Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / c8ff30cbe716c72279a6f6a9d7d7d0d4091220fa / . / ssl / test / runner / runner.go
blob: ed328b6ce5a92d188eddf59bf352745fe3449f32 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]70)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]71
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]72// ShimConfigurations is used with the “json” package and represents a shim
73// config file.
74type ShimConfiguration struct {
75 // DisabledTests maps from a glob-based pattern to a freeform string.
76 // The glob pattern is used to exclude tests from being run and the
77 // freeform string is unparsed but expected to explain why the test is
78 // disabled.
79 DisabledTests map[string]string
80
81 // ErrorMap maps from expected error strings to the correct error
82 // string for the shim in question. For example, it might map
83 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
84 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
85 ErrorMap map[string]string
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]86
87 // HalfRTTTickets is the number of half-RTT tickets the client should
88 // expect before half-RTT data when testing 0-RTT.
89 HalfRTTTickets int
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]90}
91
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]92// Setup shimConfig defaults aligning with BoringSSL.
93var shimConfig ShimConfiguration = ShimConfiguration{
94 HalfRTTTickets: 2,
95}
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]96
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]97type testCert int
98
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]99const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]100 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]103 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]104 testCertECDSAP256
105 testCertECDSAP384
106 testCertECDSAP521
107)
108
109const (
110 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]111 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]117)
118
119const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]120 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]121 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]122 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]123 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]124 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
125 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
126 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]127 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]128)
129
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]130var (
131 rsaCertificate Certificate
132 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]133 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]134 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]135 ecdsaP256Certificate Certificate
136 ecdsaP384Certificate Certificate
137 ecdsaP521Certificate Certificate
138)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]139
140var testCerts = []struct {
141 id testCert
142 certFile, keyFile string
143 cert *Certificate
144}{
145 {
146 id: testCertRSA,
147 certFile: rsaCertificateFile,
148 keyFile: rsaKeyFile,
149 cert: &rsaCertificate,
150 },
151 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]152 id: testCertRSA1024,
153 certFile: rsa1024CertificateFile,
154 keyFile: rsa1024KeyFile,
155 cert: &rsa1024Certificate,
156 },
157 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]158 id: testCertRSAChain,
159 certFile: rsaChainCertificateFile,
160 keyFile: rsaChainKeyFile,
161 cert: &rsaChainCertificate,
162 },
163 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]164 id: testCertECDSAP224,
165 certFile: ecdsaP224CertificateFile,
166 keyFile: ecdsaP224KeyFile,
167 cert: &ecdsaP224Certificate,
168 },
169 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]170 id: testCertECDSAP256,
171 certFile: ecdsaP256CertificateFile,
172 keyFile: ecdsaP256KeyFile,
173 cert: &ecdsaP256Certificate,
174 },
175 {
176 id: testCertECDSAP384,
177 certFile: ecdsaP384CertificateFile,
178 keyFile: ecdsaP384KeyFile,
179 cert: &ecdsaP384Certificate,
180 },
181 {
182 id: testCertECDSAP521,
183 certFile: ecdsaP521CertificateFile,
184 keyFile: ecdsaP521KeyFile,
185 cert: &ecdsaP521Certificate,
186 },
187}
188
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]189var channelIDKey *ecdsa.PrivateKey
190var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]191
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]192var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]193var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]194
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]195var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]196var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]197
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]198func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]199 for i := range testCerts {
200 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
201 if err != nil {
202 panic(err)
203 }
204 cert.OCSPStaple = testOCSPResponse
205 cert.SignedCertificateTimestampList = testSCTList
206 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]208
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]209 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]210 if err != nil {
211 panic(err)
212 }
213 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
214 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
215 panic("bad key type")
216 }
217 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
218 if err != nil {
219 panic(err)
220 }
221 if channelIDKey.Curve != elliptic.P256() {
222 panic("bad curve")
223 }
224
225 channelIDBytes = make([]byte, 64)
226 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
227 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]228}
229
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]230func getRunnerCertificate(t testCert) Certificate {
231 for _, cert := range testCerts {
232 if cert.id == t {
233 return *cert.cert
234 }
235 }
236 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]237}
238
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]239func getShimCertificate(t testCert) string {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return cert.certFile
243 }
244 }
245 panic("Unknown test certificate")
246}
247
248func getShimKey(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.keyFile
252 }
253 }
254 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]255}
256
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]257// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
258func encodeDERValues(values [][]byte) string {
259 var ret string
260 for i, v := range values {
261 if i > 0 {
262 ret += ","
263 }
264 ret += hex.EncodeToString(v)
265 }
266
267 return ret
268}
269
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]270type testType int
271
272const (
273 clientTest testType = iota
274 serverTest
275)
276
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]277type protocol int
278
279const (
280 tls protocol = iota
281 dtls
282)
283
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]284const (
285 alpn = 1
286 npn = 2
287)
288
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]289type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]290 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]291 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]292 name string
293 config Config
294 shouldFail bool
295 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]296 // expectedLocalError, if not empty, contains a substring that must be
297 // found in the local error.
298 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]299 // expectedVersion, if non-zero, specifies the TLS version that must be
300 // negotiated.
301 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]302 // expectedResumeVersion, if non-zero, specifies the TLS version that
303 // must be negotiated on resumption. If zero, expectedVersion is used.
304 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]305 // expectedCipher, if non-zero, specifies the TLS cipher suite that
306 // should be negotiated.
307 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]308 // expectChannelID controls whether the connection should have
309 // negotiated a Channel ID with channelIDKey.
310 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]311 // expectedNextProto controls whether the connection should
312 // negotiate a next protocol via NPN or ALPN.
313 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]314 // expectNoNextProto, if true, means that no next protocol should be
315 // negotiated.
316 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]317 // expectedNextProtoType, if non-zero, is the expected next
318 // protocol negotiation mechanism.
319 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]320 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
321 // should be negotiated. If zero, none should be negotiated.
322 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]323 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
324 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]325 // expectedSCTList, if not nil, is the expected SCT list to be received.
326 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]327 // expectedPeerSignatureAlgorithm, if not zero, is the signature
328 // algorithm that the peer should have used in the handshake.
329 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]330 // expectedCurveID, if not zero, is the curve that the handshake should
331 // have used.
332 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]333 // messageLen is the length, in bytes, of the test message that will be
334 // sent.
335 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]336 // messageCount is the number of test messages that will be sent.
337 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]338 // certFile is the path to the certificate to use for the server.
339 certFile string
340 // keyFile is the path to the private key to use for the server.
341 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]342 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]343 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]344 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]345 // resumeRenewedSession controls whether a third connection should be
346 // tested which attempts to resume the second connection's session.
347 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]348 // expectResumeRejected, if true, specifies that the attempted
349 // resumption must be rejected by the client. This is only valid for a
350 // serverTest.
351 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]352 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]353 // resumption. Unless newSessionsOnResume is set,
354 // SessionTicketKey, ServerSessionCache, and
355 // ClientSessionCache are copied from the initial connection's
356 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]357 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]358 // newSessionsOnResume, if true, will cause resumeConfig to
359 // use a different session resumption context.
360 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]361 // noSessionCache, if true, will cause the server to run without a
362 // session cache.
363 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]364 // sendPrefix sends a prefix on the socket before actually performing a
365 // handshake.
366 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]367 // shimWritesFirst controls whether the shim sends an initial "hello"
368 // message before doing a roundtrip with the runner.
369 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]370 // shimShutsDown, if true, runs a test where the shim shuts down the
371 // connection immediately after the handshake rather than echoing
372 // messages from the runner.
373 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]374 // renegotiate indicates the number of times the connection should be
375 // renegotiated during the exchange.
376 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]377 // sendHalfHelloRequest, if true, causes the server to send half a
378 // HelloRequest when the handshake completes.
379 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]380 // renegotiateCiphers is a list of ciphersuite ids that will be
381 // switched in just before renegotiation.
382 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]383 // replayWrites, if true, configures the underlying transport
384 // to replay every write it makes in DTLS tests.
385 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]386 // damageFirstWrite, if true, configures the underlying transport to
387 // damage the final byte of the first application data write.
388 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]389 // exportKeyingMaterial, if non-zero, configures the test to exchange
390 // keying material and verify they match.
391 exportKeyingMaterial int
392 exportLabel string
393 exportContext string
394 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]395 // flags, if not empty, contains a list of command-line flags that will
396 // be passed to the shim program.
397 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]398 // testTLSUnique, if true, causes the shim to send the tls-unique value
399 // which will be compared against the expected value.
400 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]401 // sendEmptyRecords is the number of consecutive empty records to send
402 // before and after the test message.
403 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]404 // sendWarningAlerts is the number of consecutive warning alerts to send
405 // before and after the test message.
406 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]407 // sendKeyUpdates is the number of consecutive key updates to send
408 // before and after the test message.
409 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]410 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
411 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]412 // expectMessageDropped, if true, means the test message is expected to
413 // be dropped by the client rather than echoed back.
414 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]415 // expectPeerCertificate, if not nil, is the certificate chain the peer
416 // is expected to send.
417 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]418}
419
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]420var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]421
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]422func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]423 if len(data) == 0 {
424 return
425 }
426
427 protocol := "tls"
428 if test.protocol == dtls {
429 protocol = "dtls"
430 }
431
432 side := "client"
433 if test.testType == serverTest {
434 side = "server"
435 }
436
437 dir := path.Join(*transcriptDir, protocol, side)
438 if err := os.MkdirAll(dir, 0755); err != nil {
439 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
440 return
441 }
442
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]443 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]444 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
445 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
446 }
447}
448
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]449// A timeoutConn implements an idle timeout on each Read and Write operation.
450type timeoutConn struct {
451 net.Conn
452 timeout time.Duration
453}
454
455func (t *timeoutConn) Read(b []byte) (int, error) {
456 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
457 return 0, err
458 }
459 return t.Conn.Read(b)
460}
461
462func (t *timeoutConn) Write(b []byte) (int, error) {
463 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
464 return 0, err
465 }
466 return t.Conn.Write(b)
467}
468
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]469func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]470 if !test.noSessionCache {
471 if config.ClientSessionCache == nil {
472 config.ClientSessionCache = NewLRUClientSessionCache(1)
473 }
474 if config.ServerSessionCache == nil {
475 config.ServerSessionCache = NewLRUServerSessionCache(1)
476 }
477 }
478 if test.testType == clientTest {
479 if len(config.Certificates) == 0 {
480 config.Certificates = []Certificate{rsaCertificate}
481 }
482 } else {
483 // Supply a ServerName to ensure a constant session cache key,
484 // rather than falling back to net.Conn.RemoteAddr.
485 if len(config.ServerName) == 0 {
486 config.ServerName = "test"
487 }
488 }
489 if *fuzzer {
490 config.Bugs.NullAllCiphers = true
491 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]492 if *deterministic {
493 config.Time = func() time.Time { return time.Unix(1234, 1234) }
494 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]495
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]496 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]497
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]498 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]499 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
500 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]501 }
502
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]503 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]504 local, peer := "client", "server"
505 if test.testType == clientTest {
506 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]507 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]508 connDebug := &recordingConn{
509 Conn: conn,
510 isDatagram: test.protocol == dtls,
511 local: local,
512 peer: peer,
513 }
514 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]515 if *flagDebug {
516 defer connDebug.WriteTo(os.Stdout)
517 }
518 if len(*transcriptDir) != 0 {
519 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]520 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]521 }()
522 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]523
524 if config.Bugs.PacketAdaptor != nil {
525 config.Bugs.PacketAdaptor.debug = connDebug
526 }
527 }
528
529 if test.replayWrites {
530 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]531 }
532
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]533 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]534 if test.damageFirstWrite {
535 connDamage = newDamageAdaptor(conn)
536 conn = connDamage
537 }
538
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]539 if test.sendPrefix != "" {
540 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
541 return err
542 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]543 }
544
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]545 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]546 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]547 if test.protocol == dtls {
548 tlsConn = DTLSServer(conn, config)
549 } else {
550 tlsConn = Server(conn, config)
551 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]552 } else {
553 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]554 if test.protocol == dtls {
555 tlsConn = DTLSClient(conn, config)
556 } else {
557 tlsConn = Client(conn, config)
558 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]559 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]560 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]561
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]562 if err := tlsConn.Handshake(); err != nil {
563 return err
564 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]565
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]566 // TODO(davidben): move all per-connection expectations into a dedicated
567 // expectations struct that can be specified separately for the two
568 // legs.
569 expectedVersion := test.expectedVersion
570 if isResume && test.expectedResumeVersion != 0 {
571 expectedVersion = test.expectedResumeVersion
572 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]573 connState := tlsConn.ConnectionState()
574 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]575 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]576 }
577
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]578 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]579 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
580 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]581 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
582 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
583 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]584
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]585 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]586 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]587 if channelID == nil {
588 return fmt.Errorf("no channel ID negotiated")
589 }
590 if channelID.Curve != channelIDKey.Curve ||
591 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
592 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
593 return fmt.Errorf("incorrect channel ID")
594 }
595 }
596
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]597 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]598 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]599 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
600 }
601 }
602
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]603 if test.expectNoNextProto {
604 if actual := connState.NegotiatedProtocol; actual != "" {
605 return fmt.Errorf("got unexpected next proto %s", actual)
606 }
607 }
608
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]609 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]610 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]611 return fmt.Errorf("next proto type mismatch")
612 }
613 }
614
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]615 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]616 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
617 }
618
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]619 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]620 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]621 }
622
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]623 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
624 return fmt.Errorf("SCT list mismatch")
625 }
626
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]627 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
628 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]629 }
630
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]631 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
632 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
633 }
634
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]635 if test.expectPeerCertificate != nil {
636 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
637 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
638 }
639 for i, cert := range connState.PeerCertificates {
640 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
641 return fmt.Errorf("peer certificate %d did not match", i+1)
642 }
643 }
644 }
645
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]646 if test.exportKeyingMaterial > 0 {
647 actual := make([]byte, test.exportKeyingMaterial)
648 if _, err := io.ReadFull(tlsConn, actual); err != nil {
649 return err
650 }
651 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
652 if err != nil {
653 return err
654 }
655 if !bytes.Equal(actual, expected) {
656 return fmt.Errorf("keying material mismatch")
657 }
658 }
659
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]660 if test.testTLSUnique {
661 var peersValue [12]byte
662 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
663 return err
664 }
665 expected := tlsConn.ConnectionState().TLSUnique
666 if !bytes.Equal(peersValue[:], expected) {
667 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
668 }
669 }
670
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]671 if test.shimWritesFirst {
672 var buf [5]byte
673 _, err := io.ReadFull(tlsConn, buf[:])
674 if err != nil {
675 return err
676 }
677 if string(buf[:]) != "hello" {
678 return fmt.Errorf("bad initial message")
679 }
680 }
681
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]682 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]683 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]684 return err
685 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]686 }
687
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]688 for i := 0; i < test.sendEmptyRecords; i++ {
689 tlsConn.Write(nil)
690 }
691
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]692 for i := 0; i < test.sendWarningAlerts; i++ {
693 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
694 }
695
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]696 if test.sendHalfHelloRequest {
697 tlsConn.SendHalfHelloRequest()
698 }
699
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]700 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]701 if test.renegotiateCiphers != nil {
702 config.CipherSuites = test.renegotiateCiphers
703 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]704 for i := 0; i < test.renegotiate; i++ {
705 if err := tlsConn.Renegotiate(); err != nil {
706 return err
707 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]708 }
709 } else if test.renegotiateCiphers != nil {
710 panic("renegotiateCiphers without renegotiate")
711 }
712
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]713 if test.damageFirstWrite {
714 connDamage.setDamage(true)
715 tlsConn.Write([]byte("DAMAGED WRITE"))
716 connDamage.setDamage(false)
717 }
718
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]719 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]720 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]721 if test.protocol == dtls {
722 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
723 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]724 // Read until EOF.
725 _, err := io.Copy(ioutil.Discard, tlsConn)
726 return err
727 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]728 if messageLen == 0 {
729 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]730 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]731
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]732 messageCount := test.messageCount
733 if messageCount == 0 {
734 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]735 }
736
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]737 for j := 0; j < messageCount; j++ {
738 testMessage := make([]byte, messageLen)
739 for i := range testMessage {
740 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]741 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]742 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]743
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]744 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]745 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]746 }
747
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]748 for i := 0; i < test.sendEmptyRecords; i++ {
749 tlsConn.Write(nil)
750 }
751
752 for i := 0; i < test.sendWarningAlerts; i++ {
753 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
754 }
755
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]756 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]757 // The shim will not respond.
758 continue
759 }
760
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]761 buf := make([]byte, len(testMessage))
762 if test.protocol == dtls {
763 bufTmp := make([]byte, len(buf)+1)
764 n, err := tlsConn.Read(bufTmp)
765 if err != nil {
766 return err
767 }
768 if n != len(buf) {
769 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
770 }
771 copy(buf, bufTmp)
772 } else {
773 _, err := io.ReadFull(tlsConn, buf)
774 if err != nil {
775 return err
776 }
777 }
778
779 for i, v := range buf {
780 if v != testMessage[i]^0xff {
781 return fmt.Errorf("bad reply contents at byte %d", i)
782 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]783 }
784 }
785
786 return nil
787}
788
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]789func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]790 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]791 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]792 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]793 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]794 valgrindArgs = append(valgrindArgs, path)
795 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]796
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]797 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]798}
799
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]800func gdbOf(path string, args ...string) *exec.Cmd {
801 xtermArgs := []string{"-e", "gdb", "--args"}
802 xtermArgs = append(xtermArgs, path)
803 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]804
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]805 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]806}
807
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]808func lldbOf(path string, args ...string) *exec.Cmd {
809 xtermArgs := []string{"-e", "lldb", "--"}
810 xtermArgs = append(xtermArgs, path)
811 xtermArgs = append(xtermArgs, args...)
812
813 return exec.Command("xterm", xtermArgs...)
814}
815
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]816var (
817 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
818 errUnimplemented = errors.New("child process does not implement needed flags")
819)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]820
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]821// accept accepts a connection from listener, unless waitChan signals a process
822// exit first.
823func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
824 type connOrError struct {
825 conn net.Conn
826 err error
827 }
828 connChan := make(chan connOrError, 1)
829 go func() {
830 conn, err := listener.Accept()
831 connChan <- connOrError{conn, err}
832 close(connChan)
833 }()
834 select {
835 case result := <-connChan:
836 return result.conn, result.err
837 case childErr := <-waitChan:
838 waitChan <- childErr
839 return nil, fmt.Errorf("child exited early: %s", childErr)
840 }
841}
842
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]843func translateExpectedError(errorStr string) string {
844 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
845 return translated
846 }
847
848 if *looseErrors {
849 return ""
850 }
851
852 return errorStr
853}
854
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]855func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]856 // Help debugging panics on the Go side.
857 defer func() {
858 if r := recover(); r != nil {
859 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
860 panic(r)
861 }
862 }()
863
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]864 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
865 panic("Error expected without shouldFail in " + test.name)
866 }
867
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]868 if test.expectResumeRejected && !test.resumeSession {
869 panic("expectResumeRejected without resumeSession in " + test.name)
870 }
871
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]872 for _, ver := range tlsVersions {
873 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
874 continue
875 }
876
877 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
878 continue
879 }
880
881 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
882 }
883
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]884 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
885 if err != nil {
886 panic(err)
887 }
888 defer func() {
889 if listener != nil {
890 listener.Close()
891 }
892 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]893
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]894 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]895 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]896 flags = append(flags, "-server")
897
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]898 flags = append(flags, "-key-file")
899 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]900 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]901 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]902 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]903 }
904
905 flags = append(flags, "-cert-file")
906 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]907 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]908 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]909 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]910 }
911 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]912
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]913 if test.protocol == dtls {
914 flags = append(flags, "-dtls")
915 }
916
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]917 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]918 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]919 resumeCount++
920 if test.resumeRenewedSession {
921 resumeCount++
922 }
923 }
924
925 if resumeCount > 0 {
926 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]927 }
928
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]929 if test.shimWritesFirst {
930 flags = append(flags, "-shim-writes-first")
931 }
932
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]933 if test.shimShutsDown {
934 flags = append(flags, "-shim-shuts-down")
935 }
936
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]937 if test.exportKeyingMaterial > 0 {
938 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
939 flags = append(flags, "-export-label", test.exportLabel)
940 flags = append(flags, "-export-context", test.exportContext)
941 if test.useExportContext {
942 flags = append(flags, "-use-export-context")
943 }
944 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]945 if test.expectResumeRejected {
946 flags = append(flags, "-expect-session-miss")
947 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]948
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]949 if test.testTLSUnique {
950 flags = append(flags, "-tls-unique")
951 }
952
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]953 flags = append(flags, test.flags...)
954
955 var shim *exec.Cmd
956 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]957 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]958 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]959 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]960 } else if *useLLDB {
961 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]962 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]963 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]964 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]965 shim.Stdin = os.Stdin
966 var stdoutBuf, stderrBuf bytes.Buffer
967 shim.Stdout = &stdoutBuf
968 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]969 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]970 shim.Env = os.Environ()
971 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]972 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]973 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]974 }
975 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
976 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]977
978 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]979 panic(err)
980 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]981 waitChan := make(chan error, 1)
982 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]983
984 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]985
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]986 if *deterministic {
987 config.Rand = &deterministicRand{}
988 }
989
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]990 conn, err := acceptOrWait(listener, waitChan)
991 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]992 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]993 conn.Close()
994 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]995
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]996 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]997 var resumeConfig Config
998 if test.resumeConfig != nil {
999 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]1000 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1001 resumeConfig.SessionTicketKey = config.SessionTicketKey
1002 resumeConfig.ClientSessionCache = config.ClientSessionCache
1003 resumeConfig.ServerSessionCache = config.ServerSessionCache
1004 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]1005 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]1006 } else {
1007 resumeConfig = config
1008 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1009 var connResume net.Conn
1010 connResume, err = acceptOrWait(listener, waitChan)
1011 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1012 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1013 connResume.Close()
1014 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1015 }
1016
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1017 // Close the listener now. This is to avoid hangs should the shim try to
1018 // open more connections than expected.
1019 listener.Close()
1020 listener = nil
1021
1022 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1023 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1024 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1025 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1026 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1027 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1028 case 89:
1029 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1030 case 99:
1031 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1032 }
1033 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1035 // Account for Windows line endings.
1036 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1037 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1038
1039 // Separate the errors from the shim and those from tools like
1040 // AddressSanitizer.
1041 var extraStderr string
1042 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1043 stderr = stderrParts[0]
1044 extraStderr = stderrParts[1]
1045 }
1046
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1048 expectedError := translateExpectedError(test.expectedError)
1049 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1050
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1051 localError := "none"
1052 if err != nil {
1053 localError = err.Error()
1054 }
1055 if len(test.expectedLocalError) != 0 {
1056 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1057 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1058
1059 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1060 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1061 if childErr != nil {
1062 childError = childErr.Error()
1063 }
1064
1065 var msg string
1066 switch {
1067 case failed && !test.shouldFail:
1068 msg = "unexpected failure"
1069 case !failed && test.shouldFail:
1070 msg = "unexpected success"
1071 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1072 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1073 default:
1074 panic("internal error")
1075 }
1076
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1077 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078 }
1079
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1080 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1081 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1082 }
1083
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1084 if *useValgrind && isValgrindError {
1085 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1086 }
1087
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 return nil
1089}
1090
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1091type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1092 name string
1093 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1094 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1095 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1096}
1097
1098var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1099 {"SSL3", VersionSSL30, "-no-ssl3", false},
1100 {"TLS1", VersionTLS10, "-no-tls1", true},
1101 {"TLS11", VersionTLS11, "-no-tls11", false},
1102 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1103 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104}
1105
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1106type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 name string
1108 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1109}
1110
1111var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1112 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1113 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1115 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1116 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1117 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1118 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1119 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1120 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1121 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1122 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1123 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1124 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1125 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1126 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1127 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1128 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1129 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1130 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1131 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1132 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1133 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1134 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1135 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1136 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1137 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1138 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1139 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1140 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1141 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142}
1143
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1144func hasComponent(suiteName, component string) bool {
1145 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1146}
1147
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1148func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1149 return hasComponent(suiteName, "GCM") ||
1150 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1151 hasComponent(suiteName, "SHA384") ||
1152 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1153}
1154
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1155func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1156 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1157}
1158
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1159func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1160 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1161}
1162
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1163func bigFromHex(hex string) *big.Int {
1164 ret, ok := new(big.Int).SetString(hex, 16)
1165 if !ok {
1166 panic("failed to parse hex number 0x" + hex)
1167 }
1168 return ret
1169}
1170
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1171func addBasicTests() {
1172 basicTests := []testCase{
1173 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1174 name: "NoFallbackSCSV",
1175 config: Config{
1176 Bugs: ProtocolBugs{
1177 FailIfNotFallbackSCSV: true,
1178 },
1179 },
1180 shouldFail: true,
1181 expectedLocalError: "no fallback SCSV found",
1182 },
1183 {
1184 name: "SendFallbackSCSV",
1185 config: Config{
1186 Bugs: ProtocolBugs{
1187 FailIfNotFallbackSCSV: true,
1188 },
1189 },
1190 flags: []string{"-fallback-scsv"},
1191 },
1192 {
1193 name: "ClientCertificateTypes",
1194 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1195 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1196 ClientAuth: RequestClientCert,
1197 ClientCertificateTypes: []byte{
1198 CertTypeDSSSign,
1199 CertTypeRSASign,
1200 CertTypeECDSASign,
1201 },
1202 },
1203 flags: []string{
1204 "-expect-certificate-types",
1205 base64.StdEncoding.EncodeToString([]byte{
1206 CertTypeDSSSign,
1207 CertTypeRSASign,
1208 CertTypeECDSASign,
1209 }),
1210 },
1211 },
1212 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1213 name: "UnauthenticatedECDH",
1214 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1215 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1216 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1217 Bugs: ProtocolBugs{
1218 UnauthenticatedECDH: true,
1219 },
1220 },
1221 shouldFail: true,
1222 expectedError: ":UNEXPECTED_MESSAGE:",
1223 },
1224 {
1225 name: "SkipCertificateStatus",
1226 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1227 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1228 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1229 Bugs: ProtocolBugs{
1230 SkipCertificateStatus: true,
1231 },
1232 },
1233 flags: []string{
1234 "-enable-ocsp-stapling",
1235 },
1236 },
1237 {
1238 name: "SkipServerKeyExchange",
1239 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1240 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1242 Bugs: ProtocolBugs{
1243 SkipServerKeyExchange: true,
1244 },
1245 },
1246 shouldFail: true,
1247 expectedError: ":UNEXPECTED_MESSAGE:",
1248 },
1249 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1250 testType: serverTest,
1251 name: "Alert",
1252 config: Config{
1253 Bugs: ProtocolBugs{
1254 SendSpuriousAlert: alertRecordOverflow,
1255 },
1256 },
1257 shouldFail: true,
1258 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1259 },
1260 {
1261 protocol: dtls,
1262 testType: serverTest,
1263 name: "Alert-DTLS",
1264 config: Config{
1265 Bugs: ProtocolBugs{
1266 SendSpuriousAlert: alertRecordOverflow,
1267 },
1268 },
1269 shouldFail: true,
1270 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1271 },
1272 {
1273 testType: serverTest,
1274 name: "FragmentAlert",
1275 config: Config{
1276 Bugs: ProtocolBugs{
1277 FragmentAlert: true,
1278 SendSpuriousAlert: alertRecordOverflow,
1279 },
1280 },
1281 shouldFail: true,
1282 expectedError: ":BAD_ALERT:",
1283 },
1284 {
1285 protocol: dtls,
1286 testType: serverTest,
1287 name: "FragmentAlert-DTLS",
1288 config: Config{
1289 Bugs: ProtocolBugs{
1290 FragmentAlert: true,
1291 SendSpuriousAlert: alertRecordOverflow,
1292 },
1293 },
1294 shouldFail: true,
1295 expectedError: ":BAD_ALERT:",
1296 },
1297 {
1298 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1299 name: "DoubleAlert",
1300 config: Config{
1301 Bugs: ProtocolBugs{
1302 DoubleAlert: true,
1303 SendSpuriousAlert: alertRecordOverflow,
1304 },
1305 },
1306 shouldFail: true,
1307 expectedError: ":BAD_ALERT:",
1308 },
1309 {
1310 protocol: dtls,
1311 testType: serverTest,
1312 name: "DoubleAlert-DTLS",
1313 config: Config{
1314 Bugs: ProtocolBugs{
1315 DoubleAlert: true,
1316 SendSpuriousAlert: alertRecordOverflow,
1317 },
1318 },
1319 shouldFail: true,
1320 expectedError: ":BAD_ALERT:",
1321 },
1322 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1323 name: "SkipNewSessionTicket",
1324 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1325 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1326 Bugs: ProtocolBugs{
1327 SkipNewSessionTicket: true,
1328 },
1329 },
1330 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1331 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1332 },
1333 {
1334 testType: serverTest,
1335 name: "FallbackSCSV",
1336 config: Config{
1337 MaxVersion: VersionTLS11,
1338 Bugs: ProtocolBugs{
1339 SendFallbackSCSV: true,
1340 },
1341 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1342 shouldFail: true,
1343 expectedError: ":INAPPROPRIATE_FALLBACK:",
1344 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1345 },
1346 {
1347 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1348 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1349 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1350 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1351 Bugs: ProtocolBugs{
1352 SendFallbackSCSV: true,
1353 },
1354 },
1355 },
1356 {
1357 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1358 name: "FallbackSCSV-VersionMatch-TLS12",
1359 config: Config{
1360 MaxVersion: VersionTLS12,
1361 Bugs: ProtocolBugs{
1362 SendFallbackSCSV: true,
1363 },
1364 },
1365 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1366 },
1367 {
1368 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1369 name: "FragmentedClientVersion",
1370 config: Config{
1371 Bugs: ProtocolBugs{
1372 MaxHandshakeRecordLength: 1,
1373 FragmentClientVersion: true,
1374 },
1375 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1376 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1377 },
1378 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1379 testType: serverTest,
1380 name: "HttpGET",
1381 sendPrefix: "GET / HTTP/1.0\n",
1382 shouldFail: true,
1383 expectedError: ":HTTP_REQUEST:",
1384 },
1385 {
1386 testType: serverTest,
1387 name: "HttpPOST",
1388 sendPrefix: "POST / HTTP/1.0\n",
1389 shouldFail: true,
1390 expectedError: ":HTTP_REQUEST:",
1391 },
1392 {
1393 testType: serverTest,
1394 name: "HttpHEAD",
1395 sendPrefix: "HEAD / HTTP/1.0\n",
1396 shouldFail: true,
1397 expectedError: ":HTTP_REQUEST:",
1398 },
1399 {
1400 testType: serverTest,
1401 name: "HttpPUT",
1402 sendPrefix: "PUT / HTTP/1.0\n",
1403 shouldFail: true,
1404 expectedError: ":HTTP_REQUEST:",
1405 },
1406 {
1407 testType: serverTest,
1408 name: "HttpCONNECT",
1409 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1410 shouldFail: true,
1411 expectedError: ":HTTPS_PROXY_REQUEST:",
1412 },
1413 {
1414 testType: serverTest,
1415 name: "Garbage",
1416 sendPrefix: "blah",
1417 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1418 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1419 },
1420 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1421 name: "RSAEphemeralKey",
1422 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1423 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1424 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1425 Bugs: ProtocolBugs{
1426 RSAEphemeralKey: true,
1427 },
1428 },
1429 shouldFail: true,
1430 expectedError: ":UNEXPECTED_MESSAGE:",
1431 },
1432 {
1433 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1434 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1435 shouldFail: true,
1436 expectedError: ":WRONG_SSL_VERSION:",
1437 },
1438 {
1439 protocol: dtls,
1440 name: "DisableEverything-DTLS",
1441 flags: []string{"-no-tls12", "-no-tls1"},
1442 shouldFail: true,
1443 expectedError: ":WRONG_SSL_VERSION:",
1444 },
1445 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1446 protocol: dtls,
1447 testType: serverTest,
1448 name: "MTU",
1449 config: Config{
1450 Bugs: ProtocolBugs{
1451 MaxPacketLength: 256,
1452 },
1453 },
1454 flags: []string{"-mtu", "256"},
1455 },
1456 {
1457 protocol: dtls,
1458 testType: serverTest,
1459 name: "MTUExceeded",
1460 config: Config{
1461 Bugs: ProtocolBugs{
1462 MaxPacketLength: 255,
1463 },
1464 },
1465 flags: []string{"-mtu", "256"},
1466 shouldFail: true,
1467 expectedLocalError: "dtls: exceeded maximum packet length",
1468 },
1469 {
1470 name: "CertMismatchRSA",
1471 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1472 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1473 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1474 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1475 Bugs: ProtocolBugs{
1476 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1477 },
1478 },
1479 shouldFail: true,
1480 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1481 },
1482 {
1483 name: "CertMismatchECDSA",
1484 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1485 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1486 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1487 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1488 Bugs: ProtocolBugs{
1489 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1490 },
1491 },
1492 shouldFail: true,
1493 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1494 },
1495 {
1496 name: "EmptyCertificateList",
1497 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1498 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1499 Bugs: ProtocolBugs{
1500 EmptyCertificateList: true,
1501 },
1502 },
1503 shouldFail: true,
1504 expectedError: ":DECODE_ERROR:",
1505 },
1506 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1507 name: "EmptyCertificateList-TLS13",
1508 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1509 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1510 Bugs: ProtocolBugs{
1511 EmptyCertificateList: true,
1512 },
1513 },
1514 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1515 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1516 },
1517 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1518 name: "TLSFatalBadPackets",
1519 damageFirstWrite: true,
1520 shouldFail: true,
1521 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1522 },
1523 {
1524 protocol: dtls,
1525 name: "DTLSIgnoreBadPackets",
1526 damageFirstWrite: true,
1527 },
1528 {
1529 protocol: dtls,
1530 name: "DTLSIgnoreBadPackets-Async",
1531 damageFirstWrite: true,
1532 flags: []string{"-async"},
1533 },
1534 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1535 name: "AppDataBeforeHandshake",
1536 config: Config{
1537 Bugs: ProtocolBugs{
1538 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1539 },
1540 },
1541 shouldFail: true,
1542 expectedError: ":UNEXPECTED_RECORD:",
1543 },
1544 {
1545 name: "AppDataBeforeHandshake-Empty",
1546 config: Config{
1547 Bugs: ProtocolBugs{
1548 AppDataBeforeHandshake: []byte{},
1549 },
1550 },
1551 shouldFail: true,
1552 expectedError: ":UNEXPECTED_RECORD:",
1553 },
1554 {
1555 protocol: dtls,
1556 name: "AppDataBeforeHandshake-DTLS",
1557 config: Config{
1558 Bugs: ProtocolBugs{
1559 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1560 },
1561 },
1562 shouldFail: true,
1563 expectedError: ":UNEXPECTED_RECORD:",
1564 },
1565 {
1566 protocol: dtls,
1567 name: "AppDataBeforeHandshake-DTLS-Empty",
1568 config: Config{
1569 Bugs: ProtocolBugs{
1570 AppDataBeforeHandshake: []byte{},
1571 },
1572 },
1573 shouldFail: true,
1574 expectedError: ":UNEXPECTED_RECORD:",
1575 },
1576 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1577 name: "AppDataAfterChangeCipherSpec",
1578 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1579 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1580 Bugs: ProtocolBugs{
1581 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1582 },
1583 },
1584 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1585 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1586 },
1587 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1588 name: "AppDataAfterChangeCipherSpec-Empty",
1589 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1590 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1591 Bugs: ProtocolBugs{
1592 AppDataAfterChangeCipherSpec: []byte{},
1593 },
1594 },
1595 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1596 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1597 },
1598 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1599 protocol: dtls,
1600 name: "AppDataAfterChangeCipherSpec-DTLS",
1601 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1602 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1603 Bugs: ProtocolBugs{
1604 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1605 },
1606 },
1607 // BoringSSL's DTLS implementation will drop the out-of-order
1608 // application data.
1609 },
1610 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1611 protocol: dtls,
1612 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1613 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1614 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1615 Bugs: ProtocolBugs{
1616 AppDataAfterChangeCipherSpec: []byte{},
1617 },
1618 },
1619 // BoringSSL's DTLS implementation will drop the out-of-order
1620 // application data.
1621 },
1622 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1623 name: "AlertAfterChangeCipherSpec",
1624 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1625 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1626 Bugs: ProtocolBugs{
1627 AlertAfterChangeCipherSpec: alertRecordOverflow,
1628 },
1629 },
1630 shouldFail: true,
1631 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1632 },
1633 {
1634 protocol: dtls,
1635 name: "AlertAfterChangeCipherSpec-DTLS",
1636 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1637 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1638 Bugs: ProtocolBugs{
1639 AlertAfterChangeCipherSpec: alertRecordOverflow,
1640 },
1641 },
1642 shouldFail: true,
1643 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1644 },
1645 {
1646 protocol: dtls,
1647 name: "ReorderHandshakeFragments-Small-DTLS",
1648 config: Config{
1649 Bugs: ProtocolBugs{
1650 ReorderHandshakeFragments: true,
1651 // Small enough that every handshake message is
1652 // fragmented.
1653 MaxHandshakeRecordLength: 2,
1654 },
1655 },
1656 },
1657 {
1658 protocol: dtls,
1659 name: "ReorderHandshakeFragments-Large-DTLS",
1660 config: Config{
1661 Bugs: ProtocolBugs{
1662 ReorderHandshakeFragments: true,
1663 // Large enough that no handshake message is
1664 // fragmented.
1665 MaxHandshakeRecordLength: 2048,
1666 },
1667 },
1668 },
1669 {
1670 protocol: dtls,
1671 name: "MixCompleteMessageWithFragments-DTLS",
1672 config: Config{
1673 Bugs: ProtocolBugs{
1674 ReorderHandshakeFragments: true,
1675 MixCompleteMessageWithFragments: true,
1676 MaxHandshakeRecordLength: 2,
1677 },
1678 },
1679 },
1680 {
1681 name: "SendInvalidRecordType",
1682 config: Config{
1683 Bugs: ProtocolBugs{
1684 SendInvalidRecordType: true,
1685 },
1686 },
1687 shouldFail: true,
1688 expectedError: ":UNEXPECTED_RECORD:",
1689 },
1690 {
1691 protocol: dtls,
1692 name: "SendInvalidRecordType-DTLS",
1693 config: Config{
1694 Bugs: ProtocolBugs{
1695 SendInvalidRecordType: true,
1696 },
1697 },
1698 shouldFail: true,
1699 expectedError: ":UNEXPECTED_RECORD:",
1700 },
1701 {
1702 name: "FalseStart-SkipServerSecondLeg",
1703 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1704 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1705 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1706 NextProtos: []string{"foo"},
1707 Bugs: ProtocolBugs{
1708 SkipNewSessionTicket: true,
1709 SkipChangeCipherSpec: true,
1710 SkipFinished: true,
1711 ExpectFalseStart: true,
1712 },
1713 },
1714 flags: []string{
1715 "-false-start",
1716 "-handshake-never-done",
1717 "-advertise-alpn", "\x03foo",
1718 },
1719 shimWritesFirst: true,
1720 shouldFail: true,
1721 expectedError: ":UNEXPECTED_RECORD:",
1722 },
1723 {
1724 name: "FalseStart-SkipServerSecondLeg-Implicit",
1725 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1726 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1727 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1728 NextProtos: []string{"foo"},
1729 Bugs: ProtocolBugs{
1730 SkipNewSessionTicket: true,
1731 SkipChangeCipherSpec: true,
1732 SkipFinished: true,
1733 },
1734 },
1735 flags: []string{
1736 "-implicit-handshake",
1737 "-false-start",
1738 "-handshake-never-done",
1739 "-advertise-alpn", "\x03foo",
1740 },
1741 shouldFail: true,
1742 expectedError: ":UNEXPECTED_RECORD:",
1743 },
1744 {
1745 testType: serverTest,
1746 name: "FailEarlyCallback",
1747 flags: []string{"-fail-early-callback"},
1748 shouldFail: true,
1749 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1750 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1751 },
1752 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1753 name: "FailCertCallback-Client-TLS12",
1754 config: Config{
1755 MaxVersion: VersionTLS12,
1756 ClientAuth: RequestClientCert,
1757 },
1758 flags: []string{"-fail-cert-callback"},
1759 shouldFail: true,
1760 expectedError: ":CERT_CB_ERROR:",
1761 expectedLocalError: "remote error: internal error",
1762 },
1763 {
1764 testType: serverTest,
1765 name: "FailCertCallback-Server-TLS12",
1766 config: Config{
1767 MaxVersion: VersionTLS12,
1768 },
1769 flags: []string{"-fail-cert-callback"},
1770 shouldFail: true,
1771 expectedError: ":CERT_CB_ERROR:",
1772 expectedLocalError: "remote error: internal error",
1773 },
1774 {
1775 name: "FailCertCallback-Client-TLS13",
1776 config: Config{
1777 MaxVersion: VersionTLS13,
1778 ClientAuth: RequestClientCert,
1779 },
1780 flags: []string{"-fail-cert-callback"},
1781 shouldFail: true,
1782 expectedError: ":CERT_CB_ERROR:",
1783 expectedLocalError: "remote error: internal error",
1784 },
1785 {
1786 testType: serverTest,
1787 name: "FailCertCallback-Server-TLS13",
1788 config: Config{
1789 MaxVersion: VersionTLS13,
1790 },
1791 flags: []string{"-fail-cert-callback"},
1792 shouldFail: true,
1793 expectedError: ":CERT_CB_ERROR:",
1794 expectedLocalError: "remote error: internal error",
1795 },
1796 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1797 protocol: dtls,
1798 name: "FragmentMessageTypeMismatch-DTLS",
1799 config: Config{
1800 Bugs: ProtocolBugs{
1801 MaxHandshakeRecordLength: 2,
1802 FragmentMessageTypeMismatch: true,
1803 },
1804 },
1805 shouldFail: true,
1806 expectedError: ":FRAGMENT_MISMATCH:",
1807 },
1808 {
1809 protocol: dtls,
1810 name: "FragmentMessageLengthMismatch-DTLS",
1811 config: Config{
1812 Bugs: ProtocolBugs{
1813 MaxHandshakeRecordLength: 2,
1814 FragmentMessageLengthMismatch: true,
1815 },
1816 },
1817 shouldFail: true,
1818 expectedError: ":FRAGMENT_MISMATCH:",
1819 },
1820 {
1821 protocol: dtls,
1822 name: "SplitFragments-Header-DTLS",
1823 config: Config{
1824 Bugs: ProtocolBugs{
1825 SplitFragments: 2,
1826 },
1827 },
1828 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1829 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1830 },
1831 {
1832 protocol: dtls,
1833 name: "SplitFragments-Boundary-DTLS",
1834 config: Config{
1835 Bugs: ProtocolBugs{
1836 SplitFragments: dtlsRecordHeaderLen,
1837 },
1838 },
1839 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1840 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1841 },
1842 {
1843 protocol: dtls,
1844 name: "SplitFragments-Body-DTLS",
1845 config: Config{
1846 Bugs: ProtocolBugs{
1847 SplitFragments: dtlsRecordHeaderLen + 1,
1848 },
1849 },
1850 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1851 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1852 },
1853 {
1854 protocol: dtls,
1855 name: "SendEmptyFragments-DTLS",
1856 config: Config{
1857 Bugs: ProtocolBugs{
1858 SendEmptyFragments: true,
1859 },
1860 },
1861 },
1862 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1863 name: "BadFinished-Client",
1864 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1865 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1866 Bugs: ProtocolBugs{
1867 BadFinished: true,
1868 },
1869 },
1870 shouldFail: true,
1871 expectedError: ":DIGEST_CHECK_FAILED:",
1872 },
1873 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1874 name: "BadFinished-Client-TLS13",
1875 config: Config{
1876 MaxVersion: VersionTLS13,
1877 Bugs: ProtocolBugs{
1878 BadFinished: true,
1879 },
1880 },
1881 shouldFail: true,
1882 expectedError: ":DIGEST_CHECK_FAILED:",
1883 },
1884 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1885 testType: serverTest,
1886 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1887 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1888 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1889 Bugs: ProtocolBugs{
1890 BadFinished: true,
1891 },
1892 },
1893 shouldFail: true,
1894 expectedError: ":DIGEST_CHECK_FAILED:",
1895 },
1896 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1897 testType: serverTest,
1898 name: "BadFinished-Server-TLS13",
1899 config: Config{
1900 MaxVersion: VersionTLS13,
1901 Bugs: ProtocolBugs{
1902 BadFinished: true,
1903 },
1904 },
1905 shouldFail: true,
1906 expectedError: ":DIGEST_CHECK_FAILED:",
1907 },
1908 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1909 name: "FalseStart-BadFinished",
1910 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1911 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1912 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1913 NextProtos: []string{"foo"},
1914 Bugs: ProtocolBugs{
1915 BadFinished: true,
1916 ExpectFalseStart: true,
1917 },
1918 },
1919 flags: []string{
1920 "-false-start",
1921 "-handshake-never-done",
1922 "-advertise-alpn", "\x03foo",
1923 },
1924 shimWritesFirst: true,
1925 shouldFail: true,
1926 expectedError: ":DIGEST_CHECK_FAILED:",
1927 },
1928 {
1929 name: "NoFalseStart-NoALPN",
1930 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1931 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1932 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1933 Bugs: ProtocolBugs{
1934 ExpectFalseStart: true,
1935 AlertBeforeFalseStartTest: alertAccessDenied,
1936 },
1937 },
1938 flags: []string{
1939 "-false-start",
1940 },
1941 shimWritesFirst: true,
1942 shouldFail: true,
1943 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1944 expectedLocalError: "tls: peer did not false start: EOF",
1945 },
1946 {
1947 name: "NoFalseStart-NoAEAD",
1948 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1949 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1950 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1951 NextProtos: []string{"foo"},
1952 Bugs: ProtocolBugs{
1953 ExpectFalseStart: true,
1954 AlertBeforeFalseStartTest: alertAccessDenied,
1955 },
1956 },
1957 flags: []string{
1958 "-false-start",
1959 "-advertise-alpn", "\x03foo",
1960 },
1961 shimWritesFirst: true,
1962 shouldFail: true,
1963 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1964 expectedLocalError: "tls: peer did not false start: EOF",
1965 },
1966 {
1967 name: "NoFalseStart-RSA",
1968 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1969 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1970 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1971 NextProtos: []string{"foo"},
1972 Bugs: ProtocolBugs{
1973 ExpectFalseStart: true,
1974 AlertBeforeFalseStartTest: alertAccessDenied,
1975 },
1976 },
1977 flags: []string{
1978 "-false-start",
1979 "-advertise-alpn", "\x03foo",
1980 },
1981 shimWritesFirst: true,
1982 shouldFail: true,
1983 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1984 expectedLocalError: "tls: peer did not false start: EOF",
1985 },
1986 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1987 protocol: dtls,
1988 name: "SendSplitAlert-Sync",
1989 config: Config{
1990 Bugs: ProtocolBugs{
1991 SendSplitAlert: true,
1992 },
1993 },
1994 },
1995 {
1996 protocol: dtls,
1997 name: "SendSplitAlert-Async",
1998 config: Config{
1999 Bugs: ProtocolBugs{
2000 SendSplitAlert: true,
2001 },
2002 },
2003 flags: []string{"-async"},
2004 },
2005 {
2006 protocol: dtls,
2007 name: "PackDTLSHandshake",
2008 config: Config{
2009 Bugs: ProtocolBugs{
2010 MaxHandshakeRecordLength: 2,
2011 PackHandshakeFragments: 20,
2012 PackHandshakeRecords: 200,
2013 },
2014 },
2015 },
2016 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2017 name: "SendEmptyRecords-Pass",
2018 sendEmptyRecords: 32,
2019 },
2020 {
2021 name: "SendEmptyRecords",
2022 sendEmptyRecords: 33,
2023 shouldFail: true,
2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2025 },
2026 {
2027 name: "SendEmptyRecords-Async",
2028 sendEmptyRecords: 33,
2029 flags: []string{"-async"},
2030 shouldFail: true,
2031 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2032 },
2033 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2034 name: "SendWarningAlerts-Pass",
2035 config: Config{
2036 MaxVersion: VersionTLS12,
2037 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2038 sendWarningAlerts: 4,
2039 },
2040 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2041 protocol: dtls,
2042 name: "SendWarningAlerts-DTLS-Pass",
2043 config: Config{
2044 MaxVersion: VersionTLS12,
2045 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2046 sendWarningAlerts: 4,
2047 },
2048 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2049 name: "SendWarningAlerts-TLS13",
2050 config: Config{
2051 MaxVersion: VersionTLS13,
2052 },
2053 sendWarningAlerts: 4,
2054 shouldFail: true,
2055 expectedError: ":BAD_ALERT:",
2056 expectedLocalError: "remote error: error decoding message",
2057 },
2058 {
2059 name: "SendWarningAlerts",
2060 config: Config{
2061 MaxVersion: VersionTLS12,
2062 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2063 sendWarningAlerts: 5,
2064 shouldFail: true,
2065 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2066 },
2067 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2068 name: "SendWarningAlerts-Async",
2069 config: Config{
2070 MaxVersion: VersionTLS12,
2071 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2072 sendWarningAlerts: 5,
2073 flags: []string{"-async"},
2074 shouldFail: true,
2075 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2076 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2077 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2078 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2079 config: Config{
2080 MaxVersion: VersionTLS13,
2081 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2082 sendKeyUpdates: 33,
2083 keyUpdateRequest: keyUpdateNotRequested,
2084 shouldFail: true,
2085 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2086 },
2087 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2088 name: "EmptySessionID",
2089 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2090 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2091 SessionTicketsDisabled: true,
2092 },
2093 noSessionCache: true,
2094 flags: []string{"-expect-no-session"},
2095 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2096 {
2097 name: "Unclean-Shutdown",
2098 config: Config{
2099 Bugs: ProtocolBugs{
2100 NoCloseNotify: true,
2101 ExpectCloseNotify: true,
2102 },
2103 },
2104 shimShutsDown: true,
2105 flags: []string{"-check-close-notify"},
2106 shouldFail: true,
2107 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2108 },
2109 {
2110 name: "Unclean-Shutdown-Ignored",
2111 config: Config{
2112 Bugs: ProtocolBugs{
2113 NoCloseNotify: true,
2114 },
2115 },
2116 shimShutsDown: true,
2117 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2118 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2119 name: "Unclean-Shutdown-Alert",
2120 config: Config{
2121 Bugs: ProtocolBugs{
2122 SendAlertOnShutdown: alertDecompressionFailure,
2123 ExpectCloseNotify: true,
2124 },
2125 },
2126 shimShutsDown: true,
2127 flags: []string{"-check-close-notify"},
2128 shouldFail: true,
2129 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2130 },
2131 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2132 name: "LargePlaintext",
2133 config: Config{
2134 Bugs: ProtocolBugs{
2135 SendLargeRecords: true,
2136 },
2137 },
2138 messageLen: maxPlaintext + 1,
2139 shouldFail: true,
2140 expectedError: ":DATA_LENGTH_TOO_LONG:",
2141 },
2142 {
2143 protocol: dtls,
2144 name: "LargePlaintext-DTLS",
2145 config: Config{
2146 Bugs: ProtocolBugs{
2147 SendLargeRecords: true,
2148 },
2149 },
2150 messageLen: maxPlaintext + 1,
2151 shouldFail: true,
2152 expectedError: ":DATA_LENGTH_TOO_LONG:",
2153 },
2154 {
2155 name: "LargeCiphertext",
2156 config: Config{
2157 Bugs: ProtocolBugs{
2158 SendLargeRecords: true,
2159 },
2160 },
2161 messageLen: maxPlaintext * 2,
2162 shouldFail: true,
2163 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2164 },
2165 {
2166 protocol: dtls,
2167 name: "LargeCiphertext-DTLS",
2168 config: Config{
2169 Bugs: ProtocolBugs{
2170 SendLargeRecords: true,
2171 },
2172 },
2173 messageLen: maxPlaintext * 2,
2174 // Unlike the other four cases, DTLS drops records which
2175 // are invalid before authentication, so the connection
2176 // does not fail.
2177 expectMessageDropped: true,
2178 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2179 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2180 name: "BadHelloRequest-1",
2181 renegotiate: 1,
2182 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2183 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2184 Bugs: ProtocolBugs{
2185 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2186 },
2187 },
2188 flags: []string{
2189 "-renegotiate-freely",
2190 "-expect-total-renegotiations", "1",
2191 },
2192 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2193 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2194 },
2195 {
2196 name: "BadHelloRequest-2",
2197 renegotiate: 1,
2198 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2199 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2200 Bugs: ProtocolBugs{
2201 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2202 },
2203 },
2204 flags: []string{
2205 "-renegotiate-freely",
2206 "-expect-total-renegotiations", "1",
2207 },
2208 shouldFail: true,
2209 expectedError: ":BAD_HELLO_REQUEST:",
2210 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2211 {
2212 testType: serverTest,
2213 name: "SupportTicketsWithSessionID",
2214 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2215 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2216 SessionTicketsDisabled: true,
2217 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2218 resumeConfig: &Config{
2219 MaxVersion: VersionTLS12,
2220 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2221 resumeSession: true,
2222 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2223 {
2224 protocol: dtls,
2225 name: "DTLS-SendExtraFinished",
2226 config: Config{
2227 Bugs: ProtocolBugs{
2228 SendExtraFinished: true,
2229 },
2230 },
2231 shouldFail: true,
2232 expectedError: ":UNEXPECTED_RECORD:",
2233 },
2234 {
2235 protocol: dtls,
2236 name: "DTLS-SendExtraFinished-Reordered",
2237 config: Config{
2238 Bugs: ProtocolBugs{
2239 MaxHandshakeRecordLength: 2,
2240 ReorderHandshakeFragments: true,
2241 SendExtraFinished: true,
2242 },
2243 },
2244 shouldFail: true,
2245 expectedError: ":UNEXPECTED_RECORD:",
2246 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2247 {
2248 testType: serverTest,
2249 name: "V2ClientHello-EmptyRecordPrefix",
2250 config: Config{
2251 // Choose a cipher suite that does not involve
2252 // elliptic curves, so no extensions are
2253 // involved.
2254 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2255 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2256 Bugs: ProtocolBugs{
2257 SendV2ClientHello: true,
2258 },
2259 },
2260 sendPrefix: string([]byte{
2261 byte(recordTypeHandshake),
2262 3, 1, // version
2263 0, 0, // length
2264 }),
2265 // A no-op empty record may not be sent before V2ClientHello.
2266 shouldFail: true,
2267 expectedError: ":WRONG_VERSION_NUMBER:",
2268 },
2269 {
2270 testType: serverTest,
2271 name: "V2ClientHello-WarningAlertPrefix",
2272 config: Config{
2273 // Choose a cipher suite that does not involve
2274 // elliptic curves, so no extensions are
2275 // involved.
2276 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2277 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2278 Bugs: ProtocolBugs{
2279 SendV2ClientHello: true,
2280 },
2281 },
2282 sendPrefix: string([]byte{
2283 byte(recordTypeAlert),
2284 3, 1, // version
2285 0, 2, // length
2286 alertLevelWarning, byte(alertDecompressionFailure),
2287 }),
2288 // A no-op warning alert may not be sent before V2ClientHello.
2289 shouldFail: true,
2290 expectedError: ":WRONG_VERSION_NUMBER:",
2291 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2292 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2293 name: "KeyUpdate-Client",
2294 config: Config{
2295 MaxVersion: VersionTLS13,
2296 },
2297 sendKeyUpdates: 1,
2298 keyUpdateRequest: keyUpdateNotRequested,
2299 },
2300 {
2301 testType: serverTest,
2302 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2303 config: Config{
2304 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2305 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2306 sendKeyUpdates: 1,
2307 keyUpdateRequest: keyUpdateNotRequested,
2308 },
2309 {
2310 name: "KeyUpdate-InvalidRequestMode",
2311 config: Config{
2312 MaxVersion: VersionTLS13,
2313 },
2314 sendKeyUpdates: 1,
2315 keyUpdateRequest: 42,
2316 shouldFail: true,
2317 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2318 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2319 {
2320 name: "SendSNIWarningAlert",
2321 config: Config{
2322 MaxVersion: VersionTLS12,
2323 Bugs: ProtocolBugs{
2324 SendSNIWarningAlert: true,
2325 },
2326 },
2327 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2328 {
2329 testType: serverTest,
2330 name: "ExtraCompressionMethods-TLS12",
2331 config: Config{
2332 MaxVersion: VersionTLS12,
2333 Bugs: ProtocolBugs{
2334 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2335 },
2336 },
2337 },
2338 {
2339 testType: serverTest,
2340 name: "ExtraCompressionMethods-TLS13",
2341 config: Config{
2342 MaxVersion: VersionTLS13,
2343 Bugs: ProtocolBugs{
2344 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2345 },
2346 },
2347 shouldFail: true,
2348 expectedError: ":INVALID_COMPRESSION_LIST:",
2349 expectedLocalError: "remote error: illegal parameter",
2350 },
2351 {
2352 testType: serverTest,
2353 name: "NoNullCompression-TLS12",
2354 config: Config{
2355 MaxVersion: VersionTLS12,
2356 Bugs: ProtocolBugs{
2357 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2358 },
2359 },
2360 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2361 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2362 expectedLocalError: "remote error: illegal parameter",
2363 },
2364 {
2365 testType: serverTest,
2366 name: "NoNullCompression-TLS13",
2367 config: Config{
2368 MaxVersion: VersionTLS13,
2369 Bugs: ProtocolBugs{
2370 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2371 },
2372 },
2373 shouldFail: true,
2374 expectedError: ":INVALID_COMPRESSION_LIST:",
2375 expectedLocalError: "remote error: illegal parameter",
2376 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2377 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2378 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2379 config: Config{
2380 MaxVersion: VersionTLS12,
2381 Bugs: ProtocolBugs{
2382 ExpectGREASE: true,
2383 },
2384 },
2385 flags: []string{"-enable-grease"},
2386 },
2387 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2388 name: "GREASE-Client-TLS13",
2389 config: Config{
2390 MaxVersion: VersionTLS13,
2391 Bugs: ProtocolBugs{
2392 ExpectGREASE: true,
2393 },
2394 },
2395 flags: []string{"-enable-grease"},
2396 },
2397 {
2398 testType: serverTest,
2399 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2400 config: Config{
2401 MaxVersion: VersionTLS13,
2402 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2403 // TLS 1.3 servers are expected to
2404 // always enable GREASE. TLS 1.3 is new,
2405 // so there is no existing ecosystem to
2406 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2407 ExpectGREASE: true,
2408 },
2409 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2410 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2411 {
2412 // Test the server so there is a large certificate as
2413 // well as application data.
2414 testType: serverTest,
2415 name: "MaxSendFragment",
2416 config: Config{
2417 Bugs: ProtocolBugs{
2418 MaxReceivePlaintext: 512,
2419 },
2420 },
2421 messageLen: 1024,
2422 flags: []string{
2423 "-max-send-fragment", "512",
2424 "-read-size", "1024",
2425 },
2426 },
2427 {
2428 // Test the server so there is a large certificate as
2429 // well as application data.
2430 testType: serverTest,
2431 name: "MaxSendFragment-TooLarge",
2432 config: Config{
2433 Bugs: ProtocolBugs{
2434 // Ensure that some of the records are
2435 // 512.
2436 MaxReceivePlaintext: 511,
2437 },
2438 },
2439 messageLen: 1024,
2440 flags: []string{
2441 "-max-send-fragment", "512",
2442 "-read-size", "1024",
2443 },
2444 shouldFail: true,
2445 expectedLocalError: "local error: record overflow",
2446 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2447 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2448 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2449
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2450 if *includeDHE {
2451 testCases = append(testCases, testCase{
2452 name: "NoFalseStart-DHE_RSA",
2453 config: Config{
2454 MaxVersion: VersionTLS12,
2455 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2456 NextProtos: []string{"foo"},
2457 Bugs: ProtocolBugs{
2458 ExpectFalseStart: true,
2459 AlertBeforeFalseStartTest: alertAccessDenied,
2460 },
2461 },
2462 flags: []string{
2463 "-false-start",
2464 "-advertise-alpn", "\x03foo",
2465 },
2466 shimWritesFirst: true,
2467 shouldFail: true,
2468 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2469 expectedLocalError: "tls: peer did not false start: EOF",
2470 })
2471 }
2472
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2473 // Test that very large messages can be received.
2474 cert := rsaCertificate
2475 for i := 0; i < 50; i++ {
2476 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2477 }
2478 testCases = append(testCases, testCase{
2479 name: "LargeMessage",
2480 config: Config{
2481 Certificates: []Certificate{cert},
2482 },
2483 })
2484 testCases = append(testCases, testCase{
2485 protocol: dtls,
2486 name: "LargeMessage-DTLS",
2487 config: Config{
2488 Certificates: []Certificate{cert},
2489 },
2490 })
2491
2492 // They are rejected if the maximum certificate chain length is capped.
2493 testCases = append(testCases, testCase{
2494 name: "LargeMessage-Reject",
2495 config: Config{
2496 Certificates: []Certificate{cert},
2497 },
2498 flags: []string{"-max-cert-list", "16384"},
2499 shouldFail: true,
2500 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2501 })
2502 testCases = append(testCases, testCase{
2503 protocol: dtls,
2504 name: "LargeMessage-Reject-DTLS",
2505 config: Config{
2506 Certificates: []Certificate{cert},
2507 },
2508 flags: []string{"-max-cert-list", "16384"},
2509 shouldFail: true,
2510 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2511 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2512}
2513
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2514func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2515 const psk = "12345"
2516 const pskIdentity = "luggage combo"
2517
2518 var prefix string
2519 if protocol == dtls {
2520 if !ver.hasDTLS {
2521 return
2522 }
2523 prefix = "D"
2524 }
2525
2526 var cert Certificate
2527 var certFile string
2528 var keyFile string
2529 if hasComponent(suite.name, "ECDSA") {
2530 cert = ecdsaP256Certificate
2531 certFile = ecdsaP256CertificateFile
2532 keyFile = ecdsaP256KeyFile
2533 } else {
2534 cert = rsaCertificate
2535 certFile = rsaCertificateFile
2536 keyFile = rsaKeyFile
2537 }
2538
2539 var flags []string
2540 if hasComponent(suite.name, "PSK") {
2541 flags = append(flags,
2542 "-psk", psk,
2543 "-psk-identity", pskIdentity)
2544 }
2545 if hasComponent(suite.name, "NULL") {
2546 // NULL ciphers must be explicitly enabled.
2547 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2548 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2549
2550 var shouldServerFail, shouldClientFail bool
2551 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2552 // BoringSSL clients accept ECDHE on SSLv3, but
2553 // a BoringSSL server will never select it
2554 // because the extension is missing.
2555 shouldServerFail = true
2556 }
2557 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2558 shouldClientFail = true
2559 shouldServerFail = true
2560 }
2561 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2562 shouldClientFail = true
2563 shouldServerFail = true
2564 }
2565 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2566 shouldClientFail = true
2567 shouldServerFail = true
2568 }
2569 if !isDTLSCipher(suite.name) && protocol == dtls {
2570 shouldClientFail = true
2571 shouldServerFail = true
2572 }
2573
2574 var sendCipherSuite uint16
2575 var expectedServerError, expectedClientError string
2576 serverCipherSuites := []uint16{suite.id}
2577 if shouldServerFail {
2578 expectedServerError = ":NO_SHARED_CIPHER:"
2579 }
2580 if shouldClientFail {
2581 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2582 // Configure the server to select ciphers as normal but
2583 // select an incompatible cipher in ServerHello.
2584 serverCipherSuites = nil
2585 sendCipherSuite = suite.id
2586 }
2587
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2588 // For cipher suites and versions where exporters are defined, verify
2589 // that they interoperate.
2590 var exportKeyingMaterial int
2591 if ver.version > VersionSSL30 {
2592 exportKeyingMaterial = 1024
2593 }
2594
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2595 testCases = append(testCases, testCase{
2596 testType: serverTest,
2597 protocol: protocol,
2598 name: prefix + ver.name + "-" + suite.name + "-server",
2599 config: Config{
2600 MinVersion: ver.version,
2601 MaxVersion: ver.version,
2602 CipherSuites: []uint16{suite.id},
2603 Certificates: []Certificate{cert},
2604 PreSharedKey: []byte(psk),
2605 PreSharedKeyIdentity: pskIdentity,
2606 Bugs: ProtocolBugs{
2607 AdvertiseAllConfiguredCiphers: true,
2608 },
2609 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2610 certFile: certFile,
2611 keyFile: keyFile,
2612 flags: flags,
2613 resumeSession: true,
2614 shouldFail: shouldServerFail,
2615 expectedError: expectedServerError,
2616 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2617 })
2618
2619 testCases = append(testCases, testCase{
2620 testType: clientTest,
2621 protocol: protocol,
2622 name: prefix + ver.name + "-" + suite.name + "-client",
2623 config: Config{
2624 MinVersion: ver.version,
2625 MaxVersion: ver.version,
2626 CipherSuites: serverCipherSuites,
2627 Certificates: []Certificate{cert},
2628 PreSharedKey: []byte(psk),
2629 PreSharedKeyIdentity: pskIdentity,
2630 Bugs: ProtocolBugs{
2631 IgnorePeerCipherPreferences: shouldClientFail,
2632 SendCipherSuite: sendCipherSuite,
2633 },
2634 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2635 flags: flags,
2636 resumeSession: true,
2637 shouldFail: shouldClientFail,
2638 expectedError: expectedClientError,
2639 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2640 })
2641
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2642 if shouldClientFail {
2643 return
2644 }
2645
2646 // Ensure the maximum record size is accepted.
2647 testCases = append(testCases, testCase{
2648 protocol: protocol,
2649 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2650 config: Config{
2651 MinVersion: ver.version,
2652 MaxVersion: ver.version,
2653 CipherSuites: []uint16{suite.id},
2654 Certificates: []Certificate{cert},
2655 PreSharedKey: []byte(psk),
2656 PreSharedKeyIdentity: pskIdentity,
2657 },
2658 flags: flags,
2659 messageLen: maxPlaintext,
2660 })
2661
2662 // Test bad records for all ciphers. Bad records are fatal in TLS
2663 // and ignored in DTLS.
2664 var shouldFail bool
2665 var expectedError string
2666 if protocol == tls {
2667 shouldFail = true
2668 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2669 }
2670
2671 testCases = append(testCases, testCase{
2672 protocol: protocol,
2673 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2674 config: Config{
2675 MinVersion: ver.version,
2676 MaxVersion: ver.version,
2677 CipherSuites: []uint16{suite.id},
2678 Certificates: []Certificate{cert},
2679 PreSharedKey: []byte(psk),
2680 PreSharedKeyIdentity: pskIdentity,
2681 },
2682 flags: flags,
2683 damageFirstWrite: true,
2684 messageLen: maxPlaintext,
2685 shouldFail: shouldFail,
2686 expectedError: expectedError,
2687 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2688}
2689
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2690func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2691 const bogusCipher = 0xfe00
2692
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2693 if *includeDHE {
2694 testCipherSuites = append(testCipherSuites, []testCipherSuite{
2695 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2696 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
2697 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
2698 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
2699 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
2700 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
2701 }...)
2702 }
2703
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2704 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2705 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2706 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2707 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2708 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2709 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2710 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2711
2712 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2713 name: "NoSharedCipher",
2714 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2715 MaxVersion: VersionTLS12,
2716 CipherSuites: []uint16{},
2717 },
2718 shouldFail: true,
2719 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2720 })
2721
2722 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2723 name: "NoSharedCipher-TLS13",
2724 config: Config{
2725 MaxVersion: VersionTLS13,
2726 CipherSuites: []uint16{},
2727 },
2728 shouldFail: true,
2729 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2730 })
2731
2732 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2733 name: "UnsupportedCipherSuite",
2734 config: Config{
2735 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2736 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2737 Bugs: ProtocolBugs{
2738 IgnorePeerCipherPreferences: true,
2739 },
2740 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2741 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2742 shouldFail: true,
2743 expectedError: ":WRONG_CIPHER_RETURNED:",
2744 })
2745
2746 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2747 name: "ServerHelloBogusCipher",
2748 config: Config{
2749 MaxVersion: VersionTLS12,
2750 Bugs: ProtocolBugs{
2751 SendCipherSuite: bogusCipher,
2752 },
2753 },
2754 shouldFail: true,
2755 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2756 })
2757 testCases = append(testCases, testCase{
2758 name: "ServerHelloBogusCipher-TLS13",
2759 config: Config{
2760 MaxVersion: VersionTLS13,
2761 Bugs: ProtocolBugs{
2762 SendCipherSuite: bogusCipher,
2763 },
2764 },
2765 shouldFail: true,
2766 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2767 })
2768
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2769 if *includeDHE {
2770 testCases = append(testCases, testCase{
2771 name: "WeakDH",
2772 config: Config{
2773 MaxVersion: VersionTLS12,
2774 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2775 Bugs: ProtocolBugs{
2776 // This is a 1023-bit prime number, generated
2777 // with:
2778 // openssl gendh 1023 | openssl asn1parse -i
2779 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2780 },
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2781 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2782 shouldFail: true,
2783 expectedError: ":BAD_DH_P_LENGTH:",
2784 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2785
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2786 testCases = append(testCases, testCase{
2787 name: "SillyDH",
2788 config: Config{
2789 MaxVersion: VersionTLS12,
2790 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2791 Bugs: ProtocolBugs{
2792 // This is a 4097-bit prime number, generated
2793 // with:
2794 // openssl gendh 4097 | openssl asn1parse -i
2795 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2796 },
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2797 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2798 shouldFail: true,
2799 expectedError: ":DH_P_TOO_LONG:",
2800 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2801
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2802 // This test ensures that Diffie-Hellman public values are padded with
2803 // zeros so that they're the same length as the prime. This is to avoid
2804 // hitting a bug in yaSSL.
2805 testCases = append(testCases, testCase{
2806 testType: serverTest,
2807 name: "DHPublicValuePadded",
2808 config: Config{
2809 MaxVersion: VersionTLS12,
2810 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2811 Bugs: ProtocolBugs{
2812 RequireDHPublicValueLen: (1025 + 7) / 8,
2813 },
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2814 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2815 flags: []string{"-use-sparse-dh-prime"},
2816 })
2817 }
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2818
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2819 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2820 testCases = append(testCases, testCase{
2821 testType: serverTest,
2822 name: "UnknownCipher",
2823 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2824 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2825 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2826 Bugs: ProtocolBugs{
2827 AdvertiseAllConfiguredCiphers: true,
2828 },
2829 },
2830 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2831
2832 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2833 testCases = append(testCases, testCase{
2834 testType: serverTest,
2835 name: "UnknownCipher-TLS13",
2836 config: Config{
2837 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2838 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2839 Bugs: ProtocolBugs{
2840 AdvertiseAllConfiguredCiphers: true,
2841 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2842 },
2843 })
2844
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2845 // Test empty ECDHE_PSK identity hints work as expected.
2846 testCases = append(testCases, testCase{
2847 name: "EmptyECDHEPSKHint",
2848 config: Config{
2849 MaxVersion: VersionTLS12,
2850 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2851 PreSharedKey: []byte("secret"),
2852 },
2853 flags: []string{"-psk", "secret"},
2854 })
2855
2856 // Test empty PSK identity hints work as expected, even if an explicit
2857 // ServerKeyExchange is sent.
2858 testCases = append(testCases, testCase{
2859 name: "ExplicitEmptyPSKHint",
2860 config: Config{
2861 MaxVersion: VersionTLS12,
2862 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2863 PreSharedKey: []byte("secret"),
2864 Bugs: ProtocolBugs{
2865 AlwaysSendPreSharedKeyIdentityHint: true,
2866 },
2867 },
2868 flags: []string{"-psk", "secret"},
2869 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2870}
2871
2872func addBadECDSASignatureTests() {
2873 for badR := BadValue(1); badR < NumBadValues; badR++ {
2874 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2875 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2876 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2877 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2878 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2879 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2880 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2881 Bugs: ProtocolBugs{
2882 BadECDSAR: badR,
2883 BadECDSAS: badS,
2884 },
2885 },
2886 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2887 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2888 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2889 testCases = append(testCases, testCase{
2890 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2891 config: Config{
2892 MaxVersion: VersionTLS13,
2893 Certificates: []Certificate{ecdsaP256Certificate},
2894 Bugs: ProtocolBugs{
2895 BadECDSAR: badR,
2896 BadECDSAS: badS,
2897 },
2898 },
2899 shouldFail: true,
2900 expectedError: ":BAD_SIGNATURE:",
2901 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2902 }
2903 }
2904}
2905
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2906func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2907 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2908 name: "MaxCBCPadding",
2909 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2910 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2911 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2912 Bugs: ProtocolBugs{
2913 MaxPadding: true,
2914 },
2915 },
2916 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2917 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2918 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2919 name: "BadCBCPadding",
2920 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2921 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2922 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2923 Bugs: ProtocolBugs{
2924 PaddingFirstByteBad: true,
2925 },
2926 },
2927 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2928 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2929 })
2930 // OpenSSL previously had an issue where the first byte of padding in
2931 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2932 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2933 name: "BadCBCPadding255",
2934 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2935 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2936 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2937 Bugs: ProtocolBugs{
2938 MaxPadding: true,
2939 PaddingFirstByteBadIf255: true,
2940 },
2941 },
2942 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2943 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2944 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2945 })
2946}
2947
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2948func addCBCSplittingTests() {
2949 testCases = append(testCases, testCase{
2950 name: "CBCRecordSplitting",
2951 config: Config{
2952 MaxVersion: VersionTLS10,
2953 MinVersion: VersionTLS10,
2954 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2955 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2956 messageLen: -1, // read until EOF
2957 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2958 flags: []string{
2959 "-async",
2960 "-write-different-record-sizes",
2961 "-cbc-record-splitting",
2962 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2963 })
2964 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2965 name: "CBCRecordSplittingPartialWrite",
2966 config: Config{
2967 MaxVersion: VersionTLS10,
2968 MinVersion: VersionTLS10,
2969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2970 },
2971 messageLen: -1, // read until EOF
2972 flags: []string{
2973 "-async",
2974 "-write-different-record-sizes",
2975 "-cbc-record-splitting",
2976 "-partial-write",
2977 },
2978 })
2979}
2980
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2981func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2982 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2983 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2984 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
2985 cert, err := x509.ParseCertificate(cert.Certificate[0])
2986 if err != nil {
2987 panic(err)
2988 }
2989 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2990 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2991 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2992
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2993 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2994 testCases = append(testCases, testCase{
2995 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2996 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2997 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2998 MinVersion: ver.version,
2999 MaxVersion: ver.version,
3000 ClientAuth: RequireAnyClientCert,
3001 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3002 },
3003 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3004 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3005 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3006 },
3007 })
3008 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3009 testType: serverTest,
3010 name: ver.name + "-Server-ClientAuth-RSA",
3011 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3012 MinVersion: ver.version,
3013 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3014 Certificates: []Certificate{rsaCertificate},
3015 },
3016 flags: []string{"-require-any-client-certificate"},
3017 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3018 if ver.version != VersionSSL30 {
3019 testCases = append(testCases, testCase{
3020 testType: serverTest,
3021 name: ver.name + "-Server-ClientAuth-ECDSA",
3022 config: Config{
3023 MinVersion: ver.version,
3024 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3025 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3026 },
3027 flags: []string{"-require-any-client-certificate"},
3028 })
3029 testCases = append(testCases, testCase{
3030 testType: clientTest,
3031 name: ver.name + "-Client-ClientAuth-ECDSA",
3032 config: Config{
3033 MinVersion: ver.version,
3034 MaxVersion: ver.version,
3035 ClientAuth: RequireAnyClientCert,
3036 ClientCAs: certPool,
3037 },
3038 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3039 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3040 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3041 },
3042 })
3043 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3044
3045 testCases = append(testCases, testCase{
3046 name: "NoClientCertificate-" + ver.name,
3047 config: Config{
3048 MinVersion: ver.version,
3049 MaxVersion: ver.version,
3050 ClientAuth: RequireAnyClientCert,
3051 },
3052 shouldFail: true,
3053 expectedLocalError: "client didn't provide a certificate",
3054 })
3055
3056 testCases = append(testCases, testCase{
3057 // Even if not configured to expect a certificate, OpenSSL will
3058 // return X509_V_OK as the verify_result.
3059 testType: serverTest,
3060 name: "NoClientCertificateRequested-Server-" + ver.name,
3061 config: Config{
3062 MinVersion: ver.version,
3063 MaxVersion: ver.version,
3064 },
3065 flags: []string{
3066 "-expect-verify-result",
3067 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3068 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3069 })
3070
3071 testCases = append(testCases, testCase{
3072 // If a client certificate is not provided, OpenSSL will still
3073 // return X509_V_OK as the verify_result.
3074 testType: serverTest,
3075 name: "NoClientCertificate-Server-" + ver.name,
3076 config: Config{
3077 MinVersion: ver.version,
3078 MaxVersion: ver.version,
3079 },
3080 flags: []string{
3081 "-expect-verify-result",
3082 "-verify-peer",
3083 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3084 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3085 })
3086
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3087 certificateRequired := "remote error: certificate required"
3088 if ver.version < VersionTLS13 {
3089 // Prior to TLS 1.3, the generic handshake_failure alert
3090 // was used.
3091 certificateRequired = "remote error: handshake failure"
3092 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3093 testCases = append(testCases, testCase{
3094 testType: serverTest,
3095 name: "RequireAnyClientCertificate-" + ver.name,
3096 config: Config{
3097 MinVersion: ver.version,
3098 MaxVersion: ver.version,
3099 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3100 flags: []string{"-require-any-client-certificate"},
3101 shouldFail: true,
3102 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3103 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3104 })
3105
3106 if ver.version != VersionSSL30 {
3107 testCases = append(testCases, testCase{
3108 testType: serverTest,
3109 name: "SkipClientCertificate-" + ver.name,
3110 config: Config{
3111 MinVersion: ver.version,
3112 MaxVersion: ver.version,
3113 Bugs: ProtocolBugs{
3114 SkipClientCertificate: true,
3115 },
3116 },
3117 // Setting SSL_VERIFY_PEER allows anonymous clients.
3118 flags: []string{"-verify-peer"},
3119 shouldFail: true,
3120 expectedError: ":UNEXPECTED_MESSAGE:",
3121 })
3122 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3123
3124 testCases = append(testCases, testCase{
3125 testType: serverTest,
3126 name: ver.name + "-Server-CertReq-CA-List",
3127 config: Config{
3128 MinVersion: ver.version,
3129 MaxVersion: ver.version,
3130 Certificates: []Certificate{rsaCertificate},
3131 Bugs: ProtocolBugs{
3132 ExpectCertificateReqNames: caNames,
3133 },
3134 },
3135 flags: []string{
3136 "-require-any-client-certificate",
3137 "-use-client-ca-list", encodeDERValues(caNames),
3138 },
3139 })
3140
3141 testCases = append(testCases, testCase{
3142 testType: clientTest,
3143 name: ver.name + "-Client-CertReq-CA-List",
3144 config: Config{
3145 MinVersion: ver.version,
3146 MaxVersion: ver.version,
3147 Certificates: []Certificate{rsaCertificate},
3148 ClientAuth: RequireAnyClientCert,
3149 ClientCAs: certPool,
3150 },
3151 flags: []string{
3152 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3153 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3154 "-expect-client-ca-list", encodeDERValues(caNames),
3155 },
3156 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3157 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3158
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3159 // Client auth is only legal in certificate-based ciphers.
3160 testCases = append(testCases, testCase{
3161 testType: clientTest,
3162 name: "ClientAuth-PSK",
3163 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3164 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3165 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3166 PreSharedKey: []byte("secret"),
3167 ClientAuth: RequireAnyClientCert,
3168 },
3169 flags: []string{
3170 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3171 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3172 "-psk", "secret",
3173 },
3174 shouldFail: true,
3175 expectedError: ":UNEXPECTED_MESSAGE:",
3176 })
3177 testCases = append(testCases, testCase{
3178 testType: clientTest,
3179 name: "ClientAuth-ECDHE_PSK",
3180 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3181 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3182 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3183 PreSharedKey: []byte("secret"),
3184 ClientAuth: RequireAnyClientCert,
3185 },
3186 flags: []string{
3187 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3188 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3189 "-psk", "secret",
3190 },
3191 shouldFail: true,
3192 expectedError: ":UNEXPECTED_MESSAGE:",
3193 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3194
3195 // Regression test for a bug where the client CA list, if explicitly
3196 // set to NULL, was mis-encoded.
3197 testCases = append(testCases, testCase{
3198 testType: serverTest,
3199 name: "Null-Client-CA-List",
3200 config: Config{
3201 MaxVersion: VersionTLS12,
3202 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3203 Bugs: ProtocolBugs{
3204 ExpectCertificateReqNames: [][]byte{},
3205 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3206 },
3207 flags: []string{
3208 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3209 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3210 },
3211 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3212}
3213
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3214func addExtendedMasterSecretTests() {
3215 const expectEMSFlag = "-expect-extended-master-secret"
3216
3217 for _, with := range []bool{false, true} {
3218 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3219 if with {
3220 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3221 }
3222
3223 for _, isClient := range []bool{false, true} {
3224 suffix := "-Server"
3225 testType := serverTest
3226 if isClient {
3227 suffix = "-Client"
3228 testType = clientTest
3229 }
3230
3231 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3232 // In TLS 1.3, the extension is irrelevant and
3233 // always reports as enabled.
3234 var flags []string
3235 if with || ver.version >= VersionTLS13 {
3236 flags = []string{expectEMSFlag}
3237 }
3238
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3239 test := testCase{
3240 testType: testType,
3241 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3242 config: Config{
3243 MinVersion: ver.version,
3244 MaxVersion: ver.version,
3245 Bugs: ProtocolBugs{
3246 NoExtendedMasterSecret: !with,
3247 RequireExtendedMasterSecret: with,
3248 },
3249 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3250 flags: flags,
3251 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3252 }
3253 if test.shouldFail {
3254 test.expectedLocalError = "extended master secret required but not supported by peer"
3255 }
3256 testCases = append(testCases, test)
3257 }
3258 }
3259 }
3260
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3261 for _, isClient := range []bool{false, true} {
3262 for _, supportedInFirstConnection := range []bool{false, true} {
3263 for _, supportedInResumeConnection := range []bool{false, true} {
3264 boolToWord := func(b bool) string {
3265 if b {
3266 return "Yes"
3267 }
3268 return "No"
3269 }
3270 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3271 if isClient {
3272 suffix += "Client"
3273 } else {
3274 suffix += "Server"
3275 }
3276
3277 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3278 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3279 Bugs: ProtocolBugs{
3280 RequireExtendedMasterSecret: true,
3281 },
3282 }
3283
3284 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3285 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3286 Bugs: ProtocolBugs{
3287 NoExtendedMasterSecret: true,
3288 },
3289 }
3290
3291 test := testCase{
3292 name: "ExtendedMasterSecret-" + suffix,
3293 resumeSession: true,
3294 }
3295
3296 if !isClient {
3297 test.testType = serverTest
3298 }
3299
3300 if supportedInFirstConnection {
3301 test.config = supportedConfig
3302 } else {
3303 test.config = noSupportConfig
3304 }
3305
3306 if supportedInResumeConnection {
3307 test.resumeConfig = &supportedConfig
3308 } else {
3309 test.resumeConfig = &noSupportConfig
3310 }
3311
3312 switch suffix {
3313 case "YesToYes-Client", "YesToYes-Server":
3314 // When a session is resumed, it should
3315 // still be aware that its master
3316 // secret was generated via EMS and
3317 // thus it's safe to use tls-unique.
3318 test.flags = []string{expectEMSFlag}
3319 case "NoToYes-Server":
3320 // If an original connection did not
3321 // contain EMS, but a resumption
3322 // handshake does, then a server should
3323 // not resume the session.
3324 test.expectResumeRejected = true
3325 case "YesToNo-Server":
3326 // Resuming an EMS session without the
3327 // EMS extension should cause the
3328 // server to abort the connection.
3329 test.shouldFail = true
3330 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3331 case "NoToYes-Client":
3332 // A client should abort a connection
3333 // where the server resumed a non-EMS
3334 // session but echoed the EMS
3335 // extension.
3336 test.shouldFail = true
3337 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3338 case "YesToNo-Client":
3339 // A client should abort a connection
3340 // where the server didn't echo EMS
3341 // when the session used it.
3342 test.shouldFail = true
3343 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3344 }
3345
3346 testCases = append(testCases, test)
3347 }
3348 }
3349 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3350
3351 // Switching EMS on renegotiation is forbidden.
3352 testCases = append(testCases, testCase{
3353 name: "ExtendedMasterSecret-Renego-NoEMS",
3354 config: Config{
3355 MaxVersion: VersionTLS12,
3356 Bugs: ProtocolBugs{
3357 NoExtendedMasterSecret: true,
3358 NoExtendedMasterSecretOnRenegotiation: true,
3359 },
3360 },
3361 renegotiate: 1,
3362 flags: []string{
3363 "-renegotiate-freely",
3364 "-expect-total-renegotiations", "1",
3365 },
3366 })
3367
3368 testCases = append(testCases, testCase{
3369 name: "ExtendedMasterSecret-Renego-Upgrade",
3370 config: Config{
3371 MaxVersion: VersionTLS12,
3372 Bugs: ProtocolBugs{
3373 NoExtendedMasterSecret: true,
3374 },
3375 },
3376 renegotiate: 1,
3377 flags: []string{
3378 "-renegotiate-freely",
3379 "-expect-total-renegotiations", "1",
3380 },
3381 shouldFail: true,
3382 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3383 })
3384
3385 testCases = append(testCases, testCase{
3386 name: "ExtendedMasterSecret-Renego-Downgrade",
3387 config: Config{
3388 MaxVersion: VersionTLS12,
3389 Bugs: ProtocolBugs{
3390 NoExtendedMasterSecretOnRenegotiation: true,
3391 },
3392 },
3393 renegotiate: 1,
3394 flags: []string{
3395 "-renegotiate-freely",
3396 "-expect-total-renegotiations", "1",
3397 },
3398 shouldFail: true,
3399 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3400 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3401}
3402
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3403type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3404 protocol protocol
3405 async bool
3406 splitHandshake bool
3407 packHandshakeFlight bool
3408 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3409}
3410
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3411// Adds tests that try to cover the range of the handshake state machine, under
3412// various conditions. Some of these are redundant with other tests, but they
3413// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3414func addAllStateMachineCoverageTests() {
3415 for _, async := range []bool{false, true} {
3416 for _, protocol := range []protocol{tls, dtls} {
3417 addStateMachineCoverageTests(stateMachineTestConfig{
3418 protocol: protocol,
3419 async: async,
3420 })
3421 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3422 protocol: protocol,
3423 async: async,
3424 implicitHandshake: true,
3425 })
3426 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3427 protocol: protocol,
3428 async: async,
3429 splitHandshake: true,
3430 })
3431 if protocol == tls {
3432 addStateMachineCoverageTests(stateMachineTestConfig{
3433 protocol: protocol,
3434 async: async,
3435 packHandshakeFlight: true,
3436 })
3437 }
3438 }
3439 }
3440}
3441
3442func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3443 var tests []testCase
3444
3445 // Basic handshake, with resumption. Client and server,
3446 // session ID and session ticket.
3447 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3448 name: "Basic-Client",
3449 config: Config{
3450 MaxVersion: VersionTLS12,
3451 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3452 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3453 // Ensure session tickets are used, not session IDs.
3454 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3455 })
3456 tests = append(tests, testCase{
3457 name: "Basic-Client-RenewTicket",
3458 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3459 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3460 Bugs: ProtocolBugs{
3461 RenewTicketOnResume: true,
3462 },
3463 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3464 flags: []string{"-expect-ticket-renewal"},
3465 resumeSession: true,
3466 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3467 })
3468 tests = append(tests, testCase{
3469 name: "Basic-Client-NoTicket",
3470 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3471 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3472 SessionTicketsDisabled: true,
3473 },
3474 resumeSession: true,
3475 })
3476 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3477 testType: serverTest,
3478 name: "Basic-Server",
3479 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3480 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3481 Bugs: ProtocolBugs{
3482 RequireSessionTickets: true,
3483 },
3484 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3485 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3486 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3487 })
3488 tests = append(tests, testCase{
3489 testType: serverTest,
3490 name: "Basic-Server-NoTickets",
3491 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3492 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3493 SessionTicketsDisabled: true,
3494 },
3495 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3496 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3497 })
3498 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3499 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3500 name: "Basic-Server-EarlyCallback",
3501 config: Config{
3502 MaxVersion: VersionTLS12,
3503 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3504 flags: []string{"-use-early-callback"},
3505 resumeSession: true,
3506 })
3507
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3508 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3509 if config.protocol == tls {
3510 tests = append(tests, testCase{
3511 name: "TLS13-1RTT-Client",
3512 config: Config{
3513 MaxVersion: VersionTLS13,
3514 MinVersion: VersionTLS13,
3515 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3516 resumeSession: true,
3517 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3518 })
3519
3520 tests = append(tests, testCase{
3521 testType: serverTest,
3522 name: "TLS13-1RTT-Server",
3523 config: Config{
3524 MaxVersion: VersionTLS13,
3525 MinVersion: VersionTLS13,
3526 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3527 resumeSession: true,
3528 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3529 // TLS 1.3 uses tickets, so the session should not be
3530 // cached statefully.
3531 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3532 })
3533
3534 tests = append(tests, testCase{
3535 name: "TLS13-HelloRetryRequest-Client",
3536 config: Config{
3537 MaxVersion: VersionTLS13,
3538 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3539 // P-384 requires a HelloRetryRequest against BoringSSL's default
3540 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3541 CurvePreferences: []CurveID{CurveP384},
3542 Bugs: ProtocolBugs{
3543 ExpectMissingKeyShare: true,
3544 },
3545 },
3546 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3547 resumeSession: true,
3548 })
3549
3550 tests = append(tests, testCase{
3551 testType: serverTest,
3552 name: "TLS13-HelloRetryRequest-Server",
3553 config: Config{
3554 MaxVersion: VersionTLS13,
3555 MinVersion: VersionTLS13,
3556 // Require a HelloRetryRequest for every curve.
3557 DefaultCurves: []CurveID{},
3558 },
3559 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3560 resumeSession: true,
3561 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3562
3563 // TODO(svaldez): Send data on early data once implemented.
3564 tests = append(tests, testCase{
3565 testType: clientTest,
3566 name: "TLS13-EarlyData-Client",
3567 config: Config{
3568 MaxVersion: VersionTLS13,
3569 MinVersion: VersionTLS13,
3570 MaxEarlyDataSize: 16384,
3571 },
3572 resumeSession: true,
3573 flags: []string{
3574 "-enable-early-data",
3575 "-expect-early-data-info",
3576 "-expect-accept-early-data",
3577 },
3578 })
3579
3580 tests = append(tests, testCase{
3581 testType: serverTest,
3582 name: "TLS13-EarlyData-Server",
3583 config: Config{
3584 MaxVersion: VersionTLS13,
3585 MinVersion: VersionTLS13,
3586 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3587 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3588 ExpectEarlyDataAccepted: true,
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3589 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3590 },
3591 },
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3592 messageCount: 2,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3593 resumeSession: true,
3594 flags: []string{
3595 "-enable-early-data",
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]3596 "-expect-accept-early-data",
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3597 },
3598 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3599 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3600
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3601 // TLS client auth.
3602 tests = append(tests, testCase{
3603 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3604 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3605 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3606 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3607 ClientAuth: RequestClientCert,
3608 },
3609 })
3610 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3611 testType: serverTest,
3612 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3613 config: Config{
3614 MaxVersion: VersionTLS12,
3615 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3616 // Setting SSL_VERIFY_PEER allows anonymous clients.
3617 flags: []string{"-verify-peer"},
3618 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3619 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3620 tests = append(tests, testCase{
3621 testType: clientTest,
3622 name: "ClientAuth-NoCertificate-Client-SSL3",
3623 config: Config{
3624 MaxVersion: VersionSSL30,
3625 ClientAuth: RequestClientCert,
3626 },
3627 })
3628 tests = append(tests, testCase{
3629 testType: serverTest,
3630 name: "ClientAuth-NoCertificate-Server-SSL3",
3631 config: Config{
3632 MaxVersion: VersionSSL30,
3633 },
3634 // Setting SSL_VERIFY_PEER allows anonymous clients.
3635 flags: []string{"-verify-peer"},
3636 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3637 tests = append(tests, testCase{
3638 testType: clientTest,
3639 name: "ClientAuth-NoCertificate-Client-TLS13",
3640 config: Config{
3641 MaxVersion: VersionTLS13,
3642 ClientAuth: RequestClientCert,
3643 },
3644 })
3645 tests = append(tests, testCase{
3646 testType: serverTest,
3647 name: "ClientAuth-NoCertificate-Server-TLS13",
3648 config: Config{
3649 MaxVersion: VersionTLS13,
3650 },
3651 // Setting SSL_VERIFY_PEER allows anonymous clients.
3652 flags: []string{"-verify-peer"},
3653 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3654 }
3655 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3656 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3657 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3658 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3659 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3660 ClientAuth: RequireAnyClientCert,
3661 },
3662 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3663 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3664 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3665 },
3666 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3667 tests = append(tests, testCase{
3668 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3669 name: "ClientAuth-RSA-Client-TLS13",
3670 config: Config{
3671 MaxVersion: VersionTLS13,
3672 ClientAuth: RequireAnyClientCert,
3673 },
3674 flags: []string{
3675 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3676 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3677 },
3678 })
3679 tests = append(tests, testCase{
3680 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3681 name: "ClientAuth-ECDSA-Client",
3682 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3683 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3684 ClientAuth: RequireAnyClientCert,
3685 },
3686 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3687 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3688 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3689 },
3690 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3691 tests = append(tests, testCase{
3692 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3693 name: "ClientAuth-ECDSA-Client-TLS13",
3694 config: Config{
3695 MaxVersion: VersionTLS13,
3696 ClientAuth: RequireAnyClientCert,
3697 },
3698 flags: []string{
3699 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3700 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3701 },
3702 })
3703 tests = append(tests, testCase{
3704 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3705 name: "ClientAuth-NoCertificate-OldCallback",
3706 config: Config{
3707 MaxVersion: VersionTLS12,
3708 ClientAuth: RequestClientCert,
3709 },
3710 flags: []string{"-use-old-client-cert-callback"},
3711 })
3712 tests = append(tests, testCase{
3713 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3714 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3715 config: Config{
3716 MaxVersion: VersionTLS13,
3717 ClientAuth: RequestClientCert,
3718 },
3719 flags: []string{"-use-old-client-cert-callback"},
3720 })
3721 tests = append(tests, testCase{
3722 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3723 name: "ClientAuth-OldCallback",
3724 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3725 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3726 ClientAuth: RequireAnyClientCert,
3727 },
3728 flags: []string{
3729 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3730 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3731 "-use-old-client-cert-callback",
3732 },
3733 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3734 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3735 testType: clientTest,
3736 name: "ClientAuth-OldCallback-TLS13",
3737 config: Config{
3738 MaxVersion: VersionTLS13,
3739 ClientAuth: RequireAnyClientCert,
3740 },
3741 flags: []string{
3742 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3743 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3744 "-use-old-client-cert-callback",
3745 },
3746 })
3747 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3748 testType: serverTest,
3749 name: "ClientAuth-Server",
3750 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3751 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3752 Certificates: []Certificate{rsaCertificate},
3753 },
3754 flags: []string{"-require-any-client-certificate"},
3755 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3756 tests = append(tests, testCase{
3757 testType: serverTest,
3758 name: "ClientAuth-Server-TLS13",
3759 config: Config{
3760 MaxVersion: VersionTLS13,
3761 Certificates: []Certificate{rsaCertificate},
3762 },
3763 flags: []string{"-require-any-client-certificate"},
3764 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3765
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3766 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3767 tests = append(tests, testCase{
3768 testType: serverTest,
3769 name: "Basic-Server-RSA",
3770 config: Config{
3771 MaxVersion: VersionTLS12,
3772 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3773 },
3774 flags: []string{
3775 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3776 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3777 },
3778 })
3779 tests = append(tests, testCase{
3780 testType: serverTest,
3781 name: "Basic-Server-ECDHE-RSA",
3782 config: Config{
3783 MaxVersion: VersionTLS12,
3784 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3785 },
3786 flags: []string{
3787 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3788 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3789 },
3790 })
3791 tests = append(tests, testCase{
3792 testType: serverTest,
3793 name: "Basic-Server-ECDHE-ECDSA",
3794 config: Config{
3795 MaxVersion: VersionTLS12,
3796 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3797 },
3798 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3799 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3800 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3801 },
3802 })
3803
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3804 // No session ticket support; server doesn't send NewSessionTicket.
3805 tests = append(tests, testCase{
3806 name: "SessionTicketsDisabled-Client",
3807 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3808 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3809 SessionTicketsDisabled: true,
3810 },
3811 })
3812 tests = append(tests, testCase{
3813 testType: serverTest,
3814 name: "SessionTicketsDisabled-Server",
3815 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3816 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3817 SessionTicketsDisabled: true,
3818 },
3819 })
3820
3821 // Skip ServerKeyExchange in PSK key exchange if there's no
3822 // identity hint.
3823 tests = append(tests, testCase{
3824 name: "EmptyPSKHint-Client",
3825 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3826 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3827 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3828 PreSharedKey: []byte("secret"),
3829 },
3830 flags: []string{"-psk", "secret"},
3831 })
3832 tests = append(tests, testCase{
3833 testType: serverTest,
3834 name: "EmptyPSKHint-Server",
3835 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3836 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3837 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3838 PreSharedKey: []byte("secret"),
3839 },
3840 flags: []string{"-psk", "secret"},
3841 })
3842
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3843 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3844 tests = append(tests, testCase{
3845 testType: clientTest,
3846 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3847 config: Config{
3848 MaxVersion: VersionTLS12,
3849 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3850 flags: []string{
3851 "-enable-ocsp-stapling",
3852 "-expect-ocsp-response",
3853 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3854 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3855 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3856 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3857 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3858 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3859 testType: serverTest,
3860 name: "OCSPStapling-Server",
3861 config: Config{
3862 MaxVersion: VersionTLS12,
3863 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3864 expectedOCSPResponse: testOCSPResponse,
3865 flags: []string{
3866 "-ocsp-response",
3867 base64.StdEncoding.EncodeToString(testOCSPResponse),
3868 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3869 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3870 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3871 tests = append(tests, testCase{
3872 testType: clientTest,
3873 name: "OCSPStapling-Client-TLS13",
3874 config: Config{
3875 MaxVersion: VersionTLS13,
3876 },
3877 flags: []string{
3878 "-enable-ocsp-stapling",
3879 "-expect-ocsp-response",
3880 base64.StdEncoding.EncodeToString(testOCSPResponse),
3881 "-verify-peer",
3882 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3883 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3884 })
3885 tests = append(tests, testCase{
3886 testType: serverTest,
3887 name: "OCSPStapling-Server-TLS13",
3888 config: Config{
3889 MaxVersion: VersionTLS13,
3890 },
3891 expectedOCSPResponse: testOCSPResponse,
3892 flags: []string{
3893 "-ocsp-response",
3894 base64.StdEncoding.EncodeToString(testOCSPResponse),
3895 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3896 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3897 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3898
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3899 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3900 for _, vers := range tlsVersions {
3901 if config.protocol == dtls && !vers.hasDTLS {
3902 continue
3903 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3904 for _, testType := range []testType{clientTest, serverTest} {
3905 suffix := "-Client"
3906 if testType == serverTest {
3907 suffix = "-Server"
3908 }
3909 suffix += "-" + vers.name
3910
3911 flag := "-verify-peer"
3912 if testType == serverTest {
3913 flag = "-require-any-client-certificate"
3914 }
3915
3916 tests = append(tests, testCase{
3917 testType: testType,
3918 name: "CertificateVerificationSucceed" + suffix,
3919 config: Config{
3920 MaxVersion: vers.version,
3921 Certificates: []Certificate{rsaCertificate},
3922 },
3923 flags: []string{
3924 flag,
3925 "-expect-verify-result",
3926 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3927 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3928 })
3929 tests = append(tests, testCase{
3930 testType: testType,
3931 name: "CertificateVerificationFail" + suffix,
3932 config: Config{
3933 MaxVersion: vers.version,
3934 Certificates: []Certificate{rsaCertificate},
3935 },
3936 flags: []string{
3937 flag,
3938 "-verify-fail",
3939 },
3940 shouldFail: true,
3941 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3942 })
3943 }
3944
3945 // By default, the client is in a soft fail mode where the peer
3946 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3947 tests = append(tests, testCase{
3948 testType: clientTest,
3949 name: "CertificateVerificationSoftFail-" + vers.name,
3950 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3951 MaxVersion: vers.version,
3952 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3953 },
3954 flags: []string{
3955 "-verify-fail",
3956 "-expect-verify-result",
3957 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3958 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3959 })
3960 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3961
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3962 tests = append(tests, testCase{
3963 name: "ShimSendAlert",
3964 flags: []string{"-send-alert"},
3965 shimWritesFirst: true,
3966 shouldFail: true,
3967 expectedLocalError: "remote error: decompression failure",
3968 })
3969
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3970 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3971 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3972 name: "Renegotiate-Client",
3973 config: Config{
3974 MaxVersion: VersionTLS12,
3975 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3976 renegotiate: 1,
3977 flags: []string{
3978 "-renegotiate-freely",
3979 "-expect-total-renegotiations", "1",
3980 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3981 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3982
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3983 tests = append(tests, testCase{
3984 name: "SendHalfHelloRequest",
3985 config: Config{
3986 MaxVersion: VersionTLS12,
3987 Bugs: ProtocolBugs{
3988 PackHelloRequestWithFinished: config.packHandshakeFlight,
3989 },
3990 },
3991 sendHalfHelloRequest: true,
3992 flags: []string{"-renegotiate-ignore"},
3993 shouldFail: true,
3994 expectedError: ":UNEXPECTED_RECORD:",
3995 })
3996
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3997 // NPN on client and server; results in post-handshake message.
3998 tests = append(tests, testCase{
3999 name: "NPN-Client",
4000 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4001 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4002 NextProtos: []string{"foo"},
4003 },
4004 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4005 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4006 expectedNextProto: "foo",
4007 expectedNextProtoType: npn,
4008 })
4009 tests = append(tests, testCase{
4010 testType: serverTest,
4011 name: "NPN-Server",
4012 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4013 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4014 NextProtos: []string{"bar"},
4015 },
4016 flags: []string{
4017 "-advertise-npn", "\x03foo\x03bar\x03baz",
4018 "-expect-next-proto", "bar",
4019 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4020 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4021 expectedNextProto: "bar",
4022 expectedNextProtoType: npn,
4023 })
4024
4025 // TODO(davidben): Add tests for when False Start doesn't trigger.
4026
4027 // Client does False Start and negotiates NPN.
4028 tests = append(tests, testCase{
4029 name: "FalseStart",
4030 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4031 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4032 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4033 NextProtos: []string{"foo"},
4034 Bugs: ProtocolBugs{
4035 ExpectFalseStart: true,
4036 },
4037 },
4038 flags: []string{
4039 "-false-start",
4040 "-select-next-proto", "foo",
4041 },
4042 shimWritesFirst: true,
4043 resumeSession: true,
4044 })
4045
4046 // Client does False Start and negotiates ALPN.
4047 tests = append(tests, testCase{
4048 name: "FalseStart-ALPN",
4049 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4050 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4051 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4052 NextProtos: []string{"foo"},
4053 Bugs: ProtocolBugs{
4054 ExpectFalseStart: true,
4055 },
4056 },
4057 flags: []string{
4058 "-false-start",
4059 "-advertise-alpn", "\x03foo",
4060 },
4061 shimWritesFirst: true,
4062 resumeSession: true,
4063 })
4064
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4065 // False Start without session tickets.
4066 tests = append(tests, testCase{
4067 name: "FalseStart-SessionTicketsDisabled",
4068 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4069 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4070 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4071 NextProtos: []string{"foo"},
4072 SessionTicketsDisabled: true,
4073 Bugs: ProtocolBugs{
4074 ExpectFalseStart: true,
4075 },
4076 },
4077 flags: []string{
4078 "-false-start",
4079 "-select-next-proto", "foo",
4080 },
4081 shimWritesFirst: true,
4082 })
4083
4084 // Server parses a V2ClientHello.
4085 tests = append(tests, testCase{
4086 testType: serverTest,
4087 name: "SendV2ClientHello",
4088 config: Config{
4089 // Choose a cipher suite that does not involve
4090 // elliptic curves, so no extensions are
4091 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4092 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4093 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4094 Bugs: ProtocolBugs{
4095 SendV2ClientHello: true,
4096 },
4097 },
4098 })
4099
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4100 // Test Channel ID
4101 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4102 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4103 continue
4104 }
4105 // Client sends a Channel ID.
4106 tests = append(tests, testCase{
4107 name: "ChannelID-Client-" + ver.name,
4108 config: Config{
4109 MaxVersion: ver.version,
4110 RequestChannelID: true,
4111 },
4112 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4113 resumeSession: true,
4114 expectChannelID: true,
4115 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4116
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4117 // Server accepts a Channel ID.
4118 tests = append(tests, testCase{
4119 testType: serverTest,
4120 name: "ChannelID-Server-" + ver.name,
4121 config: Config{
4122 MaxVersion: ver.version,
4123 ChannelID: channelIDKey,
4124 },
4125 flags: []string{
4126 "-expect-channel-id",
4127 base64.StdEncoding.EncodeToString(channelIDBytes),
4128 },
4129 resumeSession: true,
4130 expectChannelID: true,
4131 })
4132
4133 tests = append(tests, testCase{
4134 testType: serverTest,
4135 name: "InvalidChannelIDSignature-" + ver.name,
4136 config: Config{
4137 MaxVersion: ver.version,
4138 ChannelID: channelIDKey,
4139 Bugs: ProtocolBugs{
4140 InvalidChannelIDSignature: true,
4141 },
4142 },
4143 flags: []string{"-enable-channel-id"},
4144 shouldFail: true,
4145 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4146 })
4147 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4148
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4149 // Channel ID and NPN at the same time, to ensure their relative
4150 // ordering is correct.
4151 tests = append(tests, testCase{
4152 name: "ChannelID-NPN-Client",
4153 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4154 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4155 RequestChannelID: true,
4156 NextProtos: []string{"foo"},
4157 },
4158 flags: []string{
4159 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4160 "-select-next-proto", "foo",
4161 },
4162 resumeSession: true,
4163 expectChannelID: true,
4164 expectedNextProto: "foo",
4165 expectedNextProtoType: npn,
4166 })
4167 tests = append(tests, testCase{
4168 testType: serverTest,
4169 name: "ChannelID-NPN-Server",
4170 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4171 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4172 ChannelID: channelIDKey,
4173 NextProtos: []string{"bar"},
4174 },
4175 flags: []string{
4176 "-expect-channel-id",
4177 base64.StdEncoding.EncodeToString(channelIDBytes),
4178 "-advertise-npn", "\x03foo\x03bar\x03baz",
4179 "-expect-next-proto", "bar",
4180 },
4181 resumeSession: true,
4182 expectChannelID: true,
4183 expectedNextProto: "bar",
4184 expectedNextProtoType: npn,
4185 })
4186
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4187 // Bidirectional shutdown with the runner initiating.
4188 tests = append(tests, testCase{
4189 name: "Shutdown-Runner",
4190 config: Config{
4191 Bugs: ProtocolBugs{
4192 ExpectCloseNotify: true,
4193 },
4194 },
4195 flags: []string{"-check-close-notify"},
4196 })
4197
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4198 if !config.implicitHandshake {
4199 // Bidirectional shutdown with the shim initiating. The runner,
4200 // in the meantime, sends garbage before the close_notify which
4201 // the shim must ignore. This test is disabled under implicit
4202 // handshake tests because the shim never reads or writes.
4203 tests = append(tests, testCase{
4204 name: "Shutdown-Shim",
4205 config: Config{
4206 MaxVersion: VersionTLS12,
4207 Bugs: ProtocolBugs{
4208 ExpectCloseNotify: true,
4209 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4210 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4211 shimShutsDown: true,
4212 sendEmptyRecords: 1,
4213 sendWarningAlerts: 1,
4214 flags: []string{"-check-close-notify"},
4215 })
4216 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4217 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4218 // TODO(davidben): DTLS 1.3 will want a similar thing for
4219 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4220 tests = append(tests, testCase{
4221 name: "SkipHelloVerifyRequest",
4222 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4223 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4224 Bugs: ProtocolBugs{
4225 SkipHelloVerifyRequest: true,
4226 },
4227 },
4228 })
4229 }
4230
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4231 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4232 test.protocol = config.protocol
4233 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4234 test.name += "-DTLS"
4235 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4236 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4237 test.name += "-Async"
4238 test.flags = append(test.flags, "-async")
4239 } else {
4240 test.name += "-Sync"
4241 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4242 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4243 test.name += "-SplitHandshakeRecords"
4244 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4245 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4246 test.config.Bugs.MaxPacketLength = 256
4247 test.flags = append(test.flags, "-mtu", "256")
4248 }
4249 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4250 if config.packHandshakeFlight {
4251 test.name += "-PackHandshakeFlight"
4252 test.config.Bugs.PackHandshakeFlight = true
4253 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4254 if config.implicitHandshake {
4255 test.name += "-ImplicitHandshake"
4256 test.flags = append(test.flags, "-implicit-handshake")
4257 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4258 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4259 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4260}
4261
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4262func addDDoSCallbackTests() {
4263 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4264 for _, resume := range []bool{false, true} {
4265 suffix := "Resume"
4266 if resume {
4267 suffix = "No" + suffix
4268 }
4269
4270 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4271 testType: serverTest,
4272 name: "Server-DDoS-OK-" + suffix,
4273 config: Config{
4274 MaxVersion: VersionTLS12,
4275 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4276 flags: []string{"-install-ddos-callback"},
4277 resumeSession: resume,
4278 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4279 testCases = append(testCases, testCase{
4280 testType: serverTest,
4281 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4282 config: Config{
4283 MaxVersion: VersionTLS13,
4284 },
4285 flags: []string{"-install-ddos-callback"},
4286 resumeSession: resume,
4287 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4288
4289 failFlag := "-fail-ddos-callback"
4290 if resume {
4291 failFlag = "-fail-second-ddos-callback"
4292 }
4293 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4294 testType: serverTest,
4295 name: "Server-DDoS-Reject-" + suffix,
4296 config: Config{
4297 MaxVersion: VersionTLS12,
4298 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4299 flags: []string{"-install-ddos-callback", failFlag},
4300 resumeSession: resume,
4301 shouldFail: true,
4302 expectedError: ":CONNECTION_REJECTED:",
4303 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4304 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4305 testCases = append(testCases, testCase{
4306 testType: serverTest,
4307 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4308 config: Config{
4309 MaxVersion: VersionTLS13,
4310 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4311 flags: []string{"-install-ddos-callback", failFlag},
4312 resumeSession: resume,
4313 shouldFail: true,
4314 expectedError: ":CONNECTION_REJECTED:",
4315 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4316 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4317 }
4318}
4319
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4320func addVersionNegotiationTests() {
4321 for i, shimVers := range tlsVersions {
4322 // Assemble flags to disable all newer versions on the shim.
4323 var flags []string
4324 for _, vers := range tlsVersions[i+1:] {
4325 flags = append(flags, vers.flag)
4326 }
4327
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4328 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4329 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4330 protocols := []protocol{tls}
4331 if runnerVers.hasDTLS && shimVers.hasDTLS {
4332 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4333 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4334 for _, protocol := range protocols {
4335 expectedVersion := shimVers.version
4336 if runnerVers.version < shimVers.version {
4337 expectedVersion = runnerVers.version
4338 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4339
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4340 suffix := shimVers.name + "-" + runnerVers.name
4341 if protocol == dtls {
4342 suffix += "-DTLS"
4343 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4344
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4345 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4346
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4347 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4348 clientVers := shimVers.version
4349 if clientVers > VersionTLS10 {
4350 clientVers = VersionTLS10
4351 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4352 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4353 serverVers := expectedVersion
4354 if expectedVersion >= VersionTLS13 {
4355 serverVers = VersionTLS10
4356 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4357 serverVers = versionToWire(serverVers, protocol == dtls)
4358
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4359 testCases = append(testCases, testCase{
4360 protocol: protocol,
4361 testType: clientTest,
4362 name: "VersionNegotiation-Client-" + suffix,
4363 config: Config{
4364 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4365 Bugs: ProtocolBugs{
4366 ExpectInitialRecordVersion: clientVers,
4367 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4368 },
4369 flags: flags,
4370 expectedVersion: expectedVersion,
4371 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4372 testCases = append(testCases, testCase{
4373 protocol: protocol,
4374 testType: clientTest,
4375 name: "VersionNegotiation-Client2-" + suffix,
4376 config: Config{
4377 MaxVersion: runnerVers.version,
4378 Bugs: ProtocolBugs{
4379 ExpectInitialRecordVersion: clientVers,
4380 },
4381 },
4382 flags: []string{"-max-version", shimVersFlag},
4383 expectedVersion: expectedVersion,
4384 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4385
4386 testCases = append(testCases, testCase{
4387 protocol: protocol,
4388 testType: serverTest,
4389 name: "VersionNegotiation-Server-" + suffix,
4390 config: Config{
4391 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4392 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4393 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4394 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4395 },
4396 flags: flags,
4397 expectedVersion: expectedVersion,
4398 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4399 testCases = append(testCases, testCase{
4400 protocol: protocol,
4401 testType: serverTest,
4402 name: "VersionNegotiation-Server2-" + suffix,
4403 config: Config{
4404 MaxVersion: runnerVers.version,
4405 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4406 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4407 },
4408 },
4409 flags: []string{"-max-version", shimVersFlag},
4410 expectedVersion: expectedVersion,
4411 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4412 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4413 }
4414 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4415
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4416 // Test the version extension at all versions.
4417 for _, vers := range tlsVersions {
4418 protocols := []protocol{tls}
4419 if vers.hasDTLS {
4420 protocols = append(protocols, dtls)
4421 }
4422 for _, protocol := range protocols {
4423 suffix := vers.name
4424 if protocol == dtls {
4425 suffix += "-DTLS"
4426 }
4427
4428 wireVersion := versionToWire(vers.version, protocol == dtls)
4429 testCases = append(testCases, testCase{
4430 protocol: protocol,
4431 testType: serverTest,
4432 name: "VersionNegotiationExtension-" + suffix,
4433 config: Config{
4434 Bugs: ProtocolBugs{
4435 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4436 },
4437 },
4438 expectedVersion: vers.version,
4439 })
4440 }
4441
4442 }
4443
4444 // If all versions are unknown, negotiation fails.
4445 testCases = append(testCases, testCase{
4446 testType: serverTest,
4447 name: "NoSupportedVersions",
4448 config: Config{
4449 Bugs: ProtocolBugs{
4450 SendSupportedVersions: []uint16{0x1111},
4451 },
4452 },
4453 shouldFail: true,
4454 expectedError: ":UNSUPPORTED_PROTOCOL:",
4455 })
4456 testCases = append(testCases, testCase{
4457 protocol: dtls,
4458 testType: serverTest,
4459 name: "NoSupportedVersions-DTLS",
4460 config: Config{
4461 Bugs: ProtocolBugs{
4462 SendSupportedVersions: []uint16{0x1111},
4463 },
4464 },
4465 shouldFail: true,
4466 expectedError: ":UNSUPPORTED_PROTOCOL:",
4467 })
4468
4469 testCases = append(testCases, testCase{
4470 testType: serverTest,
4471 name: "ClientHelloVersionTooHigh",
4472 config: Config{
4473 MaxVersion: VersionTLS13,
4474 Bugs: ProtocolBugs{
4475 SendClientVersion: 0x0304,
4476 OmitSupportedVersions: true,
4477 },
4478 },
4479 expectedVersion: VersionTLS12,
4480 })
4481
4482 testCases = append(testCases, testCase{
4483 testType: serverTest,
4484 name: "ConflictingVersionNegotiation",
4485 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4486 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4487 SendClientVersion: VersionTLS12,
4488 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4489 },
4490 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4491 // The extension takes precedence over the ClientHello version.
4492 expectedVersion: VersionTLS11,
4493 })
4494
4495 testCases = append(testCases, testCase{
4496 testType: serverTest,
4497 name: "ConflictingVersionNegotiation-2",
4498 config: Config{
4499 Bugs: ProtocolBugs{
4500 SendClientVersion: VersionTLS11,
4501 SendSupportedVersions: []uint16{VersionTLS12},
4502 },
4503 },
4504 // The extension takes precedence over the ClientHello version.
4505 expectedVersion: VersionTLS12,
4506 })
4507
4508 testCases = append(testCases, testCase{
4509 testType: serverTest,
4510 name: "RejectFinalTLS13",
4511 config: Config{
4512 Bugs: ProtocolBugs{
4513 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4514 },
4515 },
4516 // We currently implement a draft TLS 1.3 version. Ensure that
4517 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4518 expectedVersion: VersionTLS12,
4519 })
4520
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4521 // Test that the maximum version is selected regardless of the
4522 // client-sent order.
4523 testCases = append(testCases, testCase{
4524 testType: serverTest,
4525 name: "IgnoreClientVersionOrder",
4526 config: Config{
4527 Bugs: ProtocolBugs{
4528 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4529 },
4530 },
4531 expectedVersion: VersionTLS13,
4532 })
4533
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4534 // Test for version tolerance.
4535 testCases = append(testCases, testCase{
4536 testType: serverTest,
4537 name: "MinorVersionTolerance",
4538 config: Config{
4539 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4540 SendClientVersion: 0x03ff,
4541 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4542 },
4543 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4544 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4545 })
4546 testCases = append(testCases, testCase{
4547 testType: serverTest,
4548 name: "MajorVersionTolerance",
4549 config: Config{
4550 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4551 SendClientVersion: 0x0400,
4552 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4553 },
4554 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4555 // TLS 1.3 must be negotiated with the supported_versions
4556 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4557 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4558 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4559 testCases = append(testCases, testCase{
4560 testType: serverTest,
4561 name: "VersionTolerance-TLS13",
4562 config: Config{
4563 Bugs: ProtocolBugs{
4564 // Although TLS 1.3 does not use
4565 // ClientHello.version, it still tolerates high
4566 // values there.
4567 SendClientVersion: 0x0400,
4568 },
4569 },
4570 expectedVersion: VersionTLS13,
4571 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4572
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4573 testCases = append(testCases, testCase{
4574 protocol: dtls,
4575 testType: serverTest,
4576 name: "MinorVersionTolerance-DTLS",
4577 config: Config{
4578 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4579 SendClientVersion: 0xfe00,
4580 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4581 },
4582 },
4583 expectedVersion: VersionTLS12,
4584 })
4585 testCases = append(testCases, testCase{
4586 protocol: dtls,
4587 testType: serverTest,
4588 name: "MajorVersionTolerance-DTLS",
4589 config: Config{
4590 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4591 SendClientVersion: 0xfdff,
4592 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4593 },
4594 },
4595 expectedVersion: VersionTLS12,
4596 })
4597
4598 // Test that versions below 3.0 are rejected.
4599 testCases = append(testCases, testCase{
4600 testType: serverTest,
4601 name: "VersionTooLow",
4602 config: Config{
4603 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4604 SendClientVersion: 0x0200,
4605 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4606 },
4607 },
4608 shouldFail: true,
4609 expectedError: ":UNSUPPORTED_PROTOCOL:",
4610 })
4611 testCases = append(testCases, testCase{
4612 protocol: dtls,
4613 testType: serverTest,
4614 name: "VersionTooLow-DTLS",
4615 config: Config{
4616 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4617 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4618 },
4619 },
4620 shouldFail: true,
4621 expectedError: ":UNSUPPORTED_PROTOCOL:",
4622 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4623
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4624 testCases = append(testCases, testCase{
4625 name: "ServerBogusVersion",
4626 config: Config{
4627 Bugs: ProtocolBugs{
4628 SendServerHelloVersion: 0x1234,
4629 },
4630 },
4631 shouldFail: true,
4632 expectedError: ":UNSUPPORTED_PROTOCOL:",
4633 })
4634
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4635 // Test TLS 1.3's downgrade signal.
4636 testCases = append(testCases, testCase{
4637 name: "Downgrade-TLS12-Client",
4638 config: Config{
4639 Bugs: ProtocolBugs{
4640 NegotiateVersion: VersionTLS12,
4641 },
4642 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4643 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4644 // TODO(davidben): This test should fail once TLS 1.3 is final
4645 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4646 })
4647 testCases = append(testCases, testCase{
4648 testType: serverTest,
4649 name: "Downgrade-TLS12-Server",
4650 config: Config{
4651 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4652 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4653 },
4654 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4655 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4656 // TODO(davidben): This test should fail once TLS 1.3 is final
4657 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4658 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4659}
4660
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4661func addMinimumVersionTests() {
4662 for i, shimVers := range tlsVersions {
4663 // Assemble flags to disable all older versions on the shim.
4664 var flags []string
4665 for _, vers := range tlsVersions[:i] {
4666 flags = append(flags, vers.flag)
4667 }
4668
4669 for _, runnerVers := range tlsVersions {
4670 protocols := []protocol{tls}
4671 if runnerVers.hasDTLS && shimVers.hasDTLS {
4672 protocols = append(protocols, dtls)
4673 }
4674 for _, protocol := range protocols {
4675 suffix := shimVers.name + "-" + runnerVers.name
4676 if protocol == dtls {
4677 suffix += "-DTLS"
4678 }
4679 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4680
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4681 var expectedVersion uint16
4682 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4683 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4684 if runnerVers.version >= shimVers.version {
4685 expectedVersion = runnerVers.version
4686 } else {
4687 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4688 expectedError = ":UNSUPPORTED_PROTOCOL:"
4689 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4690 }
4691
4692 testCases = append(testCases, testCase{
4693 protocol: protocol,
4694 testType: clientTest,
4695 name: "MinimumVersion-Client-" + suffix,
4696 config: Config{
4697 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4698 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4699 // Ensure the server does not decline to
4700 // select a version (versions extension) or
4701 // cipher (some ciphers depend on versions).
4702 NegotiateVersion: runnerVers.version,
4703 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4704 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4705 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4706 flags: flags,
4707 expectedVersion: expectedVersion,
4708 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4709 expectedError: expectedError,
4710 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4711 })
4712 testCases = append(testCases, testCase{
4713 protocol: protocol,
4714 testType: clientTest,
4715 name: "MinimumVersion-Client2-" + suffix,
4716 config: Config{
4717 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4718 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4719 // Ensure the server does not decline to
4720 // select a version (versions extension) or
4721 // cipher (some ciphers depend on versions).
4722 NegotiateVersion: runnerVers.version,
4723 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4724 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4725 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4726 flags: []string{"-min-version", shimVersFlag},
4727 expectedVersion: expectedVersion,
4728 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4729 expectedError: expectedError,
4730 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4731 })
4732
4733 testCases = append(testCases, testCase{
4734 protocol: protocol,
4735 testType: serverTest,
4736 name: "MinimumVersion-Server-" + suffix,
4737 config: Config{
4738 MaxVersion: runnerVers.version,
4739 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4740 flags: flags,
4741 expectedVersion: expectedVersion,
4742 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4743 expectedError: expectedError,
4744 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4745 })
4746 testCases = append(testCases, testCase{
4747 protocol: protocol,
4748 testType: serverTest,
4749 name: "MinimumVersion-Server2-" + suffix,
4750 config: Config{
4751 MaxVersion: runnerVers.version,
4752 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4753 flags: []string{"-min-version", shimVersFlag},
4754 expectedVersion: expectedVersion,
4755 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4756 expectedError: expectedError,
4757 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4758 })
4759 }
4760 }
4761 }
4762}
4763
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4764func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4765 // TODO(davidben): Extensions, where applicable, all move their server
4766 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4767 // tests for both. Also test interaction with 0-RTT when implemented.
4768
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4769 // Repeat extensions tests all versions except SSL 3.0.
4770 for _, ver := range tlsVersions {
4771 if ver.version == VersionSSL30 {
4772 continue
4773 }
4774
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4775 // Test that duplicate extensions are rejected.
4776 testCases = append(testCases, testCase{
4777 testType: clientTest,
4778 name: "DuplicateExtensionClient-" + ver.name,
4779 config: Config{
4780 MaxVersion: ver.version,
4781 Bugs: ProtocolBugs{
4782 DuplicateExtension: true,
4783 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4784 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4785 shouldFail: true,
4786 expectedLocalError: "remote error: error decoding message",
4787 })
4788 testCases = append(testCases, testCase{
4789 testType: serverTest,
4790 name: "DuplicateExtensionServer-" + ver.name,
4791 config: Config{
4792 MaxVersion: ver.version,
4793 Bugs: ProtocolBugs{
4794 DuplicateExtension: true,
4795 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4796 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4797 shouldFail: true,
4798 expectedLocalError: "remote error: error decoding message",
4799 })
4800
4801 // Test SNI.
4802 testCases = append(testCases, testCase{
4803 testType: clientTest,
4804 name: "ServerNameExtensionClient-" + ver.name,
4805 config: Config{
4806 MaxVersion: ver.version,
4807 Bugs: ProtocolBugs{
4808 ExpectServerName: "example.com",
4809 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4810 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4811 flags: []string{"-host-name", "example.com"},
4812 })
4813 testCases = append(testCases, testCase{
4814 testType: clientTest,
4815 name: "ServerNameExtensionClientMismatch-" + ver.name,
4816 config: Config{
4817 MaxVersion: ver.version,
4818 Bugs: ProtocolBugs{
4819 ExpectServerName: "mismatch.com",
4820 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4821 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4822 flags: []string{"-host-name", "example.com"},
4823 shouldFail: true,
4824 expectedLocalError: "tls: unexpected server name",
4825 })
4826 testCases = append(testCases, testCase{
4827 testType: clientTest,
4828 name: "ServerNameExtensionClientMissing-" + ver.name,
4829 config: Config{
4830 MaxVersion: ver.version,
4831 Bugs: ProtocolBugs{
4832 ExpectServerName: "missing.com",
4833 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4834 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4835 shouldFail: true,
4836 expectedLocalError: "tls: unexpected server name",
4837 })
4838 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4839 testType: clientTest,
4840 name: "TolerateServerNameAck-" + ver.name,
4841 config: Config{
4842 MaxVersion: ver.version,
4843 Bugs: ProtocolBugs{
4844 SendServerNameAck: true,
4845 },
4846 },
4847 flags: []string{"-host-name", "example.com"},
4848 resumeSession: true,
4849 })
4850 testCases = append(testCases, testCase{
4851 testType: clientTest,
4852 name: "UnsolicitedServerNameAck-" + ver.name,
4853 config: Config{
4854 MaxVersion: ver.version,
4855 Bugs: ProtocolBugs{
4856 SendServerNameAck: true,
4857 },
4858 },
4859 shouldFail: true,
4860 expectedError: ":UNEXPECTED_EXTENSION:",
4861 expectedLocalError: "remote error: unsupported extension",
4862 })
4863 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4864 testType: serverTest,
4865 name: "ServerNameExtensionServer-" + ver.name,
4866 config: Config{
4867 MaxVersion: ver.version,
4868 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4869 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4870 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4871 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4872 })
4873
4874 // Test ALPN.
4875 testCases = append(testCases, testCase{
4876 testType: clientTest,
4877 name: "ALPNClient-" + ver.name,
4878 config: Config{
4879 MaxVersion: ver.version,
4880 NextProtos: []string{"foo"},
4881 },
4882 flags: []string{
4883 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4884 "-expect-alpn", "foo",
4885 },
4886 expectedNextProto: "foo",
4887 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4888 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4889 })
4890 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4891 testType: clientTest,
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame^]4892 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4893 config: Config{
4894 MaxVersion: ver.version,
4895 Bugs: ProtocolBugs{
4896 SendALPN: "baz",
4897 },
4898 },
4899 flags: []string{
4900 "-advertise-alpn", "\x03foo\x03bar",
4901 },
4902 shouldFail: true,
4903 expectedError: ":INVALID_ALPN_PROTOCOL:",
4904 expectedLocalError: "remote error: illegal parameter",
4905 })
4906 testCases = append(testCases, testCase{
David Benjaminc8ff30c2017-04-04 13:52:36 -0400[diff] [blame^]4907 testType: clientTest,
4908 name: "ALPNClient-AllowUnknown-" + ver.name,
4909 config: Config{
4910 MaxVersion: ver.version,
4911 Bugs: ProtocolBugs{
4912 SendALPN: "baz",
4913 },
4914 },
4915 flags: []string{
4916 "-advertise-alpn", "\x03foo\x03bar",
4917 "-allow-unknown-alpn-protos",
4918 },
4919 })
4920 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4921 testType: serverTest,
4922 name: "ALPNServer-" + ver.name,
4923 config: Config{
4924 MaxVersion: ver.version,
4925 NextProtos: []string{"foo", "bar", "baz"},
4926 },
4927 flags: []string{
4928 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4929 "-select-alpn", "foo",
4930 },
4931 expectedNextProto: "foo",
4932 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4933 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4934 })
4935 testCases = append(testCases, testCase{
4936 testType: serverTest,
4937 name: "ALPNServer-Decline-" + ver.name,
4938 config: Config{
4939 MaxVersion: ver.version,
4940 NextProtos: []string{"foo", "bar", "baz"},
4941 },
4942 flags: []string{"-decline-alpn"},
4943 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4944 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4945 })
4946
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4947 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4948 // called once.
4949 testCases = append(testCases, testCase{
4950 testType: serverTest,
4951 name: "ALPNServer-Async-" + ver.name,
4952 config: Config{
4953 MaxVersion: ver.version,
4954 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4955 // Prior to TLS 1.3, exercise the asynchronous session callback.
4956 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4957 },
4958 flags: []string{
4959 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4960 "-select-alpn", "foo",
4961 "-async",
4962 },
4963 expectedNextProto: "foo",
4964 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4965 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4966 })
4967
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4968 var emptyString string
4969 testCases = append(testCases, testCase{
4970 testType: clientTest,
4971 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4972 config: Config{
4973 MaxVersion: ver.version,
4974 NextProtos: []string{""},
4975 Bugs: ProtocolBugs{
4976 // A server returning an empty ALPN protocol
4977 // should be rejected.
4978 ALPNProtocol: &emptyString,
4979 },
4980 },
4981 flags: []string{
4982 "-advertise-alpn", "\x03foo",
4983 },
4984 shouldFail: true,
4985 expectedError: ":PARSE_TLSEXT:",
4986 })
4987 testCases = append(testCases, testCase{
4988 testType: serverTest,
4989 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4990 config: Config{
4991 MaxVersion: ver.version,
4992 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4993 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4994 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4995 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4996 flags: []string{
4997 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4998 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4999 shouldFail: true,
5000 expectedError: ":PARSE_TLSEXT:",
5001 })
5002
5003 // Test NPN and the interaction with ALPN.
5004 if ver.version < VersionTLS13 {
5005 // Test that the server prefers ALPN over NPN.
5006 testCases = append(testCases, testCase{
5007 testType: serverTest,
5008 name: "ALPNServer-Preferred-" + ver.name,
5009 config: Config{
5010 MaxVersion: ver.version,
5011 NextProtos: []string{"foo", "bar", "baz"},
5012 },
5013 flags: []string{
5014 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5015 "-select-alpn", "foo",
5016 "-advertise-npn", "\x03foo\x03bar\x03baz",
5017 },
5018 expectedNextProto: "foo",
5019 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5020 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5021 })
5022 testCases = append(testCases, testCase{
5023 testType: serverTest,
5024 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5025 config: Config{
5026 MaxVersion: ver.version,
5027 NextProtos: []string{"foo", "bar", "baz"},
5028 Bugs: ProtocolBugs{
5029 SwapNPNAndALPN: true,
5030 },
5031 },
5032 flags: []string{
5033 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5034 "-select-alpn", "foo",
5035 "-advertise-npn", "\x03foo\x03bar\x03baz",
5036 },
5037 expectedNextProto: "foo",
5038 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5039 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5040 })
5041
5042 // Test that negotiating both NPN and ALPN is forbidden.
5043 testCases = append(testCases, testCase{
5044 name: "NegotiateALPNAndNPN-" + ver.name,
5045 config: Config{
5046 MaxVersion: ver.version,
5047 NextProtos: []string{"foo", "bar", "baz"},
5048 Bugs: ProtocolBugs{
5049 NegotiateALPNAndNPN: true,
5050 },
5051 },
5052 flags: []string{
5053 "-advertise-alpn", "\x03foo",
5054 "-select-next-proto", "foo",
5055 },
5056 shouldFail: true,
5057 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5058 })
5059 testCases = append(testCases, testCase{
5060 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5061 config: Config{
5062 MaxVersion: ver.version,
5063 NextProtos: []string{"foo", "bar", "baz"},
5064 Bugs: ProtocolBugs{
5065 NegotiateALPNAndNPN: true,
5066 SwapNPNAndALPN: true,
5067 },
5068 },
5069 flags: []string{
5070 "-advertise-alpn", "\x03foo",
5071 "-select-next-proto", "foo",
5072 },
5073 shouldFail: true,
5074 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5075 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5076 }
5077
5078 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5079
5080 // Resume with a corrupt ticket.
5081 testCases = append(testCases, testCase{
5082 testType: serverTest,
5083 name: "CorruptTicket-" + ver.name,
5084 config: Config{
5085 MaxVersion: ver.version,
5086 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5087 FilterTicket: func(in []byte) ([]byte, error) {
5088 in[len(in)-1] ^= 1
5089 return in, nil
5090 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5091 },
5092 },
5093 resumeSession: true,
5094 expectResumeRejected: true,
5095 })
5096 // Test the ticket callback, with and without renewal.
5097 testCases = append(testCases, testCase{
5098 testType: serverTest,
5099 name: "TicketCallback-" + ver.name,
5100 config: Config{
5101 MaxVersion: ver.version,
5102 },
5103 resumeSession: true,
5104 flags: []string{"-use-ticket-callback"},
5105 })
5106 testCases = append(testCases, testCase{
5107 testType: serverTest,
5108 name: "TicketCallback-Renew-" + ver.name,
5109 config: Config{
5110 MaxVersion: ver.version,
5111 Bugs: ProtocolBugs{
5112 ExpectNewTicket: true,
5113 },
5114 },
5115 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5116 resumeSession: true,
5117 })
5118
5119 // Test that the ticket callback is only called once when everything before
5120 // it in the ClientHello is asynchronous. This corrupts the ticket so
5121 // certificate selection callbacks run.
5122 testCases = append(testCases, testCase{
5123 testType: serverTest,
5124 name: "TicketCallback-SingleCall-" + ver.name,
5125 config: Config{
5126 MaxVersion: ver.version,
5127 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5128 FilterTicket: func(in []byte) ([]byte, error) {
5129 in[len(in)-1] ^= 1
5130 return in, nil
5131 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5132 },
5133 },
5134 resumeSession: true,
5135 expectResumeRejected: true,
5136 flags: []string{
5137 "-use-ticket-callback",
5138 "-async",
5139 },
5140 })
5141
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5142 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5143 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5144 testCases = append(testCases, testCase{
5145 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5146 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5147 config: Config{
5148 MaxVersion: ver.version,
5149 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5150 EmptyTicketSessionID: true,
5151 },
5152 },
5153 resumeSession: true,
5154 })
5155 testCases = append(testCases, testCase{
5156 testType: serverTest,
5157 name: "TicketSessionIDLength-16-" + ver.name,
5158 config: Config{
5159 MaxVersion: ver.version,
5160 Bugs: ProtocolBugs{
5161 TicketSessionIDLength: 16,
5162 },
5163 },
5164 resumeSession: true,
5165 })
5166 testCases = append(testCases, testCase{
5167 testType: serverTest,
5168 name: "TicketSessionIDLength-32-" + ver.name,
5169 config: Config{
5170 MaxVersion: ver.version,
5171 Bugs: ProtocolBugs{
5172 TicketSessionIDLength: 32,
5173 },
5174 },
5175 resumeSession: true,
5176 })
5177 testCases = append(testCases, testCase{
5178 testType: serverTest,
5179 name: "TicketSessionIDLength-33-" + ver.name,
5180 config: Config{
5181 MaxVersion: ver.version,
5182 Bugs: ProtocolBugs{
5183 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5184 },
5185 },
5186 resumeSession: true,
5187 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5188 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5189 expectedError: ":DECODE_ERROR:",
5190 })
5191 }
5192
5193 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5194 // are ignored.
5195 if ver.hasDTLS {
5196 testCases = append(testCases, testCase{
5197 protocol: dtls,
5198 name: "SRTP-Client-" + ver.name,
5199 config: Config{
5200 MaxVersion: ver.version,
5201 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5202 },
5203 flags: []string{
5204 "-srtp-profiles",
5205 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5206 },
5207 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5208 })
5209 testCases = append(testCases, testCase{
5210 protocol: dtls,
5211 testType: serverTest,
5212 name: "SRTP-Server-" + ver.name,
5213 config: Config{
5214 MaxVersion: ver.version,
5215 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5216 },
5217 flags: []string{
5218 "-srtp-profiles",
5219 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5220 },
5221 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5222 })
5223 // Test that the MKI is ignored.
5224 testCases = append(testCases, testCase{
5225 protocol: dtls,
5226 testType: serverTest,
5227 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5228 config: Config{
5229 MaxVersion: ver.version,
5230 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5231 Bugs: ProtocolBugs{
5232 SRTPMasterKeyIdentifer: "bogus",
5233 },
5234 },
5235 flags: []string{
5236 "-srtp-profiles",
5237 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5238 },
5239 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5240 })
5241 // Test that SRTP isn't negotiated on the server if there were
5242 // no matching profiles.
5243 testCases = append(testCases, testCase{
5244 protocol: dtls,
5245 testType: serverTest,
5246 name: "SRTP-Server-NoMatch-" + ver.name,
5247 config: Config{
5248 MaxVersion: ver.version,
5249 SRTPProtectionProfiles: []uint16{100, 101, 102},
5250 },
5251 flags: []string{
5252 "-srtp-profiles",
5253 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5254 },
5255 expectedSRTPProtectionProfile: 0,
5256 })
5257 // Test that the server returning an invalid SRTP profile is
5258 // flagged as an error by the client.
5259 testCases = append(testCases, testCase{
5260 protocol: dtls,
5261 name: "SRTP-Client-NoMatch-" + ver.name,
5262 config: Config{
5263 MaxVersion: ver.version,
5264 Bugs: ProtocolBugs{
5265 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5266 },
5267 },
5268 flags: []string{
5269 "-srtp-profiles",
5270 "SRTP_AES128_CM_SHA1_80",
5271 },
5272 shouldFail: true,
5273 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5274 })
5275 }
5276
5277 // Test SCT list.
5278 testCases = append(testCases, testCase{
5279 name: "SignedCertificateTimestampList-Client-" + ver.name,
5280 testType: clientTest,
5281 config: Config{
5282 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5283 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5284 flags: []string{
5285 "-enable-signed-cert-timestamps",
5286 "-expect-signed-cert-timestamps",
5287 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5288 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5289 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5290 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5291
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5292 var differentSCTList []byte
5293 differentSCTList = append(differentSCTList, testSCTList...)
5294 differentSCTList[len(differentSCTList)-1] ^= 1
5295
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5296 // The SCT extension did not specify that it must only be sent on resumption as it
5297 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5298 testCases = append(testCases, testCase{
5299 name: "SendSCTListOnResume-" + ver.name,
5300 config: Config{
5301 MaxVersion: ver.version,
5302 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5303 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5304 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5305 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5306 flags: []string{
5307 "-enable-signed-cert-timestamps",
5308 "-expect-signed-cert-timestamps",
5309 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5310 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5311 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5312 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5313
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5314 testCases = append(testCases, testCase{
5315 name: "SignedCertificateTimestampList-Server-" + ver.name,
5316 testType: serverTest,
5317 config: Config{
5318 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5319 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5320 flags: []string{
5321 "-signed-cert-timestamps",
5322 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5323 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5324 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5325 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5326 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5327
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5328 emptySCTListCert := *testCerts[0].cert
5329 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5330
5331 // Test empty SCT list.
5332 testCases = append(testCases, testCase{
5333 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5334 testType: clientTest,
5335 config: Config{
5336 MaxVersion: ver.version,
5337 Certificates: []Certificate{emptySCTListCert},
5338 },
5339 flags: []string{
5340 "-enable-signed-cert-timestamps",
5341 },
5342 shouldFail: true,
5343 expectedError: ":ERROR_PARSING_EXTENSION:",
5344 })
5345
5346 emptySCTCert := *testCerts[0].cert
5347 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5348
5349 // Test empty SCT in non-empty list.
5350 testCases = append(testCases, testCase{
5351 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5352 testType: clientTest,
5353 config: Config{
5354 MaxVersion: ver.version,
5355 Certificates: []Certificate{emptySCTCert},
5356 },
5357 flags: []string{
5358 "-enable-signed-cert-timestamps",
5359 },
5360 shouldFail: true,
5361 expectedError: ":ERROR_PARSING_EXTENSION:",
5362 })
5363
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5364 // Test that certificate-related extensions are not sent unsolicited.
5365 testCases = append(testCases, testCase{
5366 testType: serverTest,
5367 name: "UnsolicitedCertificateExtensions-" + ver.name,
5368 config: Config{
5369 MaxVersion: ver.version,
5370 Bugs: ProtocolBugs{
5371 NoOCSPStapling: true,
5372 NoSignedCertificateTimestamps: true,
5373 },
5374 },
5375 flags: []string{
5376 "-ocsp-response",
5377 base64.StdEncoding.EncodeToString(testOCSPResponse),
5378 "-signed-cert-timestamps",
5379 base64.StdEncoding.EncodeToString(testSCTList),
5380 },
5381 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5382 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5383
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5384 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5385 testType: clientTest,
5386 name: "ClientHelloPadding",
5387 config: Config{
5388 Bugs: ProtocolBugs{
5389 RequireClientHelloSize: 512,
5390 },
5391 },
5392 // This hostname just needs to be long enough to push the
5393 // ClientHello into F5's danger zone between 256 and 511 bytes
5394 // long.
5395 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5396 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5397
5398 // Extensions should not function in SSL 3.0.
5399 testCases = append(testCases, testCase{
5400 testType: serverTest,
5401 name: "SSLv3Extensions-NoALPN",
5402 config: Config{
5403 MaxVersion: VersionSSL30,
5404 NextProtos: []string{"foo", "bar", "baz"},
5405 },
5406 flags: []string{
5407 "-select-alpn", "foo",
5408 },
5409 expectNoNextProto: true,
5410 })
5411
5412 // Test session tickets separately as they follow a different codepath.
5413 testCases = append(testCases, testCase{
5414 testType: serverTest,
5415 name: "SSLv3Extensions-NoTickets",
5416 config: Config{
5417 MaxVersion: VersionSSL30,
5418 Bugs: ProtocolBugs{
5419 // Historically, session tickets in SSL 3.0
5420 // failed in different ways depending on whether
5421 // the client supported renegotiation_info.
5422 NoRenegotiationInfo: true,
5423 },
5424 },
5425 resumeSession: true,
5426 })
5427 testCases = append(testCases, testCase{
5428 testType: serverTest,
5429 name: "SSLv3Extensions-NoTickets2",
5430 config: Config{
5431 MaxVersion: VersionSSL30,
5432 },
5433 resumeSession: true,
5434 })
5435
5436 // But SSL 3.0 does send and process renegotiation_info.
5437 testCases = append(testCases, testCase{
5438 testType: serverTest,
5439 name: "SSLv3Extensions-RenegotiationInfo",
5440 config: Config{
5441 MaxVersion: VersionSSL30,
5442 Bugs: ProtocolBugs{
5443 RequireRenegotiationInfo: true,
5444 },
5445 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5446 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5447 })
5448 testCases = append(testCases, testCase{
5449 testType: serverTest,
5450 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5451 config: Config{
5452 MaxVersion: VersionSSL30,
5453 Bugs: ProtocolBugs{
5454 NoRenegotiationInfo: true,
5455 SendRenegotiationSCSV: true,
5456 RequireRenegotiationInfo: true,
5457 },
5458 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5459 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5460 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5461
5462 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5463 // in ServerHello.
5464 testCases = append(testCases, testCase{
5465 name: "NPN-Forbidden-TLS13",
5466 config: Config{
5467 MaxVersion: VersionTLS13,
5468 NextProtos: []string{"foo"},
5469 Bugs: ProtocolBugs{
5470 NegotiateNPNAtAllVersions: true,
5471 },
5472 },
5473 flags: []string{"-select-next-proto", "foo"},
5474 shouldFail: true,
5475 expectedError: ":ERROR_PARSING_EXTENSION:",
5476 })
5477 testCases = append(testCases, testCase{
5478 name: "EMS-Forbidden-TLS13",
5479 config: Config{
5480 MaxVersion: VersionTLS13,
5481 Bugs: ProtocolBugs{
5482 NegotiateEMSAtAllVersions: true,
5483 },
5484 },
5485 shouldFail: true,
5486 expectedError: ":ERROR_PARSING_EXTENSION:",
5487 })
5488 testCases = append(testCases, testCase{
5489 name: "RenegotiationInfo-Forbidden-TLS13",
5490 config: Config{
5491 MaxVersion: VersionTLS13,
5492 Bugs: ProtocolBugs{
5493 NegotiateRenegotiationInfoAtAllVersions: true,
5494 },
5495 },
5496 shouldFail: true,
5497 expectedError: ":ERROR_PARSING_EXTENSION:",
5498 })
5499 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5500 name: "Ticket-Forbidden-TLS13",
5501 config: Config{
5502 MaxVersion: VersionTLS12,
5503 },
5504 resumeConfig: &Config{
5505 MaxVersion: VersionTLS13,
5506 Bugs: ProtocolBugs{
5507 AdvertiseTicketExtension: true,
5508 },
5509 },
5510 resumeSession: true,
5511 shouldFail: true,
5512 expectedError: ":ERROR_PARSING_EXTENSION:",
5513 })
5514
5515 // Test that illegal extensions in TLS 1.3 are declined by the server if
5516 // offered in ClientHello. The runner's server will fail if this occurs,
5517 // so we exercise the offering path. (EMS and Renegotiation Info are
5518 // implicit in every test.)
5519 testCases = append(testCases, testCase{
5520 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5521 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5522 config: Config{
5523 MaxVersion: VersionTLS13,
5524 NextProtos: []string{"bar"},
5525 },
5526 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5527 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5528
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5529 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5530 // tolerated.
5531 testCases = append(testCases, testCase{
5532 name: "SendOCSPResponseOnResume-TLS12",
5533 config: Config{
5534 MaxVersion: VersionTLS12,
5535 Bugs: ProtocolBugs{
5536 SendOCSPResponseOnResume: []byte("bogus"),
5537 },
5538 },
5539 flags: []string{
5540 "-enable-ocsp-stapling",
5541 "-expect-ocsp-response",
5542 base64.StdEncoding.EncodeToString(testOCSPResponse),
5543 },
5544 resumeSession: true,
5545 })
5546
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5547 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5548 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5549 config: Config{
5550 MaxVersion: VersionTLS13,
5551 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5552 SendExtensionOnCertificate: testOCSPExtension,
5553 },
5554 },
5555 shouldFail: true,
5556 expectedError: ":UNEXPECTED_EXTENSION:",
5557 })
5558
5559 testCases = append(testCases, testCase{
5560 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5561 config: Config{
5562 MaxVersion: VersionTLS13,
5563 Bugs: ProtocolBugs{
5564 SendExtensionOnCertificate: testSCTExtension,
5565 },
5566 },
5567 shouldFail: true,
5568 expectedError: ":UNEXPECTED_EXTENSION:",
5569 })
5570
5571 // Test that extensions on client certificates are never accepted.
5572 testCases = append(testCases, testCase{
5573 name: "SendExtensionOnClientCertificate-TLS13",
5574 testType: serverTest,
5575 config: Config{
5576 MaxVersion: VersionTLS13,
5577 Certificates: []Certificate{rsaCertificate},
5578 Bugs: ProtocolBugs{
5579 SendExtensionOnCertificate: testOCSPExtension,
5580 },
5581 },
5582 flags: []string{
5583 "-enable-ocsp-stapling",
5584 "-require-any-client-certificate",
5585 },
5586 shouldFail: true,
5587 expectedError: ":UNEXPECTED_EXTENSION:",
5588 })
5589
5590 testCases = append(testCases, testCase{
5591 name: "SendUnknownExtensionOnCertificate-TLS13",
5592 config: Config{
5593 MaxVersion: VersionTLS13,
5594 Bugs: ProtocolBugs{
5595 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5596 },
5597 },
5598 shouldFail: true,
5599 expectedError: ":UNEXPECTED_EXTENSION:",
5600 })
5601
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5602 var differentSCTList []byte
5603 differentSCTList = append(differentSCTList, testSCTList...)
5604 differentSCTList[len(differentSCTList)-1] ^= 1
5605
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5606 // Test that extensions on intermediates are allowed but ignored.
5607 testCases = append(testCases, testCase{
5608 name: "IgnoreExtensionsOnIntermediates-TLS13",
5609 config: Config{
5610 MaxVersion: VersionTLS13,
5611 Certificates: []Certificate{rsaChainCertificate},
5612 Bugs: ProtocolBugs{
5613 // Send different values on the intermediate. This tests
5614 // the intermediate's extensions do not override the
5615 // leaf's.
5616 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5617 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5618 },
5619 },
5620 flags: []string{
5621 "-enable-ocsp-stapling",
5622 "-expect-ocsp-response",
5623 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5624 "-enable-signed-cert-timestamps",
5625 "-expect-signed-cert-timestamps",
5626 base64.StdEncoding.EncodeToString(testSCTList),
5627 },
5628 resumeSession: true,
5629 })
5630
5631 // Test that extensions are not sent on intermediates when configured
5632 // only for a leaf.
5633 testCases = append(testCases, testCase{
5634 testType: serverTest,
5635 name: "SendNoExtensionsOnIntermediate-TLS13",
5636 config: Config{
5637 MaxVersion: VersionTLS13,
5638 Bugs: ProtocolBugs{
5639 ExpectNoExtensionsOnIntermediate: true,
5640 },
5641 },
5642 flags: []string{
5643 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5644 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5645 "-ocsp-response",
5646 base64.StdEncoding.EncodeToString(testOCSPResponse),
5647 "-signed-cert-timestamps",
5648 base64.StdEncoding.EncodeToString(testSCTList),
5649 },
5650 })
5651
5652 // Test that extensions are not sent on client certificates.
5653 testCases = append(testCases, testCase{
5654 name: "SendNoClientCertificateExtensions-TLS13",
5655 config: Config{
5656 MaxVersion: VersionTLS13,
5657 ClientAuth: RequireAnyClientCert,
5658 },
5659 flags: []string{
5660 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5661 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5662 "-ocsp-response",
5663 base64.StdEncoding.EncodeToString(testOCSPResponse),
5664 "-signed-cert-timestamps",
5665 base64.StdEncoding.EncodeToString(testSCTList),
5666 },
5667 })
5668
5669 testCases = append(testCases, testCase{
5670 name: "SendDuplicateExtensionsOnCerts-TLS13",
5671 config: Config{
5672 MaxVersion: VersionTLS13,
5673 Bugs: ProtocolBugs{
5674 SendDuplicateCertExtensions: true,
5675 },
5676 },
5677 flags: []string{
5678 "-enable-ocsp-stapling",
5679 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5680 },
5681 resumeSession: true,
5682 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5683 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5684 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5685
5686 testCases = append(testCases, testCase{
5687 name: "SignedCertificateTimestampListInvalid-Server",
5688 testType: serverTest,
5689 flags: []string{
5690 "-signed-cert-timestamps",
5691 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5692 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5693 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5694 expectedError: ":INVALID_SCT_LIST:",
5695 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5696}
5697
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5698func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5699 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5700 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5701 // SSL 3.0 does not have tickets and TLS 1.3 does not
5702 // have session IDs, so skip their cross-resumption
5703 // tests.
5704 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5705 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5706 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5707 }
5708
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5709 protocols := []protocol{tls}
5710 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5711 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5712 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5713 for _, protocol := range protocols {
5714 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5715 if protocol == dtls {
5716 suffix += "-DTLS"
5717 }
5718
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5719 if sessionVers.version == resumeVers.version {
5720 testCases = append(testCases, testCase{
5721 protocol: protocol,
5722 name: "Resume-Client" + suffix,
5723 resumeSession: true,
5724 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5725 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5726 Bugs: ProtocolBugs{
5727 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5728 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5729 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5730 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5731 expectedVersion: sessionVers.version,
5732 expectedResumeVersion: resumeVers.version,
5733 })
5734 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5735 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5736
5737 // Offering a TLS 1.3 session sends an empty session ID, so
5738 // there is no way to convince a non-lookahead client the
5739 // session was resumed. It will appear to the client that a
5740 // stray ChangeCipherSpec was sent.
5741 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5742 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5743 }
5744
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5745 testCases = append(testCases, testCase{
5746 protocol: protocol,
5747 name: "Resume-Client-Mismatch" + suffix,
5748 resumeSession: true,
5749 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5750 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5751 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5752 expectedVersion: sessionVers.version,
5753 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5754 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5755 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5756 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5757 },
5758 },
5759 expectedResumeVersion: resumeVers.version,
5760 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5761 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5762 })
5763 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5764
5765 testCases = append(testCases, testCase{
5766 protocol: protocol,
5767 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5768 resumeSession: true,
5769 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5770 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5771 },
5772 expectedVersion: sessionVers.version,
5773 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5774 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5775 },
5776 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5777 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5778 expectedResumeVersion: resumeVers.version,
5779 })
5780
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5781 testCases = append(testCases, testCase{
5782 protocol: protocol,
5783 testType: serverTest,
5784 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5785 resumeSession: true,
5786 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5787 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5788 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5789 expectedVersion: sessionVers.version,
5790 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5791 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5792 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5793 Bugs: ProtocolBugs{
5794 SendBothTickets: true,
5795 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5796 },
5797 expectedResumeVersion: resumeVers.version,
5798 })
5799 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5800 }
5801 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5802
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5803 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5804 testCases = append(testCases, testCase{
5805 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5806 name: "ShimTicketRewritable",
5807 resumeSession: true,
5808 config: Config{
5809 MaxVersion: VersionTLS12,
5810 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5811 Bugs: ProtocolBugs{
5812 FilterTicket: func(in []byte) ([]byte, error) {
5813 in, err := SetShimTicketVersion(in, VersionTLS12)
5814 if err != nil {
5815 return nil, err
5816 }
5817 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5818 },
5819 },
5820 },
5821 flags: []string{
5822 "-ticket-key",
5823 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5824 },
5825 })
5826
5827 // Resumptions are declined if the version does not match.
5828 testCases = append(testCases, testCase{
5829 testType: serverTest,
5830 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5831 resumeSession: true,
5832 config: Config{
5833 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5834 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5835 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5836 FilterTicket: func(in []byte) ([]byte, error) {
5837 return SetShimTicketVersion(in, VersionTLS13)
5838 },
5839 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5840 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5841 flags: []string{
5842 "-ticket-key",
5843 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5844 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5845 expectResumeRejected: true,
5846 })
5847
5848 testCases = append(testCases, testCase{
5849 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5850 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5851 resumeSession: true,
5852 config: Config{
5853 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5854 Bugs: ProtocolBugs{
5855 FilterTicket: func(in []byte) ([]byte, error) {
5856 return SetShimTicketVersion(in, VersionTLS12)
5857 },
5858 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5859 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5860 flags: []string{
5861 "-ticket-key",
5862 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5863 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5864 expectResumeRejected: true,
5865 })
5866
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5867 // Resumptions are declined if the cipher is invalid or disabled.
5868 testCases = append(testCases, testCase{
5869 testType: serverTest,
5870 name: "Resume-Server-DeclineBadCipher",
5871 resumeSession: true,
5872 config: Config{
5873 MaxVersion: VersionTLS12,
5874 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5875 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5876 FilterTicket: func(in []byte) ([]byte, error) {
5877 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5878 },
5879 },
5880 },
5881 flags: []string{
5882 "-ticket-key",
5883 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5884 },
5885 expectResumeRejected: true,
5886 })
5887
5888 testCases = append(testCases, testCase{
5889 testType: serverTest,
5890 name: "Resume-Server-DeclineBadCipher-2",
5891 resumeSession: true,
5892 config: Config{
5893 MaxVersion: VersionTLS12,
5894 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5895 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5896 FilterTicket: func(in []byte) ([]byte, error) {
5897 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5898 },
5899 },
5900 },
5901 flags: []string{
5902 "-cipher", "AES128",
5903 "-ticket-key",
5904 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5905 },
5906 expectResumeRejected: true,
5907 })
5908
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5909 // Sessions are not resumed if they do not use the preferred cipher.
5910 testCases = append(testCases, testCase{
5911 testType: serverTest,
5912 name: "Resume-Server-CipherNotPreferred",
5913 resumeSession: true,
5914 config: Config{
5915 MaxVersion: VersionTLS12,
5916 Bugs: ProtocolBugs{
5917 ExpectNewTicket: true,
5918 FilterTicket: func(in []byte) ([]byte, error) {
5919 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5920 },
5921 },
5922 },
5923 flags: []string{
5924 "-ticket-key",
5925 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5926 },
5927 shouldFail: false,
5928 expectResumeRejected: true,
5929 })
5930
5931 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5932 // PRF hashes match, but BoringSSL will always decline such resumptions.
5933 testCases = append(testCases, testCase{
5934 testType: serverTest,
5935 name: "Resume-Server-CipherNotPreferred-TLS13",
5936 resumeSession: true,
5937 config: Config{
5938 MaxVersion: VersionTLS13,
5939 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5940 Bugs: ProtocolBugs{
5941 FilterTicket: func(in []byte) ([]byte, error) {
5942 // If the client (runner) offers ChaCha20-Poly1305 first, the
5943 // server (shim) always prefers it. Switch it to AES-GCM.
5944 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5945 },
5946 },
5947 },
5948 flags: []string{
5949 "-ticket-key",
5950 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5951 },
5952 shouldFail: false,
5953 expectResumeRejected: true,
5954 })
5955
5956 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5957 testCases = append(testCases, testCase{
5958 testType: serverTest,
5959 name: "Resume-Server-DeclineBadCipher-TLS13",
5960 resumeSession: true,
5961 config: Config{
5962 MaxVersion: VersionTLS13,
5963 Bugs: ProtocolBugs{
5964 FilterTicket: func(in []byte) ([]byte, error) {
5965 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5966 },
5967 },
5968 },
5969 flags: []string{
5970 "-ticket-key",
5971 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5972 },
5973 expectResumeRejected: true,
5974 })
5975
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5976 // If the client does not offer the cipher from the session, decline to
5977 // resume. Clients are forbidden from doing this, but BoringSSL selects
5978 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5979 testCases = append(testCases, testCase{
5980 testType: serverTest,
5981 name: "Resume-Server-UnofferedCipher",
5982 resumeSession: true,
5983 config: Config{
5984 MaxVersion: VersionTLS12,
5985 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5986 },
5987 resumeConfig: &Config{
5988 MaxVersion: VersionTLS12,
5989 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5990 Bugs: ProtocolBugs{
5991 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5992 },
5993 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5994 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5995 })
5996
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5997 // In TLS 1.3, clients may advertise a cipher list which does not
5998 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]5999 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6000 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6001 testCases = append(testCases, testCase{
6002 testType: serverTest,
6003 name: "Resume-Server-UnofferedCipher-TLS13",
6004 resumeSession: true,
6005 config: Config{
6006 MaxVersion: VersionTLS13,
6007 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6008 },
6009 resumeConfig: &Config{
6010 MaxVersion: VersionTLS13,
6011 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6012 Bugs: ProtocolBugs{
6013 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6014 },
6015 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]6016 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]6017 })
6018
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]6019 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6020 testCases = append(testCases, testCase{
6021 name: "Resume-Client-CipherMismatch",
6022 resumeSession: true,
6023 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6024 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6025 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6026 },
6027 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6028 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6029 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6030 Bugs: ProtocolBugs{
6031 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6032 },
6033 },
6034 shouldFail: true,
6035 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6036 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6037
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6038 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6039 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6040 testCases = append(testCases, testCase{
6041 name: "Resume-Client-CipherMismatch-TLS13",
6042 resumeSession: true,
6043 config: Config{
6044 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6045 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6046 },
6047 resumeConfig: &Config{
6048 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6049 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6050 },
6051 })
6052
6053 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6054 testCases = append(testCases, testCase{
6055 name: "Resume-Client-PRFMismatch-TLS13",
6056 resumeSession: true,
6057 config: Config{
6058 MaxVersion: VersionTLS13,
6059 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6060 },
6061 resumeConfig: &Config{
6062 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6063 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6064 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6065 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6066 },
6067 },
6068 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6069 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6070 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6071
6072 testCases = append(testCases, testCase{
6073 testType: serverTest,
6074 name: "Resume-Server-BinderWrongLength",
6075 resumeSession: true,
6076 config: Config{
6077 MaxVersion: VersionTLS13,
6078 Bugs: ProtocolBugs{
6079 SendShortPSKBinder: true,
6080 },
6081 },
6082 shouldFail: true,
6083 expectedLocalError: "remote error: error decrypting message",
6084 expectedError: ":DIGEST_CHECK_FAILED:",
6085 })
6086
6087 testCases = append(testCases, testCase{
6088 testType: serverTest,
6089 name: "Resume-Server-NoPSKBinder",
6090 resumeSession: true,
6091 config: Config{
6092 MaxVersion: VersionTLS13,
6093 Bugs: ProtocolBugs{
6094 SendNoPSKBinder: true,
6095 },
6096 },
6097 shouldFail: true,
6098 expectedLocalError: "remote error: error decoding message",
6099 expectedError: ":DECODE_ERROR:",
6100 })
6101
6102 testCases = append(testCases, testCase{
6103 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6104 name: "Resume-Server-ExtraPSKBinder",
6105 resumeSession: true,
6106 config: Config{
6107 MaxVersion: VersionTLS13,
6108 Bugs: ProtocolBugs{
6109 SendExtraPSKBinder: true,
6110 },
6111 },
6112 shouldFail: true,
6113 expectedLocalError: "remote error: illegal parameter",
6114 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6115 })
6116
6117 testCases = append(testCases, testCase{
6118 testType: serverTest,
6119 name: "Resume-Server-ExtraIdentityNoBinder",
6120 resumeSession: true,
6121 config: Config{
6122 MaxVersion: VersionTLS13,
6123 Bugs: ProtocolBugs{
6124 ExtraPSKIdentity: true,
6125 },
6126 },
6127 shouldFail: true,
6128 expectedLocalError: "remote error: illegal parameter",
6129 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6130 })
6131
6132 testCases = append(testCases, testCase{
6133 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6134 name: "Resume-Server-InvalidPSKBinder",
6135 resumeSession: true,
6136 config: Config{
6137 MaxVersion: VersionTLS13,
6138 Bugs: ProtocolBugs{
6139 SendInvalidPSKBinder: true,
6140 },
6141 },
6142 shouldFail: true,
6143 expectedLocalError: "remote error: error decrypting message",
6144 expectedError: ":DIGEST_CHECK_FAILED:",
6145 })
6146
6147 testCases = append(testCases, testCase{
6148 testType: serverTest,
6149 name: "Resume-Server-PSKBinderFirstExtension",
6150 resumeSession: true,
6151 config: Config{
6152 MaxVersion: VersionTLS13,
6153 Bugs: ProtocolBugs{
6154 PSKBinderFirst: true,
6155 },
6156 },
6157 shouldFail: true,
6158 expectedLocalError: "remote error: illegal parameter",
6159 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6160 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6161}
6162
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6163func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6164 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6165 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6166 testType: serverTest,
6167 name: "Renegotiate-Server-Forbidden",
6168 config: Config{
6169 MaxVersion: VersionTLS12,
6170 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6171 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6172 shouldFail: true,
6173 expectedError: ":NO_RENEGOTIATION:",
6174 expectedLocalError: "remote error: no renegotiation",
6175 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6176 // The server shouldn't echo the renegotiation extension unless
6177 // requested by the client.
6178 testCases = append(testCases, testCase{
6179 testType: serverTest,
6180 name: "Renegotiate-Server-NoExt",
6181 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6182 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6183 Bugs: ProtocolBugs{
6184 NoRenegotiationInfo: true,
6185 RequireRenegotiationInfo: true,
6186 },
6187 },
6188 shouldFail: true,
6189 expectedLocalError: "renegotiation extension missing",
6190 })
6191 // The renegotiation SCSV should be sufficient for the server to echo
6192 // the extension.
6193 testCases = append(testCases, testCase{
6194 testType: serverTest,
6195 name: "Renegotiate-Server-NoExt-SCSV",
6196 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6197 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6198 Bugs: ProtocolBugs{
6199 NoRenegotiationInfo: true,
6200 SendRenegotiationSCSV: true,
6201 RequireRenegotiationInfo: true,
6202 },
6203 },
6204 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6205 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6206 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6208 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6209 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6210 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6211 },
6212 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6213 renegotiate: 1,
6214 flags: []string{
6215 "-renegotiate-freely",
6216 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6217 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6218 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6219 })
6220 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6221 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6222 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6223 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6224 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6225 Bugs: ProtocolBugs{
6226 EmptyRenegotiationInfo: true,
6227 },
6228 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6229 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6230 shouldFail: true,
6231 expectedError: ":RENEGOTIATION_MISMATCH:",
6232 })
6233 testCases = append(testCases, testCase{
6234 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6235 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6236 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6237 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6238 Bugs: ProtocolBugs{
6239 BadRenegotiationInfo: true,
6240 },
6241 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6242 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6243 shouldFail: true,
6244 expectedError: ":RENEGOTIATION_MISMATCH:",
6245 })
6246 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6247 name: "Renegotiate-Client-Downgrade",
6248 renegotiate: 1,
6249 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6250 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6251 Bugs: ProtocolBugs{
6252 NoRenegotiationInfoAfterInitial: true,
6253 },
6254 },
6255 flags: []string{"-renegotiate-freely"},
6256 shouldFail: true,
6257 expectedError: ":RENEGOTIATION_MISMATCH:",
6258 })
6259 testCases = append(testCases, testCase{
6260 name: "Renegotiate-Client-Upgrade",
6261 renegotiate: 1,
6262 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6263 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6264 Bugs: ProtocolBugs{
6265 NoRenegotiationInfoInInitial: true,
6266 },
6267 },
6268 flags: []string{"-renegotiate-freely"},
6269 shouldFail: true,
6270 expectedError: ":RENEGOTIATION_MISMATCH:",
6271 })
6272 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6273 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6274 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6275 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6276 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6277 Bugs: ProtocolBugs{
6278 NoRenegotiationInfo: true,
6279 },
6280 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6281 flags: []string{
6282 "-renegotiate-freely",
6283 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6284 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6285 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6286 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6287
6288 // Test that the server may switch ciphers on renegotiation without
6289 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6290 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6291 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6292 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6293 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6294 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6295 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6296 },
6297 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6298 flags: []string{
6299 "-renegotiate-freely",
6300 "-expect-total-renegotiations", "1",
6301 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6302 })
6303 testCases = append(testCases, testCase{
6304 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6305 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6306 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6307 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6308 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6309 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6310 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6311 flags: []string{
6312 "-renegotiate-freely",
6313 "-expect-total-renegotiations", "1",
6314 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6315 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6316
6317 // Test that the server may not switch versions on renegotiation.
6318 testCases = append(testCases, testCase{
6319 name: "Renegotiate-Client-SwitchVersion",
6320 config: Config{
6321 MaxVersion: VersionTLS12,
6322 // Pick a cipher which exists at both versions.
6323 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6324 Bugs: ProtocolBugs{
6325 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6326 // Avoid failing early at the record layer.
6327 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6328 },
6329 },
6330 renegotiate: 1,
6331 flags: []string{
6332 "-renegotiate-freely",
6333 "-expect-total-renegotiations", "1",
6334 },
6335 shouldFail: true,
6336 expectedError: ":WRONG_SSL_VERSION:",
6337 })
6338
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6339 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6340 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6341 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6342 config: Config{
6343 MaxVersion: VersionTLS10,
6344 Bugs: ProtocolBugs{
6345 RequireSameRenegoClientVersion: true,
6346 },
6347 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6348 flags: []string{
6349 "-renegotiate-freely",
6350 "-expect-total-renegotiations", "1",
6351 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6352 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6353 testCases = append(testCases, testCase{
6354 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6355 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6356 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6357 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6358 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6359 NextProtos: []string{"foo"},
6360 },
6361 flags: []string{
6362 "-false-start",
6363 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6364 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6365 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6366 },
6367 shimWritesFirst: true,
6368 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6369
6370 // Client-side renegotiation controls.
6371 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6372 name: "Renegotiate-Client-Forbidden-1",
6373 config: Config{
6374 MaxVersion: VersionTLS12,
6375 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6376 renegotiate: 1,
6377 shouldFail: true,
6378 expectedError: ":NO_RENEGOTIATION:",
6379 expectedLocalError: "remote error: no renegotiation",
6380 })
6381 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6382 name: "Renegotiate-Client-Once-1",
6383 config: Config{
6384 MaxVersion: VersionTLS12,
6385 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6386 renegotiate: 1,
6387 flags: []string{
6388 "-renegotiate-once",
6389 "-expect-total-renegotiations", "1",
6390 },
6391 })
6392 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6393 name: "Renegotiate-Client-Freely-1",
6394 config: Config{
6395 MaxVersion: VersionTLS12,
6396 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6397 renegotiate: 1,
6398 flags: []string{
6399 "-renegotiate-freely",
6400 "-expect-total-renegotiations", "1",
6401 },
6402 })
6403 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6404 name: "Renegotiate-Client-Once-2",
6405 config: Config{
6406 MaxVersion: VersionTLS12,
6407 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6408 renegotiate: 2,
6409 flags: []string{"-renegotiate-once"},
6410 shouldFail: true,
6411 expectedError: ":NO_RENEGOTIATION:",
6412 expectedLocalError: "remote error: no renegotiation",
6413 })
6414 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6415 name: "Renegotiate-Client-Freely-2",
6416 config: Config{
6417 MaxVersion: VersionTLS12,
6418 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6419 renegotiate: 2,
6420 flags: []string{
6421 "-renegotiate-freely",
6422 "-expect-total-renegotiations", "2",
6423 },
6424 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6425 testCases = append(testCases, testCase{
6426 name: "Renegotiate-Client-NoIgnore",
6427 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6428 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6429 Bugs: ProtocolBugs{
6430 SendHelloRequestBeforeEveryAppDataRecord: true,
6431 },
6432 },
6433 shouldFail: true,
6434 expectedError: ":NO_RENEGOTIATION:",
6435 })
6436 testCases = append(testCases, testCase{
6437 name: "Renegotiate-Client-Ignore",
6438 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6439 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6440 Bugs: ProtocolBugs{
6441 SendHelloRequestBeforeEveryAppDataRecord: true,
6442 },
6443 },
6444 flags: []string{
6445 "-renegotiate-ignore",
6446 "-expect-total-renegotiations", "0",
6447 },
6448 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6449
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6450 // Renegotiation is not allowed at SSL 3.0.
6451 testCases = append(testCases, testCase{
6452 name: "Renegotiate-Client-SSL3",
6453 config: Config{
6454 MaxVersion: VersionSSL30,
6455 },
6456 renegotiate: 1,
6457 flags: []string{
6458 "-renegotiate-freely",
6459 "-expect-total-renegotiations", "1",
6460 },
6461 shouldFail: true,
6462 expectedError: ":NO_RENEGOTIATION:",
6463 expectedLocalError: "remote error: no renegotiation",
6464 })
6465
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6466 // Renegotiation is not allowed when there is an unfinished write.
6467 testCases = append(testCases, testCase{
6468 name: "Renegotiate-Client-UnfinishedWrite",
6469 config: Config{
6470 MaxVersion: VersionTLS12,
6471 },
6472 renegotiate: 1,
6473 flags: []string{
6474 "-async",
6475 "-renegotiate-freely",
6476 "-read-with-unfinished-write",
6477 },
6478 shouldFail: true,
6479 expectedError: ":NO_RENEGOTIATION:",
6480 // We do not successfully send the no_renegotiation alert in
6481 // this case. https://crbug.com/boringssl/130
6482 })
6483
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6484 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6485 testCases = append(testCases, testCase{
6486 name: "StrayHelloRequest",
6487 config: Config{
6488 MaxVersion: VersionTLS12,
6489 Bugs: ProtocolBugs{
6490 SendHelloRequestBeforeEveryHandshakeMessage: true,
6491 },
6492 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6493 shouldFail: true,
6494 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6495 })
6496 testCases = append(testCases, testCase{
6497 name: "StrayHelloRequest-Packed",
6498 config: Config{
6499 MaxVersion: VersionTLS12,
6500 Bugs: ProtocolBugs{
6501 PackHandshakeFlight: true,
6502 SendHelloRequestBeforeEveryHandshakeMessage: true,
6503 },
6504 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6505 shouldFail: true,
6506 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6507 })
6508
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6509 // Test renegotiation works if HelloRequest and server Finished come in
6510 // the same record.
6511 testCases = append(testCases, testCase{
6512 name: "Renegotiate-Client-Packed",
6513 config: Config{
6514 MaxVersion: VersionTLS12,
6515 Bugs: ProtocolBugs{
6516 PackHandshakeFlight: true,
6517 PackHelloRequestWithFinished: true,
6518 },
6519 },
6520 renegotiate: 1,
6521 flags: []string{
6522 "-renegotiate-freely",
6523 "-expect-total-renegotiations", "1",
6524 },
6525 })
6526
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6527 // Renegotiation is forbidden in TLS 1.3.
6528 testCases = append(testCases, testCase{
6529 name: "Renegotiate-Client-TLS13",
6530 config: Config{
6531 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6532 Bugs: ProtocolBugs{
6533 SendHelloRequestBeforeEveryAppDataRecord: true,
6534 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6535 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6536 flags: []string{
6537 "-renegotiate-freely",
6538 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6539 shouldFail: true,
6540 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6541 })
6542
6543 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6544 testCases = append(testCases, testCase{
6545 name: "StrayHelloRequest-TLS13",
6546 config: Config{
6547 MaxVersion: VersionTLS13,
6548 Bugs: ProtocolBugs{
6549 SendHelloRequestBeforeEveryHandshakeMessage: true,
6550 },
6551 },
6552 shouldFail: true,
6553 expectedError: ":UNEXPECTED_MESSAGE:",
6554 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6555
6556 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6557 // always reads as supporting it, regardless of whether it was
6558 // negotiated.
6559 testCases = append(testCases, testCase{
6560 name: "AlwaysReportRenegotiationInfo-TLS13",
6561 config: Config{
6562 MaxVersion: VersionTLS13,
6563 Bugs: ProtocolBugs{
6564 NoRenegotiationInfo: true,
6565 },
6566 },
6567 flags: []string{
6568 "-expect-secure-renegotiation",
6569 },
6570 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6571
6572 // Certificates may not change on renegotiation.
6573 testCases = append(testCases, testCase{
6574 name: "Renegotiation-CertificateChange",
6575 config: Config{
6576 MaxVersion: VersionTLS12,
6577 Certificates: []Certificate{rsaCertificate},
6578 Bugs: ProtocolBugs{
6579 RenegotiationCertificate: &rsaChainCertificate,
6580 },
6581 },
6582 renegotiate: 1,
6583 flags: []string{"-renegotiate-freely"},
6584 shouldFail: true,
6585 expectedError: ":SERVER_CERT_CHANGED:",
6586 })
6587 testCases = append(testCases, testCase{
6588 name: "Renegotiation-CertificateChange-2",
6589 config: Config{
6590 MaxVersion: VersionTLS12,
6591 Certificates: []Certificate{rsaCertificate},
6592 Bugs: ProtocolBugs{
6593 RenegotiationCertificate: &rsa1024Certificate,
6594 },
6595 },
6596 renegotiate: 1,
6597 flags: []string{"-renegotiate-freely"},
6598 shouldFail: true,
6599 expectedError: ":SERVER_CERT_CHANGED:",
6600 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6601
6602 // We do not negotiate ALPN after the initial handshake. This is
6603 // error-prone and only risks bugs in consumers.
6604 testCases = append(testCases, testCase{
6605 testType: clientTest,
6606 name: "Renegotiation-ForbidALPN",
6607 config: Config{
6608 MaxVersion: VersionTLS12,
6609 Bugs: ProtocolBugs{
6610 // Forcibly negotiate ALPN on both initial and
6611 // renegotiation handshakes. The test stack will
6612 // internally check the client does not offer
6613 // it.
6614 SendALPN: "foo",
6615 },
6616 },
6617 flags: []string{
6618 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6619 "-expect-alpn", "foo",
6620 "-renegotiate-freely",
6621 },
6622 renegotiate: 1,
6623 shouldFail: true,
6624 expectedError: ":UNEXPECTED_EXTENSION:",
6625 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6626}
6627
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6628func addDTLSReplayTests() {
6629 // Test that sequence number replays are detected.
6630 testCases = append(testCases, testCase{
6631 protocol: dtls,
6632 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6633 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6634 replayWrites: true,
6635 })
6636
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6637 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6638 // than the retransmit window.
6639 testCases = append(testCases, testCase{
6640 protocol: dtls,
6641 name: "DTLS-Replay-LargeGaps",
6642 config: Config{
6643 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6644 SequenceNumberMapping: func(in uint64) uint64 {
6645 return in * 127
6646 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6647 },
6648 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6649 messageCount: 200,
6650 replayWrites: true,
6651 })
6652
6653 // Test the incoming sequence number changing non-monotonically.
6654 testCases = append(testCases, testCase{
6655 protocol: dtls,
6656 name: "DTLS-Replay-NonMonotonic",
6657 config: Config{
6658 Bugs: ProtocolBugs{
6659 SequenceNumberMapping: func(in uint64) uint64 {
6660 return in ^ 31
6661 },
6662 },
6663 },
6664 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6665 replayWrites: true,
6666 })
6667}
6668
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6669var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6670 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6671 id signatureAlgorithm
6672 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6673}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6674 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6675 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6676 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6677 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6678 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6679 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6680 // hash function doesn't have to match the curve and so the same
6681 // signature algorithm works with P-224.
6682 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6683 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6684 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6685 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6686 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6687 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6688 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6689 // Tests for key types prior to TLS 1.2.
6690 {"RSA", 0, testCertRSA},
6691 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6692}
6693
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6694const fakeSigAlg1 signatureAlgorithm = 0x2a01
6695const fakeSigAlg2 signatureAlgorithm = 0xff01
6696
6697func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6698 // Not all ciphers involve a signature. Advertise a list which gives all
6699 // versions a signing cipher.
6700 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6701 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6702 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6703 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6704 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6705 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6706 }
6707 if *includeDHE {
6708 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6709 }
6710
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6711 var allAlgorithms []signatureAlgorithm
6712 for _, alg := range testSignatureAlgorithms {
6713 if alg.id != 0 {
6714 allAlgorithms = append(allAlgorithms, alg.id)
6715 }
6716 }
6717
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6718 // Make sure each signature algorithm works. Include some fake values in
6719 // the list and ensure they're ignored.
6720 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6721 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6722 if (ver.version < VersionTLS12) != (alg.id == 0) {
6723 continue
6724 }
6725
6726 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6727 // or remove it in C.
6728 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6729 continue
6730 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6731
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6732 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6733 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6734 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6735 shouldSignFail = true
6736 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6737 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6738 // RSA-PKCS1 does not exist in TLS 1.3.
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]6739 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6740 shouldSignFail = true
6741 shouldVerifyFail = true
6742 }
6743 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6744 // the curve has to match the hash size.
6745 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6746 shouldSignFail = true
6747 shouldVerifyFail = true
6748 }
6749
6750 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6751 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6752 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6753 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6754
6755 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6756 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6757 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6758 }
6759 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6760 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6761 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6762
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6763 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6764
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6765 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6766 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6767 config: Config{
6768 MaxVersion: ver.version,
6769 ClientAuth: RequireAnyClientCert,
6770 VerifySignatureAlgorithms: []signatureAlgorithm{
6771 fakeSigAlg1,
6772 alg.id,
6773 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6774 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6775 },
6776 flags: []string{
6777 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6778 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6779 "-enable-all-curves",
6780 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6781 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6782 expectedError: signError,
6783 expectedPeerSignatureAlgorithm: alg.id,
6784 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6785
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6786 testCases = append(testCases, testCase{
6787 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6788 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6789 config: Config{
6790 MaxVersion: ver.version,
6791 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6792 SignSignatureAlgorithms: []signatureAlgorithm{
6793 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6794 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6795 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6796 SkipECDSACurveCheck: shouldVerifyFail,
6797 IgnoreSignatureVersionChecks: shouldVerifyFail,
6798 // Some signature algorithms may not be advertised.
6799 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6800 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6801 },
6802 flags: []string{
6803 "-require-any-client-certificate",
6804 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6805 "-enable-all-curves",
6806 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6807 // Resume the session to assert the peer signature
6808 // algorithm is reported on both handshakes.
6809 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6810 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6811 expectedError: verifyError,
6812 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6813
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6814 // No signing cipher for SSL 3.0.
6815 if *includeDHE || ver.version > VersionSSL30 {
6816 testCases = append(testCases, testCase{
6817 testType: serverTest,
6818 name: "ServerAuth-Sign" + suffix,
6819 config: Config{
6820 MaxVersion: ver.version,
6821 CipherSuites: signingCiphers,
6822 VerifySignatureAlgorithms: []signatureAlgorithm{
6823 fakeSigAlg1,
6824 alg.id,
6825 fakeSigAlg2,
6826 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6827 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6828 flags: []string{
6829 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6830 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6831 "-enable-all-curves",
6832 },
6833 shouldFail: shouldSignFail,
6834 expectedError: signError,
6835 expectedPeerSignatureAlgorithm: alg.id,
6836 })
6837 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6838
6839 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6840 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6841 config: Config{
6842 MaxVersion: ver.version,
6843 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6844 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6845 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6846 alg.id,
6847 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6848 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6849 SkipECDSACurveCheck: shouldVerifyFail,
6850 IgnoreSignatureVersionChecks: shouldVerifyFail,
6851 // Some signature algorithms may not be advertised.
6852 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6853 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6854 },
6855 flags: []string{
6856 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6857 "-enable-all-curves",
6858 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6859 // Resume the session to assert the peer signature
6860 // algorithm is reported on both handshakes.
6861 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6862 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6863 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6864 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6865
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6866 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6867 testCases = append(testCases, testCase{
6868 testType: serverTest,
6869 name: "ClientAuth-InvalidSignature" + suffix,
6870 config: Config{
6871 MaxVersion: ver.version,
6872 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6873 SignSignatureAlgorithms: []signatureAlgorithm{
6874 alg.id,
6875 },
6876 Bugs: ProtocolBugs{
6877 InvalidSignature: true,
6878 },
6879 },
6880 flags: []string{
6881 "-require-any-client-certificate",
6882 "-enable-all-curves",
6883 },
6884 shouldFail: true,
6885 expectedError: ":BAD_SIGNATURE:",
6886 })
6887
6888 testCases = append(testCases, testCase{
6889 name: "ServerAuth-InvalidSignature" + suffix,
6890 config: Config{
6891 MaxVersion: ver.version,
6892 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6893 CipherSuites: signingCiphers,
6894 SignSignatureAlgorithms: []signatureAlgorithm{
6895 alg.id,
6896 },
6897 Bugs: ProtocolBugs{
6898 InvalidSignature: true,
6899 },
6900 },
6901 flags: []string{"-enable-all-curves"},
6902 shouldFail: true,
6903 expectedError: ":BAD_SIGNATURE:",
6904 })
6905 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6906
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6907 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6908 testCases = append(testCases, testCase{
6909 name: "ClientAuth-Sign-Negotiate" + suffix,
6910 config: Config{
6911 MaxVersion: ver.version,
6912 ClientAuth: RequireAnyClientCert,
6913 VerifySignatureAlgorithms: allAlgorithms,
6914 },
6915 flags: []string{
6916 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6917 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6918 "-enable-all-curves",
6919 "-signing-prefs", strconv.Itoa(int(alg.id)),
6920 },
6921 expectedPeerSignatureAlgorithm: alg.id,
6922 })
6923
6924 testCases = append(testCases, testCase{
6925 testType: serverTest,
6926 name: "ServerAuth-Sign-Negotiate" + suffix,
6927 config: Config{
6928 MaxVersion: ver.version,
6929 CipherSuites: signingCiphers,
6930 VerifySignatureAlgorithms: allAlgorithms,
6931 },
6932 flags: []string{
6933 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6934 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6935 "-enable-all-curves",
6936 "-signing-prefs", strconv.Itoa(int(alg.id)),
6937 },
6938 expectedPeerSignatureAlgorithm: alg.id,
6939 })
6940 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6941 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6942 }
6943
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6944 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6945 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6946 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6947 config: Config{
6948 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6949 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6950 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6951 signatureECDSAWithP521AndSHA512,
6952 signatureRSAPKCS1WithSHA384,
6953 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6954 },
6955 },
6956 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6957 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6958 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6959 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6960 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6961 })
6962
6963 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6964 name: "ClientAuth-SignatureType-TLS13",
6965 config: Config{
6966 ClientAuth: RequireAnyClientCert,
6967 MaxVersion: VersionTLS13,
6968 VerifySignatureAlgorithms: []signatureAlgorithm{
6969 signatureECDSAWithP521AndSHA512,
6970 signatureRSAPKCS1WithSHA384,
6971 signatureRSAPSSWithSHA384,
6972 signatureECDSAWithSHA1,
6973 },
6974 },
6975 flags: []string{
6976 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6977 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6978 },
6979 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6980 })
6981
6982 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6983 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6984 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6985 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6986 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6987 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6988 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6989 signatureECDSAWithP521AndSHA512,
6990 signatureRSAPKCS1WithSHA384,
6991 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6992 },
6993 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6994 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6995 })
6996
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6997 testCases = append(testCases, testCase{
6998 testType: serverTest,
6999 name: "ServerAuth-SignatureType-TLS13",
7000 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7001 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7002 VerifySignatureAlgorithms: []signatureAlgorithm{
7003 signatureECDSAWithP521AndSHA512,
7004 signatureRSAPKCS1WithSHA384,
7005 signatureRSAPSSWithSHA384,
7006 signatureECDSAWithSHA1,
7007 },
7008 },
7009 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7010 })
7011
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7012 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7013 testCases = append(testCases, testCase{
7014 testType: serverTest,
7015 name: "Verify-ClientAuth-SignatureType",
7016 config: Config{
7017 MaxVersion: VersionTLS12,
7018 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7019 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7020 signatureRSAPKCS1WithSHA256,
7021 },
7022 Bugs: ProtocolBugs{
7023 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7024 },
7025 },
7026 flags: []string{
7027 "-require-any-client-certificate",
7028 },
7029 shouldFail: true,
7030 expectedError: ":WRONG_SIGNATURE_TYPE:",
7031 })
7032
7033 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7034 testType: serverTest,
7035 name: "Verify-ClientAuth-SignatureType-TLS13",
7036 config: Config{
7037 MaxVersion: VersionTLS13,
7038 Certificates: []Certificate{rsaCertificate},
7039 SignSignatureAlgorithms: []signatureAlgorithm{
7040 signatureRSAPSSWithSHA256,
7041 },
7042 Bugs: ProtocolBugs{
7043 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7044 },
7045 },
7046 flags: []string{
7047 "-require-any-client-certificate",
7048 },
7049 shouldFail: true,
7050 expectedError: ":WRONG_SIGNATURE_TYPE:",
7051 })
7052
7053 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7054 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7055 config: Config{
7056 MaxVersion: VersionTLS12,
7057 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7058 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7059 signatureRSAPKCS1WithSHA256,
7060 },
7061 Bugs: ProtocolBugs{
7062 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7063 },
7064 },
7065 shouldFail: true,
7066 expectedError: ":WRONG_SIGNATURE_TYPE:",
7067 })
7068
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7069 testCases = append(testCases, testCase{
7070 name: "Verify-ServerAuth-SignatureType-TLS13",
7071 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7072 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7073 SignSignatureAlgorithms: []signatureAlgorithm{
7074 signatureRSAPSSWithSHA256,
7075 },
7076 Bugs: ProtocolBugs{
7077 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7078 },
7079 },
7080 shouldFail: true,
7081 expectedError: ":WRONG_SIGNATURE_TYPE:",
7082 })
7083
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7084 // Test that, if the list is missing, the peer falls back to SHA-1 in
7085 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7086 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7087 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7089 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7090 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7091 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7092 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7093 },
7094 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7095 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7096 },
7097 },
7098 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7099 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7100 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7101 },
7102 })
7103
7104 testCases = append(testCases, testCase{
7105 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7106 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7107 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7108 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7109 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7110 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7111 },
7112 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7113 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7114 },
7115 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7116 flags: []string{
7117 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7118 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7119 },
7120 })
7121
7122 testCases = append(testCases, testCase{
7123 name: "ClientAuth-SHA1-Fallback-ECDSA",
7124 config: Config{
7125 MaxVersion: VersionTLS12,
7126 ClientAuth: RequireAnyClientCert,
7127 VerifySignatureAlgorithms: []signatureAlgorithm{
7128 signatureECDSAWithSHA1,
7129 },
7130 Bugs: ProtocolBugs{
7131 NoSignatureAlgorithms: true,
7132 },
7133 },
7134 flags: []string{
7135 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7136 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7137 },
7138 })
7139
7140 testCases = append(testCases, testCase{
7141 testType: serverTest,
7142 name: "ServerAuth-SHA1-Fallback-ECDSA",
7143 config: Config{
7144 MaxVersion: VersionTLS12,
7145 VerifySignatureAlgorithms: []signatureAlgorithm{
7146 signatureECDSAWithSHA1,
7147 },
7148 Bugs: ProtocolBugs{
7149 NoSignatureAlgorithms: true,
7150 },
7151 },
7152 flags: []string{
7153 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7154 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7155 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7156 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7157
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7158 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7159 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7160 config: Config{
7161 MaxVersion: VersionTLS13,
7162 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7163 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7164 signatureRSAPKCS1WithSHA1,
7165 },
7166 Bugs: ProtocolBugs{
7167 NoSignatureAlgorithms: true,
7168 },
7169 },
7170 flags: []string{
7171 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7172 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7173 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7174 shouldFail: true,
7175 // An empty CertificateRequest signature algorithm list is a
7176 // syntax error in TLS 1.3.
7177 expectedError: ":DECODE_ERROR:",
7178 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7179 })
7180
7181 testCases = append(testCases, testCase{
7182 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7183 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7184 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7185 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7186 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7187 signatureRSAPKCS1WithSHA1,
7188 },
7189 Bugs: ProtocolBugs{
7190 NoSignatureAlgorithms: true,
7191 },
7192 },
7193 shouldFail: true,
7194 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7195 })
7196
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7197 // Test that hash preferences are enforced. BoringSSL does not implement
7198 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7199 testCases = append(testCases, testCase{
7200 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7201 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7202 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7203 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7204 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7205 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7206 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7207 },
7208 Bugs: ProtocolBugs{
7209 IgnorePeerSignatureAlgorithmPreferences: true,
7210 },
7211 },
7212 flags: []string{"-require-any-client-certificate"},
7213 shouldFail: true,
7214 expectedError: ":WRONG_SIGNATURE_TYPE:",
7215 })
7216
7217 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7218 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7219 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7220 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7222 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7223 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7224 },
7225 Bugs: ProtocolBugs{
7226 IgnorePeerSignatureAlgorithmPreferences: true,
7227 },
7228 },
7229 shouldFail: true,
7230 expectedError: ":WRONG_SIGNATURE_TYPE:",
7231 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7232 testCases = append(testCases, testCase{
7233 testType: serverTest,
7234 name: "ClientAuth-Enforced-TLS13",
7235 config: Config{
7236 MaxVersion: VersionTLS13,
7237 Certificates: []Certificate{rsaCertificate},
7238 SignSignatureAlgorithms: []signatureAlgorithm{
7239 signatureRSAPKCS1WithMD5,
7240 },
7241 Bugs: ProtocolBugs{
7242 IgnorePeerSignatureAlgorithmPreferences: true,
7243 IgnoreSignatureVersionChecks: true,
7244 },
7245 },
7246 flags: []string{"-require-any-client-certificate"},
7247 shouldFail: true,
7248 expectedError: ":WRONG_SIGNATURE_TYPE:",
7249 })
7250
7251 testCases = append(testCases, testCase{
7252 name: "ServerAuth-Enforced-TLS13",
7253 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7254 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7255 SignSignatureAlgorithms: []signatureAlgorithm{
7256 signatureRSAPKCS1WithMD5,
7257 },
7258 Bugs: ProtocolBugs{
7259 IgnorePeerSignatureAlgorithmPreferences: true,
7260 IgnoreSignatureVersionChecks: true,
7261 },
7262 },
7263 shouldFail: true,
7264 expectedError: ":WRONG_SIGNATURE_TYPE:",
7265 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7266
7267 // Test that the agreed upon digest respects the client preferences and
7268 // the server digests.
7269 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7270 name: "NoCommonAlgorithms-Digests",
7271 config: Config{
7272 MaxVersion: VersionTLS12,
7273 ClientAuth: RequireAnyClientCert,
7274 VerifySignatureAlgorithms: []signatureAlgorithm{
7275 signatureRSAPKCS1WithSHA512,
7276 signatureRSAPKCS1WithSHA1,
7277 },
7278 },
7279 flags: []string{
7280 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7281 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7282 "-digest-prefs", "SHA256",
7283 },
7284 shouldFail: true,
7285 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7286 })
7287 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7288 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7289 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7290 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7291 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7292 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7293 signatureRSAPKCS1WithSHA512,
7294 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7295 },
7296 },
7297 flags: []string{
7298 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7299 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7300 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7301 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7302 shouldFail: true,
7303 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7304 })
7305 testCases = append(testCases, testCase{
7306 name: "NoCommonAlgorithms-TLS13",
7307 config: Config{
7308 MaxVersion: VersionTLS13,
7309 ClientAuth: RequireAnyClientCert,
7310 VerifySignatureAlgorithms: []signatureAlgorithm{
7311 signatureRSAPSSWithSHA512,
7312 signatureRSAPSSWithSHA384,
7313 },
7314 },
7315 flags: []string{
7316 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7317 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7318 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7319 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7320 shouldFail: true,
7321 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7322 })
7323 testCases = append(testCases, testCase{
7324 name: "Agree-Digest-SHA256",
7325 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7326 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7327 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7328 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7329 signatureRSAPKCS1WithSHA1,
7330 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7331 },
7332 },
7333 flags: []string{
7334 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7335 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7336 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7337 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7338 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7339 })
7340 testCases = append(testCases, testCase{
7341 name: "Agree-Digest-SHA1",
7342 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7343 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7344 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7345 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7346 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7347 },
7348 },
7349 flags: []string{
7350 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7351 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7352 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7353 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7354 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7355 })
7356 testCases = append(testCases, testCase{
7357 name: "Agree-Digest-Default",
7358 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7359 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7360 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7361 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7362 signatureRSAPKCS1WithSHA256,
7363 signatureECDSAWithP256AndSHA256,
7364 signatureRSAPKCS1WithSHA1,
7365 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7366 },
7367 },
7368 flags: []string{
7369 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7370 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7371 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7372 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7373 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7374
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7375 // Test that the signing preference list may include extra algorithms
7376 // without negotiation problems.
7377 testCases = append(testCases, testCase{
7378 testType: serverTest,
7379 name: "FilterExtraAlgorithms",
7380 config: Config{
7381 MaxVersion: VersionTLS12,
7382 VerifySignatureAlgorithms: []signatureAlgorithm{
7383 signatureRSAPKCS1WithSHA256,
7384 },
7385 },
7386 flags: []string{
7387 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7388 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7389 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7390 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7391 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7392 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7393 },
7394 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7395 })
7396
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7397 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7398 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7399 testCases = append(testCases, testCase{
7400 name: "CheckLeafCurve",
7401 config: Config{
7402 MaxVersion: VersionTLS12,
7403 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7404 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7405 },
7406 flags: []string{"-p384-only"},
7407 shouldFail: true,
7408 expectedError: ":BAD_ECC_CERT:",
7409 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7410
7411 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7412 testCases = append(testCases, testCase{
7413 name: "CheckLeafCurve-TLS13",
7414 config: Config{
7415 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7416 Certificates: []Certificate{ecdsaP256Certificate},
7417 },
7418 flags: []string{"-p384-only"},
7419 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7420
7421 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7422 testCases = append(testCases, testCase{
7423 name: "ECDSACurveMismatch-Verify-TLS12",
7424 config: Config{
7425 MaxVersion: VersionTLS12,
7426 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7427 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7428 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7429 signatureECDSAWithP384AndSHA384,
7430 },
7431 },
7432 })
7433
7434 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7435 testCases = append(testCases, testCase{
7436 name: "ECDSACurveMismatch-Verify-TLS13",
7437 config: Config{
7438 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7439 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7440 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7441 signatureECDSAWithP384AndSHA384,
7442 },
7443 Bugs: ProtocolBugs{
7444 SkipECDSACurveCheck: true,
7445 },
7446 },
7447 shouldFail: true,
7448 expectedError: ":WRONG_SIGNATURE_TYPE:",
7449 })
7450
7451 // Signature algorithm selection in TLS 1.3 should take the curve into
7452 // account.
7453 testCases = append(testCases, testCase{
7454 testType: serverTest,
7455 name: "ECDSACurveMismatch-Sign-TLS13",
7456 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7457 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7458 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7459 signatureECDSAWithP384AndSHA384,
7460 signatureECDSAWithP256AndSHA256,
7461 },
7462 },
7463 flags: []string{
7464 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7465 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7466 },
7467 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7468 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7469
7470 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7471 // server does not attempt to sign in that case.
7472 testCases = append(testCases, testCase{
7473 testType: serverTest,
7474 name: "RSA-PSS-Large",
7475 config: Config{
7476 MaxVersion: VersionTLS13,
7477 VerifySignatureAlgorithms: []signatureAlgorithm{
7478 signatureRSAPSSWithSHA512,
7479 },
7480 },
7481 flags: []string{
7482 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7483 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7484 },
7485 shouldFail: true,
7486 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7487 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7488
7489 // Test that RSA-PSS is enabled by default for TLS 1.2.
7490 testCases = append(testCases, testCase{
7491 testType: clientTest,
7492 name: "RSA-PSS-Default-Verify",
7493 config: Config{
7494 MaxVersion: VersionTLS12,
7495 SignSignatureAlgorithms: []signatureAlgorithm{
7496 signatureRSAPSSWithSHA256,
7497 },
7498 },
7499 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7500 })
7501
7502 testCases = append(testCases, testCase{
7503 testType: serverTest,
7504 name: "RSA-PSS-Default-Sign",
7505 config: Config{
7506 MaxVersion: VersionTLS12,
7507 VerifySignatureAlgorithms: []signatureAlgorithm{
7508 signatureRSAPSSWithSHA256,
7509 },
7510 },
7511 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7512 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7513}
7514
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7515// timeouts is the retransmit schedule for BoringSSL. It doubles and
7516// caps at 60 seconds. On the 13th timeout, it gives up.
7517var timeouts = []time.Duration{
7518 1 * time.Second,
7519 2 * time.Second,
7520 4 * time.Second,
7521 8 * time.Second,
7522 16 * time.Second,
7523 32 * time.Second,
7524 60 * time.Second,
7525 60 * time.Second,
7526 60 * time.Second,
7527 60 * time.Second,
7528 60 * time.Second,
7529 60 * time.Second,
7530 60 * time.Second,
7531}
7532
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7533// shortTimeouts is an alternate set of timeouts which would occur if the
7534// initial timeout duration was set to 250ms.
7535var shortTimeouts = []time.Duration{
7536 250 * time.Millisecond,
7537 500 * time.Millisecond,
7538 1 * time.Second,
7539 2 * time.Second,
7540 4 * time.Second,
7541 8 * time.Second,
7542 16 * time.Second,
7543 32 * time.Second,
7544 60 * time.Second,
7545 60 * time.Second,
7546 60 * time.Second,
7547 60 * time.Second,
7548 60 * time.Second,
7549}
7550
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7551func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7552 // These tests work by coordinating some behavior on both the shim and
7553 // the runner.
7554 //
7555 // TimeoutSchedule configures the runner to send a series of timeout
7556 // opcodes to the shim (see packetAdaptor) immediately before reading
7557 // each peer handshake flight N. The timeout opcode both simulates a
7558 // timeout in the shim and acts as a synchronization point to help the
7559 // runner bracket each handshake flight.
7560 //
7561 // We assume the shim does not read from the channel eagerly. It must
7562 // first wait until it has sent flight N and is ready to receive
7563 // handshake flight N+1. At this point, it will process the timeout
7564 // opcode. It must then immediately respond with a timeout ACK and act
7565 // as if the shim was idle for the specified amount of time.
7566 //
7567 // The runner then drops all packets received before the ACK and
7568 // continues waiting for flight N. This ordering results in one attempt
7569 // at sending flight N to be dropped. For the test to complete, the
7570 // shim must send flight N again, testing that the shim implements DTLS
7571 // retransmit on a timeout.
7572
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7573 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7574 // likely be more epochs to cross and the final message's retransmit may
7575 // be more complex.
7576
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7577 // Test that this is indeed the timeout schedule. Stress all
7578 // four patterns of handshake.
7579 for i := 1; i < len(timeouts); i++ {
7580 number := strconv.Itoa(i)
7581 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7582 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7583 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7584 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7585 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7586 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7587 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7588 },
7589 },
7590 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7591 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7592 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7593 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7594 protocol: dtls,
7595 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7596 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7597 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7598 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7599 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7600 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7601 },
7602 },
7603 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7604 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7605 })
7606 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7607
7608 // Test that exceeding the timeout schedule hits a read
7609 // timeout.
7610 testCases = append(testCases, testCase{
7611 protocol: dtls,
7612 name: "DTLS-Retransmit-Timeout",
7613 config: Config{
7614 MaxVersion: VersionTLS12,
7615 Bugs: ProtocolBugs{
7616 TimeoutSchedule: timeouts,
7617 },
7618 },
7619 resumeSession: true,
7620 flags: []string{"-async"},
7621 shouldFail: true,
7622 expectedError: ":READ_TIMEOUT_EXPIRED:",
7623 })
7624
7625 // Test that timeout handling has a fudge factor, due to API
7626 // problems.
7627 testCases = append(testCases, testCase{
7628 protocol: dtls,
7629 name: "DTLS-Retransmit-Fudge",
7630 config: Config{
7631 MaxVersion: VersionTLS12,
7632 Bugs: ProtocolBugs{
7633 TimeoutSchedule: []time.Duration{
7634 timeouts[0] - 10*time.Millisecond,
7635 },
7636 },
7637 },
7638 resumeSession: true,
7639 flags: []string{"-async"},
7640 })
7641
7642 // Test that the final Finished retransmitting isn't
7643 // duplicated if the peer badly fragments everything.
7644 testCases = append(testCases, testCase{
7645 testType: serverTest,
7646 protocol: dtls,
7647 name: "DTLS-Retransmit-Fragmented",
7648 config: Config{
7649 MaxVersion: VersionTLS12,
7650 Bugs: ProtocolBugs{
7651 TimeoutSchedule: []time.Duration{timeouts[0]},
7652 MaxHandshakeRecordLength: 2,
7653 },
7654 },
7655 flags: []string{"-async"},
7656 })
7657
7658 // Test the timeout schedule when a shorter initial timeout duration is set.
7659 testCases = append(testCases, testCase{
7660 protocol: dtls,
7661 name: "DTLS-Retransmit-Short-Client",
7662 config: Config{
7663 MaxVersion: VersionTLS12,
7664 Bugs: ProtocolBugs{
7665 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7666 },
7667 },
7668 resumeSession: true,
7669 flags: []string{
7670 "-async",
7671 "-initial-timeout-duration-ms", "250",
7672 },
7673 })
7674 testCases = append(testCases, testCase{
7675 protocol: dtls,
7676 testType: serverTest,
7677 name: "DTLS-Retransmit-Short-Server",
7678 config: Config{
7679 MaxVersion: VersionTLS12,
7680 Bugs: ProtocolBugs{
7681 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7682 },
7683 },
7684 resumeSession: true,
7685 flags: []string{
7686 "-async",
7687 "-initial-timeout-duration-ms", "250",
7688 },
7689 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7690}
7691
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7692func addExportKeyingMaterialTests() {
7693 for _, vers := range tlsVersions {
7694 if vers.version == VersionSSL30 {
7695 continue
7696 }
7697 testCases = append(testCases, testCase{
7698 name: "ExportKeyingMaterial-" + vers.name,
7699 config: Config{
7700 MaxVersion: vers.version,
7701 },
7702 exportKeyingMaterial: 1024,
7703 exportLabel: "label",
7704 exportContext: "context",
7705 useExportContext: true,
7706 })
7707 testCases = append(testCases, testCase{
7708 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7709 config: Config{
7710 MaxVersion: vers.version,
7711 },
7712 exportKeyingMaterial: 1024,
7713 })
7714 testCases = append(testCases, testCase{
7715 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7716 config: Config{
7717 MaxVersion: vers.version,
7718 },
7719 exportKeyingMaterial: 1024,
7720 useExportContext: true,
7721 })
7722 testCases = append(testCases, testCase{
7723 name: "ExportKeyingMaterial-Small-" + vers.name,
7724 config: Config{
7725 MaxVersion: vers.version,
7726 },
7727 exportKeyingMaterial: 1,
7728 exportLabel: "label",
7729 exportContext: "context",
7730 useExportContext: true,
7731 })
7732 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7733
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7734 testCases = append(testCases, testCase{
7735 name: "ExportKeyingMaterial-SSL3",
7736 config: Config{
7737 MaxVersion: VersionSSL30,
7738 },
7739 exportKeyingMaterial: 1024,
7740 exportLabel: "label",
7741 exportContext: "context",
7742 useExportContext: true,
7743 shouldFail: true,
7744 expectedError: "failed to export keying material",
7745 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7746
7747 // Exporters work during a False Start.
7748 testCases = append(testCases, testCase{
7749 name: "ExportKeyingMaterial-FalseStart",
7750 config: Config{
7751 MaxVersion: VersionTLS12,
7752 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7753 NextProtos: []string{"foo"},
7754 Bugs: ProtocolBugs{
7755 ExpectFalseStart: true,
7756 },
7757 },
7758 flags: []string{
7759 "-false-start",
7760 "-advertise-alpn", "\x03foo",
7761 },
7762 shimWritesFirst: true,
7763 exportKeyingMaterial: 1024,
7764 exportLabel: "label",
7765 exportContext: "context",
7766 useExportContext: true,
7767 })
7768
7769 // Exporters do not work in the middle of a renegotiation. Test this by
7770 // triggering the exporter after every SSL_read call and configuring the
7771 // shim to run asynchronously.
7772 testCases = append(testCases, testCase{
7773 name: "ExportKeyingMaterial-Renegotiate",
7774 config: Config{
7775 MaxVersion: VersionTLS12,
7776 },
7777 renegotiate: 1,
7778 flags: []string{
7779 "-async",
7780 "-use-exporter-between-reads",
7781 "-renegotiate-freely",
7782 "-expect-total-renegotiations", "1",
7783 },
7784 shouldFail: true,
7785 expectedError: "failed to export keying material",
7786 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7787}
7788
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7789func addTLSUniqueTests() {
7790 for _, isClient := range []bool{false, true} {
7791 for _, isResumption := range []bool{false, true} {
7792 for _, hasEMS := range []bool{false, true} {
7793 var suffix string
7794 if isResumption {
7795 suffix = "Resume-"
7796 } else {
7797 suffix = "Full-"
7798 }
7799
7800 if hasEMS {
7801 suffix += "EMS-"
7802 } else {
7803 suffix += "NoEMS-"
7804 }
7805
7806 if isClient {
7807 suffix += "Client"
7808 } else {
7809 suffix += "Server"
7810 }
7811
7812 test := testCase{
7813 name: "TLSUnique-" + suffix,
7814 testTLSUnique: true,
7815 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7816 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7817 Bugs: ProtocolBugs{
7818 NoExtendedMasterSecret: !hasEMS,
7819 },
7820 },
7821 }
7822
7823 if isResumption {
7824 test.resumeSession = true
7825 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7826 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7827 Bugs: ProtocolBugs{
7828 NoExtendedMasterSecret: !hasEMS,
7829 },
7830 }
7831 }
7832
7833 if isResumption && !hasEMS {
7834 test.shouldFail = true
7835 test.expectedError = "failed to get tls-unique"
7836 }
7837
7838 testCases = append(testCases, test)
7839 }
7840 }
7841 }
7842}
7843
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7844func addCustomExtensionTests() {
7845 expectedContents := "custom extension"
7846 emptyString := ""
7847
7848 for _, isClient := range []bool{false, true} {
7849 suffix := "Server"
7850 flag := "-enable-server-custom-extension"
7851 testType := serverTest
7852 if isClient {
7853 suffix = "Client"
7854 flag = "-enable-client-custom-extension"
7855 testType = clientTest
7856 }
7857
7858 testCases = append(testCases, testCase{
7859 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7860 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7861 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7862 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7863 Bugs: ProtocolBugs{
7864 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7865 ExpectedCustomExtension: &expectedContents,
7866 },
7867 },
7868 flags: []string{flag},
7869 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7870 testCases = append(testCases, testCase{
7871 testType: testType,
7872 name: "CustomExtensions-" + suffix + "-TLS13",
7873 config: Config{
7874 MaxVersion: VersionTLS13,
7875 Bugs: ProtocolBugs{
7876 CustomExtension: expectedContents,
7877 ExpectedCustomExtension: &expectedContents,
7878 },
7879 },
7880 flags: []string{flag},
7881 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7882
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]7883 // 0-RTT is not currently supported with Custom Extensions.
7884 testCases = append(testCases, testCase{
7885 testType: testType,
7886 name: "CustomExtensions-" + suffix + "-EarlyData",
7887 config: Config{
7888 MaxVersion: VersionTLS13,
7889 Bugs: ProtocolBugs{
7890 CustomExtension: expectedContents,
7891 ExpectedCustomExtension: &expectedContents,
7892 },
7893 },
7894 shouldFail: true,
7895 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7896 flags: []string{flag, "-enable-early-data"},
7897 })
7898
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7899 // If the parse callback fails, the handshake should also fail.
7900 testCases = append(testCases, testCase{
7901 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7902 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7903 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7904 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7905 Bugs: ProtocolBugs{
7906 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7907 ExpectedCustomExtension: &expectedContents,
7908 },
7909 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7910 flags: []string{flag},
7911 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7912 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7913 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7914 testCases = append(testCases, testCase{
7915 testType: testType,
7916 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7917 config: Config{
7918 MaxVersion: VersionTLS13,
7919 Bugs: ProtocolBugs{
7920 CustomExtension: expectedContents + "foo",
7921 ExpectedCustomExtension: &expectedContents,
7922 },
7923 },
7924 flags: []string{flag},
7925 shouldFail: true,
7926 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7927 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7928
7929 // If the add callback fails, the handshake should also fail.
7930 testCases = append(testCases, testCase{
7931 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7932 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7933 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7934 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7935 Bugs: ProtocolBugs{
7936 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7937 ExpectedCustomExtension: &expectedContents,
7938 },
7939 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7940 flags: []string{flag, "-custom-extension-fail-add"},
7941 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7942 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7943 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7944 testCases = append(testCases, testCase{
7945 testType: testType,
7946 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7947 config: Config{
7948 MaxVersion: VersionTLS13,
7949 Bugs: ProtocolBugs{
7950 CustomExtension: expectedContents,
7951 ExpectedCustomExtension: &expectedContents,
7952 },
7953 },
7954 flags: []string{flag, "-custom-extension-fail-add"},
7955 shouldFail: true,
7956 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7957 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7958
7959 // If the add callback returns zero, no extension should be
7960 // added.
7961 skipCustomExtension := expectedContents
7962 if isClient {
7963 // For the case where the client skips sending the
7964 // custom extension, the server must not “echo” it.
7965 skipCustomExtension = ""
7966 }
7967 testCases = append(testCases, testCase{
7968 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7969 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7970 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7971 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7972 Bugs: ProtocolBugs{
7973 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7974 ExpectedCustomExtension: &emptyString,
7975 },
7976 },
7977 flags: []string{flag, "-custom-extension-skip"},
7978 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7979 testCases = append(testCases, testCase{
7980 testType: testType,
7981 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7982 config: Config{
7983 MaxVersion: VersionTLS13,
7984 Bugs: ProtocolBugs{
7985 CustomExtension: skipCustomExtension,
7986 ExpectedCustomExtension: &emptyString,
7987 },
7988 },
7989 flags: []string{flag, "-custom-extension-skip"},
7990 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7991 }
7992
7993 // The custom extension add callback should not be called if the client
7994 // doesn't send the extension.
7995 testCases = append(testCases, testCase{
7996 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7997 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7998 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7999 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]8000 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8001 ExpectedCustomExtension: &emptyString,
8002 },
8003 },
8004 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8005 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8006
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8007 testCases = append(testCases, testCase{
8008 testType: serverTest,
8009 name: "CustomExtensions-NotCalled-Server-TLS13",
8010 config: Config{
8011 MaxVersion: VersionTLS13,
8012 Bugs: ProtocolBugs{
8013 ExpectedCustomExtension: &emptyString,
8014 },
8015 },
8016 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8017 })
8018
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8019 // Test an unknown extension from the server.
8020 testCases = append(testCases, testCase{
8021 testType: clientTest,
8022 name: "UnknownExtension-Client",
8023 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8024 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8025 Bugs: ProtocolBugs{
8026 CustomExtension: expectedContents,
8027 },
8028 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8029 shouldFail: true,
8030 expectedError: ":UNEXPECTED_EXTENSION:",
8031 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8032 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8033 testCases = append(testCases, testCase{
8034 testType: clientTest,
8035 name: "UnknownExtension-Client-TLS13",
8036 config: Config{
8037 MaxVersion: VersionTLS13,
8038 Bugs: ProtocolBugs{
8039 CustomExtension: expectedContents,
8040 },
8041 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8042 shouldFail: true,
8043 expectedError: ":UNEXPECTED_EXTENSION:",
8044 expectedLocalError: "remote error: unsupported extension",
8045 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8046 testCases = append(testCases, testCase{
8047 testType: clientTest,
8048 name: "UnknownUnencryptedExtension-Client-TLS13",
8049 config: Config{
8050 MaxVersion: VersionTLS13,
8051 Bugs: ProtocolBugs{
8052 CustomUnencryptedExtension: expectedContents,
8053 },
8054 },
8055 shouldFail: true,
8056 expectedError: ":UNEXPECTED_EXTENSION:",
8057 // The shim must send an alert, but alerts at this point do not
8058 // get successfully decrypted by the runner.
8059 expectedLocalError: "local error: bad record MAC",
8060 })
8061 testCases = append(testCases, testCase{
8062 testType: clientTest,
8063 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8064 config: Config{
8065 MaxVersion: VersionTLS13,
8066 Bugs: ProtocolBugs{
8067 SendUnencryptedALPN: "foo",
8068 },
8069 },
8070 flags: []string{
8071 "-advertise-alpn", "\x03foo\x03bar",
8072 },
8073 shouldFail: true,
8074 expectedError: ":UNEXPECTED_EXTENSION:",
8075 // The shim must send an alert, but alerts at this point do not
8076 // get successfully decrypted by the runner.
8077 expectedLocalError: "local error: bad record MAC",
8078 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8079
8080 // Test a known but unoffered extension from the server.
8081 testCases = append(testCases, testCase{
8082 testType: clientTest,
8083 name: "UnofferedExtension-Client",
8084 config: Config{
8085 MaxVersion: VersionTLS12,
8086 Bugs: ProtocolBugs{
8087 SendALPN: "alpn",
8088 },
8089 },
8090 shouldFail: true,
8091 expectedError: ":UNEXPECTED_EXTENSION:",
8092 expectedLocalError: "remote error: unsupported extension",
8093 })
8094 testCases = append(testCases, testCase{
8095 testType: clientTest,
8096 name: "UnofferedExtension-Client-TLS13",
8097 config: Config{
8098 MaxVersion: VersionTLS13,
8099 Bugs: ProtocolBugs{
8100 SendALPN: "alpn",
8101 },
8102 },
8103 shouldFail: true,
8104 expectedError: ":UNEXPECTED_EXTENSION:",
8105 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8106 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8107}
8108
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8109func addRSAClientKeyExchangeTests() {
8110 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8111 testCases = append(testCases, testCase{
8112 testType: serverTest,
8113 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8114 config: Config{
8115 // Ensure the ClientHello version and final
8116 // version are different, to detect if the
8117 // server uses the wrong one.
8118 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8119 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8120 Bugs: ProtocolBugs{
8121 BadRSAClientKeyExchange: bad,
8122 },
8123 },
8124 shouldFail: true,
8125 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8126 })
8127 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8128
8129 // The server must compare whatever was in ClientHello.version for the
8130 // RSA premaster.
8131 testCases = append(testCases, testCase{
8132 testType: serverTest,
8133 name: "SendClientVersion-RSA",
8134 config: Config{
8135 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8136 Bugs: ProtocolBugs{
8137 SendClientVersion: 0x1234,
8138 },
8139 },
8140 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8141 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8142}
8143
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8144var testCurves = []struct {
8145 name string
8146 id CurveID
8147}{
Adam Langley764ab982017-03-10 18:01:30 -0800[diff] [blame]8148 {"P-224", CurveP224},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8149 {"P-256", CurveP256},
8150 {"P-384", CurveP384},
8151 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8152 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8153}
8154
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8155const bogusCurve = 0x1234
8156
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8157func addCurveTests() {
8158 for _, curve := range testCurves {
8159 testCases = append(testCases, testCase{
8160 name: "CurveTest-Client-" + curve.name,
8161 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8162 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8163 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8164 CurvePreferences: []CurveID{curve.id},
8165 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8166 flags: []string{
8167 "-enable-all-curves",
8168 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8169 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8170 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8171 })
8172 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8173 name: "CurveTest-Client-" + curve.name + "-TLS13",
8174 config: Config{
8175 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8176 CurvePreferences: []CurveID{curve.id},
8177 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8178 flags: []string{
8179 "-enable-all-curves",
8180 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8181 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8182 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8183 })
8184 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8185 testType: serverTest,
8186 name: "CurveTest-Server-" + curve.name,
8187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8188 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8189 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8190 CurvePreferences: []CurveID{curve.id},
8191 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8192 flags: []string{
8193 "-enable-all-curves",
8194 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8195 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8196 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8197 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8198 testCases = append(testCases, testCase{
8199 testType: serverTest,
8200 name: "CurveTest-Server-" + curve.name + "-TLS13",
8201 config: Config{
8202 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8203 CurvePreferences: []CurveID{curve.id},
8204 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8205 flags: []string{
8206 "-enable-all-curves",
8207 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8208 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8209 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8210 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8211 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8212
8213 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8214 testCases = append(testCases, testCase{
8215 testType: serverTest,
8216 name: "UnknownCurve",
8217 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8218 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8219 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8220 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8221 },
8222 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8223
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8224 // The server must be tolerant to bogus curves.
8225 testCases = append(testCases, testCase{
8226 testType: serverTest,
8227 name: "UnknownCurve-TLS13",
8228 config: Config{
8229 MaxVersion: VersionTLS13,
8230 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8231 },
8232 })
8233
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8234 // The server must not consider ECDHE ciphers when there are no
8235 // supported curves.
8236 testCases = append(testCases, testCase{
8237 testType: serverTest,
8238 name: "NoSupportedCurves",
8239 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8240 MaxVersion: VersionTLS12,
8241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8242 Bugs: ProtocolBugs{
8243 NoSupportedCurves: true,
8244 },
8245 },
8246 shouldFail: true,
8247 expectedError: ":NO_SHARED_CIPHER:",
8248 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8249 testCases = append(testCases, testCase{
8250 testType: serverTest,
8251 name: "NoSupportedCurves-TLS13",
8252 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8253 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8254 Bugs: ProtocolBugs{
8255 NoSupportedCurves: true,
8256 },
8257 },
8258 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8259 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8260 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8261
8262 // The server must fall back to another cipher when there are no
8263 // supported curves.
8264 testCases = append(testCases, testCase{
8265 testType: serverTest,
8266 name: "NoCommonCurves",
8267 config: Config{
8268 MaxVersion: VersionTLS12,
8269 CipherSuites: []uint16{
8270 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8271 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8272 },
8273 CurvePreferences: []CurveID{CurveP224},
8274 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8275 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8276 })
8277
8278 // The client must reject bogus curves and disabled curves.
8279 testCases = append(testCases, testCase{
8280 name: "BadECDHECurve",
8281 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8282 MaxVersion: VersionTLS12,
8283 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8284 Bugs: ProtocolBugs{
8285 SendCurve: bogusCurve,
8286 },
8287 },
8288 shouldFail: true,
8289 expectedError: ":WRONG_CURVE:",
8290 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8291 testCases = append(testCases, testCase{
8292 name: "BadECDHECurve-TLS13",
8293 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8294 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8295 Bugs: ProtocolBugs{
8296 SendCurve: bogusCurve,
8297 },
8298 },
8299 shouldFail: true,
8300 expectedError: ":WRONG_CURVE:",
8301 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8302
8303 testCases = append(testCases, testCase{
8304 name: "UnsupportedCurve",
8305 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8306 MaxVersion: VersionTLS12,
8307 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8308 CurvePreferences: []CurveID{CurveP256},
8309 Bugs: ProtocolBugs{
8310 IgnorePeerCurvePreferences: true,
8311 },
8312 },
8313 flags: []string{"-p384-only"},
8314 shouldFail: true,
8315 expectedError: ":WRONG_CURVE:",
8316 })
8317
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8318 testCases = append(testCases, testCase{
8319 // TODO(davidben): Add a TLS 1.3 version where
8320 // HelloRetryRequest requests an unsupported curve.
8321 name: "UnsupportedCurve-ServerHello-TLS13",
8322 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8323 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8324 CurvePreferences: []CurveID{CurveP384},
8325 Bugs: ProtocolBugs{
8326 SendCurve: CurveP256,
8327 },
8328 },
8329 flags: []string{"-p384-only"},
8330 shouldFail: true,
8331 expectedError: ":WRONG_CURVE:",
8332 })
8333
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8334 // Test invalid curve points.
8335 testCases = append(testCases, testCase{
8336 name: "InvalidECDHPoint-Client",
8337 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8338 MaxVersion: VersionTLS12,
8339 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8340 CurvePreferences: []CurveID{CurveP256},
8341 Bugs: ProtocolBugs{
8342 InvalidECDHPoint: true,
8343 },
8344 },
8345 shouldFail: true,
8346 expectedError: ":INVALID_ENCODING:",
8347 })
8348 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8349 name: "InvalidECDHPoint-Client-TLS13",
8350 config: Config{
8351 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8352 CurvePreferences: []CurveID{CurveP256},
8353 Bugs: ProtocolBugs{
8354 InvalidECDHPoint: true,
8355 },
8356 },
8357 shouldFail: true,
8358 expectedError: ":INVALID_ENCODING:",
8359 })
8360 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8361 testType: serverTest,
8362 name: "InvalidECDHPoint-Server",
8363 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8364 MaxVersion: VersionTLS12,
8365 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8366 CurvePreferences: []CurveID{CurveP256},
8367 Bugs: ProtocolBugs{
8368 InvalidECDHPoint: true,
8369 },
8370 },
8371 shouldFail: true,
8372 expectedError: ":INVALID_ENCODING:",
8373 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8374 testCases = append(testCases, testCase{
8375 testType: serverTest,
8376 name: "InvalidECDHPoint-Server-TLS13",
8377 config: Config{
8378 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8379 CurvePreferences: []CurveID{CurveP256},
8380 Bugs: ProtocolBugs{
8381 InvalidECDHPoint: true,
8382 },
8383 },
8384 shouldFail: true,
8385 expectedError: ":INVALID_ENCODING:",
8386 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8387
8388 // The previous curve ID should be reported on TLS 1.2 resumption.
8389 testCases = append(testCases, testCase{
8390 name: "CurveID-Resume-Client",
8391 config: Config{
8392 MaxVersion: VersionTLS12,
8393 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8394 CurvePreferences: []CurveID{CurveX25519},
8395 },
8396 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8397 resumeSession: true,
8398 })
8399 testCases = append(testCases, testCase{
8400 testType: serverTest,
8401 name: "CurveID-Resume-Server",
8402 config: Config{
8403 MaxVersion: VersionTLS12,
8404 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8405 CurvePreferences: []CurveID{CurveX25519},
8406 },
8407 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8408 resumeSession: true,
8409 })
8410
8411 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8412 // one should be reported.
8413 testCases = append(testCases, testCase{
8414 name: "CurveID-Resume-Client-TLS13",
8415 config: Config{
8416 MaxVersion: VersionTLS13,
8417 CurvePreferences: []CurveID{CurveX25519},
8418 },
8419 resumeConfig: &Config{
8420 MaxVersion: VersionTLS13,
8421 CurvePreferences: []CurveID{CurveP256},
8422 },
8423 flags: []string{
8424 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8425 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8426 },
8427 resumeSession: true,
8428 })
8429 testCases = append(testCases, testCase{
8430 testType: serverTest,
8431 name: "CurveID-Resume-Server-TLS13",
8432 config: Config{
8433 MaxVersion: VersionTLS13,
8434 CurvePreferences: []CurveID{CurveX25519},
8435 },
8436 resumeConfig: &Config{
8437 MaxVersion: VersionTLS13,
8438 CurvePreferences: []CurveID{CurveP256},
8439 },
8440 flags: []string{
8441 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8442 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8443 },
8444 resumeSession: true,
8445 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8446
8447 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8448 testCases = append(testCases, testCase{
8449 name: "PointFormat-ServerHello-TLS12",
8450 config: Config{
8451 MaxVersion: VersionTLS12,
8452 Bugs: ProtocolBugs{
8453 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8454 },
8455 },
8456 })
8457 testCases = append(testCases, testCase{
8458 name: "PointFormat-EncryptedExtensions-TLS13",
8459 config: Config{
8460 MaxVersion: VersionTLS13,
8461 Bugs: ProtocolBugs{
8462 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8463 },
8464 },
8465 shouldFail: true,
8466 expectedError: ":ERROR_PARSING_EXTENSION:",
8467 })
8468
8469 // Test that we tolerate unknown point formats, as long as
8470 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8471 // check they are still functional.
8472 testCases = append(testCases, testCase{
8473 name: "PointFormat-Client-Tolerance",
8474 config: Config{
8475 MaxVersion: VersionTLS12,
8476 Bugs: ProtocolBugs{
8477 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8478 },
8479 },
8480 })
8481 testCases = append(testCases, testCase{
8482 testType: serverTest,
8483 name: "PointFormat-Server-Tolerance",
8484 config: Config{
8485 MaxVersion: VersionTLS12,
8486 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8487 Bugs: ProtocolBugs{
8488 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8489 },
8490 },
8491 })
8492
8493 // Test TLS 1.2 does not require the point format extension to be
8494 // present.
8495 testCases = append(testCases, testCase{
8496 name: "PointFormat-Client-Missing",
8497 config: Config{
8498 MaxVersion: VersionTLS12,
8499 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8500 Bugs: ProtocolBugs{
8501 SendSupportedPointFormats: []byte{},
8502 },
8503 },
8504 })
8505 testCases = append(testCases, testCase{
8506 testType: serverTest,
8507 name: "PointFormat-Server-Missing",
8508 config: Config{
8509 MaxVersion: VersionTLS12,
8510 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8511 Bugs: ProtocolBugs{
8512 SendSupportedPointFormats: []byte{},
8513 },
8514 },
8515 })
8516
8517 // If the point format extension is present, uncompressed points must be
8518 // offered. BoringSSL requires this whether or not ECDHE is used.
8519 testCases = append(testCases, testCase{
8520 name: "PointFormat-Client-MissingUncompressed",
8521 config: Config{
8522 MaxVersion: VersionTLS12,
8523 Bugs: ProtocolBugs{
8524 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8525 },
8526 },
8527 shouldFail: true,
8528 expectedError: ":ERROR_PARSING_EXTENSION:",
8529 })
8530 testCases = append(testCases, testCase{
8531 testType: serverTest,
8532 name: "PointFormat-Server-MissingUncompressed",
8533 config: Config{
8534 MaxVersion: VersionTLS12,
8535 Bugs: ProtocolBugs{
8536 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8537 },
8538 },
8539 shouldFail: true,
8540 expectedError: ":ERROR_PARSING_EXTENSION:",
8541 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8542}
8543
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8544func addTLS13RecordTests() {
8545 testCases = append(testCases, testCase{
8546 name: "TLS13-RecordPadding",
8547 config: Config{
8548 MaxVersion: VersionTLS13,
8549 MinVersion: VersionTLS13,
8550 Bugs: ProtocolBugs{
8551 RecordPadding: 10,
8552 },
8553 },
8554 })
8555
8556 testCases = append(testCases, testCase{
8557 name: "TLS13-EmptyRecords",
8558 config: Config{
8559 MaxVersion: VersionTLS13,
8560 MinVersion: VersionTLS13,
8561 Bugs: ProtocolBugs{
8562 OmitRecordContents: true,
8563 },
8564 },
8565 shouldFail: true,
8566 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8567 })
8568
8569 testCases = append(testCases, testCase{
8570 name: "TLS13-OnlyPadding",
8571 config: Config{
8572 MaxVersion: VersionTLS13,
8573 MinVersion: VersionTLS13,
8574 Bugs: ProtocolBugs{
8575 OmitRecordContents: true,
8576 RecordPadding: 10,
8577 },
8578 },
8579 shouldFail: true,
8580 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8581 })
8582
8583 testCases = append(testCases, testCase{
8584 name: "TLS13-WrongOuterRecord",
8585 config: Config{
8586 MaxVersion: VersionTLS13,
8587 MinVersion: VersionTLS13,
8588 Bugs: ProtocolBugs{
8589 OuterRecordType: recordTypeHandshake,
8590 },
8591 },
8592 shouldFail: true,
8593 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8594 })
8595}
8596
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8597func addSessionTicketTests() {
8598 testCases = append(testCases, testCase{
8599 // In TLS 1.2 and below, empty NewSessionTicket messages
8600 // mean the server changed its mind on sending a ticket.
8601 name: "SendEmptySessionTicket",
8602 config: Config{
8603 MaxVersion: VersionTLS12,
8604 Bugs: ProtocolBugs{
8605 SendEmptySessionTicket: true,
8606 },
8607 },
8608 flags: []string{"-expect-no-session"},
8609 })
8610
8611 // Test that the server ignores unknown PSK modes.
8612 testCases = append(testCases, testCase{
8613 testType: serverTest,
8614 name: "TLS13-SendUnknownModeSessionTicket-Server",
8615 config: Config{
8616 MaxVersion: VersionTLS13,
8617 Bugs: ProtocolBugs{
8618 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8619 },
8620 },
8621 resumeSession: true,
8622 expectedResumeVersion: VersionTLS13,
8623 })
8624
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8625 // Test that the server does not send session tickets with no matching key exchange mode.
8626 testCases = append(testCases, testCase{
8627 testType: serverTest,
8628 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8629 config: Config{
8630 MaxVersion: VersionTLS13,
8631 Bugs: ProtocolBugs{
8632 SendPSKKeyExchangeModes: []byte{0x1a},
8633 ExpectNoNewSessionTicket: true,
8634 },
8635 },
8636 })
8637
8638 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8639 testCases = append(testCases, testCase{
8640 testType: serverTest,
8641 name: "TLS13-SendBadKEModeSessionTicket-Server",
8642 config: Config{
8643 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8644 },
8645 resumeConfig: &Config{
8646 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8647 Bugs: ProtocolBugs{
8648 SendPSKKeyExchangeModes: []byte{0x1a},
8649 },
8650 },
8651 resumeSession: true,
8652 expectResumeRejected: true,
8653 })
8654
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8655 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8656 testCases = append(testCases, testCase{
8657 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8658 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8659 config: Config{
8660 MaxVersion: VersionTLS13,
8661 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8662 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8663 },
8664 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8665 resumeSession: true,
8666 flags: []string{
8667 "-resumption-delay", "10",
8668 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8669 })
8670
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8671 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8672 testCases = append(testCases, testCase{
8673 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8674 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8675 config: Config{
8676 MaxVersion: VersionTLS13,
8677 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8678 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8679 },
8680 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8681 resumeSession: true,
8682 shouldFail: true,
8683 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8684 })
8685
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8686 // Test that the server's ticket age skew reporting works.
8687 testCases = append(testCases, testCase{
8688 testType: serverTest,
8689 name: "TLS13-TicketAgeSkew-Forward",
8690 config: Config{
8691 MaxVersion: VersionTLS13,
8692 Bugs: ProtocolBugs{
8693 SendTicketAge: 15 * time.Second,
8694 },
8695 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8696 resumeSession: true,
8697 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8698 flags: []string{
8699 "-resumption-delay", "10",
8700 "-expect-ticket-age-skew", "5",
8701 },
8702 })
8703 testCases = append(testCases, testCase{
8704 testType: serverTest,
8705 name: "TLS13-TicketAgeSkew-Backward",
8706 config: Config{
8707 MaxVersion: VersionTLS13,
8708 Bugs: ProtocolBugs{
8709 SendTicketAge: 5 * time.Second,
8710 },
8711 },
David Benjamin065d7332017-03-26 10:51:43 -0500[diff] [blame]8712 resumeSession: true,
8713 resumeRenewedSession: true,
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8714 flags: []string{
8715 "-resumption-delay", "10",
8716 "-expect-ticket-age-skew", "-5",
8717 },
8718 })
8719
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8720 testCases = append(testCases, testCase{
8721 testType: clientTest,
8722 name: "TLS13-SendTicketEarlyDataInfo",
8723 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8724 MaxVersion: VersionTLS13,
8725 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8726 },
8727 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8728 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8729 "-expect-early-data-info",
8730 },
8731 })
8732
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8733 // Test that 0-RTT tickets are ignored in clients unless opted in.
8734 testCases = append(testCases, testCase{
8735 testType: clientTest,
8736 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8737 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8738 MaxVersion: VersionTLS13,
8739 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8740 },
8741 })
8742
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8743 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8744 testType: clientTest,
8745 name: "TLS13-DuplicateTicketEarlyDataInfo",
8746 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8747 MaxVersion: VersionTLS13,
8748 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8749 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8750 DuplicateTicketEarlyDataInfo: true,
8751 },
8752 },
8753 shouldFail: true,
8754 expectedError: ":DUPLICATE_EXTENSION:",
8755 expectedLocalError: "remote error: illegal parameter",
8756 })
8757
8758 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8759 testType: serverTest,
8760 name: "TLS13-ExpectTicketEarlyDataInfo",
8761 config: Config{
8762 MaxVersion: VersionTLS13,
8763 Bugs: ProtocolBugs{
8764 ExpectTicketEarlyDataInfo: true,
8765 },
8766 },
8767 flags: []string{
8768 "-enable-early-data",
8769 },
8770 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8771
8772 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8773 // is honored.
8774 testCases = append(testCases, testCase{
8775 testType: clientTest,
8776 name: "TLS13-HonorServerSessionTicketLifetime",
8777 config: Config{
8778 MaxVersion: VersionTLS13,
8779 Bugs: ProtocolBugs{
8780 SendTicketLifetime: 20 * time.Second,
8781 },
8782 },
8783 flags: []string{
8784 "-resumption-delay", "19",
8785 },
8786 resumeSession: true,
8787 })
8788 testCases = append(testCases, testCase{
8789 testType: clientTest,
8790 name: "TLS13-HonorServerSessionTicketLifetime-2",
8791 config: Config{
8792 MaxVersion: VersionTLS13,
8793 Bugs: ProtocolBugs{
8794 SendTicketLifetime: 20 * time.Second,
8795 // The client should not offer the expired session.
8796 ExpectNoTLS13PSK: true,
8797 },
8798 },
8799 flags: []string{
8800 "-resumption-delay", "21",
8801 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]8802 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8803 expectResumeRejected: true,
8804 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8805}
8806
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8807func addChangeCipherSpecTests() {
8808 // Test missing ChangeCipherSpecs.
8809 testCases = append(testCases, testCase{
8810 name: "SkipChangeCipherSpec-Client",
8811 config: Config{
8812 MaxVersion: VersionTLS12,
8813 Bugs: ProtocolBugs{
8814 SkipChangeCipherSpec: true,
8815 },
8816 },
8817 shouldFail: true,
8818 expectedError: ":UNEXPECTED_RECORD:",
8819 })
8820 testCases = append(testCases, testCase{
8821 testType: serverTest,
8822 name: "SkipChangeCipherSpec-Server",
8823 config: Config{
8824 MaxVersion: VersionTLS12,
8825 Bugs: ProtocolBugs{
8826 SkipChangeCipherSpec: true,
8827 },
8828 },
8829 shouldFail: true,
8830 expectedError: ":UNEXPECTED_RECORD:",
8831 })
8832 testCases = append(testCases, testCase{
8833 testType: serverTest,
8834 name: "SkipChangeCipherSpec-Server-NPN",
8835 config: Config{
8836 MaxVersion: VersionTLS12,
8837 NextProtos: []string{"bar"},
8838 Bugs: ProtocolBugs{
8839 SkipChangeCipherSpec: true,
8840 },
8841 },
8842 flags: []string{
8843 "-advertise-npn", "\x03foo\x03bar\x03baz",
8844 },
8845 shouldFail: true,
8846 expectedError: ":UNEXPECTED_RECORD:",
8847 })
8848
8849 // Test synchronization between the handshake and ChangeCipherSpec.
8850 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8851 // rejected. Test both with and without handshake packing to handle both
8852 // when the partial post-CCS message is in its own record and when it is
8853 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8854 for _, packed := range []bool{false, true} {
8855 var suffix string
8856 if packed {
8857 suffix = "-Packed"
8858 }
8859
8860 testCases = append(testCases, testCase{
8861 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8862 config: Config{
8863 MaxVersion: VersionTLS12,
8864 Bugs: ProtocolBugs{
8865 FragmentAcrossChangeCipherSpec: true,
8866 PackHandshakeFlight: packed,
8867 },
8868 },
8869 shouldFail: true,
8870 expectedError: ":UNEXPECTED_RECORD:",
8871 })
8872 testCases = append(testCases, testCase{
8873 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8874 config: Config{
8875 MaxVersion: VersionTLS12,
8876 },
8877 resumeSession: true,
8878 resumeConfig: &Config{
8879 MaxVersion: VersionTLS12,
8880 Bugs: ProtocolBugs{
8881 FragmentAcrossChangeCipherSpec: true,
8882 PackHandshakeFlight: packed,
8883 },
8884 },
8885 shouldFail: true,
8886 expectedError: ":UNEXPECTED_RECORD:",
8887 })
8888 testCases = append(testCases, testCase{
8889 testType: serverTest,
8890 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8891 config: Config{
8892 MaxVersion: VersionTLS12,
8893 Bugs: ProtocolBugs{
8894 FragmentAcrossChangeCipherSpec: true,
8895 PackHandshakeFlight: packed,
8896 },
8897 },
8898 shouldFail: true,
8899 expectedError: ":UNEXPECTED_RECORD:",
8900 })
8901 testCases = append(testCases, testCase{
8902 testType: serverTest,
8903 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8904 config: Config{
8905 MaxVersion: VersionTLS12,
8906 },
8907 resumeSession: true,
8908 resumeConfig: &Config{
8909 MaxVersion: VersionTLS12,
8910 Bugs: ProtocolBugs{
8911 FragmentAcrossChangeCipherSpec: true,
8912 PackHandshakeFlight: packed,
8913 },
8914 },
8915 shouldFail: true,
8916 expectedError: ":UNEXPECTED_RECORD:",
8917 })
8918 testCases = append(testCases, testCase{
8919 testType: serverTest,
8920 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8921 config: Config{
8922 MaxVersion: VersionTLS12,
8923 NextProtos: []string{"bar"},
8924 Bugs: ProtocolBugs{
8925 FragmentAcrossChangeCipherSpec: true,
8926 PackHandshakeFlight: packed,
8927 },
8928 },
8929 flags: []string{
8930 "-advertise-npn", "\x03foo\x03bar\x03baz",
8931 },
8932 shouldFail: true,
8933 expectedError: ":UNEXPECTED_RECORD:",
8934 })
8935 }
8936
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8937 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8938 // messages in the handshake queue. Do this by testing the server
8939 // reading the client Finished, reversing the flight so Finished comes
8940 // first.
8941 testCases = append(testCases, testCase{
8942 protocol: dtls,
8943 testType: serverTest,
8944 name: "SendUnencryptedFinished-DTLS",
8945 config: Config{
8946 MaxVersion: VersionTLS12,
8947 Bugs: ProtocolBugs{
8948 SendUnencryptedFinished: true,
8949 ReverseHandshakeFragments: true,
8950 },
8951 },
8952 shouldFail: true,
8953 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8954 })
8955
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8956 // Test synchronization between encryption changes and the handshake in
8957 // TLS 1.3, where ChangeCipherSpec is implicit.
8958 testCases = append(testCases, testCase{
8959 name: "PartialEncryptedExtensionsWithServerHello",
8960 config: Config{
8961 MaxVersion: VersionTLS13,
8962 Bugs: ProtocolBugs{
8963 PartialEncryptedExtensionsWithServerHello: true,
8964 },
8965 },
8966 shouldFail: true,
8967 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8968 })
8969 testCases = append(testCases, testCase{
8970 testType: serverTest,
8971 name: "PartialClientFinishedWithClientHello",
8972 config: Config{
8973 MaxVersion: VersionTLS13,
8974 Bugs: ProtocolBugs{
8975 PartialClientFinishedWithClientHello: true,
8976 },
8977 },
8978 shouldFail: true,
8979 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8980 })
8981
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8982 // Test that early ChangeCipherSpecs are handled correctly.
8983 testCases = append(testCases, testCase{
8984 testType: serverTest,
8985 name: "EarlyChangeCipherSpec-server-1",
8986 config: Config{
8987 MaxVersion: VersionTLS12,
8988 Bugs: ProtocolBugs{
8989 EarlyChangeCipherSpec: 1,
8990 },
8991 },
8992 shouldFail: true,
8993 expectedError: ":UNEXPECTED_RECORD:",
8994 })
8995 testCases = append(testCases, testCase{
8996 testType: serverTest,
8997 name: "EarlyChangeCipherSpec-server-2",
8998 config: Config{
8999 MaxVersion: VersionTLS12,
9000 Bugs: ProtocolBugs{
9001 EarlyChangeCipherSpec: 2,
9002 },
9003 },
9004 shouldFail: true,
9005 expectedError: ":UNEXPECTED_RECORD:",
9006 })
9007 testCases = append(testCases, testCase{
9008 protocol: dtls,
9009 name: "StrayChangeCipherSpec",
9010 config: Config{
9011 // TODO(davidben): Once DTLS 1.3 exists, test
9012 // that stray ChangeCipherSpec messages are
9013 // rejected.
9014 MaxVersion: VersionTLS12,
9015 Bugs: ProtocolBugs{
9016 StrayChangeCipherSpec: true,
9017 },
9018 },
9019 })
9020
9021 // Test that the contents of ChangeCipherSpec are checked.
9022 testCases = append(testCases, testCase{
9023 name: "BadChangeCipherSpec-1",
9024 config: Config{
9025 MaxVersion: VersionTLS12,
9026 Bugs: ProtocolBugs{
9027 BadChangeCipherSpec: []byte{2},
9028 },
9029 },
9030 shouldFail: true,
9031 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9032 })
9033 testCases = append(testCases, testCase{
9034 name: "BadChangeCipherSpec-2",
9035 config: Config{
9036 MaxVersion: VersionTLS12,
9037 Bugs: ProtocolBugs{
9038 BadChangeCipherSpec: []byte{1, 1},
9039 },
9040 },
9041 shouldFail: true,
9042 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9043 })
9044 testCases = append(testCases, testCase{
9045 protocol: dtls,
9046 name: "BadChangeCipherSpec-DTLS-1",
9047 config: Config{
9048 MaxVersion: VersionTLS12,
9049 Bugs: ProtocolBugs{
9050 BadChangeCipherSpec: []byte{2},
9051 },
9052 },
9053 shouldFail: true,
9054 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9055 })
9056 testCases = append(testCases, testCase{
9057 protocol: dtls,
9058 name: "BadChangeCipherSpec-DTLS-2",
9059 config: Config{
9060 MaxVersion: VersionTLS12,
9061 Bugs: ProtocolBugs{
9062 BadChangeCipherSpec: []byte{1, 1},
9063 },
9064 },
9065 shouldFail: true,
9066 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9067 })
9068}
9069
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9070type perMessageTest struct {
9071 messageType uint8
9072 test testCase
9073}
9074
9075// makePerMessageTests returns a series of test templates which cover each
9076// message in the TLS handshake. These may be used with bugs like
9077// WrongMessageType to fully test a per-message bug.
9078func makePerMessageTests() []perMessageTest {
9079 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9080 for _, protocol := range []protocol{tls, dtls} {
9081 var suffix string
9082 if protocol == dtls {
9083 suffix = "-DTLS"
9084 }
9085
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9086 ret = append(ret, perMessageTest{
9087 messageType: typeClientHello,
9088 test: testCase{
9089 protocol: protocol,
9090 testType: serverTest,
9091 name: "ClientHello" + suffix,
9092 config: Config{
9093 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9094 },
9095 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9096 })
9097
9098 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9099 ret = append(ret, perMessageTest{
9100 messageType: typeHelloVerifyRequest,
9101 test: testCase{
9102 protocol: protocol,
9103 name: "HelloVerifyRequest" + suffix,
9104 config: Config{
9105 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9106 },
9107 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9108 })
9109 }
9110
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9111 ret = append(ret, perMessageTest{
9112 messageType: typeServerHello,
9113 test: testCase{
9114 protocol: protocol,
9115 name: "ServerHello" + suffix,
9116 config: Config{
9117 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9118 },
9119 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9120 })
9121
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9122 ret = append(ret, perMessageTest{
9123 messageType: typeCertificate,
9124 test: testCase{
9125 protocol: protocol,
9126 name: "ServerCertificate" + suffix,
9127 config: Config{
9128 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9129 },
9130 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9131 })
9132
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9133 ret = append(ret, perMessageTest{
9134 messageType: typeCertificateStatus,
9135 test: testCase{
9136 protocol: protocol,
9137 name: "CertificateStatus" + suffix,
9138 config: Config{
9139 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9140 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9141 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9142 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9143 })
9144
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9145 ret = append(ret, perMessageTest{
9146 messageType: typeServerKeyExchange,
9147 test: testCase{
9148 protocol: protocol,
9149 name: "ServerKeyExchange" + suffix,
9150 config: Config{
9151 MaxVersion: VersionTLS12,
9152 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9153 },
9154 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9155 })
9156
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9157 ret = append(ret, perMessageTest{
9158 messageType: typeCertificateRequest,
9159 test: testCase{
9160 protocol: protocol,
9161 name: "CertificateRequest" + suffix,
9162 config: Config{
9163 MaxVersion: VersionTLS12,
9164 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9165 },
9166 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9167 })
9168
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9169 ret = append(ret, perMessageTest{
9170 messageType: typeServerHelloDone,
9171 test: testCase{
9172 protocol: protocol,
9173 name: "ServerHelloDone" + suffix,
9174 config: Config{
9175 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9176 },
9177 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9178 })
9179
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9180 ret = append(ret, perMessageTest{
9181 messageType: typeCertificate,
9182 test: testCase{
9183 testType: serverTest,
9184 protocol: protocol,
9185 name: "ClientCertificate" + suffix,
9186 config: Config{
9187 Certificates: []Certificate{rsaCertificate},
9188 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9189 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9190 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9191 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9192 })
9193
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9194 ret = append(ret, perMessageTest{
9195 messageType: typeCertificateVerify,
9196 test: testCase{
9197 testType: serverTest,
9198 protocol: protocol,
9199 name: "CertificateVerify" + suffix,
9200 config: Config{
9201 Certificates: []Certificate{rsaCertificate},
9202 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9203 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9204 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9205 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9206 })
9207
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9208 ret = append(ret, perMessageTest{
9209 messageType: typeClientKeyExchange,
9210 test: testCase{
9211 testType: serverTest,
9212 protocol: protocol,
9213 name: "ClientKeyExchange" + suffix,
9214 config: Config{
9215 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9216 },
9217 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9218 })
9219
9220 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9221 ret = append(ret, perMessageTest{
9222 messageType: typeNextProtocol,
9223 test: testCase{
9224 testType: serverTest,
9225 protocol: protocol,
9226 name: "NextProtocol" + suffix,
9227 config: Config{
9228 MaxVersion: VersionTLS12,
9229 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9230 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9231 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9232 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9233 })
9234
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9235 ret = append(ret, perMessageTest{
9236 messageType: typeChannelID,
9237 test: testCase{
9238 testType: serverTest,
9239 protocol: protocol,
9240 name: "ChannelID" + suffix,
9241 config: Config{
9242 MaxVersion: VersionTLS12,
9243 ChannelID: channelIDKey,
9244 },
9245 flags: []string{
9246 "-expect-channel-id",
9247 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9248 },
9249 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9250 })
9251 }
9252
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9253 ret = append(ret, perMessageTest{
9254 messageType: typeFinished,
9255 test: testCase{
9256 testType: serverTest,
9257 protocol: protocol,
9258 name: "ClientFinished" + suffix,
9259 config: Config{
9260 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9261 },
9262 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9263 })
9264
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9265 ret = append(ret, perMessageTest{
9266 messageType: typeNewSessionTicket,
9267 test: testCase{
9268 protocol: protocol,
9269 name: "NewSessionTicket" + suffix,
9270 config: Config{
9271 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9272 },
9273 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9274 })
9275
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9276 ret = append(ret, perMessageTest{
9277 messageType: typeFinished,
9278 test: testCase{
9279 protocol: protocol,
9280 name: "ServerFinished" + suffix,
9281 config: Config{
9282 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9283 },
9284 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9285 })
9286
9287 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9288
9289 ret = append(ret, perMessageTest{
9290 messageType: typeClientHello,
9291 test: testCase{
9292 testType: serverTest,
9293 name: "TLS13-ClientHello",
9294 config: Config{
9295 MaxVersion: VersionTLS13,
9296 },
9297 },
9298 })
9299
9300 ret = append(ret, perMessageTest{
9301 messageType: typeServerHello,
9302 test: testCase{
9303 name: "TLS13-ServerHello",
9304 config: Config{
9305 MaxVersion: VersionTLS13,
9306 },
9307 },
9308 })
9309
9310 ret = append(ret, perMessageTest{
9311 messageType: typeEncryptedExtensions,
9312 test: testCase{
9313 name: "TLS13-EncryptedExtensions",
9314 config: Config{
9315 MaxVersion: VersionTLS13,
9316 },
9317 },
9318 })
9319
9320 ret = append(ret, perMessageTest{
9321 messageType: typeCertificateRequest,
9322 test: testCase{
9323 name: "TLS13-CertificateRequest",
9324 config: Config{
9325 MaxVersion: VersionTLS13,
9326 ClientAuth: RequireAnyClientCert,
9327 },
9328 },
9329 })
9330
9331 ret = append(ret, perMessageTest{
9332 messageType: typeCertificate,
9333 test: testCase{
9334 name: "TLS13-ServerCertificate",
9335 config: Config{
9336 MaxVersion: VersionTLS13,
9337 },
9338 },
9339 })
9340
9341 ret = append(ret, perMessageTest{
9342 messageType: typeCertificateVerify,
9343 test: testCase{
9344 name: "TLS13-ServerCertificateVerify",
9345 config: Config{
9346 MaxVersion: VersionTLS13,
9347 },
9348 },
9349 })
9350
9351 ret = append(ret, perMessageTest{
9352 messageType: typeFinished,
9353 test: testCase{
9354 name: "TLS13-ServerFinished",
9355 config: Config{
9356 MaxVersion: VersionTLS13,
9357 },
9358 },
9359 })
9360
9361 ret = append(ret, perMessageTest{
9362 messageType: typeCertificate,
9363 test: testCase{
9364 testType: serverTest,
9365 name: "TLS13-ClientCertificate",
9366 config: Config{
9367 Certificates: []Certificate{rsaCertificate},
9368 MaxVersion: VersionTLS13,
9369 },
9370 flags: []string{"-require-any-client-certificate"},
9371 },
9372 })
9373
9374 ret = append(ret, perMessageTest{
9375 messageType: typeCertificateVerify,
9376 test: testCase{
9377 testType: serverTest,
9378 name: "TLS13-ClientCertificateVerify",
9379 config: Config{
9380 Certificates: []Certificate{rsaCertificate},
9381 MaxVersion: VersionTLS13,
9382 },
9383 flags: []string{"-require-any-client-certificate"},
9384 },
9385 })
9386
9387 ret = append(ret, perMessageTest{
9388 messageType: typeFinished,
9389 test: testCase{
9390 testType: serverTest,
9391 name: "TLS13-ClientFinished",
9392 config: Config{
9393 MaxVersion: VersionTLS13,
9394 },
9395 },
9396 })
9397
9398 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9399}
9400
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9401func addWrongMessageTypeTests() {
9402 for _, t := range makePerMessageTests() {
9403 t.test.name = "WrongMessageType-" + t.test.name
9404 t.test.config.Bugs.SendWrongMessageType = t.messageType
9405 t.test.shouldFail = true
9406 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9407 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9408
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9409 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9410 // In TLS 1.3, a bad ServerHello means the client sends
9411 // an unencrypted alert while the server expects
9412 // encryption, so the alert is not readable by runner.
9413 t.test.expectedLocalError = "local error: bad record MAC"
9414 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9415
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9416 testCases = append(testCases, t.test)
9417 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9418}
9419
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9420func addTrailingMessageDataTests() {
9421 for _, t := range makePerMessageTests() {
9422 t.test.name = "TrailingMessageData-" + t.test.name
9423 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9424 t.test.shouldFail = true
9425 t.test.expectedError = ":DECODE_ERROR:"
9426 t.test.expectedLocalError = "remote error: error decoding message"
9427
9428 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9429 // In TLS 1.3, a bad ServerHello means the client sends
9430 // an unencrypted alert while the server expects
9431 // encryption, so the alert is not readable by runner.
9432 t.test.expectedLocalError = "local error: bad record MAC"
9433 }
9434
9435 if t.messageType == typeFinished {
9436 // Bad Finished messages read as the verify data having
9437 // the wrong length.
9438 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9439 t.test.expectedLocalError = "remote error: error decrypting message"
9440 }
9441
9442 testCases = append(testCases, t.test)
9443 }
9444}
9445
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9446func addTLS13HandshakeTests() {
9447 testCases = append(testCases, testCase{
9448 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9449 name: "NegotiatePSKResumption-TLS13",
9450 config: Config{
9451 MaxVersion: VersionTLS13,
9452 Bugs: ProtocolBugs{
9453 NegotiatePSKResumption: true,
9454 },
9455 },
9456 resumeSession: true,
9457 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9458 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9459 })
9460
9461 testCases = append(testCases, testCase{
9462 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9463 name: "MissingKeyShare-Client",
9464 config: Config{
9465 MaxVersion: VersionTLS13,
9466 Bugs: ProtocolBugs{
9467 MissingKeyShare: true,
9468 },
9469 },
9470 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9471 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9472 })
9473
9474 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9475 testType: serverTest,
9476 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9477 config: Config{
9478 MaxVersion: VersionTLS13,
9479 Bugs: ProtocolBugs{
9480 MissingKeyShare: true,
9481 },
9482 },
9483 shouldFail: true,
9484 expectedError: ":MISSING_KEY_SHARE:",
9485 })
9486
9487 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9488 testType: serverTest,
9489 name: "DuplicateKeyShares",
9490 config: Config{
9491 MaxVersion: VersionTLS13,
9492 Bugs: ProtocolBugs{
9493 DuplicateKeyShares: true,
9494 },
9495 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9496 shouldFail: true,
9497 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9498 })
9499
9500 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9501 testType: serverTest,
9502 name: "SkipEarlyData",
9503 config: Config{
9504 MaxVersion: VersionTLS13,
9505 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9506 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9507 },
9508 },
9509 })
9510
9511 testCases = append(testCases, testCase{
9512 testType: serverTest,
9513 name: "SkipEarlyData-OmitEarlyDataExtension",
9514 config: Config{
9515 MaxVersion: VersionTLS13,
9516 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9517 SendFakeEarlyDataLength: 4,
9518 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9519 },
9520 },
9521 shouldFail: true,
9522 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9523 })
9524
9525 testCases = append(testCases, testCase{
9526 testType: serverTest,
9527 name: "SkipEarlyData-TooMuchData",
9528 config: Config{
9529 MaxVersion: VersionTLS13,
9530 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9531 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9532 },
9533 },
9534 shouldFail: true,
9535 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9536 })
9537
9538 testCases = append(testCases, testCase{
9539 testType: serverTest,
9540 name: "SkipEarlyData-Interleaved",
9541 config: Config{
9542 MaxVersion: VersionTLS13,
9543 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9544 SendFakeEarlyDataLength: 4,
9545 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9546 },
9547 },
9548 shouldFail: true,
9549 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9550 })
9551
9552 testCases = append(testCases, testCase{
9553 testType: serverTest,
9554 name: "SkipEarlyData-EarlyDataInTLS12",
9555 config: Config{
9556 MaxVersion: VersionTLS13,
9557 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9558 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9559 },
9560 },
9561 shouldFail: true,
9562 expectedError: ":UNEXPECTED_RECORD:",
9563 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9564 })
9565
9566 testCases = append(testCases, testCase{
9567 testType: serverTest,
9568 name: "SkipEarlyData-HRR",
9569 config: Config{
9570 MaxVersion: VersionTLS13,
9571 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9572 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9573 },
9574 DefaultCurves: []CurveID{},
9575 },
9576 })
9577
9578 testCases = append(testCases, testCase{
9579 testType: serverTest,
9580 name: "SkipEarlyData-HRR-Interleaved",
9581 config: Config{
9582 MaxVersion: VersionTLS13,
9583 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9584 SendFakeEarlyDataLength: 4,
9585 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9586 },
9587 DefaultCurves: []CurveID{},
9588 },
9589 shouldFail: true,
9590 expectedError: ":UNEXPECTED_RECORD:",
9591 })
9592
9593 testCases = append(testCases, testCase{
9594 testType: serverTest,
9595 name: "SkipEarlyData-HRR-TooMuchData",
9596 config: Config{
9597 MaxVersion: VersionTLS13,
9598 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9599 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9600 },
9601 DefaultCurves: []CurveID{},
9602 },
9603 shouldFail: true,
9604 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9605 })
9606
9607 // Test that skipping early data looking for cleartext correctly
9608 // processes an alert record.
9609 testCases = append(testCases, testCase{
9610 testType: serverTest,
9611 name: "SkipEarlyData-HRR-FatalAlert",
9612 config: Config{
9613 MaxVersion: VersionTLS13,
9614 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9615 SendEarlyAlert: true,
9616 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9617 },
9618 DefaultCurves: []CurveID{},
9619 },
9620 shouldFail: true,
9621 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9622 })
9623
9624 testCases = append(testCases, testCase{
9625 testType: serverTest,
9626 name: "SkipEarlyData-SecondClientHelloEarlyData",
9627 config: Config{
9628 MaxVersion: VersionTLS13,
9629 Bugs: ProtocolBugs{
9630 SendEarlyDataOnSecondClientHello: true,
9631 },
9632 DefaultCurves: []CurveID{},
9633 },
9634 shouldFail: true,
9635 expectedLocalError: "remote error: bad record MAC",
9636 })
9637
9638 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9639 testType: clientTest,
9640 name: "EmptyEncryptedExtensions",
9641 config: Config{
9642 MaxVersion: VersionTLS13,
9643 Bugs: ProtocolBugs{
9644 EmptyEncryptedExtensions: true,
9645 },
9646 },
9647 shouldFail: true,
9648 expectedLocalError: "remote error: error decoding message",
9649 })
9650
9651 testCases = append(testCases, testCase{
9652 testType: clientTest,
9653 name: "EncryptedExtensionsWithKeyShare",
9654 config: Config{
9655 MaxVersion: VersionTLS13,
9656 Bugs: ProtocolBugs{
9657 EncryptedExtensionsWithKeyShare: true,
9658 },
9659 },
9660 shouldFail: true,
9661 expectedLocalError: "remote error: unsupported extension",
9662 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9663
9664 testCases = append(testCases, testCase{
9665 testType: serverTest,
9666 name: "SendHelloRetryRequest",
9667 config: Config{
9668 MaxVersion: VersionTLS13,
9669 // Require a HelloRetryRequest for every curve.
9670 DefaultCurves: []CurveID{},
9671 },
9672 expectedCurveID: CurveX25519,
9673 })
9674
9675 testCases = append(testCases, testCase{
9676 testType: serverTest,
9677 name: "SendHelloRetryRequest-2",
9678 config: Config{
9679 MaxVersion: VersionTLS13,
9680 DefaultCurves: []CurveID{CurveP384},
9681 },
9682 // Although the ClientHello did not predict our preferred curve,
9683 // we always select it whether it is predicted or not.
9684 expectedCurveID: CurveX25519,
9685 })
9686
9687 testCases = append(testCases, testCase{
9688 name: "UnknownCurve-HelloRetryRequest",
9689 config: Config{
9690 MaxVersion: VersionTLS13,
9691 // P-384 requires HelloRetryRequest in BoringSSL.
9692 CurvePreferences: []CurveID{CurveP384},
9693 Bugs: ProtocolBugs{
9694 SendHelloRetryRequestCurve: bogusCurve,
9695 },
9696 },
9697 shouldFail: true,
9698 expectedError: ":WRONG_CURVE:",
9699 })
9700
9701 testCases = append(testCases, testCase{
9702 name: "DisabledCurve-HelloRetryRequest",
9703 config: Config{
9704 MaxVersion: VersionTLS13,
9705 CurvePreferences: []CurveID{CurveP256},
9706 Bugs: ProtocolBugs{
9707 IgnorePeerCurvePreferences: true,
9708 },
9709 },
9710 flags: []string{"-p384-only"},
9711 shouldFail: true,
9712 expectedError: ":WRONG_CURVE:",
9713 })
9714
9715 testCases = append(testCases, testCase{
9716 name: "UnnecessaryHelloRetryRequest",
9717 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9718 MaxVersion: VersionTLS13,
9719 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9720 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9721 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9722 },
9723 },
9724 shouldFail: true,
9725 expectedError: ":WRONG_CURVE:",
9726 })
9727
9728 testCases = append(testCases, testCase{
9729 name: "SecondHelloRetryRequest",
9730 config: Config{
9731 MaxVersion: VersionTLS13,
9732 // P-384 requires HelloRetryRequest in BoringSSL.
9733 CurvePreferences: []CurveID{CurveP384},
9734 Bugs: ProtocolBugs{
9735 SecondHelloRetryRequest: true,
9736 },
9737 },
9738 shouldFail: true,
9739 expectedError: ":UNEXPECTED_MESSAGE:",
9740 })
9741
9742 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9743 name: "HelloRetryRequest-Empty",
9744 config: Config{
9745 MaxVersion: VersionTLS13,
9746 Bugs: ProtocolBugs{
9747 AlwaysSendHelloRetryRequest: true,
9748 },
9749 },
9750 shouldFail: true,
9751 expectedError: ":DECODE_ERROR:",
9752 })
9753
9754 testCases = append(testCases, testCase{
9755 name: "HelloRetryRequest-DuplicateCurve",
9756 config: Config{
9757 MaxVersion: VersionTLS13,
9758 // P-384 requires a HelloRetryRequest against BoringSSL's default
9759 // configuration. Assert this ExpectMissingKeyShare.
9760 CurvePreferences: []CurveID{CurveP384},
9761 Bugs: ProtocolBugs{
9762 ExpectMissingKeyShare: true,
9763 DuplicateHelloRetryRequestExtensions: true,
9764 },
9765 },
9766 shouldFail: true,
9767 expectedError: ":DUPLICATE_EXTENSION:",
9768 expectedLocalError: "remote error: illegal parameter",
9769 })
9770
9771 testCases = append(testCases, testCase{
9772 name: "HelloRetryRequest-Cookie",
9773 config: Config{
9774 MaxVersion: VersionTLS13,
9775 Bugs: ProtocolBugs{
9776 SendHelloRetryRequestCookie: []byte("cookie"),
9777 },
9778 },
9779 })
9780
9781 testCases = append(testCases, testCase{
9782 name: "HelloRetryRequest-DuplicateCookie",
9783 config: Config{
9784 MaxVersion: VersionTLS13,
9785 Bugs: ProtocolBugs{
9786 SendHelloRetryRequestCookie: []byte("cookie"),
9787 DuplicateHelloRetryRequestExtensions: true,
9788 },
9789 },
9790 shouldFail: true,
9791 expectedError: ":DUPLICATE_EXTENSION:",
9792 expectedLocalError: "remote error: illegal parameter",
9793 })
9794
9795 testCases = append(testCases, testCase{
9796 name: "HelloRetryRequest-EmptyCookie",
9797 config: Config{
9798 MaxVersion: VersionTLS13,
9799 Bugs: ProtocolBugs{
9800 SendHelloRetryRequestCookie: []byte{},
9801 },
9802 },
9803 shouldFail: true,
9804 expectedError: ":DECODE_ERROR:",
9805 })
9806
9807 testCases = append(testCases, testCase{
9808 name: "HelloRetryRequest-Cookie-Curve",
9809 config: Config{
9810 MaxVersion: VersionTLS13,
9811 // P-384 requires HelloRetryRequest in BoringSSL.
9812 CurvePreferences: []CurveID{CurveP384},
9813 Bugs: ProtocolBugs{
9814 SendHelloRetryRequestCookie: []byte("cookie"),
9815 ExpectMissingKeyShare: true,
9816 },
9817 },
9818 })
9819
9820 testCases = append(testCases, testCase{
9821 name: "HelloRetryRequest-Unknown",
9822 config: Config{
9823 MaxVersion: VersionTLS13,
9824 Bugs: ProtocolBugs{
9825 CustomHelloRetryRequestExtension: "extension",
9826 },
9827 },
9828 shouldFail: true,
9829 expectedError: ":UNEXPECTED_EXTENSION:",
9830 expectedLocalError: "remote error: unsupported extension",
9831 })
9832
9833 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9834 testType: serverTest,
9835 name: "SecondClientHelloMissingKeyShare",
9836 config: Config{
9837 MaxVersion: VersionTLS13,
9838 DefaultCurves: []CurveID{},
9839 Bugs: ProtocolBugs{
9840 SecondClientHelloMissingKeyShare: true,
9841 },
9842 },
9843 shouldFail: true,
9844 expectedError: ":MISSING_KEY_SHARE:",
9845 })
9846
9847 testCases = append(testCases, testCase{
9848 testType: serverTest,
9849 name: "SecondClientHelloWrongCurve",
9850 config: Config{
9851 MaxVersion: VersionTLS13,
9852 DefaultCurves: []CurveID{},
9853 Bugs: ProtocolBugs{
9854 MisinterpretHelloRetryRequestCurve: CurveP521,
9855 },
9856 },
9857 shouldFail: true,
9858 expectedError: ":WRONG_CURVE:",
9859 })
9860
9861 testCases = append(testCases, testCase{
9862 name: "HelloRetryRequestVersionMismatch",
9863 config: Config{
9864 MaxVersion: VersionTLS13,
9865 // P-384 requires HelloRetryRequest in BoringSSL.
9866 CurvePreferences: []CurveID{CurveP384},
9867 Bugs: ProtocolBugs{
9868 SendServerHelloVersion: 0x0305,
9869 },
9870 },
9871 shouldFail: true,
9872 expectedError: ":WRONG_VERSION_NUMBER:",
9873 })
9874
9875 testCases = append(testCases, testCase{
9876 name: "HelloRetryRequestCurveMismatch",
9877 config: Config{
9878 MaxVersion: VersionTLS13,
9879 // P-384 requires HelloRetryRequest in BoringSSL.
9880 CurvePreferences: []CurveID{CurveP384},
9881 Bugs: ProtocolBugs{
9882 // Send P-384 (correct) in the HelloRetryRequest.
9883 SendHelloRetryRequestCurve: CurveP384,
9884 // But send P-256 in the ServerHello.
9885 SendCurve: CurveP256,
9886 },
9887 },
9888 shouldFail: true,
9889 expectedError: ":WRONG_CURVE:",
9890 })
9891
9892 // Test the server selecting a curve that requires a HelloRetryRequest
9893 // without sending it.
9894 testCases = append(testCases, testCase{
9895 name: "SkipHelloRetryRequest",
9896 config: Config{
9897 MaxVersion: VersionTLS13,
9898 // P-384 requires HelloRetryRequest in BoringSSL.
9899 CurvePreferences: []CurveID{CurveP384},
9900 Bugs: ProtocolBugs{
9901 SkipHelloRetryRequest: true,
9902 },
9903 },
9904 shouldFail: true,
9905 expectedError: ":WRONG_CURVE:",
9906 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9907
9908 testCases = append(testCases, testCase{
9909 name: "TLS13-RequestContextInHandshake",
9910 config: Config{
9911 MaxVersion: VersionTLS13,
9912 MinVersion: VersionTLS13,
9913 ClientAuth: RequireAnyClientCert,
9914 Bugs: ProtocolBugs{
9915 SendRequestContext: []byte("request context"),
9916 },
9917 },
9918 flags: []string{
9919 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9920 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9921 },
9922 shouldFail: true,
9923 expectedError: ":DECODE_ERROR:",
9924 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9925
9926 testCases = append(testCases, testCase{
9927 testType: serverTest,
9928 name: "TLS13-TrailingKeyShareData",
9929 config: Config{
9930 MaxVersion: VersionTLS13,
9931 Bugs: ProtocolBugs{
9932 TrailingKeyShareData: true,
9933 },
9934 },
9935 shouldFail: true,
9936 expectedError: ":DECODE_ERROR:",
9937 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9938
9939 testCases = append(testCases, testCase{
9940 name: "TLS13-AlwaysSelectPSKIdentity",
9941 config: Config{
9942 MaxVersion: VersionTLS13,
9943 Bugs: ProtocolBugs{
9944 AlwaysSelectPSKIdentity: true,
9945 },
9946 },
9947 shouldFail: true,
9948 expectedError: ":UNEXPECTED_EXTENSION:",
9949 })
9950
9951 testCases = append(testCases, testCase{
9952 name: "TLS13-InvalidPSKIdentity",
9953 config: Config{
9954 MaxVersion: VersionTLS13,
9955 Bugs: ProtocolBugs{
9956 SelectPSKIdentityOnResume: 1,
9957 },
9958 },
9959 resumeSession: true,
9960 shouldFail: true,
9961 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9962 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9963
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9964 testCases = append(testCases, testCase{
9965 testType: serverTest,
9966 name: "TLS13-ExtraPSKIdentity",
9967 config: Config{
9968 MaxVersion: VersionTLS13,
9969 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9970 ExtraPSKIdentity: true,
9971 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9972 },
9973 },
9974 resumeSession: true,
9975 })
9976
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9977 // Test that unknown NewSessionTicket extensions are tolerated.
9978 testCases = append(testCases, testCase{
9979 name: "TLS13-CustomTicketExtension",
9980 config: Config{
9981 MaxVersion: VersionTLS13,
9982 Bugs: ProtocolBugs{
9983 CustomTicketExtension: "1234",
9984 },
9985 },
9986 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]9987
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]9988 testCases = append(testCases, testCase{
9989 testType: clientTest,
9990 name: "TLS13-DataLessEarlyData-Reject-Client",
9991 config: Config{
9992 MaxVersion: VersionTLS13,
9993 MaxEarlyDataSize: 16384,
9994 },
9995 resumeConfig: &Config{
9996 MaxVersion: VersionTLS13,
9997 MaxEarlyDataSize: 16384,
9998 Bugs: ProtocolBugs{
9999 AlwaysRejectEarlyData: true,
10000 },
10001 },
10002 resumeSession: true,
10003 flags: []string{
10004 "-enable-early-data",
10005 "-expect-early-data-info",
10006 "-expect-reject-early-data",
10007 },
10008 })
10009
10010 testCases = append(testCases, testCase{
10011 testType: clientTest,
10012 name: "TLS13-DataLessEarlyData-HRR-Client",
10013 config: Config{
10014 MaxVersion: VersionTLS13,
10015 MaxEarlyDataSize: 16384,
10016 },
10017 resumeConfig: &Config{
10018 MaxVersion: VersionTLS13,
10019 MaxEarlyDataSize: 16384,
10020 Bugs: ProtocolBugs{
10021 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10022 },
10023 },
10024 resumeSession: true,
10025 flags: []string{
10026 "-enable-early-data",
10027 "-expect-early-data-info",
10028 "-expect-reject-early-data",
10029 },
10030 })
10031
10032 // The client must check the server does not send the early_data
10033 // extension while rejecting the session.
10034 testCases = append(testCases, testCase{
10035 testType: clientTest,
10036 name: "TLS13-EarlyDataWithoutResume-Client",
10037 config: Config{
10038 MaxVersion: VersionTLS13,
10039 MaxEarlyDataSize: 16384,
10040 },
10041 resumeConfig: &Config{
10042 MaxVersion: VersionTLS13,
10043 SessionTicketsDisabled: true,
10044 Bugs: ProtocolBugs{
10045 SendEarlyDataExtension: true,
10046 },
10047 },
10048 resumeSession: true,
10049 flags: []string{
10050 "-enable-early-data",
10051 "-expect-early-data-info",
10052 },
10053 shouldFail: true,
10054 expectedError: ":UNEXPECTED_EXTENSION:",
10055 })
10056
10057 // The client must fail with a dedicated error code if the server
10058 // responds with TLS 1.2 when offering 0-RTT.
10059 testCases = append(testCases, testCase{
10060 testType: clientTest,
10061 name: "TLS13-EarlyDataVersionDowngrade-Client",
10062 config: Config{
10063 MaxVersion: VersionTLS13,
10064 MaxEarlyDataSize: 16384,
10065 },
10066 resumeConfig: &Config{
10067 MaxVersion: VersionTLS12,
10068 },
10069 resumeSession: true,
10070 flags: []string{
10071 "-enable-early-data",
10072 "-expect-early-data-info",
10073 },
10074 shouldFail: true,
10075 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10076 })
10077
10078 // Test that the client rejects an (unsolicited) early_data extension if
10079 // the server sent an HRR.
10080 testCases = append(testCases, testCase{
10081 testType: clientTest,
10082 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10083 config: Config{
10084 MaxVersion: VersionTLS13,
10085 MaxEarlyDataSize: 16384,
10086 },
10087 resumeConfig: &Config{
10088 MaxVersion: VersionTLS13,
10089 MaxEarlyDataSize: 16384,
10090 Bugs: ProtocolBugs{
10091 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10092 SendEarlyDataExtension: true,
10093 },
10094 },
10095 resumeSession: true,
10096 flags: []string{
10097 "-enable-early-data",
10098 "-expect-early-data-info",
10099 },
10100 shouldFail: true,
10101 expectedError: ":UNEXPECTED_EXTENSION:",
10102 })
10103
10104 fooString := "foo"
10105 barString := "bar"
10106
10107 // Test that the client reports the correct ALPN after a 0-RTT reject
10108 // that changed it.
10109 testCases = append(testCases, testCase{
10110 testType: clientTest,
10111 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10112 config: Config{
10113 MaxVersion: VersionTLS13,
10114 MaxEarlyDataSize: 16384,
10115 Bugs: ProtocolBugs{
10116 ALPNProtocol: &fooString,
10117 },
10118 },
10119 resumeConfig: &Config{
10120 MaxVersion: VersionTLS13,
10121 MaxEarlyDataSize: 16384,
10122 Bugs: ProtocolBugs{
10123 ALPNProtocol: &barString,
10124 },
10125 },
10126 resumeSession: true,
10127 flags: []string{
10128 "-advertise-alpn", "\x03foo\x03bar",
10129 "-enable-early-data",
10130 "-expect-early-data-info",
10131 "-expect-reject-early-data",
10132 "-expect-alpn", "foo",
10133 "-expect-resume-alpn", "bar",
10134 },
10135 })
10136
10137 // Test that the client reports the correct ALPN after a 0-RTT reject if
10138 // ALPN was omitted from the first connection.
10139 testCases = append(testCases, testCase{
10140 testType: clientTest,
10141 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10142 config: Config{
10143 MaxVersion: VersionTLS13,
10144 MaxEarlyDataSize: 16384,
10145 },
10146 resumeConfig: &Config{
10147 MaxVersion: VersionTLS13,
10148 MaxEarlyDataSize: 16384,
10149 NextProtos: []string{"foo"},
10150 },
10151 resumeSession: true,
10152 flags: []string{
10153 "-advertise-alpn", "\x03foo\x03bar",
10154 "-enable-early-data",
10155 "-expect-early-data-info",
10156 "-expect-reject-early-data",
10157 "-expect-no-alpn",
10158 "-expect-resume-alpn", "foo",
10159 },
10160 })
10161
10162 // Test that the client reports the correct ALPN after a 0-RTT reject if
10163 // ALPN was omitted from the second connection.
10164 testCases = append(testCases, testCase{
10165 testType: clientTest,
10166 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10167 config: Config{
10168 MaxVersion: VersionTLS13,
10169 MaxEarlyDataSize: 16384,
10170 NextProtos: []string{"foo"},
10171 },
10172 resumeConfig: &Config{
10173 MaxVersion: VersionTLS13,
10174 MaxEarlyDataSize: 16384,
10175 },
10176 resumeSession: true,
10177 flags: []string{
10178 "-advertise-alpn", "\x03foo\x03bar",
10179 "-enable-early-data",
10180 "-expect-early-data-info",
10181 "-expect-reject-early-data",
10182 "-expect-alpn", "foo",
10183 "-expect-no-resume-alpn",
10184 },
10185 })
10186
10187 // Test that the client enforces ALPN match on 0-RTT accept.
10188 testCases = append(testCases, testCase{
10189 testType: clientTest,
10190 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10191 config: Config{
10192 MaxVersion: VersionTLS13,
10193 MaxEarlyDataSize: 16384,
10194 Bugs: ProtocolBugs{
10195 ALPNProtocol: &fooString,
10196 },
10197 },
10198 resumeConfig: &Config{
10199 MaxVersion: VersionTLS13,
10200 MaxEarlyDataSize: 16384,
10201 Bugs: ProtocolBugs{
10202 AlwaysAcceptEarlyData: true,
10203 ALPNProtocol: &barString,
10204 },
10205 },
10206 resumeSession: true,
10207 flags: []string{
10208 "-advertise-alpn", "\x03foo\x03bar",
10209 "-enable-early-data",
10210 "-expect-early-data-info",
10211 },
10212 shouldFail: true,
10213 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10214 })
10215
10216 // Test that the server correctly rejects 0-RTT when the previous
10217 // session did not allow early data on resumption.
10218 testCases = append(testCases, testCase{
10219 testType: serverTest,
10220 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10221 config: Config{
10222 MaxVersion: VersionTLS13,
10223 },
10224 resumeConfig: &Config{
10225 MaxVersion: VersionTLS13,
10226 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10227 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10228 ExpectEarlyDataAccepted: false,
10229 },
10230 },
10231 resumeSession: true,
10232 flags: []string{
10233 "-enable-resume-early-data",
10234 "-expect-reject-early-data",
10235 },
10236 })
10237
10238 // Test that we reject early data where ALPN is omitted from the first
10239 // connection.
10240 testCases = append(testCases, testCase{
10241 testType: serverTest,
10242 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10243 config: Config{
10244 MaxVersion: VersionTLS13,
10245 NextProtos: []string{},
10246 },
10247 resumeConfig: &Config{
10248 MaxVersion: VersionTLS13,
10249 NextProtos: []string{"foo"},
10250 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10251 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10252 ExpectEarlyDataAccepted: false,
10253 },
10254 },
10255 resumeSession: true,
10256 flags: []string{
10257 "-enable-early-data",
10258 "-select-alpn", "",
10259 "-select-resume-alpn", "foo",
10260 },
10261 })
10262
10263 // Test that we reject early data where ALPN is omitted from the second
10264 // connection.
10265 testCases = append(testCases, testCase{
10266 testType: serverTest,
10267 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10268 config: Config{
10269 MaxVersion: VersionTLS13,
10270 NextProtos: []string{"foo"},
10271 },
10272 resumeConfig: &Config{
10273 MaxVersion: VersionTLS13,
10274 NextProtos: []string{},
10275 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10276 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10277 ExpectEarlyDataAccepted: false,
10278 },
10279 },
10280 resumeSession: true,
10281 flags: []string{
10282 "-enable-early-data",
10283 "-select-alpn", "foo",
10284 "-select-resume-alpn", "",
10285 },
10286 })
10287
10288 // Test that we reject early data with mismatched ALPN.
10289 testCases = append(testCases, testCase{
10290 testType: serverTest,
10291 name: "TLS13-EarlyData-ALPNMismatch-Server",
10292 config: Config{
10293 MaxVersion: VersionTLS13,
10294 NextProtos: []string{"foo"},
10295 },
10296 resumeConfig: &Config{
10297 MaxVersion: VersionTLS13,
10298 NextProtos: []string{"bar"},
10299 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10300 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]10301 ExpectEarlyDataAccepted: false,
10302 },
10303 },
10304 resumeSession: true,
10305 flags: []string{
10306 "-enable-early-data",
10307 "-select-alpn", "foo",
10308 "-select-resume-alpn", "bar",
10309 },
10310 })
10311
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10312 // Test that the client offering 0-RTT and Channel ID forbids the server
10313 // from accepting both.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10314 testCases = append(testCases, testCase{
10315 testType: clientTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10316 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10317 config: Config{
10318 MaxVersion: VersionTLS13,
10319 MaxEarlyDataSize: 16384,
10320 RequestChannelID: true,
10321 },
10322 resumeSession: true,
10323 expectChannelID: true,
10324 shouldFail: true,
10325 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10326 flags: []string{
10327 "-enable-early-data",
10328 "-expect-early-data-info",
10329 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10330 },
10331 })
10332
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10333 // Test that the client offering Channel ID and 0-RTT allows the server
10334 // to decline 0-RTT.
10335 testCases = append(testCases, testCase{
10336 testType: clientTest,
10337 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10338 config: Config{
10339 MaxVersion: VersionTLS13,
10340 MaxEarlyDataSize: 16384,
10341 RequestChannelID: true,
10342 Bugs: ProtocolBugs{
10343 AlwaysRejectEarlyData: true,
10344 },
10345 },
10346 resumeSession: true,
10347 expectChannelID: true,
10348 flags: []string{
10349 "-enable-early-data",
10350 "-expect-early-data-info",
10351 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10352 "-expect-reject-early-data",
10353 },
10354 })
10355
10356 // Test that the client offering Channel ID and 0-RTT allows the server
10357 // to decline Channel ID.
10358 testCases = append(testCases, testCase{
10359 testType: clientTest,
10360 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10361 config: Config{
10362 MaxVersion: VersionTLS13,
10363 MaxEarlyDataSize: 16384,
10364 },
10365 resumeSession: true,
10366 flags: []string{
10367 "-enable-early-data",
10368 "-expect-early-data-info",
10369 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10370 "-expect-accept-early-data",
10371 },
10372 })
10373
10374 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10375 // if it would negotiate Channel ID.
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10376 testCases = append(testCases, testCase{
10377 testType: serverTest,
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10378 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10379 config: Config{
10380 MaxVersion: VersionTLS13,
10381 ChannelID: channelIDKey,
10382 Bugs: ProtocolBugs{
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10383 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]10384 ExpectEarlyDataAccepted: false,
10385 },
10386 },
10387 resumeSession: true,
10388 expectChannelID: true,
10389 flags: []string{
10390 "-enable-early-data",
10391 "-expect-reject-early-data",
10392 "-expect-channel-id",
10393 base64.StdEncoding.EncodeToString(channelIDBytes),
10394 },
10395 })
10396
David Benjamin6bb507b2017-03-29 16:35:57 -0500[diff] [blame]10397 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10398 // if not offered Channel ID.
10399 testCases = append(testCases, testCase{
10400 testType: serverTest,
10401 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10402 config: Config{
10403 MaxVersion: VersionTLS13,
10404 Bugs: ProtocolBugs{
10405 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10406 ExpectEarlyDataAccepted: true,
10407 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10408 },
10409 },
10410 resumeSession: true,
10411 expectChannelID: false,
10412 flags: []string{
10413 "-enable-early-data",
10414 "-expect-accept-early-data",
10415 "-enable-channel-id",
10416 },
10417 })
10418
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10419 // Test that the server rejects 0-RTT streams without end_of_early_data.
10420 // The subsequent records should fail to decrypt.
10421 testCases = append(testCases, testCase{
10422 testType: serverTest,
10423 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10424 config: Config{
10425 MaxVersion: VersionTLS13,
10426 Bugs: ProtocolBugs{
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10427 SendEarlyData: [][]byte{{1, 2, 3, 4}},
David Benjamin32c89272017-03-26 13:54:21 -0500[diff] [blame]10428 ExpectEarlyDataAccepted: true,
10429 SkipEndOfEarlyData: true,
10430 },
10431 },
10432 resumeSession: true,
10433 flags: []string{"-enable-early-data"},
10434 shouldFail: true,
10435 expectedLocalError: "remote error: bad record MAC",
10436 expectedError: ":BAD_DECRYPT:",
10437 })
Steven Valdez681eb6a2016-12-19 13:19:29 -0500[diff] [blame]10438
10439 testCases = append(testCases, testCase{
10440 testType: serverTest,
10441 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10442 config: Config{
10443 MaxVersion: VersionTLS13,
10444 },
10445 resumeConfig: &Config{
10446 MaxVersion: VersionTLS13,
10447 Bugs: ProtocolBugs{
10448 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10449 SendStrayEarlyHandshake: true,
10450 ExpectEarlyDataAccepted: true},
10451 },
10452 resumeSession: true,
10453 shouldFail: true,
10454 expectedError: ":UNEXPECTED_RECORD:",
10455 expectedLocalError: "remote error: unexpected message",
10456 flags: []string{
10457 "-enable-early-data",
10458 },
10459 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10460}
10461
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10462func addTLS13CipherPreferenceTests() {
10463 // Test that client preference is honored if the shim has AES hardware
10464 // and ChaCha20-Poly1305 is preferred otherwise.
10465 testCases = append(testCases, testCase{
10466 testType: serverTest,
10467 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10468 config: Config{
10469 MaxVersion: VersionTLS13,
10470 CipherSuites: []uint16{
10471 TLS_CHACHA20_POLY1305_SHA256,
10472 TLS_AES_128_GCM_SHA256,
10473 },
10474 },
10475 flags: []string{
10476 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10477 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10478 },
10479 })
10480
10481 testCases = append(testCases, testCase{
10482 testType: serverTest,
10483 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10484 config: Config{
10485 MaxVersion: VersionTLS13,
10486 CipherSuites: []uint16{
10487 TLS_AES_128_GCM_SHA256,
10488 TLS_CHACHA20_POLY1305_SHA256,
10489 },
10490 },
10491 flags: []string{
10492 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10493 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10494 },
10495 })
10496
10497 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10498 // whether it has AES hardware.
10499 testCases = append(testCases, testCase{
10500 name: "TLS13-CipherPreference-Client",
10501 config: Config{
10502 MaxVersion: VersionTLS13,
10503 // Use the client cipher order. (This is the default but
10504 // is listed to be explicit.)
10505 PreferServerCipherSuites: false,
10506 },
10507 flags: []string{
10508 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10509 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10510 },
10511 })
10512}
10513
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10514func addPeekTests() {
10515 // Test SSL_peek works, including on empty records.
10516 testCases = append(testCases, testCase{
10517 name: "Peek-Basic",
10518 sendEmptyRecords: 1,
10519 flags: []string{"-peek-then-read"},
10520 })
10521
10522 // Test SSL_peek can drive the initial handshake.
10523 testCases = append(testCases, testCase{
10524 name: "Peek-ImplicitHandshake",
10525 flags: []string{
10526 "-peek-then-read",
10527 "-implicit-handshake",
10528 },
10529 })
10530
10531 // Test SSL_peek can discover and drive a renegotiation.
10532 testCases = append(testCases, testCase{
10533 name: "Peek-Renegotiate",
10534 config: Config{
10535 MaxVersion: VersionTLS12,
10536 },
10537 renegotiate: 1,
10538 flags: []string{
10539 "-peek-then-read",
10540 "-renegotiate-freely",
10541 "-expect-total-renegotiations", "1",
10542 },
10543 })
10544
10545 // Test SSL_peek can discover a close_notify.
10546 testCases = append(testCases, testCase{
10547 name: "Peek-Shutdown",
10548 config: Config{
10549 Bugs: ProtocolBugs{
10550 ExpectCloseNotify: true,
10551 },
10552 },
10553 flags: []string{
10554 "-peek-then-read",
10555 "-check-close-notify",
10556 },
10557 })
10558
10559 // Test SSL_peek can discover an alert.
10560 testCases = append(testCases, testCase{
10561 name: "Peek-Alert",
10562 config: Config{
10563 Bugs: ProtocolBugs{
10564 SendSpuriousAlert: alertRecordOverflow,
10565 },
10566 },
10567 flags: []string{"-peek-then-read"},
10568 shouldFail: true,
10569 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10570 })
10571
10572 // Test SSL_peek can handle KeyUpdate.
10573 testCases = append(testCases, testCase{
10574 name: "Peek-KeyUpdate",
10575 config: Config{
10576 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10577 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10578 sendKeyUpdates: 1,
10579 keyUpdateRequest: keyUpdateNotRequested,
10580 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10581 })
10582}
10583
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10584func addRecordVersionTests() {
10585 for _, ver := range tlsVersions {
10586 // Test that the record version is enforced.
10587 testCases = append(testCases, testCase{
10588 name: "CheckRecordVersion-" + ver.name,
10589 config: Config{
10590 MinVersion: ver.version,
10591 MaxVersion: ver.version,
10592 Bugs: ProtocolBugs{
10593 SendRecordVersion: 0x03ff,
10594 },
10595 },
10596 shouldFail: true,
10597 expectedError: ":WRONG_VERSION_NUMBER:",
10598 })
10599
10600 // Test that the ClientHello may use any record version, for
10601 // compatibility reasons.
10602 testCases = append(testCases, testCase{
10603 testType: serverTest,
10604 name: "LooseInitialRecordVersion-" + ver.name,
10605 config: Config{
10606 MinVersion: ver.version,
10607 MaxVersion: ver.version,
10608 Bugs: ProtocolBugs{
10609 SendInitialRecordVersion: 0x03ff,
10610 },
10611 },
10612 })
10613
10614 // Test that garbage ClientHello record versions are rejected.
10615 testCases = append(testCases, testCase{
10616 testType: serverTest,
10617 name: "GarbageInitialRecordVersion-" + ver.name,
10618 config: Config{
10619 MinVersion: ver.version,
10620 MaxVersion: ver.version,
10621 Bugs: ProtocolBugs{
10622 SendInitialRecordVersion: 0xffff,
10623 },
10624 },
10625 shouldFail: true,
10626 expectedError: ":WRONG_VERSION_NUMBER:",
10627 })
10628 }
10629}
10630
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10631func addCertificateTests() {
10632 // Test that a certificate chain with intermediate may be sent and
10633 // received as both client and server.
10634 for _, ver := range tlsVersions {
10635 testCases = append(testCases, testCase{
10636 testType: clientTest,
10637 name: "SendReceiveIntermediate-Client-" + ver.name,
10638 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10639 MinVersion: ver.version,
10640 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10641 Certificates: []Certificate{rsaChainCertificate},
10642 ClientAuth: RequireAnyClientCert,
10643 },
10644 expectPeerCertificate: &rsaChainCertificate,
10645 flags: []string{
10646 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10647 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10648 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10649 },
10650 })
10651
10652 testCases = append(testCases, testCase{
10653 testType: serverTest,
10654 name: "SendReceiveIntermediate-Server-" + ver.name,
10655 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10656 MinVersion: ver.version,
10657 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10658 Certificates: []Certificate{rsaChainCertificate},
10659 },
10660 expectPeerCertificate: &rsaChainCertificate,
10661 flags: []string{
10662 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10663 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10664 "-require-any-client-certificate",
10665 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10666 },
10667 })
10668 }
10669}
10670
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10671func addRetainOnlySHA256ClientCertTests() {
10672 for _, ver := range tlsVersions {
10673 // Test that enabling
10674 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10675 // actually requesting a client certificate is a no-op.
10676 testCases = append(testCases, testCase{
10677 testType: serverTest,
10678 name: "RetainOnlySHA256-NoCert-" + ver.name,
10679 config: Config{
10680 MinVersion: ver.version,
10681 MaxVersion: ver.version,
10682 },
10683 flags: []string{
10684 "-retain-only-sha256-client-cert-initial",
10685 "-retain-only-sha256-client-cert-resume",
10686 },
10687 resumeSession: true,
10688 })
10689
10690 // Test that when retaining only a SHA-256 certificate is
10691 // enabled, the hash appears as expected.
10692 testCases = append(testCases, testCase{
10693 testType: serverTest,
10694 name: "RetainOnlySHA256-Cert-" + ver.name,
10695 config: Config{
10696 MinVersion: ver.version,
10697 MaxVersion: ver.version,
10698 Certificates: []Certificate{rsaCertificate},
10699 },
10700 flags: []string{
10701 "-verify-peer",
10702 "-retain-only-sha256-client-cert-initial",
10703 "-retain-only-sha256-client-cert-resume",
10704 "-expect-sha256-client-cert-initial",
10705 "-expect-sha256-client-cert-resume",
10706 },
10707 resumeSession: true,
10708 })
10709
10710 // Test that when the config changes from on to off, a
10711 // resumption is rejected because the server now wants the full
10712 // certificate chain.
10713 testCases = append(testCases, testCase{
10714 testType: serverTest,
10715 name: "RetainOnlySHA256-OnOff-" + ver.name,
10716 config: Config{
10717 MinVersion: ver.version,
10718 MaxVersion: ver.version,
10719 Certificates: []Certificate{rsaCertificate},
10720 },
10721 flags: []string{
10722 "-verify-peer",
10723 "-retain-only-sha256-client-cert-initial",
10724 "-expect-sha256-client-cert-initial",
10725 },
10726 resumeSession: true,
10727 expectResumeRejected: true,
10728 })
10729
10730 // Test that when the config changes from off to on, a
10731 // resumption is rejected because the server now wants just the
10732 // hash.
10733 testCases = append(testCases, testCase{
10734 testType: serverTest,
10735 name: "RetainOnlySHA256-OffOn-" + ver.name,
10736 config: Config{
10737 MinVersion: ver.version,
10738 MaxVersion: ver.version,
10739 Certificates: []Certificate{rsaCertificate},
10740 },
10741 flags: []string{
10742 "-verify-peer",
10743 "-retain-only-sha256-client-cert-resume",
10744 "-expect-sha256-client-cert-resume",
10745 },
10746 resumeSession: true,
10747 expectResumeRejected: true,
10748 })
10749 }
10750}
10751
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10752func addECDSAKeyUsageTests() {
10753 p256 := elliptic.P256()
10754 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10755 if err != nil {
10756 panic(err)
10757 }
10758
10759 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10760 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10761 if err != nil {
10762 panic(err)
10763 }
10764
10765 template := x509.Certificate{
10766 SerialNumber: serialNumber,
10767 Subject: pkix.Name{
10768 Organization: []string{"Acme Co"},
10769 },
10770 NotBefore: time.Now(),
10771 NotAfter: time.Now(),
10772
10773 // An ECC certificate with only the keyAgreement key usgae may
10774 // be used with ECDH, but not ECDSA.
10775 KeyUsage: x509.KeyUsageKeyAgreement,
10776 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
10777 BasicConstraintsValid: true,
10778 }
10779
10780 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
10781 if err != nil {
10782 panic(err)
10783 }
10784
10785 cert := Certificate{
10786 Certificate: [][]byte{derBytes},
10787 PrivateKey: priv,
10788 }
10789
10790 for _, ver := range tlsVersions {
10791 if ver.version < VersionTLS12 {
10792 continue
10793 }
10794
10795 testCases = append(testCases, testCase{
10796 testType: clientTest,
10797 name: "ECDSAKeyUsage-" + ver.name,
10798 config: Config{
10799 MinVersion: ver.version,
10800 MaxVersion: ver.version,
10801 Certificates: []Certificate{cert},
10802 },
10803 shouldFail: true,
10804 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10805 })
10806 }
10807}
10808
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]10809func addExtraHandshakeTests() {
10810 // An extra SSL_do_handshake is normally a no-op. These tests use -async
10811 // to ensure there is no transport I/O.
10812 testCases = append(testCases, testCase{
10813 testType: clientTest,
10814 name: "ExtraHandshake-Client-TLS12",
10815 config: Config{
10816 MinVersion: VersionTLS12,
10817 MaxVersion: VersionTLS12,
10818 },
10819 flags: []string{
10820 "-async",
10821 "-no-op-extra-handshake",
10822 },
10823 })
10824 testCases = append(testCases, testCase{
10825 testType: serverTest,
10826 name: "ExtraHandshake-Server-TLS12",
10827 config: Config{
10828 MinVersion: VersionTLS12,
10829 MaxVersion: VersionTLS12,
10830 },
10831 flags: []string{
10832 "-async",
10833 "-no-op-extra-handshake",
10834 },
10835 })
10836 testCases = append(testCases, testCase{
10837 testType: clientTest,
10838 name: "ExtraHandshake-Client-TLS13",
10839 config: Config{
10840 MinVersion: VersionTLS13,
10841 MaxVersion: VersionTLS13,
10842 },
10843 flags: []string{
10844 "-async",
10845 "-no-op-extra-handshake",
10846 },
10847 })
10848 testCases = append(testCases, testCase{
10849 testType: serverTest,
10850 name: "ExtraHandshake-Server-TLS13",
10851 config: Config{
10852 MinVersion: VersionTLS13,
10853 MaxVersion: VersionTLS13,
10854 },
10855 flags: []string{
10856 "-async",
10857 "-no-op-extra-handshake",
10858 },
10859 })
10860
10861 // An extra SSL_do_handshake is a no-op in server 0-RTT.
10862 testCases = append(testCases, testCase{
10863 testType: serverTest,
10864 name: "ExtraHandshake-Server-EarlyData-TLS13",
10865 config: Config{
10866 MaxVersion: VersionTLS13,
10867 MinVersion: VersionTLS13,
10868 Bugs: ProtocolBugs{
10869 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10870 ExpectEarlyDataAccepted: true,
10871 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10872 },
10873 },
10874 messageCount: 2,
10875 resumeSession: true,
10876 flags: []string{
10877 "-async",
10878 "-enable-early-data",
10879 "-expect-accept-early-data",
10880 "-no-op-extra-handshake",
10881 },
10882 })
10883
10884 // An extra SSL_do_handshake drives the handshake to completion in False
10885 // Start. We test this by handshaking twice and asserting the False
10886 // Start does not appear to happen. See AlertBeforeFalseStartTest for
10887 // how the test works.
10888 testCases = append(testCases, testCase{
10889 testType: clientTest,
10890 name: "ExtraHandshake-FalseStart",
10891 config: Config{
10892 MaxVersion: VersionTLS12,
10893 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10894 NextProtos: []string{"foo"},
10895 Bugs: ProtocolBugs{
10896 ExpectFalseStart: true,
10897 AlertBeforeFalseStartTest: alertAccessDenied,
10898 },
10899 },
10900 flags: []string{
10901 "-handshake-twice",
10902 "-false-start",
10903 "-advertise-alpn", "\x03foo",
10904 },
10905 shimWritesFirst: true,
10906 shouldFail: true,
10907 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
10908 expectedLocalError: "tls: peer did not false start: EOF",
10909 })
10910}
10911
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10912func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10913 defer wg.Done()
10914
10915 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10916 var err error
10917
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10918 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10919 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10920 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10921 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10922 if err != nil {
10923 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10924 }
10925 break
10926 }
10927 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10928 } else if *repeatUntilFailure {
10929 for err == nil {
10930 statusChan <- statusMsg{test: test, started: true}
10931 err = runTest(test, shimPath, -1)
10932 }
10933 } else {
10934 statusChan <- statusMsg{test: test, started: true}
10935 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10936 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10937 statusChan <- statusMsg{test: test, err: err}
10938 }
10939}
10940
10941type statusMsg struct {
10942 test *testCase
10943 started bool
10944 err error
10945}
10946
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10947func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10948 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10949
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10950 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10951 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10952 if !*pipe {
10953 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10954 var erase string
10955 for i := 0; i < lineLen; i++ {
10956 erase += "\b \b"
10957 }
10958 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10959 }
10960
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10961 if msg.started {
10962 started++
10963 } else {
10964 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10965
10966 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10967 if msg.err == errUnimplemented {
10968 if *pipe {
10969 // Print each test instead of a status line.
10970 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10971 }
10972 unimplemented++
10973 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10974 } else {
10975 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10976 failed++
10977 testOutput.addResult(msg.test.name, "FAIL")
10978 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10979 } else {
10980 if *pipe {
10981 // Print each test instead of a status line.
10982 fmt.Printf("PASSED (%s)\n", msg.test.name)
10983 }
10984 testOutput.addResult(msg.test.name, "PASS")
10985 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10986 }
10987
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10988 if !*pipe {
10989 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10990 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10991 lineLen = len(line)
10992 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10993 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10994 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10995
10996 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10997}
10998
10999func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11000 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11001 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]11002 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11003
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11004 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11005 addCipherSuiteTests()
11006 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]11007 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]11008 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]11009 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]11010 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]11011 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]11012 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]11013 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]11014 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]11015 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]11016 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]11017 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]11018 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]11019 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]11020 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]11021 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]11022 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]11023 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]11024 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]11025 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]11026 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]11027 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]11028 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]11029 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]11030 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]11031 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]11032 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]11033 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]11034 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]11035 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]11036 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]11037 addECDSAKeyUsageTests()
David Benjamin8c26d752017-03-26 15:13:51 -0500[diff] [blame]11038 addExtraHandshakeTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11039
11040 var wg sync.WaitGroup
11041
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11042 statusChan := make(chan statusMsg, *numWorkers)
11043 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11044 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11045
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11046 if len(*shimConfigFile) != 0 {
11047 encoded, err := ioutil.ReadFile(*shimConfigFile)
11048 if err != nil {
11049 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11050 os.Exit(1)
11051 }
11052
11053 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11054 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11055 os.Exit(1)
11056 }
11057 }
11058
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11059 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11060
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11061 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11062 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]11063 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11064 }
11065
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11066 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11067 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11068 matched := true
11069 if len(*testToRun) != 0 {
11070 var err error
11071 matched, err = filepath.Match(*testToRun, testCases[i].name)
11072 if err != nil {
11073 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11074 os.Exit(1)
11075 }
11076 }
11077
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11078 if !*includeDisabled {
11079 for pattern := range shimConfig.DisabledTests {
11080 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11081 if err != nil {
11082 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11083 os.Exit(1)
11084 }
11085
11086 if isDisabled {
11087 matched = false
11088 break
11089 }
11090 }
11091 }
11092
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11093 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11094 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]11095 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]11096
11097 // Only run one test if repeating until failure.
11098 if *repeatUntilFailure {
11099 break
11100 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11101 }
11102 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]11103
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11104 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]11105 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]11106 os.Exit(1)
11107 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11108
11109 close(testChan)
11110 wg.Wait()
11111 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11112 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11113
11114 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]11115
11116 if *jsonOutput != "" {
11117 if err := testOutput.writeTo(*jsonOutput); err != nil {
11118 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11119 }
11120 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11121
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]11122 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11123 os.Exit(1)
11124 }
11125
11126 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]11127 os.Exit(1)
11128 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11129}