1816 Bugs: ProtocolBugs{
1817 BadFinished: true,
1818 },
1819 },
1820 shouldFail: true,
1821 expectedError: ":DIGEST_CHECK_FAILED:",
1822 },
1823 {
Adam Langley7c803a62015-06-15 15:35:05 -07001824 name: "FalseStart-BadFinished",
1825 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001826 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1828 NextProtos: []string{"foo"},
1829 Bugs: ProtocolBugs{
1830 BadFinished: true,
1831 ExpectFalseStart: true,
1832 },
1833 },
1834 flags: []string{
1835 "-false-start",
1836 "-handshake-never-done",
1837 "-advertise-alpn", "\x03foo",
1838 },
1839 shimWritesFirst: true,
1840 shouldFail: true,
1841 expectedError: ":DIGEST_CHECK_FAILED:",
1842 },
1843 {
1844 name: "NoFalseStart-NoALPN",
1845 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001846 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001847 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1848 Bugs: ProtocolBugs{
1849 ExpectFalseStart: true,
1850 AlertBeforeFalseStartTest: alertAccessDenied,
1851 },
1852 },
1853 flags: []string{
1854 "-false-start",
1855 },
1856 shimWritesFirst: true,
1857 shouldFail: true,
1858 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1859 expectedLocalError: "tls: peer did not false start: EOF",
1860 },
1861 {
1862 name: "NoFalseStart-NoAEAD",
1863 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001864 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001865 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1866 NextProtos: []string{"foo"},
1867 Bugs: ProtocolBugs{
1868 ExpectFalseStart: true,
1869 AlertBeforeFalseStartTest: alertAccessDenied,
1870 },
1871 },
1872 flags: []string{
1873 "-false-start",
1874 "-advertise-alpn", "\x03foo",
1875 },
1876 shimWritesFirst: true,
1877 shouldFail: true,
1878 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1879 expectedLocalError: "tls: peer did not false start: EOF",
1880 },
1881 {
1882 name: "NoFalseStart-RSA",
1883 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001884 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001885 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1886 NextProtos: []string{"foo"},
1887 Bugs: ProtocolBugs{
1888 ExpectFalseStart: true,
1889 AlertBeforeFalseStartTest: alertAccessDenied,
1890 },
1891 },
1892 flags: []string{
1893 "-false-start",
1894 "-advertise-alpn", "\x03foo",
1895 },
1896 shimWritesFirst: true,
1897 shouldFail: true,
1898 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1899 expectedLocalError: "tls: peer did not false start: EOF",
1900 },
1901 {
1902 name: "NoFalseStart-DHE_RSA",
1903 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07001904 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -07001905 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1906 NextProtos: []string{"foo"},
1907 Bugs: ProtocolBugs{
1908 ExpectFalseStart: true,
1909 AlertBeforeFalseStartTest: alertAccessDenied,
1910 },
1911 },
1912 flags: []string{
1913 "-false-start",
1914 "-advertise-alpn", "\x03foo",
1915 },
1916 shimWritesFirst: true,
1917 shouldFail: true,
1918 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1919 expectedLocalError: "tls: peer did not false start: EOF",
1920 },
1921 {
Adam Langley7c803a62015-06-15 15:35:05 -07001922 protocol: dtls,
1923 name: "SendSplitAlert-Sync",
1924 config: Config{
1925 Bugs: ProtocolBugs{
1926 SendSplitAlert: true,
1927 },
1928 },
1929 },
1930 {
1931 protocol: dtls,
1932 name: "SendSplitAlert-Async",
1933 config: Config{
1934 Bugs: ProtocolBugs{
1935 SendSplitAlert: true,
1936 },
1937 },
1938 flags: []string{"-async"},
1939 },
1940 {
1941 protocol: dtls,
1942 name: "PackDTLSHandshake",
1943 config: Config{
1944 Bugs: ProtocolBugs{
1945 MaxHandshakeRecordLength: 2,
1946 PackHandshakeFragments: 20,
1947 PackHandshakeRecords: 200,
1948 },
1949 },
1950 },
1951 {
Adam Langley7c803a62015-06-15 15:35:05 -07001952 name: "SendEmptyRecords-Pass",
1953 sendEmptyRecords: 32,
1954 },
1955 {
1956 name: "SendEmptyRecords",
1957 sendEmptyRecords: 33,
1958 shouldFail: true,
1959 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
1960 },
1961 {
1962 name: "SendEmptyRecords-Async",
1963 sendEmptyRecords: 33,
1964 flags: []string{"-async"},
1965 shouldFail: true,
1966 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
1967 },
1968 {
David Benjamine8e84b92016-08-03 15:39:47 -04001969 name: "SendWarningAlerts-Pass",
1970 config: Config{
1971 MaxVersion: VersionTLS12,
1972 },
Adam Langley7c803a62015-06-15 15:35:05 -07001973 sendWarningAlerts: 4,
1974 },
1975 {
David Benjamine8e84b92016-08-03 15:39:47 -04001976 protocol: dtls,
1977 name: "SendWarningAlerts-DTLS-Pass",
1978 config: Config{
1979 MaxVersion: VersionTLS12,
1980 },
Adam Langley7c803a62015-06-15 15:35:05 -07001981 sendWarningAlerts: 4,
1982 },
1983 {
David Benjamine8e84b92016-08-03 15:39:47 -04001984 name: "SendWarningAlerts-TLS13",
1985 config: Config{
1986 MaxVersion: VersionTLS13,
1987 },
1988 sendWarningAlerts: 4,
1989 shouldFail: true,
1990 expectedError: ":BAD_ALERT:",
1991 expectedLocalError: "remote error: error decoding message",
1992 },
1993 {
1994 name: "SendWarningAlerts",
1995 config: Config{
1996 MaxVersion: VersionTLS12,
1997 },
Adam Langley7c803a62015-06-15 15:35:05 -07001998 sendWarningAlerts: 5,
1999 shouldFail: true,
2000 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2001 },
2002 {
David Benjamine8e84b92016-08-03 15:39:47 -04002003 name: "SendWarningAlerts-Async",
2004 config: Config{
2005 MaxVersion: VersionTLS12,
2006 },
Adam Langley7c803a62015-06-15 15:35:05 -07002007 sendWarningAlerts: 5,
2008 flags: []string{"-async"},
2009 shouldFail: true,
2010 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2011 },
David Benjaminba4594a2015-06-18 18:36:15 -04002012 {
Steven Valdezc4aa7272016-10-03 12:25:56 -04002013 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -04002014 config: Config{
2015 MaxVersion: VersionTLS13,
2016 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04002017 sendKeyUpdates: 33,
2018 keyUpdateRequest: keyUpdateNotRequested,
2019 shouldFail: true,
2020 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -04002021 },
2022 {
David Benjaminba4594a2015-06-18 18:36:15 -04002023 name: "EmptySessionID",
2024 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002025 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -04002026 SessionTicketsDisabled: true,
2027 },
2028 noSessionCache: true,
2029 flags: []string{"-expect-no-session"},
2030 },
David Benjamin30789da2015-08-29 22:56:45 -04002031 {
2032 name: "Unclean-Shutdown",
2033 config: Config{
2034 Bugs: ProtocolBugs{
2035 NoCloseNotify: true,
2036 ExpectCloseNotify: true,
2037 },
2038 },
2039 shimShutsDown: true,
2040 flags: []string{"-check-close-notify"},
2041 shouldFail: true,
2042 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2043 },
2044 {
2045 name: "Unclean-Shutdown-Ignored",
2046 config: Config{
2047 Bugs: ProtocolBugs{
2048 NoCloseNotify: true,
2049 },
2050 },
2051 shimShutsDown: true,
2052 },
David Benjamin4f75aaf2015-09-01 16:53:10 -04002053 {
David Benjaminfa214e42016-05-10 17:03:10 -04002054 name: "Unclean-Shutdown-Alert",
2055 config: Config{
2056 Bugs: ProtocolBugs{
2057 SendAlertOnShutdown: alertDecompressionFailure,
2058 ExpectCloseNotify: true,
2059 },
2060 },
2061 shimShutsDown: true,
2062 flags: []string{"-check-close-notify"},
2063 shouldFail: true,
2064 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2065 },
2066 {
David Benjamin4f75aaf2015-09-01 16:53:10 -04002067 name: "LargePlaintext",
2068 config: Config{
2069 Bugs: ProtocolBugs{
2070 SendLargeRecords: true,
2071 },
2072 },
2073 messageLen: maxPlaintext + 1,
2074 shouldFail: true,
2075 expectedError: ":DATA_LENGTH_TOO_LONG:",
2076 },
2077 {
2078 protocol: dtls,
2079 name: "LargePlaintext-DTLS",
2080 config: Config{
2081 Bugs: ProtocolBugs{
2082 SendLargeRecords: true,
2083 },
2084 },
2085 messageLen: maxPlaintext + 1,
2086 shouldFail: true,
2087 expectedError: ":DATA_LENGTH_TOO_LONG:",
2088 },
2089 {
2090 name: "LargeCiphertext",
2091 config: Config{
2092 Bugs: ProtocolBugs{
2093 SendLargeRecords: true,
2094 },
2095 },
2096 messageLen: maxPlaintext * 2,
2097 shouldFail: true,
2098 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2099 },
2100 {
2101 protocol: dtls,
2102 name: "LargeCiphertext-DTLS",
2103 config: Config{
2104 Bugs: ProtocolBugs{
2105 SendLargeRecords: true,
2106 },
2107 },
2108 messageLen: maxPlaintext * 2,
2109 // Unlike the other four cases, DTLS drops records which
2110 // are invalid before authentication, so the connection
2111 // does not fail.
2112 expectMessageDropped: true,
2113 },
David Benjamindd6fed92015-10-23 17:41:12 -04002114 {
David Benjaminef5dfd22015-12-06 13:17:07 -05002115 name: "BadHelloRequest-1",
2116 renegotiate: 1,
2117 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002118 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -05002119 Bugs: ProtocolBugs{
2120 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2121 },
2122 },
2123 flags: []string{
2124 "-renegotiate-freely",
2125 "-expect-total-renegotiations", "1",
2126 },
2127 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -04002128 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -05002129 },
2130 {
2131 name: "BadHelloRequest-2",
2132 renegotiate: 1,
2133 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002134 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -05002135 Bugs: ProtocolBugs{
2136 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2137 },
2138 },
2139 flags: []string{
2140 "-renegotiate-freely",
2141 "-expect-total-renegotiations", "1",
2142 },
2143 shouldFail: true,
2144 expectedError: ":BAD_HELLO_REQUEST:",
2145 },
David Benjaminef1b0092015-11-21 14:05:44 -05002146 {
2147 testType: serverTest,
2148 name: "SupportTicketsWithSessionID",
2149 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002150 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -05002151 SessionTicketsDisabled: true,
2152 },
David Benjamin4c3ddf72016-06-29 18:13:53 -04002153 resumeConfig: &Config{
2154 MaxVersion: VersionTLS12,
2155 },
David Benjaminef1b0092015-11-21 14:05:44 -05002156 resumeSession: true,
2157 },
David Benjamin02edcd02016-07-27 17:40:37 -04002158 {
2159 protocol: dtls,
2160 name: "DTLS-SendExtraFinished",
2161 config: Config{
2162 Bugs: ProtocolBugs{
2163 SendExtraFinished: true,
2164 },
2165 },
2166 shouldFail: true,
2167 expectedError: ":UNEXPECTED_RECORD:",
2168 },
2169 {
2170 protocol: dtls,
2171 name: "DTLS-SendExtraFinished-Reordered",
2172 config: Config{
2173 Bugs: ProtocolBugs{
2174 MaxHandshakeRecordLength: 2,
2175 ReorderHandshakeFragments: true,
2176 SendExtraFinished: true,
2177 },
2178 },
2179 shouldFail: true,
2180 expectedError: ":UNEXPECTED_RECORD:",
2181 },
David Benjamine97fb482016-07-29 09:23:07 -04002182 {
2183 testType: serverTest,
2184 name: "V2ClientHello-EmptyRecordPrefix",
2185 config: Config{
2186 // Choose a cipher suite that does not involve
2187 // elliptic curves, so no extensions are
2188 // involved.
2189 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002190 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -04002191 Bugs: ProtocolBugs{
2192 SendV2ClientHello: true,
2193 },
2194 },
2195 sendPrefix: string([]byte{
2196 byte(recordTypeHandshake),
2197 3, 1, // version
2198 0, 0, // length
2199 }),
2200 // A no-op empty record may not be sent before V2ClientHello.
2201 shouldFail: true,
2202 expectedError: ":WRONG_VERSION_NUMBER:",
2203 },
2204 {
2205 testType: serverTest,
2206 name: "V2ClientHello-WarningAlertPrefix",
2207 config: Config{
2208 // Choose a cipher suite that does not involve
2209 // elliptic curves, so no extensions are
2210 // involved.
2211 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002212 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -04002213 Bugs: ProtocolBugs{
2214 SendV2ClientHello: true,
2215 },
2216 },
2217 sendPrefix: string([]byte{
2218 byte(recordTypeAlert),
2219 3, 1, // version
2220 0, 2, // length
2221 alertLevelWarning, byte(alertDecompressionFailure),
2222 }),
2223 // A no-op warning alert may not be sent before V2ClientHello.
2224 shouldFail: true,
2225 expectedError: ":WRONG_VERSION_NUMBER:",
2226 },
Steven Valdez1dc53d22016-07-26 12:27:38 -04002227 {
Steven Valdezc4aa7272016-10-03 12:25:56 -04002228 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -04002229 config: Config{
2230 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -04002231 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04002232 sendKeyUpdates: 1,
2233 keyUpdateRequest: keyUpdateNotRequested,
2234 },
2235 {
2236 name: "KeyUpdate-InvalidRequestMode",
2237 config: Config{
2238 MaxVersion: VersionTLS13,
2239 },
2240 sendKeyUpdates: 1,
2241 keyUpdateRequest: 42,
2242 shouldFail: true,
2243 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -04002244 },
David Benjaminabe94e32016-09-04 14:18:58 -04002245 {
2246 name: "SendSNIWarningAlert",
2247 config: Config{
2248 MaxVersion: VersionTLS12,
2249 Bugs: ProtocolBugs{
2250 SendSNIWarningAlert: true,
2251 },
2252 },
2253 },
David Benjaminc241d792016-09-09 10:34:20 -04002254 {
2255 testType: serverTest,
2256 name: "ExtraCompressionMethods-TLS12",
2257 config: Config{
2258 MaxVersion: VersionTLS12,
2259 Bugs: ProtocolBugs{
2260 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2261 },
2262 },
2263 },
2264 {
2265 testType: serverTest,
2266 name: "ExtraCompressionMethods-TLS13",
2267 config: Config{
2268 MaxVersion: VersionTLS13,
2269 Bugs: ProtocolBugs{
2270 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2271 },
2272 },
2273 shouldFail: true,
2274 expectedError: ":INVALID_COMPRESSION_LIST:",
2275 expectedLocalError: "remote error: illegal parameter",
2276 },
2277 {
2278 testType: serverTest,
2279 name: "NoNullCompression-TLS12",
2280 config: Config{
2281 MaxVersion: VersionTLS12,
2282 Bugs: ProtocolBugs{
2283 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2284 },
2285 },
2286 shouldFail: true,
2287 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2288 expectedLocalError: "remote error: illegal parameter",
2289 },
2290 {
2291 testType: serverTest,
2292 name: "NoNullCompression-TLS13",
2293 config: Config{
2294 MaxVersion: VersionTLS13,
2295 Bugs: ProtocolBugs{
2296 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2297 },
2298 },
2299 shouldFail: true,
2300 expectedError: ":INVALID_COMPRESSION_LIST:",
2301 expectedLocalError: "remote error: illegal parameter",
2302 },
David Benjamin65ac9972016-09-02 21:35:25 -04002303 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -04002304 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -04002305 config: Config{
2306 MaxVersion: VersionTLS12,
2307 Bugs: ProtocolBugs{
2308 ExpectGREASE: true,
2309 },
2310 },
2311 flags: []string{"-enable-grease"},
2312 },
2313 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -04002314 name: "GREASE-Client-TLS13",
2315 config: Config{
2316 MaxVersion: VersionTLS13,
2317 Bugs: ProtocolBugs{
2318 ExpectGREASE: true,
2319 },
2320 },
2321 flags: []string{"-enable-grease"},
2322 },
2323 {
2324 testType: serverTest,
2325 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -04002326 config: Config{
2327 MaxVersion: VersionTLS13,
2328 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -04002329 // TLS 1.3 servers are expected to
2330 // always enable GREASE. TLS 1.3 is new,
2331 // so there is no existing ecosystem to
2332 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -04002333 ExpectGREASE: true,
2334 },
2335 },
David Benjamin65ac9972016-09-02 21:35:25 -04002336 },
Adam Langley7c803a62015-06-15 15:35:05 -07002337 }
Adam Langley7c803a62015-06-15 15:35:05 -07002338 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -04002339
2340 // Test that very large messages can be received.
2341 cert := rsaCertificate
2342 for i := 0; i < 50; i++ {
2343 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2344 }
2345 testCases = append(testCases, testCase{
2346 name: "LargeMessage",
2347 config: Config{
2348 Certificates: []Certificate{cert},
2349 },
2350 })
2351 testCases = append(testCases, testCase{
2352 protocol: dtls,
2353 name: "LargeMessage-DTLS",
2354 config: Config{
2355 Certificates: []Certificate{cert},
2356 },
2357 })
2358
2359 // They are rejected if the maximum certificate chain length is capped.
2360 testCases = append(testCases, testCase{
2361 name: "LargeMessage-Reject",
2362 config: Config{
2363 Certificates: []Certificate{cert},
2364 },
2365 flags: []string{"-max-cert-list", "16384"},
2366 shouldFail: true,
2367 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2368 })
2369 testCases = append(testCases, testCase{
2370 protocol: dtls,
2371 name: "LargeMessage-Reject-DTLS",
2372 config: Config{
2373 Certificates: []Certificate{cert},
2374 },
2375 flags: []string{"-max-cert-list", "16384"},
2376 shouldFail: true,
2377 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2378 })
Adam Langley7c803a62015-06-15 15:35:05 -07002379}
2380
Adam Langley95c29f32014-06-20 12:00:00 -07002381func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +02002382 const bogusCipher = 0xfe00
2383
Adam Langley95c29f32014-06-20 12:00:00 -07002384 for _, suite := range testCipherSuites {
David Benjamin48cae082014-10-27 01:06:24 -04002385 const psk = "12345"
2386 const pskIdentity = "luggage combo"
2387
Adam Langley95c29f32014-06-20 12:00:00 -07002388 var cert Certificate
David Benjamin025b3d32014-07-01 19:53:04 -04002389 var certFile string
2390 var keyFile string
David Benjamin8b8c0062014-11-23 02:47:52 -05002391 if hasComponent(suite.name, "ECDSA") {
David Benjamin33863262016-07-08 17:20:12 -07002392 cert = ecdsaP256Certificate
2393 certFile = ecdsaP256CertificateFile
2394 keyFile = ecdsaP256KeyFile
Adam Langley95c29f32014-06-20 12:00:00 -07002395 } else {
David Benjamin33863262016-07-08 17:20:12 -07002396 cert = rsaCertificate
David Benjamin025b3d32014-07-01 19:53:04 -04002397 certFile = rsaCertificateFile
2398 keyFile = rsaKeyFile
Adam Langley95c29f32014-06-20 12:00:00 -07002399 }
2400
David Benjamin48cae082014-10-27 01:06:24 -04002401 var flags []string
David Benjamin8b8c0062014-11-23 02:47:52 -05002402 if hasComponent(suite.name, "PSK") {
David Benjamin48cae082014-10-27 01:06:24 -04002403 flags = append(flags,
2404 "-psk", psk,
2405 "-psk-identity", pskIdentity)
2406 }
Matt Braithwaiteaf096752015-09-02 19:48:16 -07002407 if hasComponent(suite.name, "NULL") {
2408 // NULL ciphers must be explicitly enabled.
2409 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2410 }
Matt Braithwaite053931e2016-05-25 12:06:05 -07002411 if hasComponent(suite.name, "CECPQ1") {
2412 // CECPQ1 ciphers must be explicitly enabled.
2413 flags = append(flags, "-cipher", "DEFAULT:kCECPQ1")
2414 }
David Benjamin881f1962016-08-10 18:29:12 -04002415 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2416 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2417 // for now.
2418 flags = append(flags, "-cipher", suite.name)
2419 }
David Benjamin48cae082014-10-27 01:06:24 -04002420
Adam Langley95c29f32014-06-20 12:00:00 -07002421 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -04002422 for _, protocol := range []protocol{tls, dtls} {
2423 var prefix string
2424 if protocol == dtls {
2425 if !ver.hasDTLS {
2426 continue
2427 }
2428 prefix = "D"
2429 }
Adam Langley95c29f32014-06-20 12:00:00 -07002430
David Benjamin0407e762016-06-17 16:41:18 -04002431 var shouldServerFail, shouldClientFail bool
2432 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2433 // BoringSSL clients accept ECDHE on SSLv3, but
2434 // a BoringSSL server will never select it
2435 // because the extension is missing.
2436 shouldServerFail = true
2437 }
2438 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2439 shouldClientFail = true
2440 shouldServerFail = true
2441 }
David Benjamin54c217c2016-07-13 12:35:25 -04002442 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
Nick Harper1fd39d82016-06-14 18:14:35 -07002443 shouldClientFail = true
2444 shouldServerFail = true
2445 }
Steven Valdez803c77a2016-09-06 14:13:43 -04002446 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2447 shouldClientFail = true
2448 shouldServerFail = true
2449 }
David Benjamin0407e762016-06-17 16:41:18 -04002450 if !isDTLSCipher(suite.name) && protocol == dtls {
2451 shouldClientFail = true
2452 shouldServerFail = true
2453 }
David Benjamin4298d772015-12-19 00:18:25 -05002454
David Benjamin5ecb88b2016-10-04 17:51:35 -04002455 var sendCipherSuite uint16
David Benjamin0407e762016-06-17 16:41:18 -04002456 var expectedServerError, expectedClientError string
David Benjamin5ecb88b2016-10-04 17:51:35 -04002457 serverCipherSuites := []uint16{suite.id}
David Benjamin0407e762016-06-17 16:41:18 -04002458 if shouldServerFail {
2459 expectedServerError = ":NO_SHARED_CIPHER:"
2460 }
2461 if shouldClientFail {
2462 expectedClientError = ":WRONG_CIPHER_RETURNED:"
David Benjamin5ecb88b2016-10-04 17:51:35 -04002463 // Configure the server to select ciphers as normal but
2464 // select an incompatible cipher in ServerHello.
2465 serverCipherSuites = nil
2466 sendCipherSuite = suite.id
David Benjamin0407e762016-06-17 16:41:18 -04002467 }
David Benjamin025b3d32014-07-01 19:53:04 -04002468
David Benjamin6fd297b2014-08-11 18:43:38 -04002469 testCases = append(testCases, testCase{
2470 testType: serverTest,
David Benjamin0407e762016-06-17 16:41:18 -04002471 protocol: protocol,
2472
2473 name: prefix + ver.name + "-" + suite.name + "-server",
David Benjamin6fd297b2014-08-11 18:43:38 -04002474 config: Config{
David Benjamin48cae082014-10-27 01:06:24 -04002475 MinVersion: ver.version,
2476 MaxVersion: ver.version,
2477 CipherSuites: []uint16{suite.id},
2478 Certificates: []Certificate{cert},
2479 PreSharedKey: []byte(psk),
2480 PreSharedKeyIdentity: pskIdentity,
David Benjamin0407e762016-06-17 16:41:18 -04002481 Bugs: ProtocolBugs{
David Benjamin5ecb88b2016-10-04 17:51:35 -04002482 AdvertiseAllConfiguredCiphers: true,
David Benjamin0407e762016-06-17 16:41:18 -04002483 },
David Benjamin6fd297b2014-08-11 18:43:38 -04002484 },
2485 certFile: certFile,
2486 keyFile: keyFile,
David Benjamin48cae082014-10-27 01:06:24 -04002487 flags: flags,
Steven Valdez4aa154e2016-07-29 14:32:55 -04002488 resumeSession: true,
David Benjamin0407e762016-06-17 16:41:18 -04002489 shouldFail: shouldServerFail,
2490 expectedError: expectedServerError,
2491 })
2492
2493 testCases = append(testCases, testCase{
2494 testType: clientTest,
2495 protocol: protocol,
2496 name: prefix + ver.name + "-" + suite.name + "-client",
2497 config: Config{
2498 MinVersion: ver.version,
2499 MaxVersion: ver.version,
David Benjamin5ecb88b2016-10-04 17:51:35 -04002500 CipherSuites: serverCipherSuites,
David Benjamin0407e762016-06-17 16:41:18 -04002501 Certificates: []Certificate{cert},
2502 PreSharedKey: []byte(psk),
2503 PreSharedKeyIdentity: pskIdentity,
2504 Bugs: ProtocolBugs{
David Benjamin9acf0ca2016-06-25 00:01:28 -04002505 IgnorePeerCipherPreferences: shouldClientFail,
David Benjamin5ecb88b2016-10-04 17:51:35 -04002506 SendCipherSuite: sendCipherSuite,
David Benjamin0407e762016-06-17 16:41:18 -04002507 },
2508 },
2509 flags: flags,
Steven Valdez4aa154e2016-07-29 14:32:55 -04002510 resumeSession: true,
David Benjamin0407e762016-06-17 16:41:18 -04002511 shouldFail: shouldClientFail,
2512 expectedError: expectedClientError,
David Benjamin6fd297b2014-08-11 18:43:38 -04002513 })
David Benjamin2c99d282015-09-01 10:23:00 -04002514
Nick Harper1fd39d82016-06-14 18:14:35 -07002515 if !shouldClientFail {
2516 // Ensure the maximum record size is accepted.
2517 testCases = append(testCases, testCase{
David Benjamin231a4752016-11-10 10:46:00 -05002518 protocol: protocol,
2519 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
Nick Harper1fd39d82016-06-14 18:14:35 -07002520 config: Config{
2521 MinVersion: ver.version,
2522 MaxVersion: ver.version,
2523 CipherSuites: []uint16{suite.id},
2524 Certificates: []Certificate{cert},
2525 PreSharedKey: []byte(psk),
2526 PreSharedKeyIdentity: pskIdentity,
2527 },
2528 flags: flags,
2529 messageLen: maxPlaintext,
2530 })
David Benjamin231a4752016-11-10 10:46:00 -05002531
2532 // Test bad records for all ciphers. Bad records are fatal in TLS
2533 // and ignored in DTLS.
2534 var shouldFail bool
2535 var expectedError string
2536 if protocol == tls {
2537 shouldFail = true
2538 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2539 }
2540
2541 testCases = append(testCases, testCase{
2542 protocol: protocol,
2543 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2544 config: Config{
2545 MinVersion: ver.version,
2546 MaxVersion: ver.version,
2547 CipherSuites: []uint16{suite.id},
2548 Certificates: []Certificate{cert},
2549 PreSharedKey: []byte(psk),
2550 PreSharedKeyIdentity: pskIdentity,
2551 },
2552 flags: flags,
2553 damageFirstWrite: true,
2554 messageLen: maxPlaintext,
2555 shouldFail: shouldFail,
2556 expectedError: expectedError,
2557 })
Nick Harper1fd39d82016-06-14 18:14:35 -07002558 }
2559 }
David Benjamin2c99d282015-09-01 10:23:00 -04002560 }
Adam Langley95c29f32014-06-20 12:00:00 -07002561 }
Adam Langleya7997f12015-05-14 17:38:50 -07002562
2563 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002564 name: "NoSharedCipher",
2565 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002566 MaxVersion: VersionTLS12,
2567 CipherSuites: []uint16{},
2568 },
2569 shouldFail: true,
2570 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2571 })
2572
2573 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04002574 name: "NoSharedCipher-TLS13",
2575 config: Config{
2576 MaxVersion: VersionTLS13,
2577 CipherSuites: []uint16{},
2578 },
2579 shouldFail: true,
2580 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2581 })
2582
2583 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04002584 name: "UnsupportedCipherSuite",
2585 config: Config{
2586 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -07002587 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -04002588 Bugs: ProtocolBugs{
2589 IgnorePeerCipherPreferences: true,
2590 },
2591 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -07002592 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -04002593 shouldFail: true,
2594 expectedError: ":WRONG_CIPHER_RETURNED:",
2595 })
2596
2597 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +02002598 name: "ServerHelloBogusCipher",
2599 config: Config{
2600 MaxVersion: VersionTLS12,
2601 Bugs: ProtocolBugs{
2602 SendCipherSuite: bogusCipher,
2603 },
2604 },
2605 shouldFail: true,
2606 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2607 })
2608 testCases = append(testCases, testCase{
2609 name: "ServerHelloBogusCipher-TLS13",
2610 config: Config{
2611 MaxVersion: VersionTLS13,
2612 Bugs: ProtocolBugs{
2613 SendCipherSuite: bogusCipher,
2614 },
2615 },
2616 shouldFail: true,
2617 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2618 })
2619
2620 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -07002621 name: "WeakDH",
2622 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002623 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -07002624 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2625 Bugs: ProtocolBugs{
2626 // This is a 1023-bit prime number, generated
2627 // with:
2628 // openssl gendh 1023 | openssl asn1parse -i
2629 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2630 },
2631 },
2632 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -08002633 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -07002634 })
Adam Langleycef75832015-09-03 14:51:12 -07002635
David Benjamincd24a392015-11-11 13:23:05 -08002636 testCases = append(testCases, testCase{
2637 name: "SillyDH",
2638 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002639 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -08002640 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2641 Bugs: ProtocolBugs{
2642 // This is a 4097-bit prime number, generated
2643 // with:
2644 // openssl gendh 4097 | openssl asn1parse -i
2645 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2646 },
2647 },
2648 shouldFail: true,
2649 expectedError: ":DH_P_TOO_LONG:",
2650 })
2651
Adam Langleyc4f25ce2015-11-26 16:39:08 -08002652 // This test ensures that Diffie-Hellman public values are padded with
2653 // zeros so that they're the same length as the prime. This is to avoid
2654 // hitting a bug in yaSSL.
2655 testCases = append(testCases, testCase{
2656 testType: serverTest,
2657 name: "DHPublicValuePadded",
2658 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002659 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -08002660 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2661 Bugs: ProtocolBugs{
2662 RequireDHPublicValueLen: (1025 + 7) / 8,
2663 },
2664 },
2665 flags: []string{"-use-sparse-dh-prime"},
2666 })
David Benjamincd24a392015-11-11 13:23:05 -08002667
David Benjamin241ae832016-01-15 03:04:54 -05002668 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -05002669 testCases = append(testCases, testCase{
2670 testType: serverTest,
2671 name: "UnknownCipher",
2672 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04002673 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -05002674 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -04002675 Bugs: ProtocolBugs{
2676 AdvertiseAllConfiguredCiphers: true,
2677 },
2678 },
2679 })
Steven Valdez803c77a2016-09-06 14:13:43 -04002680
2681 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -04002682 testCases = append(testCases, testCase{
2683 testType: serverTest,
2684 name: "UnknownCipher-TLS13",
2685 config: Config{
2686 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04002687 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -04002688 Bugs: ProtocolBugs{
2689 AdvertiseAllConfiguredCiphers: true,
2690 },
David Benjamin241ae832016-01-15 03:04:54 -05002691 },
2692 })
2693
David Benjamin78679342016-09-16 19:42:05 -04002694 // Test empty ECDHE_PSK identity hints work as expected.
2695 testCases = append(testCases, testCase{
2696 name: "EmptyECDHEPSKHint",
2697 config: Config{
2698 MaxVersion: VersionTLS12,
2699 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2700 PreSharedKey: []byte("secret"),
2701 },
2702 flags: []string{"-psk", "secret"},
2703 })
2704
2705 // Test empty PSK identity hints work as expected, even if an explicit
2706 // ServerKeyExchange is sent.
2707 testCases = append(testCases, testCase{
2708 name: "ExplicitEmptyPSKHint",
2709 config: Config{
2710 MaxVersion: VersionTLS12,
2711 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2712 PreSharedKey: []byte("secret"),
2713 Bugs: ProtocolBugs{
2714 AlwaysSendPreSharedKeyIdentityHint: true,
2715 },
2716 },
2717 flags: []string{"-psk", "secret"},
2718 })
2719
Adam Langleycef75832015-09-03 14:51:12 -07002720 // versionSpecificCiphersTest specifies a test for the TLS 1.0 and TLS
2721 // 1.1 specific cipher suite settings. A server is setup with the given
2722 // cipher lists and then a connection is made for each member of
2723 // expectations. The cipher suite that the server selects must match
2724 // the specified one.
2725 var versionSpecificCiphersTest = []struct {
2726 ciphersDefault, ciphersTLS10, ciphersTLS11 string
2727 // expectations is a map from TLS version to cipher suite id.
2728 expectations map[uint16]uint16
2729 }{
2730 {
2731 // Test that the null case (where no version-specific ciphers are set)
2732 // works as expected.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002733 "DES-CBC3-SHA:AES128-SHA", // default ciphers
2734 "", // no ciphers specifically for TLS ≥ 1.0
2735 "", // no ciphers specifically for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002736 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002737 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2738 VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2739 VersionTLS11: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2740 VersionTLS12: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002741 },
2742 },
2743 {
2744 // With ciphers_tls10 set, TLS 1.0, 1.1 and 1.2 should get a different
2745 // cipher.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002746 "DES-CBC3-SHA:AES128-SHA", // default
2747 "AES128-SHA", // these ciphers for TLS ≥ 1.0
2748 "", // no ciphers specifically for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002749 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002750 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002751 VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
2752 VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
2753 VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
2754 },
2755 },
2756 {
2757 // With ciphers_tls11 set, TLS 1.1 and 1.2 should get a different
2758 // cipher.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002759 "DES-CBC3-SHA:AES128-SHA", // default
2760 "", // no ciphers specifically for TLS ≥ 1.0
2761 "AES128-SHA", // these ciphers for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002762 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002763 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
2764 VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002765 VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
2766 VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
2767 },
2768 },
2769 {
2770 // With both ciphers_tls10 and ciphers_tls11 set, ciphers_tls11 should
2771 // mask ciphers_tls10 for TLS 1.1 and 1.2.
Matt Braithwaite07e78062016-08-21 14:50:43 -07002772 "DES-CBC3-SHA:AES128-SHA", // default
2773 "AES128-SHA", // these ciphers for TLS ≥ 1.0
2774 "AES256-SHA", // these ciphers for TLS ≥ 1.1
Adam Langleycef75832015-09-03 14:51:12 -07002775 map[uint16]uint16{
Matt Braithwaite07e78062016-08-21 14:50:43 -07002776 VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
Adam Langleycef75832015-09-03 14:51:12 -07002777 VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
2778 VersionTLS11: TLS_RSA_WITH_AES_256_CBC_SHA,
2779 VersionTLS12: TLS_RSA_WITH_AES_256_CBC_SHA,
2780 },
2781 },
2782 }
2783
2784 for i, test := range versionSpecificCiphersTest {
2785 for version, expectedCipherSuite := range test.expectations {
2786 flags := []string{"-cipher", test.ciphersDefault}
2787 if len(test.ciphersTLS10) > 0 {
2788 flags = append(flags, "-cipher-tls10", test.ciphersTLS10)
2789 }
2790 if len(test.ciphersTLS11) > 0 {
2791 flags = append(flags, "-cipher-tls11", test.ciphersTLS11)
2792 }
2793
2794 testCases = append(testCases, testCase{
2795 testType: serverTest,
2796 name: fmt.Sprintf("VersionSpecificCiphersTest-%d-%x", i, version),
2797 config: Config{
2798 MaxVersion: version,
2799 MinVersion: version,
Matt Braithwaite07e78062016-08-21 14:50:43 -07002800 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA},
Adam Langleycef75832015-09-03 14:51:12 -07002801 },
2802 flags: flags,
2803 expectedCipher: expectedCipherSuite,
2804 })
2805 }
2806 }
Adam Langley95c29f32014-06-20 12:00:00 -07002807}
2808
2809func addBadECDSASignatureTests() {
2810 for badR := BadValue(1); badR < NumBadValues; badR++ {
2811 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -04002812 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -07002813 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2814 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04002815 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -07002816 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07002817 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -07002818 Bugs: ProtocolBugs{
2819 BadECDSAR: badR,
2820 BadECDSAS: badS,
2821 },
2822 },
2823 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002824 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -07002825 })
Steven Valdez803c77a2016-09-06 14:13:43 -04002826 testCases = append(testCases, testCase{
2827 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2828 config: Config{
2829 MaxVersion: VersionTLS13,
2830 Certificates: []Certificate{ecdsaP256Certificate},
2831 Bugs: ProtocolBugs{
2832 BadECDSAR: badR,
2833 BadECDSAS: badS,
2834 },
2835 },
2836 shouldFail: true,
2837 expectedError: ":BAD_SIGNATURE:",
2838 })
Adam Langley95c29f32014-06-20 12:00:00 -07002839 }
2840 }
2841}
2842
Adam Langley80842bd2014-06-20 12:00:00 -07002843func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -04002844 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002845 name: "MaxCBCPadding",
2846 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002847 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002848 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2849 Bugs: ProtocolBugs{
2850 MaxPadding: true,
2851 },
2852 },
2853 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2854 })
David Benjamin025b3d32014-07-01 19:53:04 -04002855 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002856 name: "BadCBCPadding",
2857 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002858 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002859 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2860 Bugs: ProtocolBugs{
2861 PaddingFirstByteBad: true,
2862 },
2863 },
2864 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002865 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -07002866 })
2867 // OpenSSL previously had an issue where the first byte of padding in
2868 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -04002869 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -07002870 name: "BadCBCPadding255",
2871 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07002872 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -07002873 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2874 Bugs: ProtocolBugs{
2875 MaxPadding: true,
2876 PaddingFirstByteBadIf255: true,
2877 },
2878 },
2879 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2880 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -05002881 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -07002882 })
2883}
2884
Kenny Root7fdeaf12014-08-05 15:23:37 -07002885func addCBCSplittingTests() {
2886 testCases = append(testCases, testCase{
2887 name: "CBCRecordSplitting",
2888 config: Config{
2889 MaxVersion: VersionTLS10,
2890 MinVersion: VersionTLS10,
2891 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2892 },
David Benjaminac8302a2015-09-01 17:18:15 -04002893 messageLen: -1, // read until EOF
2894 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -07002895 flags: []string{
2896 "-async",
2897 "-write-different-record-sizes",
2898 "-cbc-record-splitting",
2899 },
David Benjamina8e3e0e2014-08-06 22:11:10 -04002900 })
2901 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -07002902 name: "CBCRecordSplittingPartialWrite",
2903 config: Config{
2904 MaxVersion: VersionTLS10,
2905 MinVersion: VersionTLS10,
2906 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2907 },
2908 messageLen: -1, // read until EOF
2909 flags: []string{
2910 "-async",
2911 "-write-different-record-sizes",
2912 "-cbc-record-splitting",
2913 "-partial-write",
2914 },
2915 })
2916}
2917
David Benjamin636293b2014-07-08 17:59:18 -04002918func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -04002919 // Add a dummy cert pool to stress certificate authority parsing.
2920 // TODO(davidben): Add tests that those values parse out correctly.
2921 certPool := x509.NewCertPool()
2922 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2923 if err != nil {
2924 panic(err)
2925 }
2926 certPool.AddCert(cert)
2927
David Benjamin636293b2014-07-08 17:59:18 -04002928 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -04002929 testCases = append(testCases, testCase{
2930 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -04002931 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -04002932 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -04002933 MinVersion: ver.version,
2934 MaxVersion: ver.version,
2935 ClientAuth: RequireAnyClientCert,
2936 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -04002937 },
2938 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07002939 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2940 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -04002941 },
2942 })
2943 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -04002944 testType: serverTest,
2945 name: ver.name + "-Server-ClientAuth-RSA",
2946 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -04002947 MinVersion: ver.version,
2948 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -04002949 Certificates: []Certificate{rsaCertificate},
2950 },
2951 flags: []string{"-require-any-client-certificate"},
2952 })
David Benjamine098ec22014-08-27 23:13:20 -04002953 if ver.version != VersionSSL30 {
2954 testCases = append(testCases, testCase{
2955 testType: serverTest,
2956 name: ver.name + "-Server-ClientAuth-ECDSA",
2957 config: Config{
2958 MinVersion: ver.version,
2959 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -07002960 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -04002961 },
2962 flags: []string{"-require-any-client-certificate"},
2963 })
2964 testCases = append(testCases, testCase{
2965 testType: clientTest,
2966 name: ver.name + "-Client-ClientAuth-ECDSA",
2967 config: Config{
2968 MinVersion: ver.version,
2969 MaxVersion: ver.version,
2970 ClientAuth: RequireAnyClientCert,
2971 ClientCAs: certPool,
2972 },
2973 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07002974 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2975 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -04002976 },
2977 })
2978 }
Adam Langley37646832016-08-01 16:16:46 -07002979
2980 testCases = append(testCases, testCase{
2981 name: "NoClientCertificate-" + ver.name,
2982 config: Config{
2983 MinVersion: ver.version,
2984 MaxVersion: ver.version,
2985 ClientAuth: RequireAnyClientCert,
2986 },
2987 shouldFail: true,
2988 expectedLocalError: "client didn't provide a certificate",
2989 })
2990
2991 testCases = append(testCases, testCase{
2992 // Even if not configured to expect a certificate, OpenSSL will
2993 // return X509_V_OK as the verify_result.
2994 testType: serverTest,
2995 name: "NoClientCertificateRequested-Server-" + ver.name,
2996 config: Config{
2997 MinVersion: ver.version,
2998 MaxVersion: ver.version,
2999 },
3000 flags: []string{
3001 "-expect-verify-result",
3002 },
David Benjamin5d9ba812016-10-07 20:51:20 -04003003 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -07003004 })
3005
3006 testCases = append(testCases, testCase{
3007 // If a client certificate is not provided, OpenSSL will still
3008 // return X509_V_OK as the verify_result.
3009 testType: serverTest,
3010 name: "NoClientCertificate-Server-" + ver.name,
3011 config: Config{
3012 MinVersion: ver.version,
3013 MaxVersion: ver.version,
3014 },
3015 flags: []string{
3016 "-expect-verify-result",
3017 "-verify-peer",
3018 },
David Benjamin5d9ba812016-10-07 20:51:20 -04003019 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -07003020 })
3021
David Benjamin1db9e1b2016-10-07 20:51:43 -04003022 certificateRequired := "remote error: certificate required"
3023 if ver.version < VersionTLS13 {
3024 // Prior to TLS 1.3, the generic handshake_failure alert
3025 // was used.
3026 certificateRequired = "remote error: handshake failure"
3027 }
Adam Langley37646832016-08-01 16:16:46 -07003028 testCases = append(testCases, testCase{
3029 testType: serverTest,
3030 name: "RequireAnyClientCertificate-" + ver.name,
3031 config: Config{
3032 MinVersion: ver.version,
3033 MaxVersion: ver.version,
3034 },
David Benjamin1db9e1b2016-10-07 20:51:43 -04003035 flags: []string{"-require-any-client-certificate"},
3036 shouldFail: true,
3037 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3038 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -07003039 })
3040
3041 if ver.version != VersionSSL30 {
3042 testCases = append(testCases, testCase{
3043 testType: serverTest,
3044 name: "SkipClientCertificate-" + ver.name,
3045 config: Config{
3046 MinVersion: ver.version,
3047 MaxVersion: ver.version,
3048 Bugs: ProtocolBugs{
3049 SkipClientCertificate: true,
3050 },
3051 },
3052 // Setting SSL_VERIFY_PEER allows anonymous clients.
3053 flags: []string{"-verify-peer"},
3054 shouldFail: true,
3055 expectedError: ":UNEXPECTED_MESSAGE:",
3056 })
3057 }
David Benjamin636293b2014-07-08 17:59:18 -04003058 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003059
David Benjaminc032dfa2016-05-12 14:54:57 -04003060 // Client auth is only legal in certificate-based ciphers.
3061 testCases = append(testCases, testCase{
3062 testType: clientTest,
3063 name: "ClientAuth-PSK",
3064 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003065 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -04003066 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3067 PreSharedKey: []byte("secret"),
3068 ClientAuth: RequireAnyClientCert,
3069 },
3070 flags: []string{
3071 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3072 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3073 "-psk", "secret",
3074 },
3075 shouldFail: true,
3076 expectedError: ":UNEXPECTED_MESSAGE:",
3077 })
3078 testCases = append(testCases, testCase{
3079 testType: clientTest,
3080 name: "ClientAuth-ECDHE_PSK",
3081 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003082 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -04003083 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3084 PreSharedKey: []byte("secret"),
3085 ClientAuth: RequireAnyClientCert,
3086 },
3087 flags: []string{
3088 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3089 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3090 "-psk", "secret",
3091 },
3092 shouldFail: true,
3093 expectedError: ":UNEXPECTED_MESSAGE:",
3094 })
David Benjamin2f8935d2016-07-13 19:47:39 -04003095
3096 // Regression test for a bug where the client CA list, if explicitly
3097 // set to NULL, was mis-encoded.
3098 testCases = append(testCases, testCase{
3099 testType: serverTest,
3100 name: "Null-Client-CA-List",
3101 config: Config{
3102 MaxVersion: VersionTLS12,
3103 Certificates: []Certificate{rsaCertificate},
3104 },
3105 flags: []string{
3106 "-require-any-client-certificate",
3107 "-use-null-client-ca-list",
3108 },
3109 })
David Benjamin636293b2014-07-08 17:59:18 -04003110}
3111
Adam Langley75712922014-10-10 16:23:43 -07003112func addExtendedMasterSecretTests() {
3113 const expectEMSFlag = "-expect-extended-master-secret"
3114
3115 for _, with := range []bool{false, true} {
3116 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -07003117 if with {
3118 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -07003119 }
3120
3121 for _, isClient := range []bool{false, true} {
3122 suffix := "-Server"
3123 testType := serverTest
3124 if isClient {
3125 suffix = "-Client"
3126 testType = clientTest
3127 }
3128
3129 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -04003130 // In TLS 1.3, the extension is irrelevant and
3131 // always reports as enabled.
3132 var flags []string
3133 if with || ver.version >= VersionTLS13 {
3134 flags = []string{expectEMSFlag}
3135 }
3136
Adam Langley75712922014-10-10 16:23:43 -07003137 test := testCase{
3138 testType: testType,
3139 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3140 config: Config{
3141 MinVersion: ver.version,
3142 MaxVersion: ver.version,
3143 Bugs: ProtocolBugs{
3144 NoExtendedMasterSecret: !with,
3145 RequireExtendedMasterSecret: with,
3146 },
3147 },
David Benjamin48cae082014-10-27 01:06:24 -04003148 flags: flags,
3149 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -07003150 }
3151 if test.shouldFail {
3152 test.expectedLocalError = "extended master secret required but not supported by peer"
3153 }
3154 testCases = append(testCases, test)
3155 }
3156 }
3157 }
3158
Adam Langleyba5934b2015-06-02 10:50:35 -07003159 for _, isClient := range []bool{false, true} {
3160 for _, supportedInFirstConnection := range []bool{false, true} {
3161 for _, supportedInResumeConnection := range []bool{false, true} {
3162 boolToWord := func(b bool) string {
3163 if b {
3164 return "Yes"
3165 }
3166 return "No"
3167 }
3168 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3169 if isClient {
3170 suffix += "Client"
3171 } else {
3172 suffix += "Server"
3173 }
3174
3175 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003176 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -07003177 Bugs: ProtocolBugs{
3178 RequireExtendedMasterSecret: true,
3179 },
3180 }
3181
3182 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003183 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -07003184 Bugs: ProtocolBugs{
3185 NoExtendedMasterSecret: true,
3186 },
3187 }
3188
3189 test := testCase{
3190 name: "ExtendedMasterSecret-" + suffix,
3191 resumeSession: true,
3192 }
3193
3194 if !isClient {
3195 test.testType = serverTest
3196 }
3197
3198 if supportedInFirstConnection {
3199 test.config = supportedConfig
3200 } else {
3201 test.config = noSupportConfig
3202 }
3203
3204 if supportedInResumeConnection {
3205 test.resumeConfig = &supportedConfig
3206 } else {
3207 test.resumeConfig = &noSupportConfig
3208 }
3209
3210 switch suffix {
3211 case "YesToYes-Client", "YesToYes-Server":
3212 // When a session is resumed, it should
3213 // still be aware that its master
3214 // secret was generated via EMS and
3215 // thus it's safe to use tls-unique.
3216 test.flags = []string{expectEMSFlag}
3217 case "NoToYes-Server":
3218 // If an original connection did not
3219 // contain EMS, but a resumption
3220 // handshake does, then a server should
3221 // not resume the session.
3222 test.expectResumeRejected = true
3223 case "YesToNo-Server":
3224 // Resuming an EMS session without the
3225 // EMS extension should cause the
3226 // server to abort the connection.
3227 test.shouldFail = true
3228 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3229 case "NoToYes-Client":
3230 // A client should abort a connection
3231 // where the server resumed a non-EMS
3232 // session but echoed the EMS
3233 // extension.
3234 test.shouldFail = true
3235 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3236 case "YesToNo-Client":
3237 // A client should abort a connection
3238 // where the server didn't echo EMS
3239 // when the session used it.
3240 test.shouldFail = true
3241 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3242 }
3243
3244 testCases = append(testCases, test)
3245 }
3246 }
3247 }
David Benjamin163c9562016-08-29 23:14:17 -04003248
3249 // Switching EMS on renegotiation is forbidden.
3250 testCases = append(testCases, testCase{
3251 name: "ExtendedMasterSecret-Renego-NoEMS",
3252 config: Config{
3253 MaxVersion: VersionTLS12,
3254 Bugs: ProtocolBugs{
3255 NoExtendedMasterSecret: true,
3256 NoExtendedMasterSecretOnRenegotiation: true,
3257 },
3258 },
3259 renegotiate: 1,
3260 flags: []string{
3261 "-renegotiate-freely",
3262 "-expect-total-renegotiations", "1",
3263 },
3264 })
3265
3266 testCases = append(testCases, testCase{
3267 name: "ExtendedMasterSecret-Renego-Upgrade",
3268 config: Config{
3269 MaxVersion: VersionTLS12,
3270 Bugs: ProtocolBugs{
3271 NoExtendedMasterSecret: true,
3272 },
3273 },
3274 renegotiate: 1,
3275 flags: []string{
3276 "-renegotiate-freely",
3277 "-expect-total-renegotiations", "1",
3278 },
3279 shouldFail: true,
3280 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3281 })
3282
3283 testCases = append(testCases, testCase{
3284 name: "ExtendedMasterSecret-Renego-Downgrade",
3285 config: Config{
3286 MaxVersion: VersionTLS12,
3287 Bugs: ProtocolBugs{
3288 NoExtendedMasterSecretOnRenegotiation: true,
3289 },
3290 },
3291 renegotiate: 1,
3292 flags: []string{
3293 "-renegotiate-freely",
3294 "-expect-total-renegotiations", "1",
3295 },
3296 shouldFail: true,
3297 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3298 })
Adam Langley75712922014-10-10 16:23:43 -07003299}
3300
David Benjamin582ba042016-07-07 12:33:25 -07003301type stateMachineTestConfig struct {
3302 protocol protocol
3303 async bool
3304 splitHandshake, packHandshakeFlight bool
3305}
3306
David Benjamin43ec06f2014-08-05 02:28:57 -04003307// Adds tests that try to cover the range of the handshake state machine, under
3308// various conditions. Some of these are redundant with other tests, but they
3309// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -07003310func addAllStateMachineCoverageTests() {
3311 for _, async := range []bool{false, true} {
3312 for _, protocol := range []protocol{tls, dtls} {
3313 addStateMachineCoverageTests(stateMachineTestConfig{
3314 protocol: protocol,
3315 async: async,
3316 })
3317 addStateMachineCoverageTests(stateMachineTestConfig{
3318 protocol: protocol,
3319 async: async,
3320 splitHandshake: true,
3321 })
3322 if protocol == tls {
3323 addStateMachineCoverageTests(stateMachineTestConfig{
3324 protocol: protocol,
3325 async: async,
3326 packHandshakeFlight: true,
3327 })
3328 }
3329 }
3330 }
3331}
3332
3333func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -04003334 var tests []testCase
3335
3336 // Basic handshake, with resumption. Client and server,
3337 // session ID and session ticket.
3338 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003339 name: "Basic-Client",
3340 config: Config{
3341 MaxVersion: VersionTLS12,
3342 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003343 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -05003344 // Ensure session tickets are used, not session IDs.
3345 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003346 })
3347 tests = append(tests, testCase{
3348 name: "Basic-Client-RenewTicket",
3349 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003350 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003351 Bugs: ProtocolBugs{
3352 RenewTicketOnResume: true,
3353 },
3354 },
David Benjamin46662482016-08-17 00:51:00 -04003355 flags: []string{"-expect-ticket-renewal"},
3356 resumeSession: true,
3357 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003358 })
3359 tests = append(tests, testCase{
3360 name: "Basic-Client-NoTicket",
3361 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003362 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003363 SessionTicketsDisabled: true,
3364 },
3365 resumeSession: true,
3366 })
3367 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003368 name: "Basic-Client-Implicit",
3369 config: Config{
3370 MaxVersion: VersionTLS12,
3371 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003372 flags: []string{"-implicit-handshake"},
3373 resumeSession: true,
3374 })
3375 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -05003376 testType: serverTest,
3377 name: "Basic-Server",
3378 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003379 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -05003380 Bugs: ProtocolBugs{
3381 RequireSessionTickets: true,
3382 },
3383 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003384 resumeSession: true,
3385 })
3386 tests = append(tests, testCase{
3387 testType: serverTest,
3388 name: "Basic-Server-NoTickets",
3389 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003390 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003391 SessionTicketsDisabled: true,
3392 },
3393 resumeSession: true,
3394 })
3395 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003396 testType: serverTest,
3397 name: "Basic-Server-Implicit",
3398 config: Config{
3399 MaxVersion: VersionTLS12,
3400 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003401 flags: []string{"-implicit-handshake"},
3402 resumeSession: true,
3403 })
3404 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003405 testType: serverTest,
3406 name: "Basic-Server-EarlyCallback",
3407 config: Config{
3408 MaxVersion: VersionTLS12,
3409 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003410 flags: []string{"-use-early-callback"},
3411 resumeSession: true,
3412 })
3413
Steven Valdez143e8b32016-07-11 13:19:03 -04003414 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -04003415 if config.protocol == tls {
3416 tests = append(tests, testCase{
3417 name: "TLS13-1RTT-Client",
3418 config: Config{
3419 MaxVersion: VersionTLS13,
3420 MinVersion: VersionTLS13,
3421 },
David Benjamin46662482016-08-17 00:51:00 -04003422 resumeSession: true,
3423 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -04003424 })
3425
3426 tests = append(tests, testCase{
3427 testType: serverTest,
3428 name: "TLS13-1RTT-Server",
3429 config: Config{
3430 MaxVersion: VersionTLS13,
3431 MinVersion: VersionTLS13,
3432 },
David Benjamin46662482016-08-17 00:51:00 -04003433 resumeSession: true,
3434 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -04003435 })
3436
3437 tests = append(tests, testCase{
3438 name: "TLS13-HelloRetryRequest-Client",
3439 config: Config{
3440 MaxVersion: VersionTLS13,
3441 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -04003442 // P-384 requires a HelloRetryRequest against BoringSSL's default
3443 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -04003444 CurvePreferences: []CurveID{CurveP384},
3445 Bugs: ProtocolBugs{
3446 ExpectMissingKeyShare: true,
3447 },
3448 },
3449 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3450 resumeSession: true,
3451 })
3452
3453 tests = append(tests, testCase{
3454 testType: serverTest,
3455 name: "TLS13-HelloRetryRequest-Server",
3456 config: Config{
3457 MaxVersion: VersionTLS13,
3458 MinVersion: VersionTLS13,
3459 // Require a HelloRetryRequest for every curve.
3460 DefaultCurves: []CurveID{},
3461 },
3462 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3463 resumeSession: true,
3464 })
3465 }
Steven Valdez143e8b32016-07-11 13:19:03 -04003466
David Benjamin760b1dd2015-05-15 23:33:48 -04003467 // TLS client auth.
3468 tests = append(tests, testCase{
3469 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003470 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -05003471 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003472 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003473 ClientAuth: RequestClientCert,
3474 },
3475 })
3476 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003477 testType: serverTest,
3478 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -04003479 config: Config{
3480 MaxVersion: VersionTLS12,
3481 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003482 // Setting SSL_VERIFY_PEER allows anonymous clients.
3483 flags: []string{"-verify-peer"},
3484 })
David Benjamin582ba042016-07-07 12:33:25 -07003485 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003486 tests = append(tests, testCase{
3487 testType: clientTest,
3488 name: "ClientAuth-NoCertificate-Client-SSL3",
3489 config: Config{
3490 MaxVersion: VersionSSL30,
3491 ClientAuth: RequestClientCert,
3492 },
3493 })
3494 tests = append(tests, testCase{
3495 testType: serverTest,
3496 name: "ClientAuth-NoCertificate-Server-SSL3",
3497 config: Config{
3498 MaxVersion: VersionSSL30,
3499 },
3500 // Setting SSL_VERIFY_PEER allows anonymous clients.
3501 flags: []string{"-verify-peer"},
3502 })
Steven Valdez143e8b32016-07-11 13:19:03 -04003503 tests = append(tests, testCase{
3504 testType: clientTest,
3505 name: "ClientAuth-NoCertificate-Client-TLS13",
3506 config: Config{
3507 MaxVersion: VersionTLS13,
3508 ClientAuth: RequestClientCert,
3509 },
3510 })
3511 tests = append(tests, testCase{
3512 testType: serverTest,
3513 name: "ClientAuth-NoCertificate-Server-TLS13",
3514 config: Config{
3515 MaxVersion: VersionTLS13,
3516 },
3517 // Setting SSL_VERIFY_PEER allows anonymous clients.
3518 flags: []string{"-verify-peer"},
3519 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -05003520 }
3521 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -05003522 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003523 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -04003524 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003525 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003526 ClientAuth: RequireAnyClientCert,
3527 },
3528 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07003529 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3530 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -04003531 },
3532 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003533 tests = append(tests, testCase{
3534 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003535 name: "ClientAuth-RSA-Client-TLS13",
3536 config: Config{
3537 MaxVersion: VersionTLS13,
3538 ClientAuth: RequireAnyClientCert,
3539 },
3540 flags: []string{
3541 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3542 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3543 },
3544 })
3545 tests = append(tests, testCase{
3546 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003547 name: "ClientAuth-ECDSA-Client",
3548 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003549 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003550 ClientAuth: RequireAnyClientCert,
3551 },
3552 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07003553 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3554 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -07003555 },
3556 })
David Benjaminacb6dcc2016-03-10 09:15:01 -05003557 tests = append(tests, testCase{
3558 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003559 name: "ClientAuth-ECDSA-Client-TLS13",
3560 config: Config{
3561 MaxVersion: VersionTLS13,
3562 ClientAuth: RequireAnyClientCert,
3563 },
3564 flags: []string{
3565 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3566 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3567 },
3568 })
3569 tests = append(tests, testCase{
3570 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -04003571 name: "ClientAuth-NoCertificate-OldCallback",
3572 config: Config{
3573 MaxVersion: VersionTLS12,
3574 ClientAuth: RequestClientCert,
3575 },
3576 flags: []string{"-use-old-client-cert-callback"},
3577 })
3578 tests = append(tests, testCase{
3579 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04003580 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3581 config: Config{
3582 MaxVersion: VersionTLS13,
3583 ClientAuth: RequestClientCert,
3584 },
3585 flags: []string{"-use-old-client-cert-callback"},
3586 })
3587 tests = append(tests, testCase{
3588 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003589 name: "ClientAuth-OldCallback",
3590 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003591 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -05003592 ClientAuth: RequireAnyClientCert,
3593 },
3594 flags: []string{
3595 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3596 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3597 "-use-old-client-cert-callback",
3598 },
3599 })
David Benjamin760b1dd2015-05-15 23:33:48 -04003600 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04003601 testType: clientTest,
3602 name: "ClientAuth-OldCallback-TLS13",
3603 config: Config{
3604 MaxVersion: VersionTLS13,
3605 ClientAuth: RequireAnyClientCert,
3606 },
3607 flags: []string{
3608 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3609 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3610 "-use-old-client-cert-callback",
3611 },
3612 })
3613 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -04003614 testType: serverTest,
3615 name: "ClientAuth-Server",
3616 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003617 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003618 Certificates: []Certificate{rsaCertificate},
3619 },
3620 flags: []string{"-require-any-client-certificate"},
3621 })
Steven Valdez143e8b32016-07-11 13:19:03 -04003622 tests = append(tests, testCase{
3623 testType: serverTest,
3624 name: "ClientAuth-Server-TLS13",
3625 config: Config{
3626 MaxVersion: VersionTLS13,
3627 Certificates: []Certificate{rsaCertificate},
3628 },
3629 flags: []string{"-require-any-client-certificate"},
3630 })
David Benjamin760b1dd2015-05-15 23:33:48 -04003631
David Benjamin4c3ddf72016-06-29 18:13:53 -04003632 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -04003633 tests = append(tests, testCase{
3634 testType: serverTest,
3635 name: "Basic-Server-RSA",
3636 config: Config{
3637 MaxVersion: VersionTLS12,
3638 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3639 },
3640 flags: []string{
3641 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3642 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3643 },
3644 })
3645 tests = append(tests, testCase{
3646 testType: serverTest,
3647 name: "Basic-Server-ECDHE-RSA",
3648 config: Config{
3649 MaxVersion: VersionTLS12,
3650 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3651 },
3652 flags: []string{
3653 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3654 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3655 },
3656 })
3657 tests = append(tests, testCase{
3658 testType: serverTest,
3659 name: "Basic-Server-ECDHE-ECDSA",
3660 config: Config{
3661 MaxVersion: VersionTLS12,
3662 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3663 },
3664 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -07003665 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3666 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -04003667 },
3668 })
3669
David Benjamin760b1dd2015-05-15 23:33:48 -04003670 // No session ticket support; server doesn't send NewSessionTicket.
3671 tests = append(tests, testCase{
3672 name: "SessionTicketsDisabled-Client",
3673 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003674 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003675 SessionTicketsDisabled: true,
3676 },
3677 })
3678 tests = append(tests, testCase{
3679 testType: serverTest,
3680 name: "SessionTicketsDisabled-Server",
3681 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003682 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003683 SessionTicketsDisabled: true,
3684 },
3685 })
3686
3687 // Skip ServerKeyExchange in PSK key exchange if there's no
3688 // identity hint.
3689 tests = append(tests, testCase{
3690 name: "EmptyPSKHint-Client",
3691 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003692 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003693 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3694 PreSharedKey: []byte("secret"),
3695 },
3696 flags: []string{"-psk", "secret"},
3697 })
3698 tests = append(tests, testCase{
3699 testType: serverTest,
3700 name: "EmptyPSKHint-Server",
3701 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003702 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003703 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3704 PreSharedKey: []byte("secret"),
3705 },
3706 flags: []string{"-psk", "secret"},
3707 })
3708
David Benjamin4c3ddf72016-06-29 18:13:53 -04003709 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003710 tests = append(tests, testCase{
3711 testType: clientTest,
3712 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -04003713 config: Config{
3714 MaxVersion: VersionTLS12,
3715 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003716 flags: []string{
3717 "-enable-ocsp-stapling",
3718 "-expect-ocsp-response",
3719 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +01003720 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003721 },
Paul Lietar62be8ac2015-09-16 10:03:30 +01003722 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003723 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003724 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003725 testType: serverTest,
3726 name: "OCSPStapling-Server",
3727 config: Config{
3728 MaxVersion: VersionTLS12,
3729 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003730 expectedOCSPResponse: testOCSPResponse,
3731 flags: []string{
3732 "-ocsp-response",
3733 base64.StdEncoding.EncodeToString(testOCSPResponse),
3734 },
Paul Lietar62be8ac2015-09-16 10:03:30 +01003735 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003736 })
David Benjamin942f4ed2016-07-16 19:03:49 +03003737 tests = append(tests, testCase{
3738 testType: clientTest,
3739 name: "OCSPStapling-Client-TLS13",
3740 config: Config{
3741 MaxVersion: VersionTLS13,
3742 },
3743 flags: []string{
3744 "-enable-ocsp-stapling",
3745 "-expect-ocsp-response",
3746 base64.StdEncoding.EncodeToString(testOCSPResponse),
3747 "-verify-peer",
3748 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003749 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +03003750 })
3751 tests = append(tests, testCase{
3752 testType: serverTest,
3753 name: "OCSPStapling-Server-TLS13",
3754 config: Config{
3755 MaxVersion: VersionTLS13,
3756 },
3757 expectedOCSPResponse: testOCSPResponse,
3758 flags: []string{
3759 "-ocsp-response",
3760 base64.StdEncoding.EncodeToString(testOCSPResponse),
3761 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003762 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +03003763 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +01003764
David Benjamin4c3ddf72016-06-29 18:13:53 -04003765 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -04003766 for _, vers := range tlsVersions {
3767 if config.protocol == dtls && !vers.hasDTLS {
3768 continue
3769 }
David Benjaminbb9e36e2016-08-03 14:14:47 -04003770 for _, testType := range []testType{clientTest, serverTest} {
3771 suffix := "-Client"
3772 if testType == serverTest {
3773 suffix = "-Server"
3774 }
3775 suffix += "-" + vers.name
3776
3777 flag := "-verify-peer"
3778 if testType == serverTest {
3779 flag = "-require-any-client-certificate"
3780 }
3781
3782 tests = append(tests, testCase{
3783 testType: testType,
3784 name: "CertificateVerificationSucceed" + suffix,
3785 config: Config{
3786 MaxVersion: vers.version,
3787 Certificates: []Certificate{rsaCertificate},
3788 },
3789 flags: []string{
3790 flag,
3791 "-expect-verify-result",
3792 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003793 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -04003794 })
3795 tests = append(tests, testCase{
3796 testType: testType,
3797 name: "CertificateVerificationFail" + suffix,
3798 config: Config{
3799 MaxVersion: vers.version,
3800 Certificates: []Certificate{rsaCertificate},
3801 },
3802 flags: []string{
3803 flag,
3804 "-verify-fail",
3805 },
3806 shouldFail: true,
3807 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3808 })
3809 }
3810
3811 // By default, the client is in a soft fail mode where the peer
3812 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -04003813 tests = append(tests, testCase{
3814 testType: clientTest,
3815 name: "CertificateVerificationSoftFail-" + vers.name,
3816 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -04003817 MaxVersion: vers.version,
3818 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -04003819 },
3820 flags: []string{
3821 "-verify-fail",
3822 "-expect-verify-result",
3823 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04003824 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -04003825 })
3826 }
Paul Lietar8f1c2682015-08-18 12:21:54 +01003827
David Benjamin1d4f4c02016-07-26 18:03:08 -04003828 tests = append(tests, testCase{
3829 name: "ShimSendAlert",
3830 flags: []string{"-send-alert"},
3831 shimWritesFirst: true,
3832 shouldFail: true,
3833 expectedLocalError: "remote error: decompression failure",
3834 })
3835
David Benjamin582ba042016-07-07 12:33:25 -07003836 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -04003837 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003838 name: "Renegotiate-Client",
3839 config: Config{
3840 MaxVersion: VersionTLS12,
3841 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04003842 renegotiate: 1,
3843 flags: []string{
3844 "-renegotiate-freely",
3845 "-expect-total-renegotiations", "1",
3846 },
David Benjamin760b1dd2015-05-15 23:33:48 -04003847 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04003848
David Benjamin47921102016-07-28 11:29:18 -04003849 tests = append(tests, testCase{
3850 name: "SendHalfHelloRequest",
3851 config: Config{
3852 MaxVersion: VersionTLS12,
3853 Bugs: ProtocolBugs{
3854 PackHelloRequestWithFinished: config.packHandshakeFlight,
3855 },
3856 },
3857 sendHalfHelloRequest: true,
3858 flags: []string{"-renegotiate-ignore"},
3859 shouldFail: true,
3860 expectedError: ":UNEXPECTED_RECORD:",
3861 })
3862
David Benjamin760b1dd2015-05-15 23:33:48 -04003863 // NPN on client and server; results in post-handshake message.
3864 tests = append(tests, testCase{
3865 name: "NPN-Client",
3866 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003867 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003868 NextProtos: []string{"foo"},
3869 },
3870 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -04003871 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003872 expectedNextProto: "foo",
3873 expectedNextProtoType: npn,
3874 })
3875 tests = append(tests, testCase{
3876 testType: serverTest,
3877 name: "NPN-Server",
3878 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04003879 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003880 NextProtos: []string{"bar"},
3881 },
3882 flags: []string{
3883 "-advertise-npn", "\x03foo\x03bar\x03baz",
3884 "-expect-next-proto", "bar",
3885 },
David Benjaminf8fcdf32016-06-08 15:56:13 -04003886 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -04003887 expectedNextProto: "bar",
3888 expectedNextProtoType: npn,
3889 })
3890
3891 // TODO(davidben): Add tests for when False Start doesn't trigger.
3892
3893 // Client does False Start and negotiates NPN.
3894 tests = append(tests, testCase{
3895 name: "FalseStart",
3896 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003897 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003898 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3899 NextProtos: []string{"foo"},
3900 Bugs: ProtocolBugs{
3901 ExpectFalseStart: true,
3902 },
3903 },
3904 flags: []string{
3905 "-false-start",
3906 "-select-next-proto", "foo",
3907 },
3908 shimWritesFirst: true,
3909 resumeSession: true,
3910 })
3911
3912 // Client does False Start and negotiates ALPN.
3913 tests = append(tests, testCase{
3914 name: "FalseStart-ALPN",
3915 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003916 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003917 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3918 NextProtos: []string{"foo"},
3919 Bugs: ProtocolBugs{
3920 ExpectFalseStart: true,
3921 },
3922 },
3923 flags: []string{
3924 "-false-start",
3925 "-advertise-alpn", "\x03foo",
3926 },
3927 shimWritesFirst: true,
3928 resumeSession: true,
3929 })
3930
3931 // Client does False Start but doesn't explicitly call
3932 // SSL_connect.
3933 tests = append(tests, testCase{
3934 name: "FalseStart-Implicit",
3935 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003936 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003937 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3938 NextProtos: []string{"foo"},
3939 },
3940 flags: []string{
3941 "-implicit-handshake",
3942 "-false-start",
3943 "-advertise-alpn", "\x03foo",
3944 },
3945 })
3946
3947 // False Start without session tickets.
3948 tests = append(tests, testCase{
3949 name: "FalseStart-SessionTicketsDisabled",
3950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07003951 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04003952 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3953 NextProtos: []string{"foo"},
3954 SessionTicketsDisabled: true,
3955 Bugs: ProtocolBugs{
3956 ExpectFalseStart: true,
3957 },
3958 },
3959 flags: []string{
3960 "-false-start",
3961 "-select-next-proto", "foo",
3962 },
3963 shimWritesFirst: true,
3964 })
3965
Adam Langleydf759b52016-07-11 15:24:37 -07003966 tests = append(tests, testCase{
3967 name: "FalseStart-CECPQ1",
3968 config: Config{
3969 MaxVersion: VersionTLS12,
3970 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
3971 NextProtos: []string{"foo"},
3972 Bugs: ProtocolBugs{
3973 ExpectFalseStart: true,
3974 },
3975 },
3976 flags: []string{
3977 "-false-start",
3978 "-cipher", "DEFAULT:kCECPQ1",
3979 "-select-next-proto", "foo",
3980 },
3981 shimWritesFirst: true,
3982 resumeSession: true,
3983 })
3984
David Benjamin760b1dd2015-05-15 23:33:48 -04003985 // Server parses a V2ClientHello.
3986 tests = append(tests, testCase{
3987 testType: serverTest,
3988 name: "SendV2ClientHello",
3989 config: Config{
3990 // Choose a cipher suite that does not involve
3991 // elliptic curves, so no extensions are
3992 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -07003993 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07003994 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -04003995 Bugs: ProtocolBugs{
3996 SendV2ClientHello: true,
3997 },
3998 },
3999 })
4000
Nick Harper60a85cb2016-09-23 16:25:11 -07004001 // Test Channel ID
4002 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -07004003 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -07004004 continue
4005 }
4006 // Client sends a Channel ID.
4007 tests = append(tests, testCase{
4008 name: "ChannelID-Client-" + ver.name,
4009 config: Config{
4010 MaxVersion: ver.version,
4011 RequestChannelID: true,
4012 },
4013 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4014 resumeSession: true,
4015 expectChannelID: true,
4016 })
David Benjamin760b1dd2015-05-15 23:33:48 -04004017
Nick Harper60a85cb2016-09-23 16:25:11 -07004018 // Server accepts a Channel ID.
4019 tests = append(tests, testCase{
4020 testType: serverTest,
4021 name: "ChannelID-Server-" + ver.name,
4022 config: Config{
4023 MaxVersion: ver.version,
4024 ChannelID: channelIDKey,
4025 },
4026 flags: []string{
4027 "-expect-channel-id",
4028 base64.StdEncoding.EncodeToString(channelIDBytes),
4029 },
4030 resumeSession: true,
4031 expectChannelID: true,
4032 })
4033
4034 tests = append(tests, testCase{
4035 testType: serverTest,
4036 name: "InvalidChannelIDSignature-" + ver.name,
4037 config: Config{
4038 MaxVersion: ver.version,
4039 ChannelID: channelIDKey,
4040 Bugs: ProtocolBugs{
4041 InvalidChannelIDSignature: true,
4042 },
4043 },
4044 flags: []string{"-enable-channel-id"},
4045 shouldFail: true,
4046 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4047 })
4048 }
David Benjamin30789da2015-08-29 22:56:45 -04004049
David Benjaminf8fcdf32016-06-08 15:56:13 -04004050 // Channel ID and NPN at the same time, to ensure their relative
4051 // ordering is correct.
4052 tests = append(tests, testCase{
4053 name: "ChannelID-NPN-Client",
4054 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004055 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -04004056 RequestChannelID: true,
4057 NextProtos: []string{"foo"},
4058 },
4059 flags: []string{
4060 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4061 "-select-next-proto", "foo",
4062 },
4063 resumeSession: true,
4064 expectChannelID: true,
4065 expectedNextProto: "foo",
4066 expectedNextProtoType: npn,
4067 })
4068 tests = append(tests, testCase{
4069 testType: serverTest,
4070 name: "ChannelID-NPN-Server",
4071 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004072 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -04004073 ChannelID: channelIDKey,
4074 NextProtos: []string{"bar"},
4075 },
4076 flags: []string{
4077 "-expect-channel-id",
4078 base64.StdEncoding.EncodeToString(channelIDBytes),
4079 "-advertise-npn", "\x03foo\x03bar\x03baz",
4080 "-expect-next-proto", "bar",
4081 },
4082 resumeSession: true,
4083 expectChannelID: true,
4084 expectedNextProto: "bar",
4085 expectedNextProtoType: npn,
4086 })
4087
David Benjamin30789da2015-08-29 22:56:45 -04004088 // Bidirectional shutdown with the runner initiating.
4089 tests = append(tests, testCase{
4090 name: "Shutdown-Runner",
4091 config: Config{
4092 Bugs: ProtocolBugs{
4093 ExpectCloseNotify: true,
4094 },
4095 },
4096 flags: []string{"-check-close-notify"},
4097 })
4098
4099 // Bidirectional shutdown with the shim initiating. The runner,
4100 // in the meantime, sends garbage before the close_notify which
4101 // the shim must ignore.
4102 tests = append(tests, testCase{
4103 name: "Shutdown-Shim",
4104 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -04004105 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -04004106 Bugs: ProtocolBugs{
4107 ExpectCloseNotify: true,
4108 },
4109 },
4110 shimShutsDown: true,
4111 sendEmptyRecords: 1,
4112 sendWarningAlerts: 1,
4113 flags: []string{"-check-close-notify"},
4114 })
David Benjamin760b1dd2015-05-15 23:33:48 -04004115 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -04004116 // TODO(davidben): DTLS 1.3 will want a similar thing for
4117 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -04004118 tests = append(tests, testCase{
4119 name: "SkipHelloVerifyRequest",
4120 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004121 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -04004122 Bugs: ProtocolBugs{
4123 SkipHelloVerifyRequest: true,
4124 },
4125 },
4126 })
4127 }
4128
David Benjamin760b1dd2015-05-15 23:33:48 -04004129 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -07004130 test.protocol = config.protocol
4131 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -05004132 test.name += "-DTLS"
4133 }
David Benjamin582ba042016-07-07 12:33:25 -07004134 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -05004135 test.name += "-Async"
4136 test.flags = append(test.flags, "-async")
4137 } else {
4138 test.name += "-Sync"
4139 }
David Benjamin582ba042016-07-07 12:33:25 -07004140 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -05004141 test.name += "-SplitHandshakeRecords"
4142 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -07004143 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -05004144 test.config.Bugs.MaxPacketLength = 256
4145 test.flags = append(test.flags, "-mtu", "256")
4146 }
4147 }
David Benjamin582ba042016-07-07 12:33:25 -07004148 if config.packHandshakeFlight {
4149 test.name += "-PackHandshakeFlight"
4150 test.config.Bugs.PackHandshakeFlight = true
4151 }
David Benjamin760b1dd2015-05-15 23:33:48 -04004152 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -04004153 }
David Benjamin43ec06f2014-08-05 02:28:57 -04004154}
4155
Adam Langley524e7172015-02-20 16:04:00 -08004156func addDDoSCallbackTests() {
4157 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -08004158 for _, resume := range []bool{false, true} {
4159 suffix := "Resume"
4160 if resume {
4161 suffix = "No" + suffix
4162 }
4163
4164 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004165 testType: serverTest,
4166 name: "Server-DDoS-OK-" + suffix,
4167 config: Config{
4168 MaxVersion: VersionTLS12,
4169 },
Adam Langley524e7172015-02-20 16:04:00 -08004170 flags: []string{"-install-ddos-callback"},
4171 resumeSession: resume,
4172 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04004173 testCases = append(testCases, testCase{
4174 testType: serverTest,
4175 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4176 config: Config{
4177 MaxVersion: VersionTLS13,
4178 },
4179 flags: []string{"-install-ddos-callback"},
4180 resumeSession: resume,
4181 })
Adam Langley524e7172015-02-20 16:04:00 -08004182
4183 failFlag := "-fail-ddos-callback"
4184 if resume {
4185 failFlag = "-fail-second-ddos-callback"
4186 }
4187 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04004188 testType: serverTest,
4189 name: "Server-DDoS-Reject-" + suffix,
4190 config: Config{
4191 MaxVersion: VersionTLS12,
4192 },
David Benjamin2c66e072016-09-16 15:58:00 -04004193 flags: []string{"-install-ddos-callback", failFlag},
4194 resumeSession: resume,
4195 shouldFail: true,
4196 expectedError: ":CONNECTION_REJECTED:",
4197 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -08004198 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04004199 testCases = append(testCases, testCase{
4200 testType: serverTest,
4201 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4202 config: Config{
4203 MaxVersion: VersionTLS13,
4204 },
David Benjamin2c66e072016-09-16 15:58:00 -04004205 flags: []string{"-install-ddos-callback", failFlag},
4206 resumeSession: resume,
4207 shouldFail: true,
4208 expectedError: ":CONNECTION_REJECTED:",
4209 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -04004210 })
Adam Langley524e7172015-02-20 16:04:00 -08004211 }
4212}
4213
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004214func addVersionNegotiationTests() {
4215 for i, shimVers := range tlsVersions {
4216 // Assemble flags to disable all newer versions on the shim.
4217 var flags []string
4218 for _, vers := range tlsVersions[i+1:] {
4219 flags = append(flags, vers.flag)
4220 }
4221
Steven Valdezfdd10992016-09-15 16:27:05 -04004222 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004223 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -05004224 protocols := []protocol{tls}
4225 if runnerVers.hasDTLS && shimVers.hasDTLS {
4226 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004227 }
David Benjamin8b8c0062014-11-23 02:47:52 -05004228 for _, protocol := range protocols {
4229 expectedVersion := shimVers.version
4230 if runnerVers.version < shimVers.version {
4231 expectedVersion = runnerVers.version
4232 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004233
David Benjamin8b8c0062014-11-23 02:47:52 -05004234 suffix := shimVers.name + "-" + runnerVers.name
4235 if protocol == dtls {
4236 suffix += "-DTLS"
4237 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004238
David Benjamin1eb367c2014-12-12 18:17:51 -05004239 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4240
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004241 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -05004242 clientVers := shimVers.version
4243 if clientVers > VersionTLS10 {
4244 clientVers = VersionTLS10
4245 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004246 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -07004247 serverVers := expectedVersion
4248 if expectedVersion >= VersionTLS13 {
4249 serverVers = VersionTLS10
4250 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -04004251 serverVers = versionToWire(serverVers, protocol == dtls)
4252
David Benjamin8b8c0062014-11-23 02:47:52 -05004253 testCases = append(testCases, testCase{
4254 protocol: protocol,
4255 testType: clientTest,
4256 name: "VersionNegotiation-Client-" + suffix,
4257 config: Config{
4258 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004259 Bugs: ProtocolBugs{
4260 ExpectInitialRecordVersion: clientVers,
4261 },
David Benjamin8b8c0062014-11-23 02:47:52 -05004262 },
4263 flags: flags,
4264 expectedVersion: expectedVersion,
4265 })
David Benjamin1eb367c2014-12-12 18:17:51 -05004266 testCases = append(testCases, testCase{
4267 protocol: protocol,
4268 testType: clientTest,
4269 name: "VersionNegotiation-Client2-" + suffix,
4270 config: Config{
4271 MaxVersion: runnerVers.version,
4272 Bugs: ProtocolBugs{
4273 ExpectInitialRecordVersion: clientVers,
4274 },
4275 },
4276 flags: []string{"-max-version", shimVersFlag},
4277 expectedVersion: expectedVersion,
4278 })
David Benjamin8b8c0062014-11-23 02:47:52 -05004279
4280 testCases = append(testCases, testCase{
4281 protocol: protocol,
4282 testType: serverTest,
4283 name: "VersionNegotiation-Server-" + suffix,
4284 config: Config{
4285 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004286 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -07004287 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -05004288 },
David Benjamin8b8c0062014-11-23 02:47:52 -05004289 },
4290 flags: flags,
4291 expectedVersion: expectedVersion,
4292 })
David Benjamin1eb367c2014-12-12 18:17:51 -05004293 testCases = append(testCases, testCase{
4294 protocol: protocol,
4295 testType: serverTest,
4296 name: "VersionNegotiation-Server2-" + suffix,
4297 config: Config{
4298 MaxVersion: runnerVers.version,
4299 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -07004300 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -05004301 },
4302 },
4303 flags: []string{"-max-version", shimVersFlag},
4304 expectedVersion: expectedVersion,
4305 })
David Benjamin8b8c0062014-11-23 02:47:52 -05004306 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004307 }
4308 }
David Benjamin95c69562016-06-29 18:15:03 -04004309
Steven Valdezfdd10992016-09-15 16:27:05 -04004310 // Test the version extension at all versions.
4311 for _, vers := range tlsVersions {
4312 protocols := []protocol{tls}
4313 if vers.hasDTLS {
4314 protocols = append(protocols, dtls)
4315 }
4316 for _, protocol := range protocols {
4317 suffix := vers.name
4318 if protocol == dtls {
4319 suffix += "-DTLS"
4320 }
4321
4322 wireVersion := versionToWire(vers.version, protocol == dtls)
4323 testCases = append(testCases, testCase{
4324 protocol: protocol,
4325 testType: serverTest,
4326 name: "VersionNegotiationExtension-" + suffix,
4327 config: Config{
4328 Bugs: ProtocolBugs{
4329 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4330 },
4331 },
4332 expectedVersion: vers.version,
4333 })
4334 }
4335
4336 }
4337
4338 // If all versions are unknown, negotiation fails.
4339 testCases = append(testCases, testCase{
4340 testType: serverTest,
4341 name: "NoSupportedVersions",
4342 config: Config{
4343 Bugs: ProtocolBugs{
4344 SendSupportedVersions: []uint16{0x1111},
4345 },
4346 },
4347 shouldFail: true,
4348 expectedError: ":UNSUPPORTED_PROTOCOL:",
4349 })
4350 testCases = append(testCases, testCase{
4351 protocol: dtls,
4352 testType: serverTest,
4353 name: "NoSupportedVersions-DTLS",
4354 config: Config{
4355 Bugs: ProtocolBugs{
4356 SendSupportedVersions: []uint16{0x1111},
4357 },
4358 },
4359 shouldFail: true,
4360 expectedError: ":UNSUPPORTED_PROTOCOL:",
4361 })
4362
4363 testCases = append(testCases, testCase{
4364 testType: serverTest,
4365 name: "ClientHelloVersionTooHigh",
4366 config: Config{
4367 MaxVersion: VersionTLS13,
4368 Bugs: ProtocolBugs{
4369 SendClientVersion: 0x0304,
4370 OmitSupportedVersions: true,
4371 },
4372 },
4373 expectedVersion: VersionTLS12,
4374 })
4375
4376 testCases = append(testCases, testCase{
4377 testType: serverTest,
4378 name: "ConflictingVersionNegotiation",
4379 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -04004380 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -04004381 SendClientVersion: VersionTLS12,
4382 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -04004383 },
4384 },
David Benjaminad75a662016-09-30 15:42:59 -04004385 // The extension takes precedence over the ClientHello version.
4386 expectedVersion: VersionTLS11,
4387 })
4388
4389 testCases = append(testCases, testCase{
4390 testType: serverTest,
4391 name: "ConflictingVersionNegotiation-2",
4392 config: Config{
4393 Bugs: ProtocolBugs{
4394 SendClientVersion: VersionTLS11,
4395 SendSupportedVersions: []uint16{VersionTLS12},
4396 },
4397 },
4398 // The extension takes precedence over the ClientHello version.
4399 expectedVersion: VersionTLS12,
4400 })
4401
4402 testCases = append(testCases, testCase{
4403 testType: serverTest,
4404 name: "RejectFinalTLS13",
4405 config: Config{
4406 Bugs: ProtocolBugs{
4407 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4408 },
4409 },
4410 // We currently implement a draft TLS 1.3 version. Ensure that
4411 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -04004412 expectedVersion: VersionTLS12,
4413 })
4414
Brian Smithf85d3232016-10-28 10:34:06 -10004415 // Test that the maximum version is selected regardless of the
4416 // client-sent order.
4417 testCases = append(testCases, testCase{
4418 testType: serverTest,
4419 name: "IgnoreClientVersionOrder",
4420 config: Config{
4421 Bugs: ProtocolBugs{
4422 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4423 },
4424 },
4425 expectedVersion: VersionTLS13,
4426 })
4427
David Benjamin95c69562016-06-29 18:15:03 -04004428 // Test for version tolerance.
4429 testCases = append(testCases, testCase{
4430 testType: serverTest,
4431 name: "MinorVersionTolerance",
4432 config: Config{
4433 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004434 SendClientVersion: 0x03ff,
4435 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004436 },
4437 },
Steven Valdezfdd10992016-09-15 16:27:05 -04004438 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -04004439 })
4440 testCases = append(testCases, testCase{
4441 testType: serverTest,
4442 name: "MajorVersionTolerance",
4443 config: Config{
4444 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004445 SendClientVersion: 0x0400,
4446 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004447 },
4448 },
David Benjaminad75a662016-09-30 15:42:59 -04004449 // TLS 1.3 must be negotiated with the supported_versions
4450 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -04004451 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -04004452 })
David Benjaminad75a662016-09-30 15:42:59 -04004453 testCases = append(testCases, testCase{
4454 testType: serverTest,
4455 name: "VersionTolerance-TLS13",
4456 config: Config{
4457 Bugs: ProtocolBugs{
4458 // Although TLS 1.3 does not use
4459 // ClientHello.version, it still tolerates high
4460 // values there.
4461 SendClientVersion: 0x0400,
4462 },
4463 },
4464 expectedVersion: VersionTLS13,
4465 })
Steven Valdezfdd10992016-09-15 16:27:05 -04004466
David Benjamin95c69562016-06-29 18:15:03 -04004467 testCases = append(testCases, testCase{
4468 protocol: dtls,
4469 testType: serverTest,
4470 name: "MinorVersionTolerance-DTLS",
4471 config: Config{
4472 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004473 SendClientVersion: 0xfe00,
4474 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004475 },
4476 },
4477 expectedVersion: VersionTLS12,
4478 })
4479 testCases = append(testCases, testCase{
4480 protocol: dtls,
4481 testType: serverTest,
4482 name: "MajorVersionTolerance-DTLS",
4483 config: Config{
4484 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004485 SendClientVersion: 0xfdff,
4486 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004487 },
4488 },
4489 expectedVersion: VersionTLS12,
4490 })
4491
4492 // Test that versions below 3.0 are rejected.
4493 testCases = append(testCases, testCase{
4494 testType: serverTest,
4495 name: "VersionTooLow",
4496 config: Config{
4497 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -04004498 SendClientVersion: 0x0200,
4499 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -04004500 },
4501 },
4502 shouldFail: true,
4503 expectedError: ":UNSUPPORTED_PROTOCOL:",
4504 })
4505 testCases = append(testCases, testCase{
4506 protocol: dtls,
4507 testType: serverTest,
4508 name: "VersionTooLow-DTLS",
4509 config: Config{
4510 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -04004511 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -04004512 },
4513 },
4514 shouldFail: true,
4515 expectedError: ":UNSUPPORTED_PROTOCOL:",
4516 })
David Benjamin1f61f0d2016-07-10 12:20:35 -04004517
David Benjamin2dc02042016-09-19 19:57:37 -04004518 testCases = append(testCases, testCase{
4519 name: "ServerBogusVersion",
4520 config: Config{
4521 Bugs: ProtocolBugs{
4522 SendServerHelloVersion: 0x1234,
4523 },
4524 },
4525 shouldFail: true,
4526 expectedError: ":UNSUPPORTED_PROTOCOL:",
4527 })
4528
David Benjamin1f61f0d2016-07-10 12:20:35 -04004529 // Test TLS 1.3's downgrade signal.
4530 testCases = append(testCases, testCase{
4531 name: "Downgrade-TLS12-Client",
4532 config: Config{
4533 Bugs: ProtocolBugs{
4534 NegotiateVersion: VersionTLS12,
4535 },
4536 },
David Benjamin592b5322016-09-30 15:15:01 -04004537 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -04004538 // TODO(davidben): This test should fail once TLS 1.3 is final
4539 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -04004540 })
4541 testCases = append(testCases, testCase{
4542 testType: serverTest,
4543 name: "Downgrade-TLS12-Server",
4544 config: Config{
4545 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -04004546 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -04004547 },
4548 },
David Benjamin592b5322016-09-30 15:15:01 -04004549 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -04004550 // TODO(davidben): This test should fail once TLS 1.3 is final
4551 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -04004552 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -04004553}
4554
David Benjaminaccb4542014-12-12 23:44:33 -05004555func addMinimumVersionTests() {
4556 for i, shimVers := range tlsVersions {
4557 // Assemble flags to disable all older versions on the shim.
4558 var flags []string
4559 for _, vers := range tlsVersions[:i] {
4560 flags = append(flags, vers.flag)
4561 }
4562
4563 for _, runnerVers := range tlsVersions {
4564 protocols := []protocol{tls}
4565 if runnerVers.hasDTLS && shimVers.hasDTLS {
4566 protocols = append(protocols, dtls)
4567 }
4568 for _, protocol := range protocols {
4569 suffix := shimVers.name + "-" + runnerVers.name
4570 if protocol == dtls {
4571 suffix += "-DTLS"
4572 }
4573 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4574
David Benjaminaccb4542014-12-12 23:44:33 -05004575 var expectedVersion uint16
4576 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -04004577 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -05004578 if runnerVers.version >= shimVers.version {
4579 expectedVersion = runnerVers.version
4580 } else {
4581 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -04004582 expectedError = ":UNSUPPORTED_PROTOCOL:"
4583 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -05004584 }
4585
4586 testCases = append(testCases, testCase{
4587 protocol: protocol,
4588 testType: clientTest,
4589 name: "MinimumVersion-Client-" + suffix,
4590 config: Config{
4591 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -04004592 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -04004593 // Ensure the server does not decline to
4594 // select a version (versions extension) or
4595 // cipher (some ciphers depend on versions).
4596 NegotiateVersion: runnerVers.version,
4597 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -04004598 },
David Benjaminaccb4542014-12-12 23:44:33 -05004599 },
David Benjamin87909c02014-12-13 01:55:01 -05004600 flags: flags,
4601 expectedVersion: expectedVersion,
4602 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004603 expectedError: expectedError,
4604 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004605 })
4606 testCases = append(testCases, testCase{
4607 protocol: protocol,
4608 testType: clientTest,
4609 name: "MinimumVersion-Client2-" + suffix,
4610 config: Config{
4611 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -04004612 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -04004613 // Ensure the server does not decline to
4614 // select a version (versions extension) or
4615 // cipher (some ciphers depend on versions).
4616 NegotiateVersion: runnerVers.version,
4617 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -04004618 },
David Benjaminaccb4542014-12-12 23:44:33 -05004619 },
David Benjamin87909c02014-12-13 01:55:01 -05004620 flags: []string{"-min-version", shimVersFlag},
4621 expectedVersion: expectedVersion,
4622 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004623 expectedError: expectedError,
4624 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004625 })
4626
4627 testCases = append(testCases, testCase{
4628 protocol: protocol,
4629 testType: serverTest,
4630 name: "MinimumVersion-Server-" + suffix,
4631 config: Config{
4632 MaxVersion: runnerVers.version,
4633 },
David Benjamin87909c02014-12-13 01:55:01 -05004634 flags: flags,
4635 expectedVersion: expectedVersion,
4636 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004637 expectedError: expectedError,
4638 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004639 })
4640 testCases = append(testCases, testCase{
4641 protocol: protocol,
4642 testType: serverTest,
4643 name: "MinimumVersion-Server2-" + suffix,
4644 config: Config{
4645 MaxVersion: runnerVers.version,
4646 },
David Benjamin87909c02014-12-13 01:55:01 -05004647 flags: []string{"-min-version", shimVersFlag},
4648 expectedVersion: expectedVersion,
4649 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -04004650 expectedError: expectedError,
4651 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -05004652 })
4653 }
4654 }
4655 }
4656}
4657
David Benjamine78bfde2014-09-06 12:45:15 -04004658func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -04004659 // TODO(davidben): Extensions, where applicable, all move their server
4660 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4661 // tests for both. Also test interaction with 0-RTT when implemented.
4662
David Benjamin97d17d92016-07-14 16:12:00 -04004663 // Repeat extensions tests all versions except SSL 3.0.
4664 for _, ver := range tlsVersions {
4665 if ver.version == VersionSSL30 {
4666 continue
4667 }
4668
David Benjamin97d17d92016-07-14 16:12:00 -04004669 // Test that duplicate extensions are rejected.
4670 testCases = append(testCases, testCase{
4671 testType: clientTest,
4672 name: "DuplicateExtensionClient-" + ver.name,
4673 config: Config{
4674 MaxVersion: ver.version,
4675 Bugs: ProtocolBugs{
4676 DuplicateExtension: true,
4677 },
David Benjamine78bfde2014-09-06 12:45:15 -04004678 },
David Benjamin97d17d92016-07-14 16:12:00 -04004679 shouldFail: true,
4680 expectedLocalError: "remote error: error decoding message",
4681 })
4682 testCases = append(testCases, testCase{
4683 testType: serverTest,
4684 name: "DuplicateExtensionServer-" + ver.name,
4685 config: Config{
4686 MaxVersion: ver.version,
4687 Bugs: ProtocolBugs{
4688 DuplicateExtension: true,
4689 },
David Benjamine78bfde2014-09-06 12:45:15 -04004690 },
David Benjamin97d17d92016-07-14 16:12:00 -04004691 shouldFail: true,
4692 expectedLocalError: "remote error: error decoding message",
4693 })
4694
4695 // Test SNI.
4696 testCases = append(testCases, testCase{
4697 testType: clientTest,
4698 name: "ServerNameExtensionClient-" + ver.name,
4699 config: Config{
4700 MaxVersion: ver.version,
4701 Bugs: ProtocolBugs{
4702 ExpectServerName: "example.com",
4703 },
David Benjamine78bfde2014-09-06 12:45:15 -04004704 },
David Benjamin97d17d92016-07-14 16:12:00 -04004705 flags: []string{"-host-name", "example.com"},
4706 })
4707 testCases = append(testCases, testCase{
4708 testType: clientTest,
4709 name: "ServerNameExtensionClientMismatch-" + ver.name,
4710 config: Config{
4711 MaxVersion: ver.version,
4712 Bugs: ProtocolBugs{
4713 ExpectServerName: "mismatch.com",
4714 },
David Benjamine78bfde2014-09-06 12:45:15 -04004715 },
David Benjamin97d17d92016-07-14 16:12:00 -04004716 flags: []string{"-host-name", "example.com"},
4717 shouldFail: true,
4718 expectedLocalError: "tls: unexpected server name",
4719 })
4720 testCases = append(testCases, testCase{
4721 testType: clientTest,
4722 name: "ServerNameExtensionClientMissing-" + ver.name,
4723 config: Config{
4724 MaxVersion: ver.version,
4725 Bugs: ProtocolBugs{
4726 ExpectServerName: "missing.com",
4727 },
David Benjamine78bfde2014-09-06 12:45:15 -04004728 },
David Benjamin97d17d92016-07-14 16:12:00 -04004729 shouldFail: true,
4730 expectedLocalError: "tls: unexpected server name",
4731 })
4732 testCases = append(testCases, testCase{
4733 testType: serverTest,
4734 name: "ServerNameExtensionServer-" + ver.name,
4735 config: Config{
4736 MaxVersion: ver.version,
4737 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -04004738 },
David Benjamin97d17d92016-07-14 16:12:00 -04004739 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -04004740 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004741 })
4742
4743 // Test ALPN.
4744 testCases = append(testCases, testCase{
4745 testType: clientTest,
4746 name: "ALPNClient-" + ver.name,
4747 config: Config{
4748 MaxVersion: ver.version,
4749 NextProtos: []string{"foo"},
4750 },
4751 flags: []string{
4752 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4753 "-expect-alpn", "foo",
4754 },
4755 expectedNextProto: "foo",
4756 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004757 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004758 })
4759 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -04004760 testType: clientTest,
4761 name: "ALPNClient-Mismatch-" + ver.name,
4762 config: Config{
4763 MaxVersion: ver.version,
4764 Bugs: ProtocolBugs{
4765 SendALPN: "baz",
4766 },
4767 },
4768 flags: []string{
4769 "-advertise-alpn", "\x03foo\x03bar",
4770 },
4771 shouldFail: true,
4772 expectedError: ":INVALID_ALPN_PROTOCOL:",
4773 expectedLocalError: "remote error: illegal parameter",
4774 })
4775 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -04004776 testType: serverTest,
4777 name: "ALPNServer-" + ver.name,
4778 config: Config{
4779 MaxVersion: ver.version,
4780 NextProtos: []string{"foo", "bar", "baz"},
4781 },
4782 flags: []string{
4783 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4784 "-select-alpn", "foo",
4785 },
4786 expectedNextProto: "foo",
4787 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004788 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004789 })
4790 testCases = append(testCases, testCase{
4791 testType: serverTest,
4792 name: "ALPNServer-Decline-" + ver.name,
4793 config: Config{
4794 MaxVersion: ver.version,
4795 NextProtos: []string{"foo", "bar", "baz"},
4796 },
4797 flags: []string{"-decline-alpn"},
4798 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004799 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004800 })
4801
David Benjamin25fe85b2016-08-09 20:00:32 -04004802 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4803 // called once.
4804 testCases = append(testCases, testCase{
4805 testType: serverTest,
4806 name: "ALPNServer-Async-" + ver.name,
4807 config: Config{
4808 MaxVersion: ver.version,
4809 NextProtos: []string{"foo", "bar", "baz"},
4810 },
4811 flags: []string{
4812 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4813 "-select-alpn", "foo",
4814 "-async",
4815 },
4816 expectedNextProto: "foo",
4817 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004818 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -04004819 })
4820
David Benjamin97d17d92016-07-14 16:12:00 -04004821 var emptyString string
4822 testCases = append(testCases, testCase{
4823 testType: clientTest,
4824 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4825 config: Config{
4826 MaxVersion: ver.version,
4827 NextProtos: []string{""},
4828 Bugs: ProtocolBugs{
4829 // A server returning an empty ALPN protocol
4830 // should be rejected.
4831 ALPNProtocol: &emptyString,
4832 },
4833 },
4834 flags: []string{
4835 "-advertise-alpn", "\x03foo",
4836 },
4837 shouldFail: true,
4838 expectedError: ":PARSE_TLSEXT:",
4839 })
4840 testCases = append(testCases, testCase{
4841 testType: serverTest,
4842 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4843 config: Config{
4844 MaxVersion: ver.version,
4845 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -07004846 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -04004847 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -07004848 },
David Benjamin97d17d92016-07-14 16:12:00 -04004849 flags: []string{
4850 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -04004851 },
David Benjamin97d17d92016-07-14 16:12:00 -04004852 shouldFail: true,
4853 expectedError: ":PARSE_TLSEXT:",
4854 })
4855
4856 // Test NPN and the interaction with ALPN.
4857 if ver.version < VersionTLS13 {
4858 // Test that the server prefers ALPN over NPN.
4859 testCases = append(testCases, testCase{
4860 testType: serverTest,
4861 name: "ALPNServer-Preferred-" + ver.name,
4862 config: Config{
4863 MaxVersion: ver.version,
4864 NextProtos: []string{"foo", "bar", "baz"},
4865 },
4866 flags: []string{
4867 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4868 "-select-alpn", "foo",
4869 "-advertise-npn", "\x03foo\x03bar\x03baz",
4870 },
4871 expectedNextProto: "foo",
4872 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004873 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004874 })
4875 testCases = append(testCases, testCase{
4876 testType: serverTest,
4877 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4878 config: Config{
4879 MaxVersion: ver.version,
4880 NextProtos: []string{"foo", "bar", "baz"},
4881 Bugs: ProtocolBugs{
4882 SwapNPNAndALPN: true,
4883 },
4884 },
4885 flags: []string{
4886 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4887 "-select-alpn", "foo",
4888 "-advertise-npn", "\x03foo\x03bar\x03baz",
4889 },
4890 expectedNextProto: "foo",
4891 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -04004892 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04004893 })
4894
4895 // Test that negotiating both NPN and ALPN is forbidden.
4896 testCases = append(testCases, testCase{
4897 name: "NegotiateALPNAndNPN-" + ver.name,
4898 config: Config{
4899 MaxVersion: ver.version,
4900 NextProtos: []string{"foo", "bar", "baz"},
4901 Bugs: ProtocolBugs{
4902 NegotiateALPNAndNPN: true,
4903 },
4904 },
4905 flags: []string{
4906 "-advertise-alpn", "\x03foo",
4907 "-select-next-proto", "foo",
4908 },
4909 shouldFail: true,
4910 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4911 })
4912 testCases = append(testCases, testCase{
4913 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4914 config: Config{
4915 MaxVersion: ver.version,
4916 NextProtos: []string{"foo", "bar", "baz"},
4917 Bugs: ProtocolBugs{
4918 NegotiateALPNAndNPN: true,
4919 SwapNPNAndALPN: true,
4920 },
4921 },
4922 flags: []string{
4923 "-advertise-alpn", "\x03foo",
4924 "-select-next-proto", "foo",
4925 },
4926 shouldFail: true,
4927 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4928 })
4929
4930 // Test that NPN can be disabled with SSL_OP_DISABLE_NPN.
4931 testCases = append(testCases, testCase{
4932 name: "DisableNPN-" + ver.name,
4933 config: Config{
4934 MaxVersion: ver.version,
4935 NextProtos: []string{"foo"},
4936 },
4937 flags: []string{
4938 "-select-next-proto", "foo",
4939 "-disable-npn",
4940 },
4941 expectNoNextProto: true,
4942 })
4943 }
4944
4945 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -04004946
4947 // Resume with a corrupt ticket.
4948 testCases = append(testCases, testCase{
4949 testType: serverTest,
4950 name: "CorruptTicket-" + ver.name,
4951 config: Config{
4952 MaxVersion: ver.version,
4953 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -04004954 FilterTicket: func(in []byte) ([]byte, error) {
4955 in[len(in)-1] ^= 1
4956 return in, nil
4957 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04004958 },
4959 },
4960 resumeSession: true,
4961 expectResumeRejected: true,
4962 })
4963 // Test the ticket callback, with and without renewal.
4964 testCases = append(testCases, testCase{
4965 testType: serverTest,
4966 name: "TicketCallback-" + ver.name,
4967 config: Config{
4968 MaxVersion: ver.version,
4969 },
4970 resumeSession: true,
4971 flags: []string{"-use-ticket-callback"},
4972 })
4973 testCases = append(testCases, testCase{
4974 testType: serverTest,
4975 name: "TicketCallback-Renew-" + ver.name,
4976 config: Config{
4977 MaxVersion: ver.version,
4978 Bugs: ProtocolBugs{
4979 ExpectNewTicket: true,
4980 },
4981 },
4982 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4983 resumeSession: true,
4984 })
4985
4986 // Test that the ticket callback is only called once when everything before
4987 // it in the ClientHello is asynchronous. This corrupts the ticket so
4988 // certificate selection callbacks run.
4989 testCases = append(testCases, testCase{
4990 testType: serverTest,
4991 name: "TicketCallback-SingleCall-" + ver.name,
4992 config: Config{
4993 MaxVersion: ver.version,
4994 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -04004995 FilterTicket: func(in []byte) ([]byte, error) {
4996 in[len(in)-1] ^= 1
4997 return in, nil
4998 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04004999 },
5000 },
5001 resumeSession: true,
5002 expectResumeRejected: true,
5003 flags: []string{
5004 "-use-ticket-callback",
5005 "-async",
5006 },
5007 })
5008
5009 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -04005010 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -04005011 testCases = append(testCases, testCase{
5012 testType: serverTest,
5013 name: "OversizedSessionId-" + ver.name,
5014 config: Config{
5015 MaxVersion: ver.version,
5016 Bugs: ProtocolBugs{
5017 OversizedSessionId: true,
5018 },
5019 },
5020 resumeSession: true,
5021 shouldFail: true,
5022 expectedError: ":DECODE_ERROR:",
5023 })
5024 }
5025
5026 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5027 // are ignored.
5028 if ver.hasDTLS {
5029 testCases = append(testCases, testCase{
5030 protocol: dtls,
5031 name: "SRTP-Client-" + ver.name,
5032 config: Config{
5033 MaxVersion: ver.version,
5034 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5035 },
5036 flags: []string{
5037 "-srtp-profiles",
5038 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5039 },
5040 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5041 })
5042 testCases = append(testCases, testCase{
5043 protocol: dtls,
5044 testType: serverTest,
5045 name: "SRTP-Server-" + ver.name,
5046 config: Config{
5047 MaxVersion: ver.version,
5048 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5049 },
5050 flags: []string{
5051 "-srtp-profiles",
5052 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5053 },
5054 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5055 })
5056 // Test that the MKI is ignored.
5057 testCases = append(testCases, testCase{
5058 protocol: dtls,
5059 testType: serverTest,
5060 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5061 config: Config{
5062 MaxVersion: ver.version,
5063 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5064 Bugs: ProtocolBugs{
5065 SRTPMasterKeyIdentifer: "bogus",
5066 },
5067 },
5068 flags: []string{
5069 "-srtp-profiles",
5070 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5071 },
5072 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5073 })
5074 // Test that SRTP isn't negotiated on the server if there were
5075 // no matching profiles.
5076 testCases = append(testCases, testCase{
5077 protocol: dtls,
5078 testType: serverTest,
5079 name: "SRTP-Server-NoMatch-" + ver.name,
5080 config: Config{
5081 MaxVersion: ver.version,
5082 SRTPProtectionProfiles: []uint16{100, 101, 102},
5083 },
5084 flags: []string{
5085 "-srtp-profiles",
5086 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5087 },
5088 expectedSRTPProtectionProfile: 0,
5089 })
5090 // Test that the server returning an invalid SRTP profile is
5091 // flagged as an error by the client.
5092 testCases = append(testCases, testCase{
5093 protocol: dtls,
5094 name: "SRTP-Client-NoMatch-" + ver.name,
5095 config: Config{
5096 MaxVersion: ver.version,
5097 Bugs: ProtocolBugs{
5098 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5099 },
5100 },
5101 flags: []string{
5102 "-srtp-profiles",
5103 "SRTP_AES128_CM_SHA1_80",
5104 },
5105 shouldFail: true,
5106 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5107 })
5108 }
5109
5110 // Test SCT list.
5111 testCases = append(testCases, testCase{
5112 name: "SignedCertificateTimestampList-Client-" + ver.name,
5113 testType: clientTest,
5114 config: Config{
5115 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -04005116 },
David Benjamin97d17d92016-07-14 16:12:00 -04005117 flags: []string{
5118 "-enable-signed-cert-timestamps",
5119 "-expect-signed-cert-timestamps",
5120 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -07005121 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04005122 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005123 })
David Benjamindaa88502016-10-04 16:32:16 -04005124
5125 // The SCT extension did not specify that it must only be sent on resumption as it
5126 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -04005127 testCases = append(testCases, testCase{
5128 name: "SendSCTListOnResume-" + ver.name,
5129 config: Config{
5130 MaxVersion: ver.version,
5131 Bugs: ProtocolBugs{
5132 SendSCTListOnResume: []byte("bogus"),
5133 },
David Benjamind98452d2015-06-16 14:16:23 -04005134 },
David Benjamin97d17d92016-07-14 16:12:00 -04005135 flags: []string{
5136 "-enable-signed-cert-timestamps",
5137 "-expect-signed-cert-timestamps",
5138 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -07005139 },
Steven Valdez4aa154e2016-07-29 14:32:55 -04005140 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005141 })
David Benjamindaa88502016-10-04 16:32:16 -04005142
David Benjamin97d17d92016-07-14 16:12:00 -04005143 testCases = append(testCases, testCase{
5144 name: "SignedCertificateTimestampList-Server-" + ver.name,
5145 testType: serverTest,
5146 config: Config{
5147 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -05005148 },
David Benjamin97d17d92016-07-14 16:12:00 -04005149 flags: []string{
5150 "-signed-cert-timestamps",
5151 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -05005152 },
David Benjamin97d17d92016-07-14 16:12:00 -04005153 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005154 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -04005155 })
5156 }
David Benjamin4c3ddf72016-06-29 18:13:53 -04005157
Paul Lietar4fac72e2015-09-09 13:44:55 +01005158 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -07005159 testType: clientTest,
5160 name: "ClientHelloPadding",
5161 config: Config{
5162 Bugs: ProtocolBugs{
5163 RequireClientHelloSize: 512,
5164 },
5165 },
5166 // This hostname just needs to be long enough to push the
5167 // ClientHello into F5's danger zone between 256 and 511 bytes
5168 // long.
5169 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5170 })
David Benjaminc7ce9772015-10-09 19:32:41 -04005171
5172 // Extensions should not function in SSL 3.0.
5173 testCases = append(testCases, testCase{
5174 testType: serverTest,
5175 name: "SSLv3Extensions-NoALPN",
5176 config: Config{
5177 MaxVersion: VersionSSL30,
5178 NextProtos: []string{"foo", "bar", "baz"},
5179 },
5180 flags: []string{
5181 "-select-alpn", "foo",
5182 },
5183 expectNoNextProto: true,
5184 })
5185
5186 // Test session tickets separately as they follow a different codepath.
5187 testCases = append(testCases, testCase{
5188 testType: serverTest,
5189 name: "SSLv3Extensions-NoTickets",
5190 config: Config{
5191 MaxVersion: VersionSSL30,
5192 Bugs: ProtocolBugs{
5193 // Historically, session tickets in SSL 3.0
5194 // failed in different ways depending on whether
5195 // the client supported renegotiation_info.
5196 NoRenegotiationInfo: true,
5197 },
5198 },
5199 resumeSession: true,
5200 })
5201 testCases = append(testCases, testCase{
5202 testType: serverTest,
5203 name: "SSLv3Extensions-NoTickets2",
5204 config: Config{
5205 MaxVersion: VersionSSL30,
5206 },
5207 resumeSession: true,
5208 })
5209
5210 // But SSL 3.0 does send and process renegotiation_info.
5211 testCases = append(testCases, testCase{
5212 testType: serverTest,
5213 name: "SSLv3Extensions-RenegotiationInfo",
5214 config: Config{
5215 MaxVersion: VersionSSL30,
5216 Bugs: ProtocolBugs{
5217 RequireRenegotiationInfo: true,
5218 },
5219 },
5220 })
5221 testCases = append(testCases, testCase{
5222 testType: serverTest,
5223 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5224 config: Config{
5225 MaxVersion: VersionSSL30,
5226 Bugs: ProtocolBugs{
5227 NoRenegotiationInfo: true,
5228 SendRenegotiationSCSV: true,
5229 RequireRenegotiationInfo: true,
5230 },
5231 },
5232 })
Steven Valdez143e8b32016-07-11 13:19:03 -04005233
5234 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5235 // in ServerHello.
5236 testCases = append(testCases, testCase{
5237 name: "NPN-Forbidden-TLS13",
5238 config: Config{
5239 MaxVersion: VersionTLS13,
5240 NextProtos: []string{"foo"},
5241 Bugs: ProtocolBugs{
5242 NegotiateNPNAtAllVersions: true,
5243 },
5244 },
5245 flags: []string{"-select-next-proto", "foo"},
5246 shouldFail: true,
5247 expectedError: ":ERROR_PARSING_EXTENSION:",
5248 })
5249 testCases = append(testCases, testCase{
5250 name: "EMS-Forbidden-TLS13",
5251 config: Config{
5252 MaxVersion: VersionTLS13,
5253 Bugs: ProtocolBugs{
5254 NegotiateEMSAtAllVersions: true,
5255 },
5256 },
5257 shouldFail: true,
5258 expectedError: ":ERROR_PARSING_EXTENSION:",
5259 })
5260 testCases = append(testCases, testCase{
5261 name: "RenegotiationInfo-Forbidden-TLS13",
5262 config: Config{
5263 MaxVersion: VersionTLS13,
5264 Bugs: ProtocolBugs{
5265 NegotiateRenegotiationInfoAtAllVersions: true,
5266 },
5267 },
5268 shouldFail: true,
5269 expectedError: ":ERROR_PARSING_EXTENSION:",
5270 })
5271 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04005272 name: "Ticket-Forbidden-TLS13",
5273 config: Config{
5274 MaxVersion: VersionTLS12,
5275 },
5276 resumeConfig: &Config{
5277 MaxVersion: VersionTLS13,
5278 Bugs: ProtocolBugs{
5279 AdvertiseTicketExtension: true,
5280 },
5281 },
5282 resumeSession: true,
5283 shouldFail: true,
5284 expectedError: ":ERROR_PARSING_EXTENSION:",
5285 })
5286
5287 // Test that illegal extensions in TLS 1.3 are declined by the server if
5288 // offered in ClientHello. The runner's server will fail if this occurs,
5289 // so we exercise the offering path. (EMS and Renegotiation Info are
5290 // implicit in every test.)
5291 testCases = append(testCases, testCase{
5292 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -04005293 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -04005294 config: Config{
5295 MaxVersion: VersionTLS13,
5296 NextProtos: []string{"bar"},
5297 },
5298 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5299 })
David Benjamin196df5b2016-09-21 16:23:27 -04005300
David Benjamindaa88502016-10-04 16:32:16 -04005301 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5302 // tolerated.
5303 testCases = append(testCases, testCase{
5304 name: "SendOCSPResponseOnResume-TLS12",
5305 config: Config{
5306 MaxVersion: VersionTLS12,
5307 Bugs: ProtocolBugs{
5308 SendOCSPResponseOnResume: []byte("bogus"),
5309 },
5310 },
5311 flags: []string{
5312 "-enable-ocsp-stapling",
5313 "-expect-ocsp-response",
5314 base64.StdEncoding.EncodeToString(testOCSPResponse),
5315 },
5316 resumeSession: true,
5317 })
5318
David Benjamindaa88502016-10-04 16:32:16 -04005319 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -04005320 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -04005321 config: Config{
5322 MaxVersion: VersionTLS13,
5323 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -04005324 SendExtensionOnCertificate: testOCSPExtension,
5325 },
5326 },
5327 shouldFail: true,
5328 expectedError: ":UNEXPECTED_EXTENSION:",
5329 })
5330
5331 testCases = append(testCases, testCase{
5332 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5333 config: Config{
5334 MaxVersion: VersionTLS13,
5335 Bugs: ProtocolBugs{
5336 SendExtensionOnCertificate: testSCTExtension,
5337 },
5338 },
5339 shouldFail: true,
5340 expectedError: ":UNEXPECTED_EXTENSION:",
5341 })
5342
5343 // Test that extensions on client certificates are never accepted.
5344 testCases = append(testCases, testCase{
5345 name: "SendExtensionOnClientCertificate-TLS13",
5346 testType: serverTest,
5347 config: Config{
5348 MaxVersion: VersionTLS13,
5349 Certificates: []Certificate{rsaCertificate},
5350 Bugs: ProtocolBugs{
5351 SendExtensionOnCertificate: testOCSPExtension,
5352 },
5353 },
5354 flags: []string{
5355 "-enable-ocsp-stapling",
5356 "-require-any-client-certificate",
5357 },
5358 shouldFail: true,
5359 expectedError: ":UNEXPECTED_EXTENSION:",
5360 })
5361
5362 testCases = append(testCases, testCase{
5363 name: "SendUnknownExtensionOnCertificate-TLS13",
5364 config: Config{
5365 MaxVersion: VersionTLS13,
5366 Bugs: ProtocolBugs{
5367 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5368 },
5369 },
5370 shouldFail: true,
5371 expectedError: ":UNEXPECTED_EXTENSION:",
5372 })
5373
5374 // Test that extensions on intermediates are allowed but ignored.
5375 testCases = append(testCases, testCase{
5376 name: "IgnoreExtensionsOnIntermediates-TLS13",
5377 config: Config{
5378 MaxVersion: VersionTLS13,
5379 Certificates: []Certificate{rsaChainCertificate},
5380 Bugs: ProtocolBugs{
5381 // Send different values on the intermediate. This tests
5382 // the intermediate's extensions do not override the
5383 // leaf's.
5384 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
5385 SendSCTOnIntermediates: []byte{1, 3, 3, 7},
David Benjamindaa88502016-10-04 16:32:16 -04005386 },
5387 },
5388 flags: []string{
5389 "-enable-ocsp-stapling",
5390 "-expect-ocsp-response",
5391 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -04005392 "-enable-signed-cert-timestamps",
5393 "-expect-signed-cert-timestamps",
5394 base64.StdEncoding.EncodeToString(testSCTList),
5395 },
5396 resumeSession: true,
5397 })
5398
5399 // Test that extensions are not sent on intermediates when configured
5400 // only for a leaf.
5401 testCases = append(testCases, testCase{
5402 testType: serverTest,
5403 name: "SendNoExtensionsOnIntermediate-TLS13",
5404 config: Config{
5405 MaxVersion: VersionTLS13,
5406 Bugs: ProtocolBugs{
5407 ExpectNoExtensionsOnIntermediate: true,
5408 },
5409 },
5410 flags: []string{
5411 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5412 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5413 "-ocsp-response",
5414 base64.StdEncoding.EncodeToString(testOCSPResponse),
5415 "-signed-cert-timestamps",
5416 base64.StdEncoding.EncodeToString(testSCTList),
5417 },
5418 })
5419
5420 // Test that extensions are not sent on client certificates.
5421 testCases = append(testCases, testCase{
5422 name: "SendNoClientCertificateExtensions-TLS13",
5423 config: Config{
5424 MaxVersion: VersionTLS13,
5425 ClientAuth: RequireAnyClientCert,
5426 },
5427 flags: []string{
5428 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5429 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5430 "-ocsp-response",
5431 base64.StdEncoding.EncodeToString(testOCSPResponse),
5432 "-signed-cert-timestamps",
5433 base64.StdEncoding.EncodeToString(testSCTList),
5434 },
5435 })
5436
5437 testCases = append(testCases, testCase{
5438 name: "SendDuplicateExtensionsOnCerts-TLS13",
5439 config: Config{
5440 MaxVersion: VersionTLS13,
5441 Bugs: ProtocolBugs{
5442 SendDuplicateCertExtensions: true,
5443 },
5444 },
5445 flags: []string{
5446 "-enable-ocsp-stapling",
5447 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -04005448 },
5449 resumeSession: true,
5450 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -04005451 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -04005452 })
David Benjamine78bfde2014-09-06 12:45:15 -04005453}
5454
David Benjamin01fe8202014-09-24 15:21:44 -04005455func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -04005456 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -04005457 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -04005458 // SSL 3.0 does not have tickets and TLS 1.3 does not
5459 // have session IDs, so skip their cross-resumption
5460 // tests.
5461 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5462 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5463 continue
Nick Harper1fd39d82016-06-14 18:14:35 -07005464 }
5465
David Benjamin8b8c0062014-11-23 02:47:52 -05005466 protocols := []protocol{tls}
5467 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5468 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -05005469 }
David Benjamin8b8c0062014-11-23 02:47:52 -05005470 for _, protocol := range protocols {
5471 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5472 if protocol == dtls {
5473 suffix += "-DTLS"
5474 }
5475
David Benjaminece3de92015-03-16 18:02:20 -04005476 if sessionVers.version == resumeVers.version {
5477 testCases = append(testCases, testCase{
5478 protocol: protocol,
5479 name: "Resume-Client" + suffix,
5480 resumeSession: true,
5481 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005482 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -04005483 Bugs: ProtocolBugs{
5484 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5485 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5486 },
David Benjamin8b8c0062014-11-23 02:47:52 -05005487 },
David Benjaminece3de92015-03-16 18:02:20 -04005488 expectedVersion: sessionVers.version,
5489 expectedResumeVersion: resumeVers.version,
5490 })
5491 } else {
David Benjamin405da482016-08-08 17:25:07 -04005492 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5493
5494 // Offering a TLS 1.3 session sends an empty session ID, so
5495 // there is no way to convince a non-lookahead client the
5496 // session was resumed. It will appear to the client that a
5497 // stray ChangeCipherSpec was sent.
5498 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5499 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -04005500 }
5501
David Benjaminece3de92015-03-16 18:02:20 -04005502 testCases = append(testCases, testCase{
5503 protocol: protocol,
5504 name: "Resume-Client-Mismatch" + suffix,
5505 resumeSession: true,
5506 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005507 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005508 },
David Benjaminece3de92015-03-16 18:02:20 -04005509 expectedVersion: sessionVers.version,
5510 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005511 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -04005512 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -04005513 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -04005514 },
5515 },
5516 expectedResumeVersion: resumeVers.version,
5517 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005518 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -04005519 })
5520 }
David Benjamin8b8c0062014-11-23 02:47:52 -05005521
5522 testCases = append(testCases, testCase{
5523 protocol: protocol,
5524 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -05005525 resumeSession: true,
5526 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005527 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005528 },
5529 expectedVersion: sessionVers.version,
5530 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005531 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005532 },
5533 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -07005534 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -05005535 expectedResumeVersion: resumeVers.version,
5536 })
5537
David Benjamin8b8c0062014-11-23 02:47:52 -05005538 testCases = append(testCases, testCase{
5539 protocol: protocol,
5540 testType: serverTest,
5541 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -05005542 resumeSession: true,
5543 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005544 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005545 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -07005546 expectedVersion: sessionVers.version,
5547 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -05005548 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04005549 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -04005550 Bugs: ProtocolBugs{
5551 SendBothTickets: true,
5552 },
David Benjamin8b8c0062014-11-23 02:47:52 -05005553 },
5554 expectedResumeVersion: resumeVers.version,
5555 })
5556 }
David Benjamin01fe8202014-09-24 15:21:44 -04005557 }
5558 }
David Benjaminece3de92015-03-16 18:02:20 -04005559
David Benjamin4199b0d2016-11-01 13:58:25 -04005560 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005561 testCases = append(testCases, testCase{
5562 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -04005563 name: "ShimTicketRewritable",
5564 resumeSession: true,
5565 config: Config{
5566 MaxVersion: VersionTLS12,
5567 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5568 Bugs: ProtocolBugs{
5569 FilterTicket: func(in []byte) ([]byte, error) {
5570 in, err := SetShimTicketVersion(in, VersionTLS12)
5571 if err != nil {
5572 return nil, err
5573 }
5574 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5575 },
5576 },
5577 },
5578 flags: []string{
5579 "-ticket-key",
5580 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5581 },
5582 })
5583
5584 // Resumptions are declined if the version does not match.
5585 testCases = append(testCases, testCase{
5586 testType: serverTest,
5587 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005588 resumeSession: true,
5589 config: Config{
5590 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -04005591 Bugs: ProtocolBugs{
5592 FilterTicket: func(in []byte) ([]byte, error) {
5593 return SetShimTicketVersion(in, VersionTLS13)
5594 },
5595 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005596 },
David Benjamin4199b0d2016-11-01 13:58:25 -04005597 flags: []string{
5598 "-ticket-key",
5599 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5600 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005601 expectResumeRejected: true,
5602 })
5603
5604 testCases = append(testCases, testCase{
5605 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -04005606 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005607 resumeSession: true,
5608 config: Config{
5609 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -04005610 Bugs: ProtocolBugs{
5611 FilterTicket: func(in []byte) ([]byte, error) {
5612 return SetShimTicketVersion(in, VersionTLS12)
5613 },
5614 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005615 },
David Benjamin4199b0d2016-11-01 13:58:25 -04005616 flags: []string{
5617 "-ticket-key",
5618 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5619 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -04005620 expectResumeRejected: true,
5621 })
5622
David Benjamin4199b0d2016-11-01 13:58:25 -04005623 // Resumptions are declined if the cipher is invalid or disabled.
5624 testCases = append(testCases, testCase{
5625 testType: serverTest,
5626 name: "Resume-Server-DeclineBadCipher",
5627 resumeSession: true,
5628 config: Config{
5629 MaxVersion: VersionTLS12,
5630 Bugs: ProtocolBugs{
5631 FilterTicket: func(in []byte) ([]byte, error) {
5632 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5633 },
5634 },
5635 },
5636 flags: []string{
5637 "-ticket-key",
5638 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5639 },
5640 expectResumeRejected: true,
5641 })
5642
5643 testCases = append(testCases, testCase{
5644 testType: serverTest,
5645 name: "Resume-Server-DeclineBadCipher-2",
5646 resumeSession: true,
5647 config: Config{
5648 MaxVersion: VersionTLS12,
5649 Bugs: ProtocolBugs{
5650 FilterTicket: func(in []byte) ([]byte, error) {
5651 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5652 },
5653 },
5654 },
5655 flags: []string{
5656 "-cipher", "AES128",
5657 "-ticket-key",
5658 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5659 },
5660 expectResumeRejected: true,
5661 })
5662
5663 testCases = append(testCases, testCase{
5664 testType: serverTest,
5665 name: "Resume-Server-DeclineBadCipher-TLS13",
5666 resumeSession: true,
5667 config: Config{
5668 MaxVersion: VersionTLS13,
5669 Bugs: ProtocolBugs{
5670 FilterTicket: func(in []byte) ([]byte, error) {
5671 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5672 },
5673 },
5674 },
5675 flags: []string{
5676 "-ticket-key",
5677 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5678 },
5679 expectResumeRejected: true,
5680 })
5681
David Benjamin4199b0d2016-11-01 13:58:25 -04005682 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -04005683 testCases = append(testCases, testCase{
5684 name: "Resume-Client-CipherMismatch",
5685 resumeSession: true,
5686 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005687 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -04005688 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5689 },
5690 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005691 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -04005692 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5693 Bugs: ProtocolBugs{
5694 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5695 },
5696 },
5697 shouldFail: true,
5698 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5699 })
Steven Valdez4aa154e2016-07-29 14:32:55 -04005700
5701 testCases = append(testCases, testCase{
5702 name: "Resume-Client-CipherMismatch-TLS13",
5703 resumeSession: true,
5704 config: Config{
5705 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04005706 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -04005707 },
5708 resumeConfig: &Config{
5709 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -04005710 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -04005711 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -04005712 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -04005713 },
5714 },
5715 shouldFail: true,
5716 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5717 })
Steven Valdeza833c352016-11-01 13:39:36 -04005718
5719 testCases = append(testCases, testCase{
5720 testType: serverTest,
5721 name: "Resume-Server-BinderWrongLength",
5722 resumeSession: true,
5723 config: Config{
5724 MaxVersion: VersionTLS13,
5725 Bugs: ProtocolBugs{
5726 SendShortPSKBinder: true,
5727 },
5728 },
5729 shouldFail: true,
5730 expectedLocalError: "remote error: error decrypting message",
5731 expectedError: ":DIGEST_CHECK_FAILED:",
5732 })
5733
5734 testCases = append(testCases, testCase{
5735 testType: serverTest,
5736 name: "Resume-Server-NoPSKBinder",
5737 resumeSession: true,
5738 config: Config{
5739 MaxVersion: VersionTLS13,
5740 Bugs: ProtocolBugs{
5741 SendNoPSKBinder: true,
5742 },
5743 },
5744 shouldFail: true,
5745 expectedLocalError: "remote error: error decoding message",
5746 expectedError: ":DECODE_ERROR:",
5747 })
5748
5749 testCases = append(testCases, testCase{
5750 testType: serverTest,
5751 name: "Resume-Server-InvalidPSKBinder",
5752 resumeSession: true,
5753 config: Config{
5754 MaxVersion: VersionTLS13,
5755 Bugs: ProtocolBugs{
5756 SendInvalidPSKBinder: true,
5757 },
5758 },
5759 shouldFail: true,
5760 expectedLocalError: "remote error: error decrypting message",
5761 expectedError: ":DIGEST_CHECK_FAILED:",
5762 })
5763
5764 testCases = append(testCases, testCase{
5765 testType: serverTest,
5766 name: "Resume-Server-PSKBinderFirstExtension",
5767 resumeSession: true,
5768 config: Config{
5769 MaxVersion: VersionTLS13,
5770 Bugs: ProtocolBugs{
5771 PSKBinderFirst: true,
5772 },
5773 },
5774 shouldFail: true,
5775 expectedLocalError: "remote error: illegal parameter",
5776 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
5777 })
David Benjamin01fe8202014-09-24 15:21:44 -04005778}
5779
Adam Langley2ae77d22014-10-28 17:29:33 -07005780func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -04005781 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -04005782 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005783 testType: serverTest,
5784 name: "Renegotiate-Server-Forbidden",
5785 config: Config{
5786 MaxVersion: VersionTLS12,
5787 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005788 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -04005789 shouldFail: true,
5790 expectedError: ":NO_RENEGOTIATION:",
5791 expectedLocalError: "remote error: no renegotiation",
5792 })
Adam Langley5021b222015-06-12 18:27:58 -07005793 // The server shouldn't echo the renegotiation extension unless
5794 // requested by the client.
5795 testCases = append(testCases, testCase{
5796 testType: serverTest,
5797 name: "Renegotiate-Server-NoExt",
5798 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005799 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -07005800 Bugs: ProtocolBugs{
5801 NoRenegotiationInfo: true,
5802 RequireRenegotiationInfo: true,
5803 },
5804 },
5805 shouldFail: true,
5806 expectedLocalError: "renegotiation extension missing",
5807 })
5808 // The renegotiation SCSV should be sufficient for the server to echo
5809 // the extension.
5810 testCases = append(testCases, testCase{
5811 testType: serverTest,
5812 name: "Renegotiate-Server-NoExt-SCSV",
5813 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005814 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -07005815 Bugs: ProtocolBugs{
5816 NoRenegotiationInfo: true,
5817 SendRenegotiationSCSV: true,
5818 RequireRenegotiationInfo: true,
5819 },
5820 },
5821 })
Adam Langleycf2d4f42014-10-28 19:06:14 -07005822 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -04005823 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -04005824 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005825 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -04005826 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -04005827 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -04005828 },
5829 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005830 renegotiate: 1,
5831 flags: []string{
5832 "-renegotiate-freely",
5833 "-expect-total-renegotiations", "1",
5834 },
David Benjamincdea40c2015-03-19 14:09:43 -04005835 })
5836 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -07005837 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005838 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005839 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005840 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005841 Bugs: ProtocolBugs{
5842 EmptyRenegotiationInfo: true,
5843 },
5844 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005845 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005846 shouldFail: true,
5847 expectedError: ":RENEGOTIATION_MISMATCH:",
5848 })
5849 testCases = append(testCases, testCase{
5850 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005851 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005852 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005853 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005854 Bugs: ProtocolBugs{
5855 BadRenegotiationInfo: true,
5856 },
5857 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005858 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005859 shouldFail: true,
5860 expectedError: ":RENEGOTIATION_MISMATCH:",
5861 })
5862 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -05005863 name: "Renegotiate-Client-Downgrade",
5864 renegotiate: 1,
5865 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005866 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -05005867 Bugs: ProtocolBugs{
5868 NoRenegotiationInfoAfterInitial: true,
5869 },
5870 },
5871 flags: []string{"-renegotiate-freely"},
5872 shouldFail: true,
5873 expectedError: ":RENEGOTIATION_MISMATCH:",
5874 })
5875 testCases = append(testCases, testCase{
5876 name: "Renegotiate-Client-Upgrade",
5877 renegotiate: 1,
5878 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005879 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -05005880 Bugs: ProtocolBugs{
5881 NoRenegotiationInfoInInitial: true,
5882 },
5883 },
5884 flags: []string{"-renegotiate-freely"},
5885 shouldFail: true,
5886 expectedError: ":RENEGOTIATION_MISMATCH:",
5887 })
5888 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -04005889 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005890 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -04005891 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005892 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -04005893 Bugs: ProtocolBugs{
5894 NoRenegotiationInfo: true,
5895 },
5896 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005897 flags: []string{
5898 "-renegotiate-freely",
5899 "-expect-total-renegotiations", "1",
5900 },
David Benjamincff0b902015-05-15 23:09:47 -04005901 })
David Benjamine7e36aa2016-08-08 12:39:41 -04005902
5903 // Test that the server may switch ciphers on renegotiation without
5904 // problems.
David Benjamincff0b902015-05-15 23:09:47 -04005905 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -07005906 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005907 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005908 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005909 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -07005910 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -07005911 },
5912 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005913 flags: []string{
5914 "-renegotiate-freely",
5915 "-expect-total-renegotiations", "1",
5916 },
Adam Langleycf2d4f42014-10-28 19:06:14 -07005917 })
5918 testCases = append(testCases, testCase{
5919 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005920 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005921 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005922 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -07005923 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5924 },
Matt Braithwaite07e78062016-08-21 14:50:43 -07005925 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005926 flags: []string{
5927 "-renegotiate-freely",
5928 "-expect-total-renegotiations", "1",
5929 },
David Benjaminb16346b2015-04-08 19:16:58 -04005930 })
David Benjamine7e36aa2016-08-08 12:39:41 -04005931
5932 // Test that the server may not switch versions on renegotiation.
5933 testCases = append(testCases, testCase{
5934 name: "Renegotiate-Client-SwitchVersion",
5935 config: Config{
5936 MaxVersion: VersionTLS12,
5937 // Pick a cipher which exists at both versions.
5938 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
5939 Bugs: ProtocolBugs{
5940 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -05005941 // Avoid failing early at the record layer.
5942 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -04005943 },
5944 },
5945 renegotiate: 1,
5946 flags: []string{
5947 "-renegotiate-freely",
5948 "-expect-total-renegotiations", "1",
5949 },
5950 shouldFail: true,
5951 expectedError: ":WRONG_SSL_VERSION:",
5952 })
5953
David Benjaminb16346b2015-04-08 19:16:58 -04005954 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -05005955 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005956 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -05005957 config: Config{
5958 MaxVersion: VersionTLS10,
5959 Bugs: ProtocolBugs{
5960 RequireSameRenegoClientVersion: true,
5961 },
5962 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005963 flags: []string{
5964 "-renegotiate-freely",
5965 "-expect-total-renegotiations", "1",
5966 },
David Benjaminc44b1df2014-11-23 12:11:01 -05005967 })
Adam Langleyb558c4c2015-07-08 12:16:38 -07005968 testCases = append(testCases, testCase{
5969 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005970 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -07005971 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07005972 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -07005973 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5974 NextProtos: []string{"foo"},
5975 },
5976 flags: []string{
5977 "-false-start",
5978 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005979 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -04005980 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -07005981 },
5982 shimWritesFirst: true,
5983 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005984
5985 // Client-side renegotiation controls.
5986 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005987 name: "Renegotiate-Client-Forbidden-1",
5988 config: Config{
5989 MaxVersion: VersionTLS12,
5990 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04005991 renegotiate: 1,
5992 shouldFail: true,
5993 expectedError: ":NO_RENEGOTIATION:",
5994 expectedLocalError: "remote error: no renegotiation",
5995 })
5996 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04005997 name: "Renegotiate-Client-Once-1",
5998 config: Config{
5999 MaxVersion: VersionTLS12,
6000 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04006001 renegotiate: 1,
6002 flags: []string{
6003 "-renegotiate-once",
6004 "-expect-total-renegotiations", "1",
6005 },
6006 })
6007 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006008 name: "Renegotiate-Client-Freely-1",
6009 config: Config{
6010 MaxVersion: VersionTLS12,
6011 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04006012 renegotiate: 1,
6013 flags: []string{
6014 "-renegotiate-freely",
6015 "-expect-total-renegotiations", "1",
6016 },
6017 })
6018 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006019 name: "Renegotiate-Client-Once-2",
6020 config: Config{
6021 MaxVersion: VersionTLS12,
6022 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04006023 renegotiate: 2,
6024 flags: []string{"-renegotiate-once"},
6025 shouldFail: true,
6026 expectedError: ":NO_RENEGOTIATION:",
6027 expectedLocalError: "remote error: no renegotiation",
6028 })
6029 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006030 name: "Renegotiate-Client-Freely-2",
6031 config: Config{
6032 MaxVersion: VersionTLS12,
6033 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -04006034 renegotiate: 2,
6035 flags: []string{
6036 "-renegotiate-freely",
6037 "-expect-total-renegotiations", "2",
6038 },
6039 })
Adam Langley27a0d082015-11-03 13:34:10 -08006040 testCases = append(testCases, testCase{
6041 name: "Renegotiate-Client-NoIgnore",
6042 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006043 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -08006044 Bugs: ProtocolBugs{
6045 SendHelloRequestBeforeEveryAppDataRecord: true,
6046 },
6047 },
6048 shouldFail: true,
6049 expectedError: ":NO_RENEGOTIATION:",
6050 })
6051 testCases = append(testCases, testCase{
6052 name: "Renegotiate-Client-Ignore",
6053 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006054 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -08006055 Bugs: ProtocolBugs{
6056 SendHelloRequestBeforeEveryAppDataRecord: true,
6057 },
6058 },
6059 flags: []string{
6060 "-renegotiate-ignore",
6061 "-expect-total-renegotiations", "0",
6062 },
6063 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04006064
David Benjamin34941c02016-10-08 11:45:31 -04006065 // Renegotiation is not allowed at SSL 3.0.
6066 testCases = append(testCases, testCase{
6067 name: "Renegotiate-Client-SSL3",
6068 config: Config{
6069 MaxVersion: VersionSSL30,
6070 },
6071 renegotiate: 1,
6072 flags: []string{
6073 "-renegotiate-freely",
6074 "-expect-total-renegotiations", "1",
6075 },
6076 shouldFail: true,
6077 expectedError: ":NO_RENEGOTIATION:",
6078 expectedLocalError: "remote error: no renegotiation",
6079 })
6080
David Benjamin397c8e62016-07-08 14:14:36 -07006081 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -07006082 testCases = append(testCases, testCase{
6083 name: "StrayHelloRequest",
6084 config: Config{
6085 MaxVersion: VersionTLS12,
6086 Bugs: ProtocolBugs{
6087 SendHelloRequestBeforeEveryHandshakeMessage: true,
6088 },
6089 },
6090 })
6091 testCases = append(testCases, testCase{
6092 name: "StrayHelloRequest-Packed",
6093 config: Config{
6094 MaxVersion: VersionTLS12,
6095 Bugs: ProtocolBugs{
6096 PackHandshakeFlight: true,
6097 SendHelloRequestBeforeEveryHandshakeMessage: true,
6098 },
6099 },
6100 })
6101
David Benjamin12d2c482016-07-24 10:56:51 -04006102 // Test renegotiation works if HelloRequest and server Finished come in
6103 // the same record.
6104 testCases = append(testCases, testCase{
6105 name: "Renegotiate-Client-Packed",
6106 config: Config{
6107 MaxVersion: VersionTLS12,
6108 Bugs: ProtocolBugs{
6109 PackHandshakeFlight: true,
6110 PackHelloRequestWithFinished: true,
6111 },
6112 },
6113 renegotiate: 1,
6114 flags: []string{
6115 "-renegotiate-freely",
6116 "-expect-total-renegotiations", "1",
6117 },
6118 })
6119
David Benjamin397c8e62016-07-08 14:14:36 -07006120 // Renegotiation is forbidden in TLS 1.3.
6121 testCases = append(testCases, testCase{
6122 name: "Renegotiate-Client-TLS13",
6123 config: Config{
6124 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04006125 Bugs: ProtocolBugs{
6126 SendHelloRequestBeforeEveryAppDataRecord: true,
6127 },
David Benjamin397c8e62016-07-08 14:14:36 -07006128 },
David Benjamin397c8e62016-07-08 14:14:36 -07006129 flags: []string{
6130 "-renegotiate-freely",
6131 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -04006132 shouldFail: true,
6133 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -07006134 })
6135
6136 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6137 testCases = append(testCases, testCase{
6138 name: "StrayHelloRequest-TLS13",
6139 config: Config{
6140 MaxVersion: VersionTLS13,
6141 Bugs: ProtocolBugs{
6142 SendHelloRequestBeforeEveryHandshakeMessage: true,
6143 },
6144 },
6145 shouldFail: true,
6146 expectedError: ":UNEXPECTED_MESSAGE:",
6147 })
Adam Langley2ae77d22014-10-28 17:29:33 -07006148}
6149
David Benjamin5e961c12014-11-07 01:48:35 -05006150func addDTLSReplayTests() {
6151 // Test that sequence number replays are detected.
6152 testCases = append(testCases, testCase{
6153 protocol: dtls,
6154 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -04006155 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -05006156 replayWrites: true,
6157 })
6158
David Benjamin8e6db492015-07-25 18:29:23 -04006159 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -05006160 // than the retransmit window.
6161 testCases = append(testCases, testCase{
6162 protocol: dtls,
6163 name: "DTLS-Replay-LargeGaps",
6164 config: Config{
6165 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -04006166 SequenceNumberMapping: func(in uint64) uint64 {
6167 return in * 127
6168 },
David Benjamin5e961c12014-11-07 01:48:35 -05006169 },
6170 },
David Benjamin8e6db492015-07-25 18:29:23 -04006171 messageCount: 200,
6172 replayWrites: true,
6173 })
6174
6175 // Test the incoming sequence number changing non-monotonically.
6176 testCases = append(testCases, testCase{
6177 protocol: dtls,
6178 name: "DTLS-Replay-NonMonotonic",
6179 config: Config{
6180 Bugs: ProtocolBugs{
6181 SequenceNumberMapping: func(in uint64) uint64 {
6182 return in ^ 31
6183 },
6184 },
6185 },
6186 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -05006187 replayWrites: true,
6188 })
6189}
6190
Nick Harper60edffd2016-06-21 15:19:24 -07006191var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -05006192 name string
Nick Harper60edffd2016-06-21 15:19:24 -07006193 id signatureAlgorithm
6194 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -05006195}{
Nick Harper60edffd2016-06-21 15:19:24 -07006196 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6197 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6198 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6199 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -07006200 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -07006201 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6202 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6203 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006204 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6205 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6206 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -04006207 // Tests for key types prior to TLS 1.2.
6208 {"RSA", 0, testCertRSA},
6209 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -05006210}
6211
Nick Harper60edffd2016-06-21 15:19:24 -07006212const fakeSigAlg1 signatureAlgorithm = 0x2a01
6213const fakeSigAlg2 signatureAlgorithm = 0xff01
6214
6215func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -04006216 // Not all ciphers involve a signature. Advertise a list which gives all
6217 // versions a signing cipher.
6218 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -04006219 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -04006220 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6221 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6222 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6223 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
6224 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
6225 }
6226
David Benjaminca3d5452016-07-14 12:51:01 -04006227 var allAlgorithms []signatureAlgorithm
6228 for _, alg := range testSignatureAlgorithms {
6229 if alg.id != 0 {
6230 allAlgorithms = append(allAlgorithms, alg.id)
6231 }
6232 }
6233
Nick Harper60edffd2016-06-21 15:19:24 -07006234 // Make sure each signature algorithm works. Include some fake values in
6235 // the list and ensure they're ignored.
6236 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -07006237 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -04006238 if (ver.version < VersionTLS12) != (alg.id == 0) {
6239 continue
6240 }
6241
6242 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6243 // or remove it in C.
6244 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -07006245 continue
6246 }
Nick Harper60edffd2016-06-21 15:19:24 -07006247
David Benjamin3ef76972016-10-17 17:59:54 -04006248 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -07006249 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006250 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -04006251 shouldSignFail = true
6252 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006253 }
Steven Valdez54ed58e2016-08-18 14:03:49 -04006254 // RSA-PKCS1 does not exist in TLS 1.3.
6255 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -04006256 shouldSignFail = true
6257 shouldVerifyFail = true
6258 }
6259
6260 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6261 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6262 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -04006263 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006264
6265 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -04006266 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006267 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -04006268 }
6269 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006270 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -07006271 }
David Benjamin000800a2014-11-14 01:43:59 -05006272
David Benjamin1fb125c2016-07-08 18:52:12 -07006273 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -05006274
David Benjamin7a41d372016-07-09 11:21:54 -07006275 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006276 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -07006277 config: Config{
6278 MaxVersion: ver.version,
6279 ClientAuth: RequireAnyClientCert,
6280 VerifySignatureAlgorithms: []signatureAlgorithm{
6281 fakeSigAlg1,
6282 alg.id,
6283 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -07006284 },
David Benjamin7a41d372016-07-09 11:21:54 -07006285 },
6286 flags: []string{
6287 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6288 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6289 "-enable-all-curves",
6290 },
David Benjamin3ef76972016-10-17 17:59:54 -04006291 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -07006292 expectedError: signError,
6293 expectedPeerSignatureAlgorithm: alg.id,
6294 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006295
David Benjamin7a41d372016-07-09 11:21:54 -07006296 testCases = append(testCases, testCase{
6297 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006298 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -07006299 config: Config{
6300 MaxVersion: ver.version,
6301 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6302 SignSignatureAlgorithms: []signatureAlgorithm{
6303 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006304 },
David Benjamin7a41d372016-07-09 11:21:54 -07006305 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -04006306 SkipECDSACurveCheck: shouldVerifyFail,
6307 IgnoreSignatureVersionChecks: shouldVerifyFail,
6308 // Some signature algorithms may not be advertised.
6309 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006310 },
David Benjamin7a41d372016-07-09 11:21:54 -07006311 },
6312 flags: []string{
6313 "-require-any-client-certificate",
6314 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6315 "-enable-all-curves",
6316 },
David Benjamin3ef76972016-10-17 17:59:54 -04006317 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -07006318 expectedError: verifyError,
6319 })
David Benjamin1fb125c2016-07-08 18:52:12 -07006320
6321 testCases = append(testCases, testCase{
6322 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006323 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -07006324 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -04006325 MaxVersion: ver.version,
6326 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -07006327 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006328 fakeSigAlg1,
6329 alg.id,
6330 fakeSigAlg2,
6331 },
6332 },
6333 flags: []string{
6334 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6335 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6336 "-enable-all-curves",
6337 },
David Benjamin3ef76972016-10-17 17:59:54 -04006338 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006339 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -07006340 expectedPeerSignatureAlgorithm: alg.id,
6341 })
6342
6343 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006344 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -07006345 config: Config{
6346 MaxVersion: ver.version,
6347 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -04006348 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -07006349 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006350 alg.id,
6351 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006352 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -04006353 SkipECDSACurveCheck: shouldVerifyFail,
6354 IgnoreSignatureVersionChecks: shouldVerifyFail,
6355 // Some signature algorithms may not be advertised.
6356 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006357 },
David Benjamin1fb125c2016-07-08 18:52:12 -07006358 },
6359 flags: []string{
6360 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6361 "-enable-all-curves",
6362 },
David Benjamin3ef76972016-10-17 17:59:54 -04006363 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -04006364 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -07006365 })
David Benjamin5208fd42016-07-13 21:43:25 -04006366
David Benjamin3ef76972016-10-17 17:59:54 -04006367 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -04006368 testCases = append(testCases, testCase{
6369 testType: serverTest,
6370 name: "ClientAuth-InvalidSignature" + suffix,
6371 config: Config{
6372 MaxVersion: ver.version,
6373 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6374 SignSignatureAlgorithms: []signatureAlgorithm{
6375 alg.id,
6376 },
6377 Bugs: ProtocolBugs{
6378 InvalidSignature: true,
6379 },
6380 },
6381 flags: []string{
6382 "-require-any-client-certificate",
6383 "-enable-all-curves",
6384 },
6385 shouldFail: true,
6386 expectedError: ":BAD_SIGNATURE:",
6387 })
6388
6389 testCases = append(testCases, testCase{
6390 name: "ServerAuth-InvalidSignature" + suffix,
6391 config: Config{
6392 MaxVersion: ver.version,
6393 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6394 CipherSuites: signingCiphers,
6395 SignSignatureAlgorithms: []signatureAlgorithm{
6396 alg.id,
6397 },
6398 Bugs: ProtocolBugs{
6399 InvalidSignature: true,
6400 },
6401 },
6402 flags: []string{"-enable-all-curves"},
6403 shouldFail: true,
6404 expectedError: ":BAD_SIGNATURE:",
6405 })
6406 }
David Benjaminca3d5452016-07-14 12:51:01 -04006407
David Benjamin3ef76972016-10-17 17:59:54 -04006408 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -04006409 testCases = append(testCases, testCase{
6410 name: "ClientAuth-Sign-Negotiate" + suffix,
6411 config: Config{
6412 MaxVersion: ver.version,
6413 ClientAuth: RequireAnyClientCert,
6414 VerifySignatureAlgorithms: allAlgorithms,
6415 },
6416 flags: []string{
6417 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6418 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6419 "-enable-all-curves",
6420 "-signing-prefs", strconv.Itoa(int(alg.id)),
6421 },
6422 expectedPeerSignatureAlgorithm: alg.id,
6423 })
6424
6425 testCases = append(testCases, testCase{
6426 testType: serverTest,
6427 name: "ServerAuth-Sign-Negotiate" + suffix,
6428 config: Config{
6429 MaxVersion: ver.version,
6430 CipherSuites: signingCiphers,
6431 VerifySignatureAlgorithms: allAlgorithms,
6432 },
6433 flags: []string{
6434 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6435 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6436 "-enable-all-curves",
6437 "-signing-prefs", strconv.Itoa(int(alg.id)),
6438 },
6439 expectedPeerSignatureAlgorithm: alg.id,
6440 })
6441 }
David Benjamin1fb125c2016-07-08 18:52:12 -07006442 }
David Benjamin000800a2014-11-14 01:43:59 -05006443 }
6444
Nick Harper60edffd2016-06-21 15:19:24 -07006445 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -05006446 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006447 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -05006448 config: Config{
6449 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -04006450 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -07006451 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006452 signatureECDSAWithP521AndSHA512,
6453 signatureRSAPKCS1WithSHA384,
6454 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006455 },
6456 },
6457 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07006458 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6459 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -05006460 },
Nick Harper60edffd2016-06-21 15:19:24 -07006461 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -05006462 })
6463
6464 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04006465 name: "ClientAuth-SignatureType-TLS13",
6466 config: Config{
6467 ClientAuth: RequireAnyClientCert,
6468 MaxVersion: VersionTLS13,
6469 VerifySignatureAlgorithms: []signatureAlgorithm{
6470 signatureECDSAWithP521AndSHA512,
6471 signatureRSAPKCS1WithSHA384,
6472 signatureRSAPSSWithSHA384,
6473 signatureECDSAWithSHA1,
6474 },
6475 },
6476 flags: []string{
6477 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6478 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6479 },
6480 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6481 })
6482
6483 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -05006484 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006485 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -05006486 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006487 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -05006488 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006489 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006490 signatureECDSAWithP521AndSHA512,
6491 signatureRSAPKCS1WithSHA384,
6492 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006493 },
6494 },
Nick Harper60edffd2016-06-21 15:19:24 -07006495 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -05006496 })
6497
Steven Valdez143e8b32016-07-11 13:19:03 -04006498 testCases = append(testCases, testCase{
6499 testType: serverTest,
6500 name: "ServerAuth-SignatureType-TLS13",
6501 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006502 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04006503 VerifySignatureAlgorithms: []signatureAlgorithm{
6504 signatureECDSAWithP521AndSHA512,
6505 signatureRSAPKCS1WithSHA384,
6506 signatureRSAPSSWithSHA384,
6507 signatureECDSAWithSHA1,
6508 },
6509 },
6510 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6511 })
6512
David Benjamina95e9f32016-07-08 16:28:04 -07006513 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -07006514 testCases = append(testCases, testCase{
6515 testType: serverTest,
6516 name: "Verify-ClientAuth-SignatureType",
6517 config: Config{
6518 MaxVersion: VersionTLS12,
6519 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006520 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -07006521 signatureRSAPKCS1WithSHA256,
6522 },
6523 Bugs: ProtocolBugs{
6524 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6525 },
6526 },
6527 flags: []string{
6528 "-require-any-client-certificate",
6529 },
6530 shouldFail: true,
6531 expectedError: ":WRONG_SIGNATURE_TYPE:",
6532 })
6533
6534 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04006535 testType: serverTest,
6536 name: "Verify-ClientAuth-SignatureType-TLS13",
6537 config: Config{
6538 MaxVersion: VersionTLS13,
6539 Certificates: []Certificate{rsaCertificate},
6540 SignSignatureAlgorithms: []signatureAlgorithm{
6541 signatureRSAPSSWithSHA256,
6542 },
6543 Bugs: ProtocolBugs{
6544 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6545 },
6546 },
6547 flags: []string{
6548 "-require-any-client-certificate",
6549 },
6550 shouldFail: true,
6551 expectedError: ":WRONG_SIGNATURE_TYPE:",
6552 })
6553
6554 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006555 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -07006556 config: Config{
6557 MaxVersion: VersionTLS12,
6558 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006559 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -07006560 signatureRSAPKCS1WithSHA256,
6561 },
6562 Bugs: ProtocolBugs{
6563 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6564 },
6565 },
6566 shouldFail: true,
6567 expectedError: ":WRONG_SIGNATURE_TYPE:",
6568 })
6569
Steven Valdez143e8b32016-07-11 13:19:03 -04006570 testCases = append(testCases, testCase{
6571 name: "Verify-ServerAuth-SignatureType-TLS13",
6572 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006573 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04006574 SignSignatureAlgorithms: []signatureAlgorithm{
6575 signatureRSAPSSWithSHA256,
6576 },
6577 Bugs: ProtocolBugs{
6578 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6579 },
6580 },
6581 shouldFail: true,
6582 expectedError: ":WRONG_SIGNATURE_TYPE:",
6583 })
6584
David Benjamin51dd7d62016-07-08 16:07:01 -07006585 // Test that, if the list is missing, the peer falls back to SHA-1 in
6586 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -05006587 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -04006588 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -05006589 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006590 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -05006591 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006592 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006593 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006594 },
6595 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -07006596 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -05006597 },
6598 },
6599 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -07006600 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6601 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -05006602 },
6603 })
6604
6605 testCases = append(testCases, testCase{
6606 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -04006607 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -05006608 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -04006609 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -07006610 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006611 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -05006612 },
6613 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -07006614 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -05006615 },
6616 },
David Benjaminee32bea2016-08-17 13:36:44 -04006617 flags: []string{
6618 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6619 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6620 },
6621 })
6622
6623 testCases = append(testCases, testCase{
6624 name: "ClientAuth-SHA1-Fallback-ECDSA",
6625 config: Config{
6626 MaxVersion: VersionTLS12,
6627 ClientAuth: RequireAnyClientCert,
6628 VerifySignatureAlgorithms: []signatureAlgorithm{
6629 signatureECDSAWithSHA1,
6630 },
6631 Bugs: ProtocolBugs{
6632 NoSignatureAlgorithms: true,
6633 },
6634 },
6635 flags: []string{
6636 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6637 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6638 },
6639 })
6640
6641 testCases = append(testCases, testCase{
6642 testType: serverTest,
6643 name: "ServerAuth-SHA1-Fallback-ECDSA",
6644 config: Config{
6645 MaxVersion: VersionTLS12,
6646 VerifySignatureAlgorithms: []signatureAlgorithm{
6647 signatureECDSAWithSHA1,
6648 },
6649 Bugs: ProtocolBugs{
6650 NoSignatureAlgorithms: true,
6651 },
6652 },
6653 flags: []string{
6654 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6655 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6656 },
David Benjamin000800a2014-11-14 01:43:59 -05006657 })
David Benjamin72dc7832015-03-16 17:49:43 -04006658
David Benjamin51dd7d62016-07-08 16:07:01 -07006659 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006660 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -07006661 config: Config{
6662 MaxVersion: VersionTLS13,
6663 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006664 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -07006665 signatureRSAPKCS1WithSHA1,
6666 },
6667 Bugs: ProtocolBugs{
6668 NoSignatureAlgorithms: true,
6669 },
6670 },
6671 flags: []string{
6672 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6673 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6674 },
David Benjamin48901652016-08-01 12:12:47 -04006675 shouldFail: true,
6676 // An empty CertificateRequest signature algorithm list is a
6677 // syntax error in TLS 1.3.
6678 expectedError: ":DECODE_ERROR:",
6679 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -07006680 })
6681
6682 testCases = append(testCases, testCase{
6683 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006684 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -07006685 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006686 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -07006687 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -07006688 signatureRSAPKCS1WithSHA1,
6689 },
6690 Bugs: ProtocolBugs{
6691 NoSignatureAlgorithms: true,
6692 },
6693 },
6694 shouldFail: true,
6695 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6696 })
6697
David Benjaminb62d2872016-07-18 14:55:02 +02006698 // Test that hash preferences are enforced. BoringSSL does not implement
6699 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -04006700 testCases = append(testCases, testCase{
6701 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -04006702 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -04006703 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006704 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -04006705 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006706 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006707 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -04006708 },
6709 Bugs: ProtocolBugs{
6710 IgnorePeerSignatureAlgorithmPreferences: true,
6711 },
6712 },
6713 flags: []string{"-require-any-client-certificate"},
6714 shouldFail: true,
6715 expectedError: ":WRONG_SIGNATURE_TYPE:",
6716 })
6717
6718 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -04006719 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -04006720 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006721 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -04006722 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -07006723 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006724 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -04006725 },
6726 Bugs: ProtocolBugs{
6727 IgnorePeerSignatureAlgorithmPreferences: true,
6728 },
6729 },
6730 shouldFail: true,
6731 expectedError: ":WRONG_SIGNATURE_TYPE:",
6732 })
David Benjaminb62d2872016-07-18 14:55:02 +02006733 testCases = append(testCases, testCase{
6734 testType: serverTest,
6735 name: "ClientAuth-Enforced-TLS13",
6736 config: Config{
6737 MaxVersion: VersionTLS13,
6738 Certificates: []Certificate{rsaCertificate},
6739 SignSignatureAlgorithms: []signatureAlgorithm{
6740 signatureRSAPKCS1WithMD5,
6741 },
6742 Bugs: ProtocolBugs{
6743 IgnorePeerSignatureAlgorithmPreferences: true,
6744 IgnoreSignatureVersionChecks: true,
6745 },
6746 },
6747 flags: []string{"-require-any-client-certificate"},
6748 shouldFail: true,
6749 expectedError: ":WRONG_SIGNATURE_TYPE:",
6750 })
6751
6752 testCases = append(testCases, testCase{
6753 name: "ServerAuth-Enforced-TLS13",
6754 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006755 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +02006756 SignSignatureAlgorithms: []signatureAlgorithm{
6757 signatureRSAPKCS1WithMD5,
6758 },
6759 Bugs: ProtocolBugs{
6760 IgnorePeerSignatureAlgorithmPreferences: true,
6761 IgnoreSignatureVersionChecks: true,
6762 },
6763 },
6764 shouldFail: true,
6765 expectedError: ":WRONG_SIGNATURE_TYPE:",
6766 })
Steven Valdez0d62f262015-09-04 12:41:04 -04006767
6768 // Test that the agreed upon digest respects the client preferences and
6769 // the server digests.
6770 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -04006771 name: "NoCommonAlgorithms-Digests",
6772 config: Config{
6773 MaxVersion: VersionTLS12,
6774 ClientAuth: RequireAnyClientCert,
6775 VerifySignatureAlgorithms: []signatureAlgorithm{
6776 signatureRSAPKCS1WithSHA512,
6777 signatureRSAPKCS1WithSHA1,
6778 },
6779 },
6780 flags: []string{
6781 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6782 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6783 "-digest-prefs", "SHA256",
6784 },
6785 shouldFail: true,
6786 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6787 })
6788 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -07006789 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -04006790 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006791 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006792 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006793 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006794 signatureRSAPKCS1WithSHA512,
6795 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006796 },
6797 },
6798 flags: []string{
6799 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6800 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006801 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -04006802 },
David Benjaminca3d5452016-07-14 12:51:01 -04006803 shouldFail: true,
6804 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6805 })
6806 testCases = append(testCases, testCase{
6807 name: "NoCommonAlgorithms-TLS13",
6808 config: Config{
6809 MaxVersion: VersionTLS13,
6810 ClientAuth: RequireAnyClientCert,
6811 VerifySignatureAlgorithms: []signatureAlgorithm{
6812 signatureRSAPSSWithSHA512,
6813 signatureRSAPSSWithSHA384,
6814 },
6815 },
6816 flags: []string{
6817 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6818 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6819 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
6820 },
David Benjaminea9a0d52016-07-08 15:52:59 -07006821 shouldFail: true,
6822 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -04006823 })
6824 testCases = append(testCases, testCase{
6825 name: "Agree-Digest-SHA256",
6826 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006827 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006828 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006829 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006830 signatureRSAPKCS1WithSHA1,
6831 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006832 },
6833 },
6834 flags: []string{
6835 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6836 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006837 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -04006838 },
Nick Harper60edffd2016-06-21 15:19:24 -07006839 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006840 })
6841 testCases = append(testCases, testCase{
6842 name: "Agree-Digest-SHA1",
6843 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006844 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006845 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006846 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006847 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006848 },
6849 },
6850 flags: []string{
6851 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6852 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -04006853 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -04006854 },
Nick Harper60edffd2016-06-21 15:19:24 -07006855 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006856 })
6857 testCases = append(testCases, testCase{
6858 name: "Agree-Digest-Default",
6859 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04006860 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -04006861 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -07006862 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -07006863 signatureRSAPKCS1WithSHA256,
6864 signatureECDSAWithP256AndSHA256,
6865 signatureRSAPKCS1WithSHA1,
6866 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -04006867 },
6868 },
6869 flags: []string{
6870 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6871 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6872 },
Nick Harper60edffd2016-06-21 15:19:24 -07006873 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -04006874 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04006875
David Benjaminca3d5452016-07-14 12:51:01 -04006876 // Test that the signing preference list may include extra algorithms
6877 // without negotiation problems.
6878 testCases = append(testCases, testCase{
6879 testType: serverTest,
6880 name: "FilterExtraAlgorithms",
6881 config: Config{
6882 MaxVersion: VersionTLS12,
6883 VerifySignatureAlgorithms: []signatureAlgorithm{
6884 signatureRSAPKCS1WithSHA256,
6885 },
6886 },
6887 flags: []string{
6888 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6889 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6890 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
6891 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
6892 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
6893 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
6894 },
6895 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
6896 })
6897
David Benjamin4c3ddf72016-06-29 18:13:53 -04006898 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
6899 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -04006900 testCases = append(testCases, testCase{
6901 name: "CheckLeafCurve",
6902 config: Config{
6903 MaxVersion: VersionTLS12,
6904 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -07006905 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -04006906 },
6907 flags: []string{"-p384-only"},
6908 shouldFail: true,
6909 expectedError: ":BAD_ECC_CERT:",
6910 })
David Benjamin75ea5bb2016-07-08 17:43:29 -07006911
6912 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
6913 testCases = append(testCases, testCase{
6914 name: "CheckLeafCurve-TLS13",
6915 config: Config{
6916 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -07006917 Certificates: []Certificate{ecdsaP256Certificate},
6918 },
6919 flags: []string{"-p384-only"},
6920 })
David Benjamin1fb125c2016-07-08 18:52:12 -07006921
6922 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
6923 testCases = append(testCases, testCase{
6924 name: "ECDSACurveMismatch-Verify-TLS12",
6925 config: Config{
6926 MaxVersion: VersionTLS12,
6927 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
6928 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006929 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006930 signatureECDSAWithP384AndSHA384,
6931 },
6932 },
6933 })
6934
6935 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
6936 testCases = append(testCases, testCase{
6937 name: "ECDSACurveMismatch-Verify-TLS13",
6938 config: Config{
6939 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -07006940 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -07006941 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006942 signatureECDSAWithP384AndSHA384,
6943 },
6944 Bugs: ProtocolBugs{
6945 SkipECDSACurveCheck: true,
6946 },
6947 },
6948 shouldFail: true,
6949 expectedError: ":WRONG_SIGNATURE_TYPE:",
6950 })
6951
6952 // Signature algorithm selection in TLS 1.3 should take the curve into
6953 // account.
6954 testCases = append(testCases, testCase{
6955 testType: serverTest,
6956 name: "ECDSACurveMismatch-Sign-TLS13",
6957 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04006958 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -07006959 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -07006960 signatureECDSAWithP384AndSHA384,
6961 signatureECDSAWithP256AndSHA256,
6962 },
6963 },
6964 flags: []string{
6965 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6966 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6967 },
6968 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6969 })
David Benjamin7944a9f2016-07-12 22:27:01 -04006970
6971 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
6972 // server does not attempt to sign in that case.
6973 testCases = append(testCases, testCase{
6974 testType: serverTest,
6975 name: "RSA-PSS-Large",
6976 config: Config{
6977 MaxVersion: VersionTLS13,
6978 VerifySignatureAlgorithms: []signatureAlgorithm{
6979 signatureRSAPSSWithSHA512,
6980 },
6981 },
6982 flags: []string{
6983 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
6984 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
6985 },
6986 shouldFail: true,
6987 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6988 })
David Benjamin57e929f2016-08-30 00:30:38 -04006989
6990 // Test that RSA-PSS is enabled by default for TLS 1.2.
6991 testCases = append(testCases, testCase{
6992 testType: clientTest,
6993 name: "RSA-PSS-Default-Verify",
6994 config: Config{
6995 MaxVersion: VersionTLS12,
6996 SignSignatureAlgorithms: []signatureAlgorithm{
6997 signatureRSAPSSWithSHA256,
6998 },
6999 },
7000 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7001 })
7002
7003 testCases = append(testCases, testCase{
7004 testType: serverTest,
7005 name: "RSA-PSS-Default-Sign",
7006 config: Config{
7007 MaxVersion: VersionTLS12,
7008 VerifySignatureAlgorithms: []signatureAlgorithm{
7009 signatureRSAPSSWithSHA256,
7010 },
7011 },
7012 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7013 })
David Benjamin000800a2014-11-14 01:43:59 -05007014}
7015
David Benjamin83f90402015-01-27 01:09:43 -05007016// timeouts is the retransmit schedule for BoringSSL. It doubles and
7017// caps at 60 seconds. On the 13th timeout, it gives up.
7018var timeouts = []time.Duration{
7019 1 * time.Second,
7020 2 * time.Second,
7021 4 * time.Second,
7022 8 * time.Second,
7023 16 * time.Second,
7024 32 * time.Second,
7025 60 * time.Second,
7026 60 * time.Second,
7027 60 * time.Second,
7028 60 * time.Second,
7029 60 * time.Second,
7030 60 * time.Second,
7031 60 * time.Second,
7032}
7033
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -07007034// shortTimeouts is an alternate set of timeouts which would occur if the
7035// initial timeout duration was set to 250ms.
7036var shortTimeouts = []time.Duration{
7037 250 * time.Millisecond,
7038 500 * time.Millisecond,
7039 1 * time.Second,
7040 2 * time.Second,
7041 4 * time.Second,
7042 8 * time.Second,
7043 16 * time.Second,
7044 32 * time.Second,
7045 60 * time.Second,
7046 60 * time.Second,
7047 60 * time.Second,
7048 60 * time.Second,
7049 60 * time.Second,
7050}
7051
David Benjamin83f90402015-01-27 01:09:43 -05007052func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -04007053 // These tests work by coordinating some behavior on both the shim and
7054 // the runner.
7055 //
7056 // TimeoutSchedule configures the runner to send a series of timeout
7057 // opcodes to the shim (see packetAdaptor) immediately before reading
7058 // each peer handshake flight N. The timeout opcode both simulates a
7059 // timeout in the shim and acts as a synchronization point to help the
7060 // runner bracket each handshake flight.
7061 //
7062 // We assume the shim does not read from the channel eagerly. It must
7063 // first wait until it has sent flight N and is ready to receive
7064 // handshake flight N+1. At this point, it will process the timeout
7065 // opcode. It must then immediately respond with a timeout ACK and act
7066 // as if the shim was idle for the specified amount of time.
7067 //
7068 // The runner then drops all packets received before the ACK and
7069 // continues waiting for flight N. This ordering results in one attempt
7070 // at sending flight N to be dropped. For the test to complete, the
7071 // shim must send flight N again, testing that the shim implements DTLS
7072 // retransmit on a timeout.
7073
Steven Valdez143e8b32016-07-11 13:19:03 -04007074 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -04007075 // likely be more epochs to cross and the final message's retransmit may
7076 // be more complex.
7077
David Benjamin585d7a42016-06-02 14:58:00 -04007078 for _, async := range []bool{true, false} {
7079 var tests []testCase
7080
7081 // Test that this is indeed the timeout schedule. Stress all
7082 // four patterns of handshake.
7083 for i := 1; i < len(timeouts); i++ {
7084 number := strconv.Itoa(i)
7085 tests = append(tests, testCase{
7086 protocol: dtls,
7087 name: "DTLS-Retransmit-Client-" + number,
7088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007089 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04007090 Bugs: ProtocolBugs{
7091 TimeoutSchedule: timeouts[:i],
7092 },
7093 },
7094 resumeSession: true,
7095 })
7096 tests = append(tests, testCase{
7097 protocol: dtls,
7098 testType: serverTest,
7099 name: "DTLS-Retransmit-Server-" + number,
7100 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007101 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04007102 Bugs: ProtocolBugs{
7103 TimeoutSchedule: timeouts[:i],
7104 },
7105 },
7106 resumeSession: true,
7107 })
7108 }
7109
7110 // Test that exceeding the timeout schedule hits a read
7111 // timeout.
7112 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -05007113 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -04007114 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -05007115 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007116 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -05007117 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -04007118 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -05007119 },
7120 },
7121 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -04007122 shouldFail: true,
7123 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -05007124 })
David Benjamin585d7a42016-06-02 14:58:00 -04007125
7126 if async {
7127 // Test that timeout handling has a fudge factor, due to API
7128 // problems.
7129 tests = append(tests, testCase{
7130 protocol: dtls,
7131 name: "DTLS-Retransmit-Fudge",
7132 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007133 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04007134 Bugs: ProtocolBugs{
7135 TimeoutSchedule: []time.Duration{
7136 timeouts[0] - 10*time.Millisecond,
7137 },
7138 },
7139 },
7140 resumeSession: true,
7141 })
7142 }
7143
7144 // Test that the final Finished retransmitting isn't
7145 // duplicated if the peer badly fragments everything.
7146 tests = append(tests, testCase{
7147 testType: serverTest,
7148 protocol: dtls,
7149 name: "DTLS-Retransmit-Fragmented",
7150 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007151 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04007152 Bugs: ProtocolBugs{
7153 TimeoutSchedule: []time.Duration{timeouts[0]},
7154 MaxHandshakeRecordLength: 2,
7155 },
7156 },
7157 })
7158
7159 // Test the timeout schedule when a shorter initial timeout duration is set.
7160 tests = append(tests, testCase{
7161 protocol: dtls,
7162 name: "DTLS-Retransmit-Short-Client",
7163 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007164 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -04007165 Bugs: ProtocolBugs{
7166 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7167 },
7168 },
7169 resumeSession: true,
7170 flags: []string{"-initial-timeout-duration-ms", "250"},
7171 })
7172 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -05007173 protocol: dtls,
7174 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -04007175 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -05007176 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007177 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -05007178 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -04007179 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -05007180 },
7181 },
7182 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -04007183 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -05007184 })
David Benjamin585d7a42016-06-02 14:58:00 -04007185
7186 for _, test := range tests {
7187 if async {
7188 test.name += "-Async"
7189 test.flags = append(test.flags, "-async")
7190 }
7191
7192 testCases = append(testCases, test)
7193 }
David Benjamin83f90402015-01-27 01:09:43 -05007194 }
David Benjamin83f90402015-01-27 01:09:43 -05007195}
7196
David Benjaminc565ebb2015-04-03 04:06:36 -04007197func addExportKeyingMaterialTests() {
7198 for _, vers := range tlsVersions {
7199 if vers.version == VersionSSL30 {
7200 continue
7201 }
7202 testCases = append(testCases, testCase{
7203 name: "ExportKeyingMaterial-" + vers.name,
7204 config: Config{
7205 MaxVersion: vers.version,
7206 },
7207 exportKeyingMaterial: 1024,
7208 exportLabel: "label",
7209 exportContext: "context",
7210 useExportContext: true,
7211 })
7212 testCases = append(testCases, testCase{
7213 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7214 config: Config{
7215 MaxVersion: vers.version,
7216 },
7217 exportKeyingMaterial: 1024,
7218 })
7219 testCases = append(testCases, testCase{
7220 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7221 config: Config{
7222 MaxVersion: vers.version,
7223 },
7224 exportKeyingMaterial: 1024,
7225 useExportContext: true,
7226 })
7227 testCases = append(testCases, testCase{
7228 name: "ExportKeyingMaterial-Small-" + vers.name,
7229 config: Config{
7230 MaxVersion: vers.version,
7231 },
7232 exportKeyingMaterial: 1,
7233 exportLabel: "label",
7234 exportContext: "context",
7235 useExportContext: true,
7236 })
7237 }
David Benjamin7bb1d292016-11-01 19:45:06 -04007238
David Benjaminc565ebb2015-04-03 04:06:36 -04007239 testCases = append(testCases, testCase{
7240 name: "ExportKeyingMaterial-SSL3",
7241 config: Config{
7242 MaxVersion: VersionSSL30,
7243 },
7244 exportKeyingMaterial: 1024,
7245 exportLabel: "label",
7246 exportContext: "context",
7247 useExportContext: true,
7248 shouldFail: true,
7249 expectedError: "failed to export keying material",
7250 })
David Benjamin7bb1d292016-11-01 19:45:06 -04007251
7252 // Exporters work during a False Start.
7253 testCases = append(testCases, testCase{
7254 name: "ExportKeyingMaterial-FalseStart",
7255 config: Config{
7256 MaxVersion: VersionTLS12,
7257 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7258 NextProtos: []string{"foo"},
7259 Bugs: ProtocolBugs{
7260 ExpectFalseStart: true,
7261 },
7262 },
7263 flags: []string{
7264 "-false-start",
7265 "-advertise-alpn", "\x03foo",
7266 },
7267 shimWritesFirst: true,
7268 exportKeyingMaterial: 1024,
7269 exportLabel: "label",
7270 exportContext: "context",
7271 useExportContext: true,
7272 })
7273
7274 // Exporters do not work in the middle of a renegotiation. Test this by
7275 // triggering the exporter after every SSL_read call and configuring the
7276 // shim to run asynchronously.
7277 testCases = append(testCases, testCase{
7278 name: "ExportKeyingMaterial-Renegotiate",
7279 config: Config{
7280 MaxVersion: VersionTLS12,
7281 },
7282 renegotiate: 1,
7283 flags: []string{
7284 "-async",
7285 "-use-exporter-between-reads",
7286 "-renegotiate-freely",
7287 "-expect-total-renegotiations", "1",
7288 },
7289 shouldFail: true,
7290 expectedError: "failed to export keying material",
7291 })
David Benjaminc565ebb2015-04-03 04:06:36 -04007292}
7293
Adam Langleyaf0e32c2015-06-03 09:57:23 -07007294func addTLSUniqueTests() {
7295 for _, isClient := range []bool{false, true} {
7296 for _, isResumption := range []bool{false, true} {
7297 for _, hasEMS := range []bool{false, true} {
7298 var suffix string
7299 if isResumption {
7300 suffix = "Resume-"
7301 } else {
7302 suffix = "Full-"
7303 }
7304
7305 if hasEMS {
7306 suffix += "EMS-"
7307 } else {
7308 suffix += "NoEMS-"
7309 }
7310
7311 if isClient {
7312 suffix += "Client"
7313 } else {
7314 suffix += "Server"
7315 }
7316
7317 test := testCase{
7318 name: "TLSUnique-" + suffix,
7319 testTLSUnique: true,
7320 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007321 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -07007322 Bugs: ProtocolBugs{
7323 NoExtendedMasterSecret: !hasEMS,
7324 },
7325 },
7326 }
7327
7328 if isResumption {
7329 test.resumeSession = true
7330 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007331 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -07007332 Bugs: ProtocolBugs{
7333 NoExtendedMasterSecret: !hasEMS,
7334 },
7335 }
7336 }
7337
7338 if isResumption && !hasEMS {
7339 test.shouldFail = true
7340 test.expectedError = "failed to get tls-unique"
7341 }
7342
7343 testCases = append(testCases, test)
7344 }
7345 }
7346 }
7347}
7348
Adam Langley09505632015-07-30 18:10:13 -07007349func addCustomExtensionTests() {
7350 expectedContents := "custom extension"
7351 emptyString := ""
7352
7353 for _, isClient := range []bool{false, true} {
7354 suffix := "Server"
7355 flag := "-enable-server-custom-extension"
7356 testType := serverTest
7357 if isClient {
7358 suffix = "Client"
7359 flag = "-enable-client-custom-extension"
7360 testType = clientTest
7361 }
7362
7363 testCases = append(testCases, testCase{
7364 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007365 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007366 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007367 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007368 Bugs: ProtocolBugs{
7369 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -07007370 ExpectedCustomExtension: &expectedContents,
7371 },
7372 },
7373 flags: []string{flag},
7374 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007375 testCases = append(testCases, testCase{
7376 testType: testType,
7377 name: "CustomExtensions-" + suffix + "-TLS13",
7378 config: Config{
7379 MaxVersion: VersionTLS13,
7380 Bugs: ProtocolBugs{
7381 CustomExtension: expectedContents,
7382 ExpectedCustomExtension: &expectedContents,
7383 },
7384 },
7385 flags: []string{flag},
7386 })
Adam Langley09505632015-07-30 18:10:13 -07007387
7388 // If the parse callback fails, the handshake should also fail.
7389 testCases = append(testCases, testCase{
7390 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007391 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007392 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007393 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007394 Bugs: ProtocolBugs{
7395 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -07007396 ExpectedCustomExtension: &expectedContents,
7397 },
7398 },
David Benjamin399e7c92015-07-30 23:01:27 -04007399 flags: []string{flag},
7400 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -07007401 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7402 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007403 testCases = append(testCases, testCase{
7404 testType: testType,
7405 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7406 config: Config{
7407 MaxVersion: VersionTLS13,
7408 Bugs: ProtocolBugs{
7409 CustomExtension: expectedContents + "foo",
7410 ExpectedCustomExtension: &expectedContents,
7411 },
7412 },
7413 flags: []string{flag},
7414 shouldFail: true,
7415 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7416 })
Adam Langley09505632015-07-30 18:10:13 -07007417
7418 // If the add callback fails, the handshake should also fail.
7419 testCases = append(testCases, testCase{
7420 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007421 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007422 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007423 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007424 Bugs: ProtocolBugs{
7425 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -07007426 ExpectedCustomExtension: &expectedContents,
7427 },
7428 },
David Benjamin399e7c92015-07-30 23:01:27 -04007429 flags: []string{flag, "-custom-extension-fail-add"},
7430 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -07007431 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7432 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007433 testCases = append(testCases, testCase{
7434 testType: testType,
7435 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7436 config: Config{
7437 MaxVersion: VersionTLS13,
7438 Bugs: ProtocolBugs{
7439 CustomExtension: expectedContents,
7440 ExpectedCustomExtension: &expectedContents,
7441 },
7442 },
7443 flags: []string{flag, "-custom-extension-fail-add"},
7444 shouldFail: true,
7445 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7446 })
Adam Langley09505632015-07-30 18:10:13 -07007447
7448 // If the add callback returns zero, no extension should be
7449 // added.
7450 skipCustomExtension := expectedContents
7451 if isClient {
7452 // For the case where the client skips sending the
7453 // custom extension, the server must not “echo” it.
7454 skipCustomExtension = ""
7455 }
7456 testCases = append(testCases, testCase{
7457 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -04007458 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -07007459 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007460 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007461 Bugs: ProtocolBugs{
7462 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -07007463 ExpectedCustomExtension: &emptyString,
7464 },
7465 },
7466 flags: []string{flag, "-custom-extension-skip"},
7467 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007468 testCases = append(testCases, testCase{
7469 testType: testType,
7470 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7471 config: Config{
7472 MaxVersion: VersionTLS13,
7473 Bugs: ProtocolBugs{
7474 CustomExtension: skipCustomExtension,
7475 ExpectedCustomExtension: &emptyString,
7476 },
7477 },
7478 flags: []string{flag, "-custom-extension-skip"},
7479 })
Adam Langley09505632015-07-30 18:10:13 -07007480 }
7481
7482 // The custom extension add callback should not be called if the client
7483 // doesn't send the extension.
7484 testCases = append(testCases, testCase{
7485 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -04007486 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -07007487 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007488 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -04007489 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -07007490 ExpectedCustomExtension: &emptyString,
7491 },
7492 },
7493 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7494 })
Adam Langley2deb9842015-08-07 11:15:37 -07007495
Steven Valdez143e8b32016-07-11 13:19:03 -04007496 testCases = append(testCases, testCase{
7497 testType: serverTest,
7498 name: "CustomExtensions-NotCalled-Server-TLS13",
7499 config: Config{
7500 MaxVersion: VersionTLS13,
7501 Bugs: ProtocolBugs{
7502 ExpectedCustomExtension: &emptyString,
7503 },
7504 },
7505 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7506 })
7507
Adam Langley2deb9842015-08-07 11:15:37 -07007508 // Test an unknown extension from the server.
7509 testCases = append(testCases, testCase{
7510 testType: clientTest,
7511 name: "UnknownExtension-Client",
7512 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007513 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -07007514 Bugs: ProtocolBugs{
7515 CustomExtension: expectedContents,
7516 },
7517 },
David Benjamin0c40a962016-08-01 12:05:50 -04007518 shouldFail: true,
7519 expectedError: ":UNEXPECTED_EXTENSION:",
7520 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -07007521 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007522 testCases = append(testCases, testCase{
7523 testType: clientTest,
7524 name: "UnknownExtension-Client-TLS13",
7525 config: Config{
7526 MaxVersion: VersionTLS13,
7527 Bugs: ProtocolBugs{
7528 CustomExtension: expectedContents,
7529 },
7530 },
David Benjamin0c40a962016-08-01 12:05:50 -04007531 shouldFail: true,
7532 expectedError: ":UNEXPECTED_EXTENSION:",
7533 expectedLocalError: "remote error: unsupported extension",
7534 })
David Benjamin490469f2016-10-05 22:44:38 -04007535 testCases = append(testCases, testCase{
7536 testType: clientTest,
7537 name: "UnknownUnencryptedExtension-Client-TLS13",
7538 config: Config{
7539 MaxVersion: VersionTLS13,
7540 Bugs: ProtocolBugs{
7541 CustomUnencryptedExtension: expectedContents,
7542 },
7543 },
7544 shouldFail: true,
7545 expectedError: ":UNEXPECTED_EXTENSION:",
7546 // The shim must send an alert, but alerts at this point do not
7547 // get successfully decrypted by the runner.
7548 expectedLocalError: "local error: bad record MAC",
7549 })
7550 testCases = append(testCases, testCase{
7551 testType: clientTest,
7552 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7553 config: Config{
7554 MaxVersion: VersionTLS13,
7555 Bugs: ProtocolBugs{
7556 SendUnencryptedALPN: "foo",
7557 },
7558 },
7559 flags: []string{
7560 "-advertise-alpn", "\x03foo\x03bar",
7561 },
7562 shouldFail: true,
7563 expectedError: ":UNEXPECTED_EXTENSION:",
7564 // The shim must send an alert, but alerts at this point do not
7565 // get successfully decrypted by the runner.
7566 expectedLocalError: "local error: bad record MAC",
7567 })
David Benjamin0c40a962016-08-01 12:05:50 -04007568
7569 // Test a known but unoffered extension from the server.
7570 testCases = append(testCases, testCase{
7571 testType: clientTest,
7572 name: "UnofferedExtension-Client",
7573 config: Config{
7574 MaxVersion: VersionTLS12,
7575 Bugs: ProtocolBugs{
7576 SendALPN: "alpn",
7577 },
7578 },
7579 shouldFail: true,
7580 expectedError: ":UNEXPECTED_EXTENSION:",
7581 expectedLocalError: "remote error: unsupported extension",
7582 })
7583 testCases = append(testCases, testCase{
7584 testType: clientTest,
7585 name: "UnofferedExtension-Client-TLS13",
7586 config: Config{
7587 MaxVersion: VersionTLS13,
7588 Bugs: ProtocolBugs{
7589 SendALPN: "alpn",
7590 },
7591 },
7592 shouldFail: true,
7593 expectedError: ":UNEXPECTED_EXTENSION:",
7594 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -04007595 })
Adam Langley09505632015-07-30 18:10:13 -07007596}
7597
David Benjaminb36a3952015-12-01 18:53:13 -05007598func addRSAClientKeyExchangeTests() {
7599 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7600 testCases = append(testCases, testCase{
7601 testType: serverTest,
7602 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7603 config: Config{
7604 // Ensure the ClientHello version and final
7605 // version are different, to detect if the
7606 // server uses the wrong one.
7607 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -07007608 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -05007609 Bugs: ProtocolBugs{
7610 BadRSAClientKeyExchange: bad,
7611 },
7612 },
7613 shouldFail: true,
7614 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7615 })
7616 }
David Benjamine63d9d72016-09-19 18:27:34 -04007617
7618 // The server must compare whatever was in ClientHello.version for the
7619 // RSA premaster.
7620 testCases = append(testCases, testCase{
7621 testType: serverTest,
7622 name: "SendClientVersion-RSA",
7623 config: Config{
7624 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7625 Bugs: ProtocolBugs{
7626 SendClientVersion: 0x1234,
7627 },
7628 },
7629 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7630 })
David Benjaminb36a3952015-12-01 18:53:13 -05007631}
7632
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007633var testCurves = []struct {
7634 name string
7635 id CurveID
7636}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007637 {"P-256", CurveP256},
7638 {"P-384", CurveP384},
7639 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -05007640 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007641}
7642
Steven Valdez5440fe02016-07-18 12:40:30 -04007643const bogusCurve = 0x1234
7644
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007645func addCurveTests() {
7646 for _, curve := range testCurves {
7647 testCases = append(testCases, testCase{
7648 name: "CurveTest-Client-" + curve.name,
7649 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007650 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007651 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7652 CurvePreferences: []CurveID{curve.id},
7653 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007654 flags: []string{
7655 "-enable-all-curves",
7656 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7657 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007658 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007659 })
7660 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04007661 name: "CurveTest-Client-" + curve.name + "-TLS13",
7662 config: Config{
7663 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007664 CurvePreferences: []CurveID{curve.id},
7665 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007666 flags: []string{
7667 "-enable-all-curves",
7668 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7669 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007670 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -04007671 })
7672 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007673 testType: serverTest,
7674 name: "CurveTest-Server-" + curve.name,
7675 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007676 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007677 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7678 CurvePreferences: []CurveID{curve.id},
7679 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007680 flags: []string{
7681 "-enable-all-curves",
7682 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7683 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007684 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007685 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007686 testCases = append(testCases, testCase{
7687 testType: serverTest,
7688 name: "CurveTest-Server-" + curve.name + "-TLS13",
7689 config: Config{
7690 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007691 CurvePreferences: []CurveID{curve.id},
7692 },
David Benjamin5c4e8572016-08-19 17:44:53 -04007693 flags: []string{
7694 "-enable-all-curves",
7695 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7696 },
Steven Valdez5440fe02016-07-18 12:40:30 -04007697 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -04007698 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007699 }
David Benjamin241ae832016-01-15 03:04:54 -05007700
7701 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -05007702 testCases = append(testCases, testCase{
7703 testType: serverTest,
7704 name: "UnknownCurve",
7705 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007706 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -05007707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7708 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7709 },
7710 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007711
Steven Valdez803c77a2016-09-06 14:13:43 -04007712 // The server must be tolerant to bogus curves.
7713 testCases = append(testCases, testCase{
7714 testType: serverTest,
7715 name: "UnknownCurve-TLS13",
7716 config: Config{
7717 MaxVersion: VersionTLS13,
7718 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7719 },
7720 })
7721
David Benjamin4c3ddf72016-06-29 18:13:53 -04007722 // The server must not consider ECDHE ciphers when there are no
7723 // supported curves.
7724 testCases = append(testCases, testCase{
7725 testType: serverTest,
7726 name: "NoSupportedCurves",
7727 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007728 MaxVersion: VersionTLS12,
7729 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7730 Bugs: ProtocolBugs{
7731 NoSupportedCurves: true,
7732 },
7733 },
7734 shouldFail: true,
7735 expectedError: ":NO_SHARED_CIPHER:",
7736 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007737 testCases = append(testCases, testCase{
7738 testType: serverTest,
7739 name: "NoSupportedCurves-TLS13",
7740 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007741 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007742 Bugs: ProtocolBugs{
7743 NoSupportedCurves: true,
7744 },
7745 },
7746 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -04007747 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -04007748 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007749
7750 // The server must fall back to another cipher when there are no
7751 // supported curves.
7752 testCases = append(testCases, testCase{
7753 testType: serverTest,
7754 name: "NoCommonCurves",
7755 config: Config{
7756 MaxVersion: VersionTLS12,
7757 CipherSuites: []uint16{
7758 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
7759 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7760 },
7761 CurvePreferences: []CurveID{CurveP224},
7762 },
7763 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7764 })
7765
7766 // The client must reject bogus curves and disabled curves.
7767 testCases = append(testCases, testCase{
7768 name: "BadECDHECurve",
7769 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007770 MaxVersion: VersionTLS12,
7771 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7772 Bugs: ProtocolBugs{
7773 SendCurve: bogusCurve,
7774 },
7775 },
7776 shouldFail: true,
7777 expectedError: ":WRONG_CURVE:",
7778 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007779 testCases = append(testCases, testCase{
7780 name: "BadECDHECurve-TLS13",
7781 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007782 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007783 Bugs: ProtocolBugs{
7784 SendCurve: bogusCurve,
7785 },
7786 },
7787 shouldFail: true,
7788 expectedError: ":WRONG_CURVE:",
7789 })
David Benjamin4c3ddf72016-06-29 18:13:53 -04007790
7791 testCases = append(testCases, testCase{
7792 name: "UnsupportedCurve",
7793 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007794 MaxVersion: VersionTLS12,
7795 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7796 CurvePreferences: []CurveID{CurveP256},
7797 Bugs: ProtocolBugs{
7798 IgnorePeerCurvePreferences: true,
7799 },
7800 },
7801 flags: []string{"-p384-only"},
7802 shouldFail: true,
7803 expectedError: ":WRONG_CURVE:",
7804 })
7805
David Benjamin4f921572016-07-17 14:20:10 +02007806 testCases = append(testCases, testCase{
7807 // TODO(davidben): Add a TLS 1.3 version where
7808 // HelloRetryRequest requests an unsupported curve.
7809 name: "UnsupportedCurve-ServerHello-TLS13",
7810 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -04007811 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +02007812 CurvePreferences: []CurveID{CurveP384},
7813 Bugs: ProtocolBugs{
7814 SendCurve: CurveP256,
7815 },
7816 },
7817 flags: []string{"-p384-only"},
7818 shouldFail: true,
7819 expectedError: ":WRONG_CURVE:",
7820 })
7821
David Benjamin4c3ddf72016-06-29 18:13:53 -04007822 // Test invalid curve points.
7823 testCases = append(testCases, testCase{
7824 name: "InvalidECDHPoint-Client",
7825 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007826 MaxVersion: VersionTLS12,
7827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7828 CurvePreferences: []CurveID{CurveP256},
7829 Bugs: ProtocolBugs{
7830 InvalidECDHPoint: true,
7831 },
7832 },
7833 shouldFail: true,
7834 expectedError: ":INVALID_ENCODING:",
7835 })
7836 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04007837 name: "InvalidECDHPoint-Client-TLS13",
7838 config: Config{
7839 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007840 CurvePreferences: []CurveID{CurveP256},
7841 Bugs: ProtocolBugs{
7842 InvalidECDHPoint: true,
7843 },
7844 },
7845 shouldFail: true,
7846 expectedError: ":INVALID_ENCODING:",
7847 })
7848 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007849 testType: serverTest,
7850 name: "InvalidECDHPoint-Server",
7851 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -04007852 MaxVersion: VersionTLS12,
7853 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7854 CurvePreferences: []CurveID{CurveP256},
7855 Bugs: ProtocolBugs{
7856 InvalidECDHPoint: true,
7857 },
7858 },
7859 shouldFail: true,
7860 expectedError: ":INVALID_ENCODING:",
7861 })
Steven Valdez143e8b32016-07-11 13:19:03 -04007862 testCases = append(testCases, testCase{
7863 testType: serverTest,
7864 name: "InvalidECDHPoint-Server-TLS13",
7865 config: Config{
7866 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -04007867 CurvePreferences: []CurveID{CurveP256},
7868 Bugs: ProtocolBugs{
7869 InvalidECDHPoint: true,
7870 },
7871 },
7872 shouldFail: true,
7873 expectedError: ":INVALID_ENCODING:",
7874 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -05007875}
7876
Matt Braithwaite54217e42016-06-13 13:03:47 -07007877func addCECPQ1Tests() {
7878 testCases = append(testCases, testCase{
7879 testType: clientTest,
7880 name: "CECPQ1-Client-BadX25519Part",
7881 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007882 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007883 MinVersion: VersionTLS12,
7884 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7885 Bugs: ProtocolBugs{
7886 CECPQ1BadX25519Part: true,
7887 },
7888 },
7889 flags: []string{"-cipher", "kCECPQ1"},
7890 shouldFail: true,
7891 expectedLocalError: "local error: bad record MAC",
7892 })
7893 testCases = append(testCases, testCase{
7894 testType: clientTest,
7895 name: "CECPQ1-Client-BadNewhopePart",
7896 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007897 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007898 MinVersion: VersionTLS12,
7899 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7900 Bugs: ProtocolBugs{
7901 CECPQ1BadNewhopePart: true,
7902 },
7903 },
7904 flags: []string{"-cipher", "kCECPQ1"},
7905 shouldFail: true,
7906 expectedLocalError: "local error: bad record MAC",
7907 })
7908 testCases = append(testCases, testCase{
7909 testType: serverTest,
7910 name: "CECPQ1-Server-BadX25519Part",
7911 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007912 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007913 MinVersion: VersionTLS12,
7914 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7915 Bugs: ProtocolBugs{
7916 CECPQ1BadX25519Part: true,
7917 },
7918 },
7919 flags: []string{"-cipher", "kCECPQ1"},
7920 shouldFail: true,
7921 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7922 })
7923 testCases = append(testCases, testCase{
7924 testType: serverTest,
7925 name: "CECPQ1-Server-BadNewhopePart",
7926 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007927 MaxVersion: VersionTLS12,
Matt Braithwaite54217e42016-06-13 13:03:47 -07007928 MinVersion: VersionTLS12,
7929 CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
7930 Bugs: ProtocolBugs{
7931 CECPQ1BadNewhopePart: true,
7932 },
7933 },
7934 flags: []string{"-cipher", "kCECPQ1"},
7935 shouldFail: true,
7936 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7937 })
7938}
7939
David Benjamin5c4e8572016-08-19 17:44:53 -04007940func addDHEGroupSizeTests() {
David Benjamin4cc36ad2015-12-19 14:23:26 -05007941 testCases = append(testCases, testCase{
David Benjamin5c4e8572016-08-19 17:44:53 -04007942 name: "DHEGroupSize-Client",
David Benjamin4cc36ad2015-12-19 14:23:26 -05007943 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007944 MaxVersion: VersionTLS12,
David Benjamin4cc36ad2015-12-19 14:23:26 -05007945 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
7946 Bugs: ProtocolBugs{
7947 // This is a 1234-bit prime number, generated
7948 // with:
7949 // openssl gendh 1234 | openssl asn1parse -i
7950 DHGroupPrime: bigFromHex("0215C589A86BE450D1255A86D7A08877A70E124C11F0C75E476BA6A2186B1C830D4A132555973F2D5881D5F737BB800B7F417C01EC5960AEBF79478F8E0BBB6A021269BD10590C64C57F50AD8169D5488B56EE38DC5E02DA1A16ED3B5F41FEB2AD184B78A31F3A5B2BEC8441928343DA35DE3D4F89F0D4CEDE0034045084A0D1E6182E5EF7FCA325DD33CE81BE7FA87D43613E8FA7A1457099AB53"),
7951 },
7952 },
David Benjamin9e68f192016-06-30 14:55:33 -04007953 flags: []string{"-expect-dhe-group-size", "1234"},
David Benjamin4cc36ad2015-12-19 14:23:26 -05007954 })
7955 testCases = append(testCases, testCase{
7956 testType: serverTest,
David Benjamin5c4e8572016-08-19 17:44:53 -04007957 name: "DHEGroupSize-Server",
David Benjamin4cc36ad2015-12-19 14:23:26 -05007958 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -07007959 MaxVersion: VersionTLS12,
David Benjamin4cc36ad2015-12-19 14:23:26 -05007960 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
7961 },
7962 // bssl_shim as a server configures a 2048-bit DHE group.
David Benjamin9e68f192016-06-30 14:55:33 -04007963 flags: []string{"-expect-dhe-group-size", "2048"},
David Benjamin4cc36ad2015-12-19 14:23:26 -05007964 })
David Benjamin4cc36ad2015-12-19 14:23:26 -05007965}
7966
David Benjaminc9ae27c2016-06-24 22:56:37 -04007967func addTLS13RecordTests() {
7968 testCases = append(testCases, testCase{
7969 name: "TLS13-RecordPadding",
7970 config: Config{
7971 MaxVersion: VersionTLS13,
7972 MinVersion: VersionTLS13,
7973 Bugs: ProtocolBugs{
7974 RecordPadding: 10,
7975 },
7976 },
7977 })
7978
7979 testCases = append(testCases, testCase{
7980 name: "TLS13-EmptyRecords",
7981 config: Config{
7982 MaxVersion: VersionTLS13,
7983 MinVersion: VersionTLS13,
7984 Bugs: ProtocolBugs{
7985 OmitRecordContents: true,
7986 },
7987 },
7988 shouldFail: true,
7989 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7990 })
7991
7992 testCases = append(testCases, testCase{
7993 name: "TLS13-OnlyPadding",
7994 config: Config{
7995 MaxVersion: VersionTLS13,
7996 MinVersion: VersionTLS13,
7997 Bugs: ProtocolBugs{
7998 OmitRecordContents: true,
7999 RecordPadding: 10,
8000 },
8001 },
8002 shouldFail: true,
8003 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8004 })
8005
8006 testCases = append(testCases, testCase{
8007 name: "TLS13-WrongOuterRecord",
8008 config: Config{
8009 MaxVersion: VersionTLS13,
8010 MinVersion: VersionTLS13,
8011 Bugs: ProtocolBugs{
8012 OuterRecordType: recordTypeHandshake,
8013 },
8014 },
8015 shouldFail: true,
8016 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8017 })
8018}
8019
Steven Valdez5b986082016-09-01 12:29:49 -04008020func addSessionTicketTests() {
8021 testCases = append(testCases, testCase{
8022 // In TLS 1.2 and below, empty NewSessionTicket messages
8023 // mean the server changed its mind on sending a ticket.
8024 name: "SendEmptySessionTicket",
8025 config: Config{
8026 MaxVersion: VersionTLS12,
8027 Bugs: ProtocolBugs{
8028 SendEmptySessionTicket: true,
8029 },
8030 },
8031 flags: []string{"-expect-no-session"},
8032 })
8033
8034 // Test that the server ignores unknown PSK modes.
8035 testCases = append(testCases, testCase{
8036 testType: serverTest,
8037 name: "TLS13-SendUnknownModeSessionTicket-Server",
8038 config: Config{
8039 MaxVersion: VersionTLS13,
8040 Bugs: ProtocolBugs{
8041 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -04008042 },
8043 },
8044 resumeSession: true,
8045 expectedResumeVersion: VersionTLS13,
8046 })
8047
Steven Valdeza833c352016-11-01 13:39:36 -04008048 // Test that the server does not send session tickets with no matching key exchange mode.
8049 testCases = append(testCases, testCase{
8050 testType: serverTest,
8051 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8052 config: Config{
8053 MaxVersion: VersionTLS13,
8054 Bugs: ProtocolBugs{
8055 SendPSKKeyExchangeModes: []byte{0x1a},
8056 ExpectNoNewSessionTicket: true,
8057 },
8058 },
8059 })
8060
8061 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -04008062 testCases = append(testCases, testCase{
8063 testType: serverTest,
8064 name: "TLS13-SendBadKEModeSessionTicket-Server",
8065 config: Config{
8066 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -04008067 },
8068 resumeConfig: &Config{
8069 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -04008070 Bugs: ProtocolBugs{
8071 SendPSKKeyExchangeModes: []byte{0x1a},
8072 },
8073 },
8074 resumeSession: true,
8075 expectResumeRejected: true,
8076 })
8077
Steven Valdeza833c352016-11-01 13:39:36 -04008078 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -04008079 testCases = append(testCases, testCase{
8080 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -04008081 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -04008082 config: Config{
8083 MaxVersion: VersionTLS13,
8084 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -04008085 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -04008086 },
8087 },
Steven Valdeza833c352016-11-01 13:39:36 -04008088 resumeSession: true,
8089 flags: []string{
8090 "-resumption-delay", "10",
8091 },
Steven Valdez5b986082016-09-01 12:29:49 -04008092 })
8093
Steven Valdeza833c352016-11-01 13:39:36 -04008094 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -04008095 testCases = append(testCases, testCase{
8096 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -04008097 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -04008098 config: Config{
8099 MaxVersion: VersionTLS13,
8100 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -04008101 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -04008102 },
8103 },
Steven Valdeza833c352016-11-01 13:39:36 -04008104 resumeSession: true,
8105 shouldFail: true,
8106 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -04008107 })
8108
Steven Valdez5b986082016-09-01 12:29:49 -04008109}
8110
David Benjamin82261be2016-07-07 14:32:50 -07008111func addChangeCipherSpecTests() {
8112 // Test missing ChangeCipherSpecs.
8113 testCases = append(testCases, testCase{
8114 name: "SkipChangeCipherSpec-Client",
8115 config: Config{
8116 MaxVersion: VersionTLS12,
8117 Bugs: ProtocolBugs{
8118 SkipChangeCipherSpec: true,
8119 },
8120 },
8121 shouldFail: true,
8122 expectedError: ":UNEXPECTED_RECORD:",
8123 })
8124 testCases = append(testCases, testCase{
8125 testType: serverTest,
8126 name: "SkipChangeCipherSpec-Server",
8127 config: Config{
8128 MaxVersion: VersionTLS12,
8129 Bugs: ProtocolBugs{
8130 SkipChangeCipherSpec: true,
8131 },
8132 },
8133 shouldFail: true,
8134 expectedError: ":UNEXPECTED_RECORD:",
8135 })
8136 testCases = append(testCases, testCase{
8137 testType: serverTest,
8138 name: "SkipChangeCipherSpec-Server-NPN",
8139 config: Config{
8140 MaxVersion: VersionTLS12,
8141 NextProtos: []string{"bar"},
8142 Bugs: ProtocolBugs{
8143 SkipChangeCipherSpec: true,
8144 },
8145 },
8146 flags: []string{
8147 "-advertise-npn", "\x03foo\x03bar\x03baz",
8148 },
8149 shouldFail: true,
8150 expectedError: ":UNEXPECTED_RECORD:",
8151 })
8152
8153 // Test synchronization between the handshake and ChangeCipherSpec.
8154 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8155 // rejected. Test both with and without handshake packing to handle both
8156 // when the partial post-CCS message is in its own record and when it is
8157 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -07008158 for _, packed := range []bool{false, true} {
8159 var suffix string
8160 if packed {
8161 suffix = "-Packed"
8162 }
8163
8164 testCases = append(testCases, testCase{
8165 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8166 config: Config{
8167 MaxVersion: VersionTLS12,
8168 Bugs: ProtocolBugs{
8169 FragmentAcrossChangeCipherSpec: true,
8170 PackHandshakeFlight: packed,
8171 },
8172 },
8173 shouldFail: true,
8174 expectedError: ":UNEXPECTED_RECORD:",
8175 })
8176 testCases = append(testCases, testCase{
8177 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8178 config: Config{
8179 MaxVersion: VersionTLS12,
8180 },
8181 resumeSession: true,
8182 resumeConfig: &Config{
8183 MaxVersion: VersionTLS12,
8184 Bugs: ProtocolBugs{
8185 FragmentAcrossChangeCipherSpec: true,
8186 PackHandshakeFlight: packed,
8187 },
8188 },
8189 shouldFail: true,
8190 expectedError: ":UNEXPECTED_RECORD:",
8191 })
8192 testCases = append(testCases, testCase{
8193 testType: serverTest,
8194 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8195 config: Config{
8196 MaxVersion: VersionTLS12,
8197 Bugs: ProtocolBugs{
8198 FragmentAcrossChangeCipherSpec: true,
8199 PackHandshakeFlight: packed,
8200 },
8201 },
8202 shouldFail: true,
8203 expectedError: ":UNEXPECTED_RECORD:",
8204 })
8205 testCases = append(testCases, testCase{
8206 testType: serverTest,
8207 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8208 config: Config{
8209 MaxVersion: VersionTLS12,
8210 },
8211 resumeSession: true,
8212 resumeConfig: &Config{
8213 MaxVersion: VersionTLS12,
8214 Bugs: ProtocolBugs{
8215 FragmentAcrossChangeCipherSpec: true,
8216 PackHandshakeFlight: packed,
8217 },
8218 },
8219 shouldFail: true,
8220 expectedError: ":UNEXPECTED_RECORD:",
8221 })
8222 testCases = append(testCases, testCase{
8223 testType: serverTest,
8224 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8225 config: Config{
8226 MaxVersion: VersionTLS12,
8227 NextProtos: []string{"bar"},
8228 Bugs: ProtocolBugs{
8229 FragmentAcrossChangeCipherSpec: true,
8230 PackHandshakeFlight: packed,
8231 },
8232 },
8233 flags: []string{
8234 "-advertise-npn", "\x03foo\x03bar\x03baz",
8235 },
8236 shouldFail: true,
8237 expectedError: ":UNEXPECTED_RECORD:",
8238 })
8239 }
8240
David Benjamin61672812016-07-14 23:10:43 -04008241 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8242 // messages in the handshake queue. Do this by testing the server
8243 // reading the client Finished, reversing the flight so Finished comes
8244 // first.
8245 testCases = append(testCases, testCase{
8246 protocol: dtls,
8247 testType: serverTest,
8248 name: "SendUnencryptedFinished-DTLS",
8249 config: Config{
8250 MaxVersion: VersionTLS12,
8251 Bugs: ProtocolBugs{
8252 SendUnencryptedFinished: true,
8253 ReverseHandshakeFragments: true,
8254 },
8255 },
8256 shouldFail: true,
8257 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8258 })
8259
Steven Valdez143e8b32016-07-11 13:19:03 -04008260 // Test synchronization between encryption changes and the handshake in
8261 // TLS 1.3, where ChangeCipherSpec is implicit.
8262 testCases = append(testCases, testCase{
8263 name: "PartialEncryptedExtensionsWithServerHello",
8264 config: Config{
8265 MaxVersion: VersionTLS13,
8266 Bugs: ProtocolBugs{
8267 PartialEncryptedExtensionsWithServerHello: true,
8268 },
8269 },
8270 shouldFail: true,
8271 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8272 })
8273 testCases = append(testCases, testCase{
8274 testType: serverTest,
8275 name: "PartialClientFinishedWithClientHello",
8276 config: Config{
8277 MaxVersion: VersionTLS13,
8278 Bugs: ProtocolBugs{
8279 PartialClientFinishedWithClientHello: true,
8280 },
8281 },
8282 shouldFail: true,
8283 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8284 })
8285
David Benjamin82261be2016-07-07 14:32:50 -07008286 // Test that early ChangeCipherSpecs are handled correctly.
8287 testCases = append(testCases, testCase{
8288 testType: serverTest,
8289 name: "EarlyChangeCipherSpec-server-1",
8290 config: Config{
8291 MaxVersion: VersionTLS12,
8292 Bugs: ProtocolBugs{
8293 EarlyChangeCipherSpec: 1,
8294 },
8295 },
8296 shouldFail: true,
8297 expectedError: ":UNEXPECTED_RECORD:",
8298 })
8299 testCases = append(testCases, testCase{
8300 testType: serverTest,
8301 name: "EarlyChangeCipherSpec-server-2",
8302 config: Config{
8303 MaxVersion: VersionTLS12,
8304 Bugs: ProtocolBugs{
8305 EarlyChangeCipherSpec: 2,
8306 },
8307 },
8308 shouldFail: true,
8309 expectedError: ":UNEXPECTED_RECORD:",
8310 })
8311 testCases = append(testCases, testCase{
8312 protocol: dtls,
8313 name: "StrayChangeCipherSpec",
8314 config: Config{
8315 // TODO(davidben): Once DTLS 1.3 exists, test
8316 // that stray ChangeCipherSpec messages are
8317 // rejected.
8318 MaxVersion: VersionTLS12,
8319 Bugs: ProtocolBugs{
8320 StrayChangeCipherSpec: true,
8321 },
8322 },
8323 })
8324
8325 // Test that the contents of ChangeCipherSpec are checked.
8326 testCases = append(testCases, testCase{
8327 name: "BadChangeCipherSpec-1",
8328 config: Config{
8329 MaxVersion: VersionTLS12,
8330 Bugs: ProtocolBugs{
8331 BadChangeCipherSpec: []byte{2},
8332 },
8333 },
8334 shouldFail: true,
8335 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8336 })
8337 testCases = append(testCases, testCase{
8338 name: "BadChangeCipherSpec-2",
8339 config: Config{
8340 MaxVersion: VersionTLS12,
8341 Bugs: ProtocolBugs{
8342 BadChangeCipherSpec: []byte{1, 1},
8343 },
8344 },
8345 shouldFail: true,
8346 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8347 })
8348 testCases = append(testCases, testCase{
8349 protocol: dtls,
8350 name: "BadChangeCipherSpec-DTLS-1",
8351 config: Config{
8352 MaxVersion: VersionTLS12,
8353 Bugs: ProtocolBugs{
8354 BadChangeCipherSpec: []byte{2},
8355 },
8356 },
8357 shouldFail: true,
8358 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8359 })
8360 testCases = append(testCases, testCase{
8361 protocol: dtls,
8362 name: "BadChangeCipherSpec-DTLS-2",
8363 config: Config{
8364 MaxVersion: VersionTLS12,
8365 Bugs: ProtocolBugs{
8366 BadChangeCipherSpec: []byte{1, 1},
8367 },
8368 },
8369 shouldFail: true,
8370 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8371 })
8372}
8373
David Benjamincd2c8062016-09-09 11:28:16 -04008374type perMessageTest struct {
8375 messageType uint8
8376 test testCase
8377}
8378
8379// makePerMessageTests returns a series of test templates which cover each
8380// message in the TLS handshake. These may be used with bugs like
8381// WrongMessageType to fully test a per-message bug.
8382func makePerMessageTests() []perMessageTest {
8383 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -04008384 for _, protocol := range []protocol{tls, dtls} {
8385 var suffix string
8386 if protocol == dtls {
8387 suffix = "-DTLS"
8388 }
8389
David Benjamincd2c8062016-09-09 11:28:16 -04008390 ret = append(ret, perMessageTest{
8391 messageType: typeClientHello,
8392 test: testCase{
8393 protocol: protocol,
8394 testType: serverTest,
8395 name: "ClientHello" + suffix,
8396 config: Config{
8397 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008398 },
8399 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008400 })
8401
8402 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -04008403 ret = append(ret, perMessageTest{
8404 messageType: typeHelloVerifyRequest,
8405 test: testCase{
8406 protocol: protocol,
8407 name: "HelloVerifyRequest" + suffix,
8408 config: Config{
8409 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008410 },
8411 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008412 })
8413 }
8414
David Benjamincd2c8062016-09-09 11:28:16 -04008415 ret = append(ret, perMessageTest{
8416 messageType: typeServerHello,
8417 test: testCase{
8418 protocol: protocol,
8419 name: "ServerHello" + suffix,
8420 config: Config{
8421 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008422 },
8423 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008424 })
8425
David Benjamincd2c8062016-09-09 11:28:16 -04008426 ret = append(ret, perMessageTest{
8427 messageType: typeCertificate,
8428 test: testCase{
8429 protocol: protocol,
8430 name: "ServerCertificate" + suffix,
8431 config: Config{
8432 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008433 },
8434 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008435 })
8436
David Benjamincd2c8062016-09-09 11:28:16 -04008437 ret = append(ret, perMessageTest{
8438 messageType: typeCertificateStatus,
8439 test: testCase{
8440 protocol: protocol,
8441 name: "CertificateStatus" + suffix,
8442 config: Config{
8443 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008444 },
David Benjamincd2c8062016-09-09 11:28:16 -04008445 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008446 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008447 })
8448
David Benjamincd2c8062016-09-09 11:28:16 -04008449 ret = append(ret, perMessageTest{
8450 messageType: typeServerKeyExchange,
8451 test: testCase{
8452 protocol: protocol,
8453 name: "ServerKeyExchange" + suffix,
8454 config: Config{
8455 MaxVersion: VersionTLS12,
8456 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008457 },
8458 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008459 })
8460
David Benjamincd2c8062016-09-09 11:28:16 -04008461 ret = append(ret, perMessageTest{
8462 messageType: typeCertificateRequest,
8463 test: testCase{
8464 protocol: protocol,
8465 name: "CertificateRequest" + suffix,
8466 config: Config{
8467 MaxVersion: VersionTLS12,
8468 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008469 },
8470 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008471 })
8472
David Benjamincd2c8062016-09-09 11:28:16 -04008473 ret = append(ret, perMessageTest{
8474 messageType: typeServerHelloDone,
8475 test: testCase{
8476 protocol: protocol,
8477 name: "ServerHelloDone" + suffix,
8478 config: Config{
8479 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008480 },
8481 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008482 })
8483
David Benjamincd2c8062016-09-09 11:28:16 -04008484 ret = append(ret, perMessageTest{
8485 messageType: typeCertificate,
8486 test: testCase{
8487 testType: serverTest,
8488 protocol: protocol,
8489 name: "ClientCertificate" + suffix,
8490 config: Config{
8491 Certificates: []Certificate{rsaCertificate},
8492 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008493 },
David Benjamincd2c8062016-09-09 11:28:16 -04008494 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008495 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008496 })
8497
David Benjamincd2c8062016-09-09 11:28:16 -04008498 ret = append(ret, perMessageTest{
8499 messageType: typeCertificateVerify,
8500 test: testCase{
8501 testType: serverTest,
8502 protocol: protocol,
8503 name: "CertificateVerify" + suffix,
8504 config: Config{
8505 Certificates: []Certificate{rsaCertificate},
8506 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008507 },
David Benjamincd2c8062016-09-09 11:28:16 -04008508 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008509 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008510 })
8511
David Benjamincd2c8062016-09-09 11:28:16 -04008512 ret = append(ret, perMessageTest{
8513 messageType: typeClientKeyExchange,
8514 test: testCase{
8515 testType: serverTest,
8516 protocol: protocol,
8517 name: "ClientKeyExchange" + suffix,
8518 config: Config{
8519 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008520 },
8521 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008522 })
8523
8524 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -04008525 ret = append(ret, perMessageTest{
8526 messageType: typeNextProtocol,
8527 test: testCase{
8528 testType: serverTest,
8529 protocol: protocol,
8530 name: "NextProtocol" + suffix,
8531 config: Config{
8532 MaxVersion: VersionTLS12,
8533 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008534 },
David Benjamincd2c8062016-09-09 11:28:16 -04008535 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -04008536 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008537 })
8538
David Benjamincd2c8062016-09-09 11:28:16 -04008539 ret = append(ret, perMessageTest{
8540 messageType: typeChannelID,
8541 test: testCase{
8542 testType: serverTest,
8543 protocol: protocol,
8544 name: "ChannelID" + suffix,
8545 config: Config{
8546 MaxVersion: VersionTLS12,
8547 ChannelID: channelIDKey,
8548 },
8549 flags: []string{
8550 "-expect-channel-id",
8551 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -04008552 },
8553 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008554 })
8555 }
8556
David Benjamincd2c8062016-09-09 11:28:16 -04008557 ret = append(ret, perMessageTest{
8558 messageType: typeFinished,
8559 test: testCase{
8560 testType: serverTest,
8561 protocol: protocol,
8562 name: "ClientFinished" + suffix,
8563 config: Config{
8564 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008565 },
8566 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008567 })
8568
David Benjamincd2c8062016-09-09 11:28:16 -04008569 ret = append(ret, perMessageTest{
8570 messageType: typeNewSessionTicket,
8571 test: testCase{
8572 protocol: protocol,
8573 name: "NewSessionTicket" + suffix,
8574 config: Config{
8575 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008576 },
8577 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008578 })
8579
David Benjamincd2c8062016-09-09 11:28:16 -04008580 ret = append(ret, perMessageTest{
8581 messageType: typeFinished,
8582 test: testCase{
8583 protocol: protocol,
8584 name: "ServerFinished" + suffix,
8585 config: Config{
8586 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -04008587 },
8588 },
David Benjamin0b8d5da2016-07-15 00:39:56 -04008589 })
8590
8591 }
David Benjamincd2c8062016-09-09 11:28:16 -04008592
8593 ret = append(ret, perMessageTest{
8594 messageType: typeClientHello,
8595 test: testCase{
8596 testType: serverTest,
8597 name: "TLS13-ClientHello",
8598 config: Config{
8599 MaxVersion: VersionTLS13,
8600 },
8601 },
8602 })
8603
8604 ret = append(ret, perMessageTest{
8605 messageType: typeServerHello,
8606 test: testCase{
8607 name: "TLS13-ServerHello",
8608 config: Config{
8609 MaxVersion: VersionTLS13,
8610 },
8611 },
8612 })
8613
8614 ret = append(ret, perMessageTest{
8615 messageType: typeEncryptedExtensions,
8616 test: testCase{
8617 name: "TLS13-EncryptedExtensions",
8618 config: Config{
8619 MaxVersion: VersionTLS13,
8620 },
8621 },
8622 })
8623
8624 ret = append(ret, perMessageTest{
8625 messageType: typeCertificateRequest,
8626 test: testCase{
8627 name: "TLS13-CertificateRequest",
8628 config: Config{
8629 MaxVersion: VersionTLS13,
8630 ClientAuth: RequireAnyClientCert,
8631 },
8632 },
8633 })
8634
8635 ret = append(ret, perMessageTest{
8636 messageType: typeCertificate,
8637 test: testCase{
8638 name: "TLS13-ServerCertificate",
8639 config: Config{
8640 MaxVersion: VersionTLS13,
8641 },
8642 },
8643 })
8644
8645 ret = append(ret, perMessageTest{
8646 messageType: typeCertificateVerify,
8647 test: testCase{
8648 name: "TLS13-ServerCertificateVerify",
8649 config: Config{
8650 MaxVersion: VersionTLS13,
8651 },
8652 },
8653 })
8654
8655 ret = append(ret, perMessageTest{
8656 messageType: typeFinished,
8657 test: testCase{
8658 name: "TLS13-ServerFinished",
8659 config: Config{
8660 MaxVersion: VersionTLS13,
8661 },
8662 },
8663 })
8664
8665 ret = append(ret, perMessageTest{
8666 messageType: typeCertificate,
8667 test: testCase{
8668 testType: serverTest,
8669 name: "TLS13-ClientCertificate",
8670 config: Config{
8671 Certificates: []Certificate{rsaCertificate},
8672 MaxVersion: VersionTLS13,
8673 },
8674 flags: []string{"-require-any-client-certificate"},
8675 },
8676 })
8677
8678 ret = append(ret, perMessageTest{
8679 messageType: typeCertificateVerify,
8680 test: testCase{
8681 testType: serverTest,
8682 name: "TLS13-ClientCertificateVerify",
8683 config: Config{
8684 Certificates: []Certificate{rsaCertificate},
8685 MaxVersion: VersionTLS13,
8686 },
8687 flags: []string{"-require-any-client-certificate"},
8688 },
8689 })
8690
8691 ret = append(ret, perMessageTest{
8692 messageType: typeFinished,
8693 test: testCase{
8694 testType: serverTest,
8695 name: "TLS13-ClientFinished",
8696 config: Config{
8697 MaxVersion: VersionTLS13,
8698 },
8699 },
8700 })
8701
8702 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -04008703}
8704
David Benjamincd2c8062016-09-09 11:28:16 -04008705func addWrongMessageTypeTests() {
8706 for _, t := range makePerMessageTests() {
8707 t.test.name = "WrongMessageType-" + t.test.name
8708 t.test.config.Bugs.SendWrongMessageType = t.messageType
8709 t.test.shouldFail = true
8710 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
8711 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -04008712
David Benjamincd2c8062016-09-09 11:28:16 -04008713 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
8714 // In TLS 1.3, a bad ServerHello means the client sends
8715 // an unencrypted alert while the server expects
8716 // encryption, so the alert is not readable by runner.
8717 t.test.expectedLocalError = "local error: bad record MAC"
8718 }
Steven Valdez143e8b32016-07-11 13:19:03 -04008719
David Benjamincd2c8062016-09-09 11:28:16 -04008720 testCases = append(testCases, t.test)
8721 }
Steven Valdez143e8b32016-07-11 13:19:03 -04008722}
8723
David Benjamin639846e2016-09-09 11:41:18 -04008724func addTrailingMessageDataTests() {
8725 for _, t := range makePerMessageTests() {
8726 t.test.name = "TrailingMessageData-" + t.test.name
8727 t.test.config.Bugs.SendTrailingMessageData = t.messageType
8728 t.test.shouldFail = true
8729 t.test.expectedError = ":DECODE_ERROR:"
8730 t.test.expectedLocalError = "remote error: error decoding message"
8731
8732 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
8733 // In TLS 1.3, a bad ServerHello means the client sends
8734 // an unencrypted alert while the server expects
8735 // encryption, so the alert is not readable by runner.
8736 t.test.expectedLocalError = "local error: bad record MAC"
8737 }
8738
8739 if t.messageType == typeFinished {
8740 // Bad Finished messages read as the verify data having
8741 // the wrong length.
8742 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
8743 t.test.expectedLocalError = "remote error: error decrypting message"
8744 }
8745
8746 testCases = append(testCases, t.test)
8747 }
8748}
8749
Steven Valdez143e8b32016-07-11 13:19:03 -04008750func addTLS13HandshakeTests() {
8751 testCases = append(testCases, testCase{
8752 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -04008753 name: "NegotiatePSKResumption-TLS13",
8754 config: Config{
8755 MaxVersion: VersionTLS13,
8756 Bugs: ProtocolBugs{
8757 NegotiatePSKResumption: true,
8758 },
8759 },
8760 resumeSession: true,
8761 shouldFail: true,
8762 expectedError: ":UNEXPECTED_EXTENSION:",
8763 })
8764
8765 testCases = append(testCases, testCase{
8766 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -04008767 name: "MissingKeyShare-Client",
8768 config: Config{
8769 MaxVersion: VersionTLS13,
8770 Bugs: ProtocolBugs{
8771 MissingKeyShare: true,
8772 },
8773 },
8774 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -04008775 expectedError: ":UNEXPECTED_EXTENSION:",
Steven Valdez143e8b32016-07-11 13:19:03 -04008776 })
8777
8778 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -04008779 testType: serverTest,
8780 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -04008781 config: Config{
8782 MaxVersion: VersionTLS13,
8783 Bugs: ProtocolBugs{
8784 MissingKeyShare: true,
8785 },
8786 },
8787 shouldFail: true,
8788 expectedError: ":MISSING_KEY_SHARE:",
8789 })
8790
8791 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -04008792 testType: serverTest,
8793 name: "DuplicateKeyShares",
8794 config: Config{
8795 MaxVersion: VersionTLS13,
8796 Bugs: ProtocolBugs{
8797 DuplicateKeyShares: true,
8798 },
8799 },
David Benjamin7e1f9842016-09-20 19:24:40 -04008800 shouldFail: true,
8801 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -04008802 })
8803
8804 testCases = append(testCases, testCase{
8805 testType: clientTest,
8806 name: "EmptyEncryptedExtensions",
8807 config: Config{
8808 MaxVersion: VersionTLS13,
8809 Bugs: ProtocolBugs{
8810 EmptyEncryptedExtensions: true,
8811 },
8812 },
8813 shouldFail: true,
8814 expectedLocalError: "remote error: error decoding message",
8815 })
8816
8817 testCases = append(testCases, testCase{
8818 testType: clientTest,
8819 name: "EncryptedExtensionsWithKeyShare",
8820 config: Config{
8821 MaxVersion: VersionTLS13,
8822 Bugs: ProtocolBugs{
8823 EncryptedExtensionsWithKeyShare: true,
8824 },
8825 },
8826 shouldFail: true,
8827 expectedLocalError: "remote error: unsupported extension",
8828 })
Steven Valdez5440fe02016-07-18 12:40:30 -04008829
8830 testCases = append(testCases, testCase{
8831 testType: serverTest,
8832 name: "SendHelloRetryRequest",
8833 config: Config{
8834 MaxVersion: VersionTLS13,
8835 // Require a HelloRetryRequest for every curve.
8836 DefaultCurves: []CurveID{},
8837 },
8838 expectedCurveID: CurveX25519,
8839 })
8840
8841 testCases = append(testCases, testCase{
8842 testType: serverTest,
8843 name: "SendHelloRetryRequest-2",
8844 config: Config{
8845 MaxVersion: VersionTLS13,
8846 DefaultCurves: []CurveID{CurveP384},
8847 },
8848 // Although the ClientHello did not predict our preferred curve,
8849 // we always select it whether it is predicted or not.
8850 expectedCurveID: CurveX25519,
8851 })
8852
8853 testCases = append(testCases, testCase{
8854 name: "UnknownCurve-HelloRetryRequest",
8855 config: Config{
8856 MaxVersion: VersionTLS13,
8857 // P-384 requires HelloRetryRequest in BoringSSL.
8858 CurvePreferences: []CurveID{CurveP384},
8859 Bugs: ProtocolBugs{
8860 SendHelloRetryRequestCurve: bogusCurve,
8861 },
8862 },
8863 shouldFail: true,
8864 expectedError: ":WRONG_CURVE:",
8865 })
8866
8867 testCases = append(testCases, testCase{
8868 name: "DisabledCurve-HelloRetryRequest",
8869 config: Config{
8870 MaxVersion: VersionTLS13,
8871 CurvePreferences: []CurveID{CurveP256},
8872 Bugs: ProtocolBugs{
8873 IgnorePeerCurvePreferences: true,
8874 },
8875 },
8876 flags: []string{"-p384-only"},
8877 shouldFail: true,
8878 expectedError: ":WRONG_CURVE:",
8879 })
8880
8881 testCases = append(testCases, testCase{
8882 name: "UnnecessaryHelloRetryRequest",
8883 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -04008884 MaxVersion: VersionTLS13,
8885 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -04008886 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -04008887 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -04008888 },
8889 },
8890 shouldFail: true,
8891 expectedError: ":WRONG_CURVE:",
8892 })
8893
8894 testCases = append(testCases, testCase{
8895 name: "SecondHelloRetryRequest",
8896 config: Config{
8897 MaxVersion: VersionTLS13,
8898 // P-384 requires HelloRetryRequest in BoringSSL.
8899 CurvePreferences: []CurveID{CurveP384},
8900 Bugs: ProtocolBugs{
8901 SecondHelloRetryRequest: true,
8902 },
8903 },
8904 shouldFail: true,
8905 expectedError: ":UNEXPECTED_MESSAGE:",
8906 })
8907
8908 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -04008909 name: "HelloRetryRequest-Empty",
8910 config: Config{
8911 MaxVersion: VersionTLS13,
8912 Bugs: ProtocolBugs{
8913 AlwaysSendHelloRetryRequest: true,
8914 },
8915 },
8916 shouldFail: true,
8917 expectedError: ":DECODE_ERROR:",
8918 })
8919
8920 testCases = append(testCases, testCase{
8921 name: "HelloRetryRequest-DuplicateCurve",
8922 config: Config{
8923 MaxVersion: VersionTLS13,
8924 // P-384 requires a HelloRetryRequest against BoringSSL's default
8925 // configuration. Assert this ExpectMissingKeyShare.
8926 CurvePreferences: []CurveID{CurveP384},
8927 Bugs: ProtocolBugs{
8928 ExpectMissingKeyShare: true,
8929 DuplicateHelloRetryRequestExtensions: true,
8930 },
8931 },
8932 shouldFail: true,
8933 expectedError: ":DUPLICATE_EXTENSION:",
8934 expectedLocalError: "remote error: illegal parameter",
8935 })
8936
8937 testCases = append(testCases, testCase{
8938 name: "HelloRetryRequest-Cookie",
8939 config: Config{
8940 MaxVersion: VersionTLS13,
8941 Bugs: ProtocolBugs{
8942 SendHelloRetryRequestCookie: []byte("cookie"),
8943 },
8944 },
8945 })
8946
8947 testCases = append(testCases, testCase{
8948 name: "HelloRetryRequest-DuplicateCookie",
8949 config: Config{
8950 MaxVersion: VersionTLS13,
8951 Bugs: ProtocolBugs{
8952 SendHelloRetryRequestCookie: []byte("cookie"),
8953 DuplicateHelloRetryRequestExtensions: true,
8954 },
8955 },
8956 shouldFail: true,
8957 expectedError: ":DUPLICATE_EXTENSION:",
8958 expectedLocalError: "remote error: illegal parameter",
8959 })
8960
8961 testCases = append(testCases, testCase{
8962 name: "HelloRetryRequest-EmptyCookie",
8963 config: Config{
8964 MaxVersion: VersionTLS13,
8965 Bugs: ProtocolBugs{
8966 SendHelloRetryRequestCookie: []byte{},
8967 },
8968 },
8969 shouldFail: true,
8970 expectedError: ":DECODE_ERROR:",
8971 })
8972
8973 testCases = append(testCases, testCase{
8974 name: "HelloRetryRequest-Cookie-Curve",
8975 config: Config{
8976 MaxVersion: VersionTLS13,
8977 // P-384 requires HelloRetryRequest in BoringSSL.
8978 CurvePreferences: []CurveID{CurveP384},
8979 Bugs: ProtocolBugs{
8980 SendHelloRetryRequestCookie: []byte("cookie"),
8981 ExpectMissingKeyShare: true,
8982 },
8983 },
8984 })
8985
8986 testCases = append(testCases, testCase{
8987 name: "HelloRetryRequest-Unknown",
8988 config: Config{
8989 MaxVersion: VersionTLS13,
8990 Bugs: ProtocolBugs{
8991 CustomHelloRetryRequestExtension: "extension",
8992 },
8993 },
8994 shouldFail: true,
8995 expectedError: ":UNEXPECTED_EXTENSION:",
8996 expectedLocalError: "remote error: unsupported extension",
8997 })
8998
8999 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -04009000 testType: serverTest,
9001 name: "SecondClientHelloMissingKeyShare",
9002 config: Config{
9003 MaxVersion: VersionTLS13,
9004 DefaultCurves: []CurveID{},
9005 Bugs: ProtocolBugs{
9006 SecondClientHelloMissingKeyShare: true,
9007 },
9008 },
9009 shouldFail: true,
9010 expectedError: ":MISSING_KEY_SHARE:",
9011 })
9012
9013 testCases = append(testCases, testCase{
9014 testType: serverTest,
9015 name: "SecondClientHelloWrongCurve",
9016 config: Config{
9017 MaxVersion: VersionTLS13,
9018 DefaultCurves: []CurveID{},
9019 Bugs: ProtocolBugs{
9020 MisinterpretHelloRetryRequestCurve: CurveP521,
9021 },
9022 },
9023 shouldFail: true,
9024 expectedError: ":WRONG_CURVE:",
9025 })
9026
9027 testCases = append(testCases, testCase{
9028 name: "HelloRetryRequestVersionMismatch",
9029 config: Config{
9030 MaxVersion: VersionTLS13,
9031 // P-384 requires HelloRetryRequest in BoringSSL.
9032 CurvePreferences: []CurveID{CurveP384},
9033 Bugs: ProtocolBugs{
9034 SendServerHelloVersion: 0x0305,
9035 },
9036 },
9037 shouldFail: true,
9038 expectedError: ":WRONG_VERSION_NUMBER:",
9039 })
9040
9041 testCases = append(testCases, testCase{
9042 name: "HelloRetryRequestCurveMismatch",
9043 config: Config{
9044 MaxVersion: VersionTLS13,
9045 // P-384 requires HelloRetryRequest in BoringSSL.
9046 CurvePreferences: []CurveID{CurveP384},
9047 Bugs: ProtocolBugs{
9048 // Send P-384 (correct) in the HelloRetryRequest.
9049 SendHelloRetryRequestCurve: CurveP384,
9050 // But send P-256 in the ServerHello.
9051 SendCurve: CurveP256,
9052 },
9053 },
9054 shouldFail: true,
9055 expectedError: ":WRONG_CURVE:",
9056 })
9057
9058 // Test the server selecting a curve that requires a HelloRetryRequest
9059 // without sending it.
9060 testCases = append(testCases, testCase{
9061 name: "SkipHelloRetryRequest",
9062 config: Config{
9063 MaxVersion: VersionTLS13,
9064 // P-384 requires HelloRetryRequest in BoringSSL.
9065 CurvePreferences: []CurveID{CurveP384},
9066 Bugs: ProtocolBugs{
9067 SkipHelloRetryRequest: true,
9068 },
9069 },
9070 shouldFail: true,
9071 expectedError: ":WRONG_CURVE:",
9072 })
David Benjamin8a8349b2016-08-18 02:32:23 -04009073
9074 testCases = append(testCases, testCase{
9075 name: "TLS13-RequestContextInHandshake",
9076 config: Config{
9077 MaxVersion: VersionTLS13,
9078 MinVersion: VersionTLS13,
9079 ClientAuth: RequireAnyClientCert,
9080 Bugs: ProtocolBugs{
9081 SendRequestContext: []byte("request context"),
9082 },
9083 },
9084 flags: []string{
9085 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9086 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9087 },
9088 shouldFail: true,
9089 expectedError: ":DECODE_ERROR:",
9090 })
David Benjamin7e1f9842016-09-20 19:24:40 -04009091
9092 testCases = append(testCases, testCase{
9093 testType: serverTest,
9094 name: "TLS13-TrailingKeyShareData",
9095 config: Config{
9096 MaxVersion: VersionTLS13,
9097 Bugs: ProtocolBugs{
9098 TrailingKeyShareData: true,
9099 },
9100 },
9101 shouldFail: true,
9102 expectedError: ":DECODE_ERROR:",
9103 })
David Benjamin7f78df42016-10-05 22:33:19 -04009104
9105 testCases = append(testCases, testCase{
9106 name: "TLS13-AlwaysSelectPSKIdentity",
9107 config: Config{
9108 MaxVersion: VersionTLS13,
9109 Bugs: ProtocolBugs{
9110 AlwaysSelectPSKIdentity: true,
9111 },
9112 },
9113 shouldFail: true,
9114 expectedError: ":UNEXPECTED_EXTENSION:",
9115 })
9116
9117 testCases = append(testCases, testCase{
9118 name: "TLS13-InvalidPSKIdentity",
9119 config: Config{
9120 MaxVersion: VersionTLS13,
9121 Bugs: ProtocolBugs{
9122 SelectPSKIdentityOnResume: 1,
9123 },
9124 },
9125 resumeSession: true,
9126 shouldFail: true,
9127 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9128 })
David Benjamin1286bee2016-10-07 15:25:06 -04009129
Steven Valdezaf3b8a92016-11-01 12:49:22 -04009130 testCases = append(testCases, testCase{
9131 testType: serverTest,
9132 name: "TLS13-ExtraPSKIdentity",
9133 config: Config{
9134 MaxVersion: VersionTLS13,
9135 Bugs: ProtocolBugs{
9136 ExtraPSKIdentity: true,
9137 },
9138 },
9139 resumeSession: true,
9140 })
9141
David Benjamin1286bee2016-10-07 15:25:06 -04009142 // Test that unknown NewSessionTicket extensions are tolerated.
9143 testCases = append(testCases, testCase{
9144 name: "TLS13-CustomTicketExtension",
9145 config: Config{
9146 MaxVersion: VersionTLS13,
9147 Bugs: ProtocolBugs{
9148 CustomTicketExtension: "1234",
9149 },
9150 },
9151 })
Steven Valdez143e8b32016-07-11 13:19:03 -04009152}
9153
David Benjaminabbbee12016-10-31 19:20:42 -04009154func addTLS13CipherPreferenceTests() {
9155 // Test that client preference is honored if the shim has AES hardware
9156 // and ChaCha20-Poly1305 is preferred otherwise.
9157 testCases = append(testCases, testCase{
9158 testType: serverTest,
9159 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
9160 config: Config{
9161 MaxVersion: VersionTLS13,
9162 CipherSuites: []uint16{
9163 TLS_CHACHA20_POLY1305_SHA256,
9164 TLS_AES_128_GCM_SHA256,
9165 },
9166 },
9167 flags: []string{
9168 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9169 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9170 },
9171 })
9172
9173 testCases = append(testCases, testCase{
9174 testType: serverTest,
9175 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
9176 config: Config{
9177 MaxVersion: VersionTLS13,
9178 CipherSuites: []uint16{
9179 TLS_AES_128_GCM_SHA256,
9180 TLS_CHACHA20_POLY1305_SHA256,
9181 },
9182 },
9183 flags: []string{
9184 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9185 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9186 },
9187 })
9188
9189 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
9190 // whether it has AES hardware.
9191 testCases = append(testCases, testCase{
9192 name: "TLS13-CipherPreference-Client",
9193 config: Config{
9194 MaxVersion: VersionTLS13,
9195 // Use the client cipher order. (This is the default but
9196 // is listed to be explicit.)
9197 PreferServerCipherSuites: false,
9198 },
9199 flags: []string{
9200 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9201 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9202 },
9203 })
9204}
9205
David Benjaminf3fbade2016-09-19 13:08:16 -04009206func addPeekTests() {
9207 // Test SSL_peek works, including on empty records.
9208 testCases = append(testCases, testCase{
9209 name: "Peek-Basic",
9210 sendEmptyRecords: 1,
9211 flags: []string{"-peek-then-read"},
9212 })
9213
9214 // Test SSL_peek can drive the initial handshake.
9215 testCases = append(testCases, testCase{
9216 name: "Peek-ImplicitHandshake",
9217 flags: []string{
9218 "-peek-then-read",
9219 "-implicit-handshake",
9220 },
9221 })
9222
9223 // Test SSL_peek can discover and drive a renegotiation.
9224 testCases = append(testCases, testCase{
9225 name: "Peek-Renegotiate",
9226 config: Config{
9227 MaxVersion: VersionTLS12,
9228 },
9229 renegotiate: 1,
9230 flags: []string{
9231 "-peek-then-read",
9232 "-renegotiate-freely",
9233 "-expect-total-renegotiations", "1",
9234 },
9235 })
9236
9237 // Test SSL_peek can discover a close_notify.
9238 testCases = append(testCases, testCase{
9239 name: "Peek-Shutdown",
9240 config: Config{
9241 Bugs: ProtocolBugs{
9242 ExpectCloseNotify: true,
9243 },
9244 },
9245 flags: []string{
9246 "-peek-then-read",
9247 "-check-close-notify",
9248 },
9249 })
9250
9251 // Test SSL_peek can discover an alert.
9252 testCases = append(testCases, testCase{
9253 name: "Peek-Alert",
9254 config: Config{
9255 Bugs: ProtocolBugs{
9256 SendSpuriousAlert: alertRecordOverflow,
9257 },
9258 },
9259 flags: []string{"-peek-then-read"},
9260 shouldFail: true,
9261 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
9262 })
9263
9264 // Test SSL_peek can handle KeyUpdate.
9265 testCases = append(testCases, testCase{
9266 name: "Peek-KeyUpdate",
9267 config: Config{
9268 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -04009269 },
Steven Valdezc4aa7272016-10-03 12:25:56 -04009270 sendKeyUpdates: 1,
9271 keyUpdateRequest: keyUpdateNotRequested,
9272 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -04009273 })
9274}
9275
David Benjamine6f22212016-11-08 14:28:24 -05009276func addRecordVersionTests() {
9277 for _, ver := range tlsVersions {
9278 // Test that the record version is enforced.
9279 testCases = append(testCases, testCase{
9280 name: "CheckRecordVersion-" + ver.name,
9281 config: Config{
9282 MinVersion: ver.version,
9283 MaxVersion: ver.version,
9284 Bugs: ProtocolBugs{
9285 SendRecordVersion: 0x03ff,
9286 },
9287 },
9288 shouldFail: true,
9289 expectedError: ":WRONG_VERSION_NUMBER:",
9290 })
9291
9292 // Test that the ClientHello may use any record version, for
9293 // compatibility reasons.
9294 testCases = append(testCases, testCase{
9295 testType: serverTest,
9296 name: "LooseInitialRecordVersion-" + ver.name,
9297 config: Config{
9298 MinVersion: ver.version,
9299 MaxVersion: ver.version,
9300 Bugs: ProtocolBugs{
9301 SendInitialRecordVersion: 0x03ff,
9302 },
9303 },
9304 })
9305
9306 // Test that garbage ClientHello record versions are rejected.
9307 testCases = append(testCases, testCase{
9308 testType: serverTest,
9309 name: "GarbageInitialRecordVersion-" + ver.name,
9310 config: Config{
9311 MinVersion: ver.version,
9312 MaxVersion: ver.version,
9313 Bugs: ProtocolBugs{
9314 SendInitialRecordVersion: 0xffff,
9315 },
9316 },
9317 shouldFail: true,
9318 expectedError: ":WRONG_VERSION_NUMBER:",
9319 })
9320 }
9321}
9322
David Benjamin2c516452016-11-15 10:16:54 +09009323func addCertificateTests() {
9324 // Test that a certificate chain with intermediate may be sent and
9325 // received as both client and server.
9326 for _, ver := range tlsVersions {
9327 testCases = append(testCases, testCase{
9328 testType: clientTest,
9329 name: "SendReceiveIntermediate-Client-" + ver.name,
9330 config: Config{
9331 Certificates: []Certificate{rsaChainCertificate},
9332 ClientAuth: RequireAnyClientCert,
9333 },
9334 expectPeerCertificate: &rsaChainCertificate,
9335 flags: []string{
9336 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9337 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9338 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9339 },
9340 })
9341
9342 testCases = append(testCases, testCase{
9343 testType: serverTest,
9344 name: "SendReceiveIntermediate-Server-" + ver.name,
9345 config: Config{
9346 Certificates: []Certificate{rsaChainCertificate},
9347 },
9348 expectPeerCertificate: &rsaChainCertificate,
9349 flags: []string{
9350 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9351 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9352 "-require-any-client-certificate",
9353 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9354 },
9355 })
9356 }
9357}
9358
Adam Langley7c803a62015-06-15 15:35:05 -07009359func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -07009360 defer wg.Done()
9361
9362 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -08009363 var err error
9364
9365 if *mallocTest < 0 {
9366 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -07009367 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -08009368 } else {
9369 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
9370 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -07009371 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -08009372 if err != nil {
9373 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
9374 }
9375 break
9376 }
9377 }
9378 }
Adam Langley95c29f32014-06-20 12:00:00 -07009379 statusChan <- statusMsg{test: test, err: err}
9380 }
9381}
9382
9383type statusMsg struct {
9384 test *testCase
9385 started bool
9386 err error
9387}
9388
David Benjamin5f237bc2015-02-11 17:14:15 -05009389func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +02009390 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -07009391
David Benjamin5f237bc2015-02-11 17:14:15 -05009392 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -07009393 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -05009394 if !*pipe {
9395 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -05009396 var erase string
9397 for i := 0; i < lineLen; i++ {
9398 erase += "\b \b"
9399 }
9400 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -05009401 }
9402
Adam Langley95c29f32014-06-20 12:00:00 -07009403 if msg.started {
9404 started++
9405 } else {
9406 done++
David Benjamin5f237bc2015-02-11 17:14:15 -05009407
9408 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +02009409 if msg.err == errUnimplemented {
9410 if *pipe {
9411 // Print each test instead of a status line.
9412 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
9413 }
9414 unimplemented++
9415 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
9416 } else {
9417 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
9418 failed++
9419 testOutput.addResult(msg.test.name, "FAIL")
9420 }
David Benjamin5f237bc2015-02-11 17:14:15 -05009421 } else {
9422 if *pipe {
9423 // Print each test instead of a status line.
9424 fmt.Printf("PASSED (%s)\n", msg.test.name)
9425 }
9426 testOutput.addResult(msg.test.name, "PASS")
9427 }
Adam Langley95c29f32014-06-20 12:00:00 -07009428 }
9429
David Benjamin5f237bc2015-02-11 17:14:15 -05009430 if !*pipe {
9431 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +02009432 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -05009433 lineLen = len(line)
9434 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -07009435 }
Adam Langley95c29f32014-06-20 12:00:00 -07009436 }
David Benjamin5f237bc2015-02-11 17:14:15 -05009437
9438 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -07009439}
9440
9441func main() {
Adam Langley95c29f32014-06-20 12:00:00 -07009442 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -07009443 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -07009444 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -07009445
Adam Langley7c803a62015-06-15 15:35:05 -07009446 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -07009447 addCipherSuiteTests()
9448 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -07009449 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -07009450 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -04009451 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -08009452 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -04009453 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -05009454 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -04009455 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -04009456 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -07009457 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -07009458 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -05009459 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -07009460 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -05009461 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -04009462 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -07009463 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -07009464 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -05009465 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -05009466 addCurveTests()
Matt Braithwaite54217e42016-06-13 13:03:47 -07009467 addCECPQ1Tests()
David Benjamin5c4e8572016-08-19 17:44:53 -04009468 addDHEGroupSizeTests()
Steven Valdez5b986082016-09-01 12:29:49 -04009469 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -04009470 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -07009471 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -07009472 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -04009473 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -04009474 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -04009475 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -04009476 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -04009477 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -05009478 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +09009479 addCertificateTests()
Adam Langley95c29f32014-06-20 12:00:00 -07009480
9481 var wg sync.WaitGroup
9482
Adam Langley7c803a62015-06-15 15:35:05 -07009483 statusChan := make(chan statusMsg, *numWorkers)
9484 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -05009485 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -07009486
EKRf71d7ed2016-08-06 13:25:12 -07009487 if len(*shimConfigFile) != 0 {
9488 encoded, err := ioutil.ReadFile(*shimConfigFile)
9489 if err != nil {
9490 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
9491 os.Exit(1)
9492 }
9493
9494 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
9495 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
9496 os.Exit(1)
9497 }
9498 }
9499
David Benjamin025b3d32014-07-01 19:53:04 -04009500 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -07009501
Adam Langley7c803a62015-06-15 15:35:05 -07009502 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -07009503 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -07009504 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -07009505 }
9506
David Benjamin270f0a72016-03-17 14:41:36 -04009507 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -04009508 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -04009509 matched := true
9510 if len(*testToRun) != 0 {
9511 var err error
9512 matched, err = filepath.Match(*testToRun, testCases[i].name)
9513 if err != nil {
9514 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
9515 os.Exit(1)
9516 }
9517 }
9518
EKRf71d7ed2016-08-06 13:25:12 -07009519 if !*includeDisabled {
9520 for pattern := range shimConfig.DisabledTests {
9521 isDisabled, err := filepath.Match(pattern, testCases[i].name)
9522 if err != nil {
9523 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
9524 os.Exit(1)
9525 }
9526
9527 if isDisabled {
9528 matched = false
9529 break
9530 }
9531 }
9532 }
9533
David Benjamin17e12922016-07-28 18:04:43 -04009534 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -04009535 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -04009536 testChan <- &testCases[i]
Adam Langley95c29f32014-06-20 12:00:00 -07009537 }
9538 }
David Benjamin17e12922016-07-28 18:04:43 -04009539
David Benjamin270f0a72016-03-17 14:41:36 -04009540 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -07009541 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -04009542 os.Exit(1)
9543 }
Adam Langley95c29f32014-06-20 12:00:00 -07009544
9545 close(testChan)
9546 wg.Wait()
9547 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -05009548 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -07009549
9550 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -05009551
9552 if *jsonOutput != "" {
9553 if err := testOutput.writeTo(*jsonOutput); err != nil {
9554 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
9555 }
9556 }
David Benjamin2ab7a862015-04-04 17:02:18 -04009557
EKR842ae6c2016-07-27 09:22:05 +02009558 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
9559 os.Exit(1)
9560 }
9561
9562 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -04009563 os.Exit(1)
9564 }
Adam Langley95c29f32014-06-20 12:00:00 -07009565}